# Flog Txt Version 1 # Analyzer Version: 4.6.0 # Analyzer Build Date: Jul 8 2022 06:26:21 # Log Creation Date: 05.08.2022 12:17:19.471 Process: id = "1" image_name = "45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe" page_root = "0x2c078000" os_pid = "0x1384" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x7b4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe\" " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 117 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 118 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 119 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 120 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 121 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 122 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 123 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 124 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 125 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 126 start_va = 0x400000 end_va = 0x411fff monitored = 1 entry_point = 0x40d0ae region_type = mapped_file name = "45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe") Region: id = 127 start_va = 0x771d0000 end_va = 0x7734afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 128 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 129 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 130 start_va = 0x7fff0000 end_va = 0x7ffa1676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 131 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 132 start_va = 0x7ffa16931000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffa16931000" filename = "" Region: id = 271 start_va = 0x420000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 272 start_va = 0x640d0000 end_va = 0x6411ffff monitored = 0 entry_point = 0x640e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 273 start_va = 0x64050000 end_va = 0x640c9fff monitored = 0 entry_point = 0x64063290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 274 start_va = 0x76720000 end_va = 0x767fffff monitored = 0 entry_point = 0x76733980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 275 start_va = 0x64120000 end_va = 0x64127fff monitored = 0 entry_point = 0x641217c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 276 start_va = 0x620000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 277 start_va = 0x72010000 end_va = 0x72068fff monitored = 1 entry_point = 0x72020780 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 278 start_va = 0x76720000 end_va = 0x767fffff monitored = 0 entry_point = 0x76733980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 279 start_va = 0x76910000 end_va = 0x76a8dfff monitored = 0 entry_point = 0x769c1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 280 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 281 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 282 start_va = 0x420000 end_va = 0x4ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 283 start_va = 0x610000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 284 start_va = 0x620000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 285 start_va = 0x7f0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 286 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 287 start_va = 0x76600000 end_va = 0x7667afff monitored = 0 entry_point = 0x7661e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 288 start_va = 0x76a90000 end_va = 0x76b4dfff monitored = 0 entry_point = 0x76ac5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 289 start_va = 0x4e0000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 290 start_va = 0x620000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 291 start_va = 0x790000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 292 start_va = 0x76cb0000 end_va = 0x76cf3fff monitored = 0 entry_point = 0x76cc9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 293 start_va = 0x76c00000 end_va = 0x76cacfff monitored = 0 entry_point = 0x76c14f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 294 start_va = 0x73f00000 end_va = 0x73f1dfff monitored = 0 entry_point = 0x73f0b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 295 start_va = 0x73ef0000 end_va = 0x73ef9fff monitored = 0 entry_point = 0x73ef2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 296 start_va = 0x76840000 end_va = 0x76897fff monitored = 0 entry_point = 0x768825c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 297 start_va = 0x520000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 298 start_va = 0x71e00000 end_va = 0x71e7cfff monitored = 1 entry_point = 0x71e10db0 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 299 start_va = 0x76d00000 end_va = 0x76d44fff monitored = 0 entry_point = 0x76d1de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 300 start_va = 0x762b0000 end_va = 0x7646cfff monitored = 0 entry_point = 0x76392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 301 start_va = 0x74ab0000 end_va = 0x74bfefff