# Flog Txt Version 1 # Analyzer Version: 4.3.0 # Analyzer Build Date: Sep 20 2021 05:59:55 # Log Creation Date: 28.09.2021 08:48:14.427 Process: id = "1" image_name = "94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe" filename = "c:\\users\\keecfmwgj\\desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe" page_root = "0x3c81f000" os_pid = "0xe1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x45c" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe\" " cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e957" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 117 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 118 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 119 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 120 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 121 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 122 start_va = 0x220000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 123 start_va = 0x2d0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 124 start_va = 0xad0000 end_va = 0xb63fff monitored = 1 entry_point = 0xb5f056 region_type = mapped_file name = "94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe") Region: id = 125 start_va = 0x776e0000 end_va = 0x77888fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 126 start_va = 0x778c0000 end_va = 0x77a3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 127 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 128 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 129 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 130 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 131 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 132 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 133 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 272 start_va = 0xb0000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 273 start_va = 0x75100000 end_va = 0x75107fff monitored = 0 entry_point = 0x751020f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 274 start_va = 0x75110000 end_va = 0x7516bfff monitored = 0 entry_point = 0x7514f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 275 start_va = 0x75170000 end_va = 0x751aefff monitored = 0 entry_point = 0x7519e088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 276 start_va = 0x774c0000 end_va = 0x775defff monitored = 0 entry_point = 0x774d5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 277 start_va = 0x772b0000 end_va = 0x773bffff monitored = 0 entry_point = 0x772c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 278 start_va = 0x774c0000 end_va = 0x775defff monitored = 0 entry_point = 0x774d5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 279 start_va = 0x774c0000 end_va = 0x775defff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000774c0000" filename = "" Region: id = 280 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 281 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 282 start_va = 0x3d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 283 start_va = 0x752a0000 end_va = 0x752e9fff monitored = 1 entry_point = 0x752a2e54 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 284 start_va = 0x772b0000 end_va = 0x773bffff monitored = 0 entry_point = 0x772c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 285 start_va = 0x773e0000 end_va = 0x77426fff monitored = 0 entry_point = 0x773e74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 286 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 287 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 288 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 289 start_va = 0x130000 end_va = 0x196fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 290 start_va = 0x510000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 291 start_va = 0x510000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 292 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 293 start_va = 0x77180000 end_va = 0x7721ffff monitored = 0 entry_point = 0x771949e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 294 start_va = 0x76b90000 end_va = 0x76c3bfff monitored = 0 entry_point = 0x76b9a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 295 start_va = 0x77490000 end_va = 0x774a8fff monitored = 0 entry_point = 0x77494975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 296 start_va = 0x769e0000 end_va = 0x76acffff monitored = 0 entry_point = 0x769f0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 297 start_va = 0x75410000 end_va = 0x7546ffff monitored = 0 entry_point = 0x7542a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 298 start_va = 0x75400000 end_va = 0x7540bfff monitored = 0 entry_point = 0x754010e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 299 start_va = 0x5f0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 300 start_va = 0x75210000 end_va = 0x7529cfff monitored = 1 entry_point = 0x75222860 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 301 start_va = 0x73430000 end_va = 0x73432fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 302 start_va = 0x76850000 end_va = 0x768a6fff monitored = 0 entry_point = 0x76869ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 303 start_va = 0x76270000 end_va = 0x762fffff monitored = 0 entry_point = 0x76286343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 304 start_va = 0x766d0000 end_va = 0x767cffff monitored = 0 entry_point = 