monitored = 0 entry_point = 0x74b66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 302 start_va = 0x743d0000 end_va = 0x74516fff monitored = 0 entry_point = 0x743e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 303 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 304 start_va = 0x8f0000 end_va = 0xa77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 305 start_va = 0x741b0000 end_va = 0x741dafff monitored = 0 entry_point = 0x741b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 306 start_va = 0xa80000 end_va = 0xc00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 307 start_va = 0xc10000 end_va = 0x200ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c10000" filename = "" Region: id = 308 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 309 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 310 start_va = 0x1e0000 end_va = 0x1ebfff monitored = 1 entry_point = 0x1ed0ae region_type = mapped_file name = "45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe") Region: id = 311 start_va = 0x76d50000 end_va = 0x76d5bfff monitored = 0 entry_point = 0x76d53930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 312 start_va = 0x71df0000 end_va = 0x71df7fff monitored = 0 entry_point = 0x71df17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 313 start_va = 0x6ed60000 end_va = 0x6f440fff monitored = 1 entry_point = 0x6ed8cd70 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 314 start_va = 0x71cf0000 end_va = 0x71de4fff monitored = 0 entry_point = 0x71d44160 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll") Region: id = 315 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 316 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 317 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 318 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 319 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 320 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 321 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 322 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 323 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 324 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 325 start_va = 0x2010000 end_va = 0x208ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 326 start_va = 0x2090000 end_va = 0x21affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002090000" filename = "" Region: id = 327 start_va = 0x5a0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 328 start_va = 0x2090000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002090000" filename = "" Region: id = 329 start_va = 0x21a0000 end_va = 0x21affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 330 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 331 start_va = 0x21b0000 end_va = 0x41affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 332 start_va = 0x41b0000 end_va = 0x424ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041b0000" filename = "" Region: id = 333 start_va = 0x720000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 334 start_va = 0x4250000 end_va = 0x434ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004250000" filename = "" Region: id = 335 start_va = 0x4350000 end_va = 0x4686fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 336 start_va = 0x6daa0000 end_va = 0x6ed51fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll") Region: id = 337 start_va = 0x74dc0000 end_va = 0x74eaafff monitored = 0 entry_point = 0x74dfd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 338 start_va = 0x4690000 end_va = 0x4720fff monitored = 0 entry_point = 0x46c8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 339 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 340 start_va = 0x71c70000 end_va = 0x71ceffff monitored = 1 entry_point = 0x71c71180 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 341 start_va = 0x76680000 end_va = 0x76711fff monitored = 0 entry_point = 0x766b8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 342 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 343 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 344 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 345 start_va = 0x6d0d0000 end_va = 0x6da9bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\1be7a15b1f33bf22e4f53aaf45518c77\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\1be7a15b1f33bf22e4f53aaf45518c77\\system.ni.dll") Region: id = 346 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 347 start_va = 0x70010000 end_va = 0x70022fff monitored = 0 entry_point = 0x70019950 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 348 start_va = 0x72860000 end_va = 0x7288efff monitored = 0 entry_point = 0x728795e0 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 349 start_va = 0x70350000 end_va = 0x7036afff monitored = 0 entry_point = 0x70359050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 350 start_va = 0x6c9a0000 end_va = 0x6d0c0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\eb4cca4f06a15158c3f7e2c56516729b\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\eb4cca4f06a15158c3f7e2c56516729b\\system.core.ni.dll") Region: id = 351 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 352 start_va = 0x760000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 353 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 354 start_va = 0x73f90000 end_va = 0x74107fff monitored = 0 entry_point = 0x73fe8a90 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 355 start_va = 0x764c0000 end_va = 0x764cdfff monitored = 0 entry_point = 0x764c5410 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 356 start_va = 0x760000 end_va = 0x769fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui") Region: id = 357 start_va = 0x770000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 358 start_va = 0x73f20000 end_va = 0x73f2efff monitored = 0 entry_point = 0x73f22e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 359 start_va = 0x74eb0000 end_va = 0x762aefff monitored = 0 entry_point = 0x7506b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 360 start_va = 0x76800000 end_va = 0x76836fff monitored = 0 entry_point = 0x76803b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 361 start_va = 0x745b0000 end_va = 0x74aa8fff monitored = 0 entry_point = 0x747b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 362 start_va = 0x74520000 end_va = 0x745acfff monitored = 0 entry_point = 0x74569b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 363 start_va = 0x76470000 end_va = 0x764b3fff monitored = 0 entry_point = 0x76477410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 364 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 365 start_va = 0x5e430000 end_va = 0x5e4cbfff monitored = 1 entry_point = 0x5e4be9a6 region_type = mapped_file name = "microsoft.visualbasic.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll") Region: id = 366 start_va = 0x4690000 end_va = 0x472bfff monitored = 1 entry_point = 0x471e9a6 region_type = mapped_file name = "microsoft.visualbasic.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll") Region: id = 367 start_va = 0x7a0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 368 start_va = 0x764d0000 end_va = 0x764d5fff monitored = 0 entry_point = 0x764d1460 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 369 start_va = 0x4730000 end_va = 0x482ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004730000" filename = "" Region: id = 370 start_va = 0x4830000 end_va = 0x490ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 371 start_va = 0x7a0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 372 start_va = 0x4910000 end_va = 0x4a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004910000" filename = "" Region: id = 373 start_va = 0x73dd0000 end_va = 0x73e44fff monitored = 0 entry_point = 0x73e09a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 374 start_va = 0x4a10000 end_va = 0x4b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a10000" filename = "" Region: id = 375 start_va = 0x2010000 end_va = 0x204ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 376 start_va = 0x2080000 end_va = 0x208ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 377 start_va = 0x4a10000 end_va = 0x4b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a10000" filename = "" Region: id = 378 start_va = 0x4b10000 end_va = 0x4b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b10000" filename = "" Region: id = 379 start_va = 0x72290000 end_va = 0x723dafff monitored = 0 entry_point = 0x722f1660 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 380 start_va = 0x4b20000 end_va = 0x4b5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b20000" filename = "" Region: id = 381 start_va = 0x4b60000 end_va = 0x4c5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b60000" filename = "" Region: id = 382 start_va = 0x4c60000 end_va = 0x4c9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c60000" filename = "" Region: id = 383 start_va = 0x4ca0000 end_va = 0x4d9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ca0000" filename = "" Region: id = 384 start_va = 0x4da0000 end_va = 0x4ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004da0000" filename = "" Region: id = 385 start_va = 0x4de0000 end_va = 0x4edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004de0000" filename = "" Region: id = 386 start_va = 0x7e0000 end_va = 0x7e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 387 start_va = 0x74340000 end_va = 0x743c3fff monitored = 0 entry_point = 0x74366220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 388 start_va = 0x72070000 end_va = 0x7228bfff monitored = 0 entry_point = 0x7223bc40 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll") Region: id = 389 start_va = 0x2050000 end_va = 0x2050fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002050000" filename = "" Region: id = 390 start_va = 0x2060000 end_va = 0x2063fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 391 start_va = 0x4ee0000 end_va = 0x4f24fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db") Region: id = 392 start_va = 0x2070000 end_va = 0x2073fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 393 start_va = 0x4f30000 end_va = 0x4fbdfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 394 start_va = 0x4fc0000 end_va = 0x4fd0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui") Region: id = 395 start_va = 0x2190000 end_va = 0x2193fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 396 start_va = 0x4fe0000 end_va = 0x4ff3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000016.