0x766eb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 305 start_va = 0x77890000 end_va = 0x77899fff monitored = 0 entry_point = 0x778936a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 306 start_va = 0x76300000 end_va = 0x7639cfff monitored = 0 entry_point = 0x76333fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 307 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 308 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 309 start_va = 0x7b0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 310 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 311 start_va = 0x77430000 end_va = 0x7748ffff monitored = 0 entry_point = 0x7744158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 312 start_va = 0x77050000 end_va = 0x7711bfff monitored = 0 entry_point = 0x7705168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 313 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 314 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 315 start_va = 0x7c0000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 316 start_va = 0xb70000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 317 start_va = 0x950000 end_va = 0x9ddfff monitored = 1 entry_point = 0x9df056 region_type = mapped_file name = "94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe") Region: id = 318 start_va = 0x950000 end_va = 0x9ddfff monitored = 1 entry_point = 0x9df056 region_type = mapped_file name = "94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe") Region: id = 319 start_va = 0x743d0000 end_va = 0x743d8fff monitored = 0 entry_point = 0x743d1220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 320 start_va = 0x723c0000 end_va = 0x72b6efff monitored = 1 entry_point = 0x723dd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 321 start_va = 0x71c10000 end_va = 0x723befff monitored = 1 entry_point = 0x71c2d0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 322 start_va = 0x723c0000 end_va = 0x72b6efff monitored = 1 entry_point = 0x723dd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 323 start_va = 0x751f0000 end_va = 0x75203fff monitored = 0 entry_point = 0x751fac00 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\SysWOW64\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\syswow64\\vcruntime140_clr0400.dll") Region: id = 324 start_va = 0x72310000 end_va = 0x723bafff monitored = 0 entry_point = 0x723a5f20 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\SysWOW64\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\syswow64\\ucrtbase_clr0400.dll") Region: id = 325 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 326 start_va = 0x80000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 327 start_va = 0x90000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 328 start_va = 0xa0000 end_va = 0xaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 329 start_va = 0x1a0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 330 start_va = 0x1b0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 331 start_va = 0x1c0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 332 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 333 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 334 start_va = 0x950000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 335 start_va = 0xa00000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 336 start_va = 0x1f90000 end_va = 0x1fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 337 start_va = 0x2020000 end_va = 0x211ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 338 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 339 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 340 start_va = 0x2120000 end_va = 0x411ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 341 start_va = 0x4120000 end_va = 0x41bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 342 start_va = 0x270000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 343 start_va = 0x4390000 end_va = 0x448ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004390000" filename = "" Region: id = 344 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 345 start_va = 0x4280000 end_va = 0x42bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004280000" filename = "" Region: id = 346 start_va = 0x45c0000 end_va = 0x46bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045c0000" filename = "" Region: id = 347 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 348 start_va = 0x46c0000 end_va = 0x498efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 349 start_va = 0x70f00000 end_va = 0x7230afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll") Region: id = 350 start_va = 0x763d0000 end_va = 0x7652bfff monitored = 0 entry_point = 0x7641ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 351 start_va = 0x742e0000 end_va = 0x7435ffff monitored = 0 entry_point = 0x742f37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 352 start_va = 0x4990000 end_va = 0x4b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004990000" filename = "" Region: id = 353 start_va = 0x4490000 end_va = 0x456efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004490000" filename = "" Region: id = 354 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 355 start_va = 0x751e0000 end_va = 0x751e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-xstate-l2-1-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-xstate-l2-1-0.dll") Region: id = 356 start_va = 0x70db0000 end_va = 0x70e38fff monitored = 1 entry_point = 0x70db1130 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 357 start_va = 0x76ad0000 end_va = 0x76b5efff monitored = 0 entry_point = 0x76ad3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 358 start_va = 0x200000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 359 start_va = 0x70350000 end_va = 0x70da4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\2c3c912ea8f058f9d04c4650128feb3f\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\2c3c912ea8f058f9d04c4650128feb3f\\system.ni.dll") Region: id = 360 start_va = 0x701a0000 end_va = 0x70342fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.drawing.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Drawing\\f7568d7f1b9d356f64779b4c0927cfb3\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.drawing\\f7568d7f1b9d356f64779b4c0927cfb3\\system.drawing.ni.dll") Region: id = 361 start_va = 0x6f330000 end_va = 0x70195fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.windows.forms.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Windows.Forms\\c9a4cbc00f690a9e3cddfc400f6e85bb\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.windows.forms\\c9a4cbc00f690a9e3cddfc400f6e85bb\\system.windows.forms.ni.dll") Region: id = 362 start_va = 0x6ed80000 end_va = 0x6f323fff monitored = 1 entry_point = 0x6f30b692 region_type = mapped_file name = "system.windows.forms.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.windows.forms\\v4.0_4.0.0.0__b77a5c561934e089\\system.windows.forms.dll") Region: id = 363 start_va = 0x210000 end_va = 0x211fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 364 start_va = 0x6eb10000 end_va = 0x6f327fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\31fae3290fad30c31c98651462d22724\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\31fae3290fad30c31c98651462d22724\\system.core.ni.dll") Region: id = 365 start_va = 0x6ea00000 end_va = 0x6eb04fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\96f7edb07b12303f0ec2595c7f3778c7\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.configuration\\96f7edb07b12303f0ec2595c7f3778c7\\system.configuration.ni.dll") Region: id = 366 start_va = 0x6e280000 end_va = 0x6e9f3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\15af16d373cf0528cb74fc73d365fdbf\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\15af16d373cf0528cb74fc73d365fdbf\\system.xml.ni.dll") Region: id = 367 start_va = 0x260000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 368 start_va = 0x70ee0000 end_va = 0x70ef2fff monitored = 1 entry_point = 0x70eed900 region_type = mapped_file name = "nlssorting.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\nlssorting.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\nlssorting.dll") Region: id = 369 start_va = 0x4b20000 end_va = 0x4df1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nlp" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\sortdefault.nlp" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\sortdefault.nlp") Region: id = 370 start_va = 0x755b0000 end_va = 0x761f9fff monitored = 0 entry_point = 0x75631601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 371 start_va = 0x2b0000 end_va = 0x2b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 372 start_va = 0x74490000 end_va = 0x7449afff monitored = 0 entry_point = 0x74491992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 373 start_va = 0x4e00000 end_va = 0x4feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e00000" filename = "" Region: id = 374 start_va = 0x70ec0000 end_va = 0x70ed6fff monitored = 0 entry_point = 0x70ec35fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 375 start_va = 0x74190000 end_va = 0x741a6fff monitored = 0 entry_point = 0x74193573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 376 start_va = 0x3d0000 end_va = 0x40bfff monitored = 0 entry_point = 0x3d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 377 start_va = 0x410000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 378 start_va = 0x3d0000 end_va = 0x40bfff monitored = 0 entry_point = 0x3d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 379 start_va = 0x3d0000 end_va = 0x40bfff monitored = 0 entry_point = 0x3d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 380 start_va = 0x3d0000 end_va = 0x40bfff monitored = 0 entry_point = 0x3d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 381 start_va = 0x3d0000 end_va = 0x40bfff monitored = 0 entry_point = 0x3d128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 382 start_va = 0x74150000 end_va = 0x7418afff monitored = 0 entry_point = 0x7415128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 383 start_va = 0x41c0000 end_va = 0x4241fff monitored = 0 entry_point = 0x41c19a9 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 384 start_va = 0x41c0000 end_va = 0x4241fff monitored = 0 entry_point = 0x41c19a9 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 385 start_va = 0x6e1f0000 end_va = 0x6e273fff monitored = 0 entry_point = 0x6e1f19a9 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 386 start_va = 0x4990000 end_va = 0x4acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004990000" filename = "" Region: id = 387 start_va = 0x4ae0000 end_va = 0x4b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ae0000" filename = "" Region: id = 388 start_va = 0x2c0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 389 start_va = 0x6e000000 end_va = 0x6e1e1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.visualbasic.