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db") Region: id = 397 start_va = 0x5000000 end_va = 0x5000fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005000000" filename = "" Region: id = 398 start_va = 0x70590000 end_va = 0x7070dfff monitored = 0 entry_point = 0x7060c630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 399 start_va = 0x73ae0000 end_va = 0x73daafff monitored = 0 entry_point = 0x73d1c4c0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 400 start_va = 0x2190000 end_va = 0x2190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002190000" filename = "" Thread: id = 1 os_tid = 0x1388 [0109.458] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0109.472] RoInitialize () returned 0x1 [0109.472] RoUninitialize () returned 0x0 [0118.721] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x8472b8) returned 1 [0118.729] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x1 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.731] CoTaskMemAlloc (cb=0x20) returned 0x840830 [0118.731] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x840830, pdwDataLen=0x19f3bc, dwFlags=0x1 | out: pbData=0x840830, pdwDataLen=0x19f3bc) returned 1 [0118.732] CoTaskMemFree (pv=0x840830) [0118.732] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.732] CoTaskMemAlloc (cb=0x20) returned 0x840718 [0118.732] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x840718, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x840718, pdwDataLen=0x19f3bc) returned 1 [0118.732] CoTaskMemFree (pv=0x840718) [0118.732] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.733] CoTaskMemAlloc (cb=0x20) returned 0x8408a8 [0118.733] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x8408a8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x8408a8, pdwDataLen=0x19f3bc) returned 1 [0118.733] CoTaskMemFree (pv=0x8408a8) [0118.733] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.733] CoTaskMemAlloc (cb=0x20) returned 0x840830 [0118.733] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x840830, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x840830, pdwDataLen=0x19f3bc) returned 1 [0118.733] CoTaskMemFree (pv=0x840830) [0118.733] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.733] CoTaskMemAlloc (cb=0x20) returned 0x8406c8 [0118.733] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x8406c8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x8406c8, pdwDataLen=0x19f3bc) returned 1 [0118.733] CoTaskMemFree (pv=0x8406c8) [0118.733] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.733] CoTaskMemAlloc (cb=0x20) returned 0x840808 [0118.733] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x840808, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x840808, pdwDataLen=0x19f3bc) returned 1 [0118.733] CoTaskMemFree (pv=0x840808) [0118.733] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.733] CoTaskMemAlloc (cb=0x20) returned 0x8408d0 [0118.733] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x8408d0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x8408d0, pdwDataLen=0x19f3bc) returned 1 [0118.734] CoTaskMemFree (pv=0x8408d0) [0118.734] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.734] CoTaskMemAlloc (cb=0x20) returned 0x8408d0 [0118.734] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x8408d0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x8408d0, pdwDataLen=0x19f3bc) returned 1 [0118.734] CoTaskMemFree (pv=0x8408d0) [0118.734] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.734] CoTaskMemAlloc (cb=0x20) returned 0x840920 [0118.734] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x840920, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x840920, pdwDataLen=0x19f3bc) returned 1 [0118.734] CoTaskMemFree (pv=0x840920) [0118.734] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.734] CoTaskMemAlloc (cb=0x20) returned 0x8408d0 [0118.734] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x8408d0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x8408d0, pdwDataLen=0x19f3bc) returned 1 [0118.734] CoTaskMemFree (pv=0x8408d0) [0118.734] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.734] CoTaskMemAlloc (cb=0x20) returned 0x8407e0 [0118.734] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x8407e0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x8407e0, pdwDataLen=0x19f3bc) returned 