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.V9921e851#\\a891970b44db9e340c3ef3efa95b793c\\Microsoft.VisualBasic.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.v9921e851#\\a891970b44db9e340c3ef3efa95b793c\\microsoft.visualbasic.ni.dll") Region: id = 390 start_va = 0x2c0000 end_va = 0x2cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 391 start_va = 0xa10000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 392 start_va = 0xa60000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 393 start_va = 0x4320000 end_va = 0x435ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004320000" filename = "" Region: id = 394 start_va = 0x4e70000 end_va = 0x4f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e70000" filename = "" Region: id = 395 start_va = 0x4fb0000 end_va = 0x4feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004fb0000" filename = "" Region: id = 396 start_va = 0x50a0000 end_va = 0x519ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000050a0000" filename = "" Region: id = 397 start_va = 0x7efa7000 end_va = 0x7efa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 398 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 399 start_va = 0x950000 end_va = 0x9b1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll") Region: id = 400 start_va = 0x9c0000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 401 start_va = 0x6de70000 end_va = 0x6dffffff monitored = 0 entry_point = 0x6df0d026 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 402 start_va = 0x51a0000 end_va = 0x538ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000051a0000" filename = "" Region: id = 403 start_va = 0x3d0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 404 start_va = 0x4230000 end_va = 0x426ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004230000" filename = "" Region: id = 405 start_va = 0x51d0000 end_va = 0x52cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000051d0000" filename = "" Region: id = 406 start_va = 0x5380000 end_va = 0x538ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005380000" filename = "" Region: id = 407 start_va = 0x7efa4000 end_va = 0x7efa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 408 start_va = 0x4990000 end_va = 0x4a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004990000" filename = "" Region: id = 409 start_va = 0x4ac0000 end_va = 0x4acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ac0000" filename = "" Region: id = 410 start_va = 0x6dd70000 end_va = 0x6de6afff monitored = 0 entry_point = 0x6dd817e1 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\SysWOW64\\WindowsCodecs.dll" (normalized: "c:\\windows\\syswow64\\windowscodecs.dll") Region: id = 411 start_va = 0x41c0000 end_va = 0x4225fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041c0000" filename = "" Region: id = 412 start_va = 0x5390000 end_va = 0x548ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005390000" filename = "" Region: id = 413 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 414 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 415 start_va = 0x4a10000 end_va = 0x4a75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a10000" filename = "" Region: id = 416 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 417 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 418 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 419 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 420 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 421 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 422 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 423 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 424 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 425 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 426 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 427 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 428 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 429 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 430 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 431 start_va = 0x780000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 432 start_va = 0x790000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 433 start_va = 0x7a0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 434 start_va = 0xa00000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 435 start_va = 0xa50000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 436 start_va = 0xaa0000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 437 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 438 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 439 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 440 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 441 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 442 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 443 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 444 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 445 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 446 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 447 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 448 start_va = 0x780000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 449 start_va = 0x790000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 450 start_va = 0x7a0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 451 start_va = 0xa00000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 452 start_va = 0xa50000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 453 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 454 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 455 start_va = 0x510000 end_va = 0x548fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 456 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 457 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 458 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 459 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 460 start_va = 0x5020000 end_va = 0x505ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005020000" filename = "" Region: id = 461 start_va = 0x55e0000 end_va = 0x56dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000055e0000" filename = "" Region: id = 462 start_va = 0x7efa1000 end_va = 0x7efa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 463 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 464 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 465 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 466 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 467 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 468 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 469 start_va = 0x54b0000 end_va = 0x54effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000054b0000" filename = "" Region: id = 470 start_va = 0x5770000 end_va = 0x586ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005770000" filename = "" Region: id = 471 start_va = 0x73f80000 end_va = 0x74074fff monitored = 0 entry_point = 0x73f90d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 472 start_va = 0x7ef9e000 end_va = 0x7efa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 473 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 474 start_va = 0x744a0000 end_va = 0x7463dfff monitored = 0 entry_point = 0x744ce6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 475 start_va = 0x550000 end_va = 0x550fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 476 start_va = 0x5a0000 end_va = 0x5a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 477 start_va = 0x740d0000 end_va = 0x7411bfff monitored = 0 entry_point = 0x740d2c14 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 478 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 479 start_va = 0x76530000 end_va = 0x765b2fff monitored = 0 entry_point = 0x765323d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 480 start_va = 0x5b0000 end_va = 0x5b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 481 start_va = 0x74680000 end_va = 0x750fffff monitored = 0 entry_point = 0x74686b95 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\SysWOW64\\ieframe.dll" (normalized: "c:\\windows\\syswow64\\ieframe.dll") Region: id = 482 start_va = 0x76ca0000 end_va = 0x76ca4fff monitored = 0 entry_point = 0x76ca1438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 483 start_va = 0x74640000 end_va = 0x7467bfff monitored = 0 entry_point = 0x74643089 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 484 start_va = 0x76e50000 end_va = 0x7704afff monitored = 0 entry_point = 0x76e522d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 485 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 486 start_va = 0x5d0000 end_va = 0x5d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 487 start_va = 0x75470000 end_va = 0x755a5fff monitored = 0 entry_point = 0x75471b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 488 start_va = 0x765c0000 end_va = 0x766b4fff monitored = 0 entry_point = 0x765c1865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 489 start_va = 0x768b0000 end_va = 0x769d0fff monitored = 0 entry_point = 0x768b158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 490 start_va = 0x766c0000 end_va = 0x766cbfff monitored = 0 entry_point = 0x766c238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 491 start_va = 0x5870000 end_va = 0x596ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005870000" filename = "" Region: id = 492 start_va = 0x76cb0000 end_va = 0x76e4cfff monitored = 0 entry_point = 0x76cb17e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 493 start_va = 0x76240000 end_va = 0x76266fff monitored = 0 entry_point = 0x762458b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 494 start_va = 0x773c0000 end_va = 0x773d1fff monitored = 0 entry_point = 0x773c1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 495 start_va = 0x780000 end_va = 0x78cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\setupapi.dll.mui") Region: id = 496 start_va = 0x74460000 end_va = 0x74480fff monitored = 0 entry_point = 0x7446145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 497 start_va = 0x77130000 end_va = 0x77174fff monitored = 0 entry_point = 0x771311e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 498 start_va = 0x790000 end_va = 0x793fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 499 start_va = 0xaa0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db") Region: id = 500 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 501 start_va = 0x790000 end_va = 0x793fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 502 start_va = 0x1fd0000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 503 start_va = 0xa00000 end_va = 0xa03fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 504 start_va = 0x4e00000 end_va = 0x4e65fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 505 start_va = 0xac0000 end_va = 0xacdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui") Region: id = 506 start_va = 0x1f70000 end_va = 0x1f70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f70000" filename = "" Region: id = 507 start_va = 0x1f80000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 564 start_va = 0x6dc40000 end_va = 0x6dd6ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\e114780fd3ea5727401c06ea4f22ef35\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\e114780fd3ea5727401c06ea4f22ef35\\system.management.ni.dll") Region: id = 609 start_va = 0x2000000 end_va = 0x200ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 610 start_va = 0x2010000 end_va = 0x201ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 611 start_va = 0x4270000 end_va = 0x427ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 614 start_va = 0x42c0000 end_va = 0x42cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042c0000" filename = "" Region: id = 615 start_va = 0x1f80000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 619 start_va = 0x5540000 end_va = 0x557ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005540000" filename = "" Region: id = 620 start_va = 0x5770000 end_va = 0x586ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005770000" filename = "" Region: id = 621 start_va = 0x7ef9e000 end_va = 0x7efa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 622 start_va = 0x7ef40000 end_va = 0x7ef8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef40000" filename = "" Region: id = 623 start_va = 0x7ef30000 end_va = 0x7ef3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef30000" filename = "" Region: id = 624 start_va = 0x70ea0000 end_va = 0x70eb9fff monitored = 0 entry_point = 0x70eb03d0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Region: id = 625 start_va = 0x6dbd0000 end_va = 0x6dc30fff monitored = 0 entry_point = 0x6dc0bf40 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\SysWOW64\\wbemcomn2.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn2.dll") Region: id = 626 start_va = 0x76200000 end_va = 0x76234fff monitored = 0 entry_point = 0x7620145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 627 start_va = 0x774b0000 end_va = 0x774b5fff monitored = 0 entry_point = 0x774b1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 629 start_va = 0x74290000 end_va = 0x7429dfff monitored = 0 entry_point = 0x74291235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 631 start_va = 0x54e0000 end_va = 0x551ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000054e0000" filename = "" Region: id = 632 start_va = 0x5a40000 end_va = 0x5b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a40000" filename = "" Region: id = 633 start_va = 0x7ef9b000 end_va = 0x7ef9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Region: id = 635 start_va = 0x56e0000 end_va = 0x571ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000056e0000" filename = "" Region: id = 636 start_va = 0x5cd0000 end_va = 0x5dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005cd0000" filename = "" Region: id = 637 start_va = 0x7ef98000 end_va = 0x7ef9afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef98000" filename = "" Region: id = 638 start_va = 0x70e70000 end_va = 0x70e7afff monitored = 0 entry_point = 0x70e752a0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 646 start_va = 0x70e40000 end_va = 0x70e60fff monitored = 1 entry_point = 0x70e498e0 region_type = mapped_file name = "wminet_utils.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WMINet_Utils.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\wminet_utils.dll") Region: id = 647 start_va = 0x1f80000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 648 start_va = 0x1f80000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 649 start_va = 0x1f80000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 1001 start_va = 0x6db30000 end_va = 0x6db3efff monitored = 0 entry_point = 0x6db393d0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 1002 start_va = 0x6da80000 end_va = 0x6db25fff monitored = 0 entry_point = 0x6daea2f0 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 1003 start_va = 0x6da60000 end_va = 0x6da77fff monitored = 0 entry_point = 0x6da61335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\SysWOW64\\ntdsapi.dll" (normalized: "c:\\windows\\syswow64\\ntdsapi.dll") Region: id = 1004 start_va = 0x4a80000 end_va = 0x4abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a80000" filename = "" Region: id = 1005 start_va = 0x5c90000 end_va = 0x5d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c90000" filename = "" Region: id = 1006 start_va = 0x7ef98000 end_va = 0x7ef9afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef98000" filename = "" Region: id = 1007 start_va = 0x5580000 end_va = 0x55bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005580000" filename = "" Region: id = 1008 start_va = 0x5e20000 end_va = 0x5f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e20000" filename = "" Region: id = 1009 start_va = 0x7ef95000 end_va = 0x7ef97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef95000" filename = "" Region: id = 1127 start_va = 0x1f80000 end_va = 0x1f82fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f80000" filename = "" Region: id = 1128 start_va = 0x1f80000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 1129 start_va = 0x2000000 end_va = 0x200ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 1130 start_va = 0x1f80000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 1131 start_va = 0x1f80000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 1132 start_va = 0x2000000 end_va = 0x2000fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002000000" filename = "" Region: id = 1133 start_va = 0x2010000 end_va = 0x2013fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1151 start_va = 0x4270000 end_va = 0x427ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 1162 start_va = 0x42c0000 end_va = 0x42cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042c0000" filename = "" Region: id = 1163 start_va = 0x42d0000 end_va = 0x42dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 1215 start_va = 0x52d0000 end_va = 0x530ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000052d0000" filename = "" Region: id = 1216 start_va = 0x5ff0000 end_va = 0x60effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005ff0000" filename = "" Region: id = 1217 start_va = 0x7ef92000 end_va = 0x7ef94fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef92000" filename = "" Region: id = 1239 start_va = 0x59f0000 end_va = 0x5a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000059f0000" filename = "" Region: id = 1240 start_va = 0x61e0000 end_va = 0x62dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061e0000" filename = "" Region: id = 1241 start_va = 0x7ef2d000 end_va = 0x7ef2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ef2d000" filename = "" Thread: id = 1 os_tid = 0xe20 [0078.645] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0084.278] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x3ce7c0 | out: phkResult=0x3ce7c0*=0x0) returned 0x2 [0084.279] RegCloseKey (hKey=0x80000002) returned 0x0 [0084.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", nBufferLength=0x105, lpBuffer=0x3cea44, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", lpFilePart=0x0) returned 0x77 [0084.512] IsAppThemed () returned 0x1 [0084.520] CoTaskMemAlloc (cb=0xf0) returned 0x470380 [0084.521] CreateActCtxA (pActCtx=0x3cef68) returned 0x470574 [0084.663] CoTaskMemFree (pv=0x470380) [0084.819] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLNAME") returned 0xc1b9 [0084.819] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLTYPE") returned 0xc1b7 [0086.917] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe.config", nBufferLength=0x105, lpBuffer=0x3ce8dc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe.config", lpFilePart=0x0) returned 0x66 [0087.419] GetCurrentProcess () returned 0xffffffff [0087.419] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x3cec14 | out: TokenHandle=0x3cec14*=0x1f0) returned 1 [0087.425] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x3ce6cc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e [0087.631] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x3cec0c | out: lpFileInformation=0x3cec0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0087.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x3ce698, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0087.633] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x3cec14 | out: lpFileInformation=0x3cec14*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0087.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x3ce634, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0087.639] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x3ceb4c) returned 1 [0087.639] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x40 [0087.640] GetFileType (hFile=0x40) returned 0x1 [0087.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x3ceb48) returned 1 [0087.640] GetFileType (hFile=0x40) returned 0x1 [0092.087] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x3cde88, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0092.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x3cdeec, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0092.089] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x3ce12c) returned 1 [0092.089] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x3ce3f0 | out: lpFileInformation=0x3ce3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0092.089] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x3ce128) returned 1 [0092.863] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x3ce2bc | out: pfEnabled=0x3ce2bc) returned 0x0 [0093.483] GetFileSize (in: hFile=0x40, lpFileSizeHigh=0x3cec08 | out: lpFileSizeHigh=0x3cec08*=0x0) returned 0x8c8e [0093.484] ReadFile (in: hFile=0x40, lpBuffer=0x21501ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x3cebc4, lpOverlapped=0x0 | out: lpBuffer=0x21501ec*, lpNumberOfBytesRead=0x3cebc4*=0x1000, lpOverlapped=0x0) returned 1 [0093.523] ReadFile (in: hFile=0x40, lpBuffer=0x21501ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x3cea74, lpOverlapped=0x0 | out: lpBuffer=0x21501ec*, lpNumberOfBytesRead=0x3cea74*=0x1000, lpOverlapped=0x0) returned 1 [0093.525] ReadFile (in: hFile=0x40, lpBuffer=0x21501ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x3ce928, lpOverlapped=0x0 | out: lpBuffer=0x21501ec*, lpNumberOfBytesRead=0x3ce928*=0x1000, lpOverlapped=0x0) returned 1 [0093.526] ReadFile (in: hFile=0x40, lpBuffer=0x21501ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x3ce928, lpOverlapped=0x0 | out: lpBuffer=0x21501ec*, lpNumberOfBytesRead=0x3ce928*=0x1000, lpOverlapped=0x0) returned 1 [0093.527] ReadFile (in: hFile=0x40, lpBuffer=0x21501ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x3ce928, lpOverlapped=0x0 | out: lpBuffer=0x21501ec*, lpNumberOfBytesRead=0x3ce928*=0x1000, lpOverlapped=0x0) returned 1 [0093.527] ReadFile (in: hFile=0x40, lpBuffer=0x21501ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x3ce860, lpOverlapped=0x0 | out: lpBuffer=0x21501ec*, lpNumberOfBytesRead=0x3ce860*=0x1000, lpOverlapped=0x0) returned 1 [0093.536] ReadFile (in: hFile=0x40, lpBuffer=0x21501ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x3ce9cc, lpOverlapped=0x0 | out: lpBuffer=0x21501ec*, lpNumberOfBytesRead=0x3ce9cc*=0x1000, lpOverlapped=0x0) returned 1 [0093.538] ReadFile (in: hFile=0x40, lpBuffer=0x21501ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x3ce8c0, lpOverlapped=0x0 | out: lpBuffer=0x21501ec*, lpNumberOfBytesRead=0x3ce8c0*=0x1000, lpOverlapped=0x0) returned 1 [0093.539] ReadFile (in: hFile=0x40, lpBuffer=0x21501ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x3ce8c0, lpOverlapped=0x0 | out: lpBuffer=0x21501ec*, lpNumberOfBytesRead=0x3ce8c0*=0xc8e, lpOverlapped=0x0) returned 1 [0093.539] ReadFile (in: hFile=0x40, lpBuffer=0x21501ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x3ce984, lpOverlapped=0x0 | out: lpBuffer=0x21501ec*, lpNumberOfBytesRead=0x3ce984*=0x0, lpOverlapped=0x0) returned 1 [0093.539] CloseHandle (hObject=0x40) returned 1 [0093.540] CloseHandle (hObject=0x1f0) returned 1 [0093.541] GetCurrentProcess () returned 0xffffffff [0093.541] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x3ced60 | out: TokenHandle=0x3ced60*=0x1f0) returned 1 [0093.542] CloseHandle (hObject=0x1f0) returned 1 [0093.543] GetCurrentProcess () returned 0xffffffff [0093.543] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x3ced60 | out: TokenHandle=0x3ced60*=0x1f0) returned 1 [0093.544] CloseHandle (hObject=0x1f0) returned 1 [0093.554] GetCurrentProcess () returned 0xffffffff [0093.555] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x3cec14 | out: TokenHandle=0x3cec14*=0x1f0) returned 1 [0093.556] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe.config" (normalized: "c:\\users\\keecfmwgj\\desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x3cec0c | out: lpFileInformation=0x3cec0c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0093.556] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe.config", nBufferLength=0x105, lpBuffer=0x3ce698, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe.config", lpFilePart=0x0) returned 0x66 [0093.557] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe.config" (normalized: "c:\\users\\keecfmwgj\\desktop\\94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x3cec14 | out: lpFileInformation=0x3cec14*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0093.558] CloseHandle (hObject=0x1f0) returned 1 [0093.558] GetCurrentProcess () returned 0xffffffff [0093.558] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x3ced60 | out: TokenHandle=0x3ced60*=0x1f0) returned 1 [0093.559] CloseHandle (hObject=0x1f0) returned 1 [0093.560] GetCurrentProcess () returned 0xffffffff [0093.561] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x3ced60 | out: TokenHandle=0x3ced60*=0x1f0) returned 1 [0093.561] CloseHandle (hObject=0x1f0) returned 1 [0093.622] GetCurrentProcess () returned 0xffffffff [0093.622] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x3ceb78 | out: TokenHandle=0x3ceb78*=0x1f0) returned 1 [0093.686] CloseHandle (hObject=0x1f0) returned 1 [0093.687] GetCurrentProcess () returned 0xffffffff [0093.687] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x3ceb90 | out: TokenHandle=0x3ceb90*=0x1f0) returned 1 [0093.746] CloseHandle (hObject=0x1f0) returned 1 [0093.779] GetSystemMetrics (nIndex=75) returned 1 [0093.907] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0 [0094.981] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772b0000 [0094.985] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AddDllDirectory", cchWideChar=15, lpMultiByteStr=0x3cee5c, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AddDllDirectory", lpUsedDefaultChar=0x0) returned 15 [0094.985] GetProcAddress (hModule=0x772b0000, lpProcName="AddDllDirectory") returned 0x773f1e91 [0094.986] LoadLibraryExW (lpLibFileName="comctl32.dll", hFile=0x0, dwFlags=0x800) returned 0x6e1f0000 [0095.017] AdjustWindowRectEx (in: lpRect=0x3cefc4, dwStyle=0x56cf0000, bMenu=0, dwExStyle=0x50001 | out: lpRect=0x3cefc4) returned 1 [0095.025] GetCurrentProcess () returned 0xffffffff [0095.025] GetCurrentThread () returned 0xfffffffe [0095.025] GetCurrentProcess () returned 0xffffffff [0095.026] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x3ceedc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x3ceedc*=0x40) returned 1 [0095.028] GetCurrentThreadId () returned 0xe20 [0095.041] GetCurrentActCtx (in: lphActCtx=0x3cee3c | out: lphActCtx=0x3cee3c*=0x0) returned 1 [0095.041] ActivateActCtx (in: hActCtx=0x470574, lpCookie=0x3cee4c | out: hActCtx=0x470574, lpCookie=0x3cee4c) returned 1 [0095.044] GetModuleHandleW (lpModuleName="user32.dll") returned 0x766d0000 [0095.044] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x3cecf4, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcWUo\x8aED%Dþ