1 [0118.734] CoTaskMemFree (pv=0x8407e0) [0118.735] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.735] CoTaskMemAlloc (cb=0x20) returned 0x8408f8 [0118.735] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x8408f8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x8408f8, pdwDataLen=0x19f3bc) returned 1 [0118.735] CoTaskMemFree (pv=0x8408f8) [0118.735] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.735] CoTaskMemAlloc (cb=0x20) returned 0x840718 [0118.735] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x840718, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x840718, pdwDataLen=0x19f3bc) returned 1 [0118.735] CoTaskMemFree (pv=0x840718) [0118.735] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.735] CoTaskMemAlloc (cb=0x20) returned 0x8408d0 [0118.735] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x8408d0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x8408d0, pdwDataLen=0x19f3bc) returned 1 [0118.735] CoTaskMemFree (pv=0x8408d0) [0118.735] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.735] CoTaskMemAlloc (cb=0x20) returned 0x840808 [0118.736] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x840808, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x840808, pdwDataLen=0x19f3bc) returned 1 [0118.736] CoTaskMemFree (pv=0x840808) [0118.736] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.736] CoTaskMemAlloc (cb=0x20) returned 0x840808 [0118.736] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x840808, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x840808, pdwDataLen=0x19f3bc) returned 1 [0118.736] CoTaskMemFree (pv=0x840808) [0118.736] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.736] CoTaskMemAlloc (cb=0x20) returned 0x840808 [0118.736] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x840808, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x840808, pdwDataLen=0x19f3bc) returned 1 [0118.736] CoTaskMemFree (pv=0x840808) [0118.736] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.736] CoTaskMemAlloc (cb=0x20) returned 0x8406c8 [0118.736] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x8406c8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x8406c8, pdwDataLen=0x19f3bc) returned 1 [0118.737] CoTaskMemFree (pv=0x8406c8) [0118.737] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.737] CoTaskMemAlloc (cb=0x20) returned 0x840830 [0118.737] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x840830, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x840830, pdwDataLen=0x19f3bc) returned 1 [0118.737] CoTaskMemFree (pv=0x840830) [0118.737] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0118.737] CoTaskMemAlloc (cb=0x20) returned 0x840790 [0118.737] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x840790, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x840790, pdwDataLen=0x19f3bc) returned 1 [0118.737] CoTaskMemFree (pv=0x840790) [0118.737] CryptGetProvParam (in: hProv=0x8472b8, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 0 [0118.826] CryptImportKey (in: hProv=0x8472b8, pbData=0x2287fcc, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x83e350) returned 1 [0118.828] CryptContextAddRef (hProv=0x8472b8, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.845] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x19f3e8 | out: pfEnabled=0x19f3e8) returned 0x0 [0118.859] CryptContextAddRef (hProv=0x8472b8, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.859] CryptDuplicateKey (in: hKey=0x83e350, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x83e410) returned 1 [0118.860] CryptContextAddRef (hProv=0x8472b8, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.860] CryptSetKeyParam (hKey=0x83e410, dwParam=0x4, pbData=0x22889ac*=0x1, dwFlags=0x0) returned 1 [0118.860] CryptSetKeyParam (hKey=0x83e410, dwParam=0x1, pbData=0x2288978, dwFlags=0x0) returned 1 [0118.869] CryptDecrypt (in: hKey=0x83e410, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2288a8c, pdwDataLen=0x19f3f8 | out: pbData=0x2288a8c, pdwDataLen=0x19f3f8) returned 1 [0118.935] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x19de18 | out: phkResult=0x19de18*=0x0) returned 0x2 [0118.942] CryptDecrypt (in: hKey=0x83e410, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2288b9c, pdwDataLen=0x19f3f8 | out: pbData=0x2288b9c, pdwDataLen=0x19f3f8) returned 0 [0118.944] CryptDestroyKey (hKey=0x83e350) returned 1 [0118.944] CryptReleaseContext (hProv=0x8472b8, dwFlags=0x0) returned 1 [0118.944] CryptReleaseContext (hProv=0x8472b8, dwFlags=0x0) returned 1 [0118.944] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x847780) returned 1 [0118.945] CryptImportKey (in: hProv=0x847780, pbData=0x228a46c, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x83e290) returned 1 [0118.945] CryptContextAddRef (hProv=0x847780, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.946] CryptContextAddRef (hProv=0x847780, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.946] CryptDuplicateKey (in: hKey=0x83e290, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x83e1d0) returned 1 [0118.946] CryptContextAddRef (hProv=0x847780, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.946] CryptSetKeyParam (hKey=0x83e1d0, dwParam=0x4, pbData=0x228abd4*=0x1, dwFlags=0x0) returned 1 [0118.946] CryptSetKeyParam (hKey=0x83e1d0, dwParam=0x1, pbData=0x228aba0, dwFlags=0x0) returned 1 [0118.946] CryptDecrypt (in: hKey=0x83e1d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x228acb8, pdwDataLen=0x19f3c8 | out: pbData=0x228acb8, pdwDataLen=0x19f3c8) returned 1 [0118.947] CryptDecrypt (in: hKey=0x83e1d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x228ad00, pdwDataLen=0x19f3f8 | out: pbData=0x228ad00, pdwDataLen=0x19f3f8) returned 1 [0118.947] CryptDecrypt (in: hKey=0x83e1d0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x228ad30, pdwDataLen=0x19f3f8 | out: pbData=0x228ad30, pdwDataLen=0x19f3f8) returned 0 [0118.948] CryptDestroyKey (hKey=0x83e290) returned 1 [0118.948] CryptReleaseContext (hProv=0x847780, dwFlags=0x0) returned 1 [0118.948] CryptReleaseContext (hProv=0x847780, dwFlags=0x0) returned 1 [0118.948] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x847340) returned 1 [0118.949] CryptImportKey (in: hProv=0x847340, pbData=0x228aebc, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x83e8d0) returned 1 [0118.949] CryptContextAddRef (hProv=0x847340, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.949] CryptContextAddRef (hProv=0x847340, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.949] CryptDuplicateKey (in: hKey=0x83e8d0, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x83e450) returned 1 [0118.949] CryptContextAddRef (hProv=0x847340, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.949] CryptSetKeyParam (hKey=0x83e450, dwParam=0x4, pbData=0x228b614*=0x1, dwFlags=0x0) returned 1 [0118.950] CryptSetKeyParam (hKey=0x83e450, dwParam=0x1, pbData=0x228b5e0, dwFlags=0x0) returned 1 [0118.950] CryptDecrypt (in: hKey=0x83e450, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x228b6f4, pdwDataLen=0x19f3f8 | out: pbData=0x228b6f4, pdwDataLen=0x19f3f8) returned 1 [0118.950] CryptDecrypt (in: hKey=0x83e450, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x228b724, pdwDataLen=0x19f3f8 | out: pbData=0x228b724, pdwDataLen=0x19f3f8) returned 0 [0118.950] CryptDestroyKey (hKey=0x83e8d0) returned 1 [0118.950] CryptReleaseContext (hProv=0x847340, dwFlags=0x0) returned 1 [0118.950] CryptReleaseContext (hProv=0x847340, dwFlags=0x0) returned 1 [0118.950] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x847c48) returned 1 [0118.951] CryptImportKey (in: hProv=0x847c48, pbData=0x228b880, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x83e710) returned 1 [0118.951] CryptContextAddRef (hProv=0x847c48, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.952] CryptContextAddRef (hProv=0x847c48, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.952] CryptDuplicateKey (in: hKey=0x83e710, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x83e8d0) returned 1 [0118.952] CryptContextAddRef (hProv=0x847c48, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.952] CryptSetKeyParam (hKey=0x83e8d0, dwParam=0x4, pbData=0x228bfd8*=0x1, dwFlags=0x0) returned 1 [0118.952] CryptSetKeyParam (hKey=0x83e8d0, dwParam=0x1, pbData=0x228bfa4, dwFlags=0x0) returned 1 [0118.952] CryptDecrypt (in: hKey=0x83e8d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x228c0b8, pdwDataLen=0x19f3f8 | out: pbData=0x228c0b8, pdwDataLen=0x19f3f8) returned 1 [0118.953] CryptDecrypt (in: hKey=0x83e8d0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x228c0e4, pdwDataLen=0x19f3f8 | out: pbData=0x228c0e4, pdwDataLen=0x19f3f8) returned 0 [0118.953] CryptDestroyKey (hKey=0x83e710) returned 1 [0118.953] CryptReleaseContext (hProv=0x847c48, dwFlags=0x0) returned 1 [0118.953] CryptReleaseContext (hProv=0x847c48, dwFlags=0x0) returned 1 [0118.953] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x847b38) returned 1 [0118.954] CryptImportKey (in: hProv=0x847b38, pbData=0x228c248, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x83e290) returned 1 [0118.954] CryptContextAddRef (hProv=0x847b38, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.955] CryptContextAddRef (hProv=0x847b38, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.955] CryptDuplicateKey (in: hKey=0x83e290, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x83e710) returned 1 [0118.955] CryptContextAddRef (hProv=0x847b38, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.955] CryptSetKeyParam (hKey=0x83e710, dwParam=0x4, pbData=0x228c9b0*=0x1, dwFlags=0x0) returned 1 [0118.955] CryptSetKeyParam (hKey=0x83e710, dwParam=0x1, pbData=0x228c97c, dwFlags=0x0) returned 1 [0118.955] CryptDecrypt (in: hKey=0x83e710, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x228ca94, pdwDataLen=0x19f3c8 | out: pbData=0x228ca94, pdwDataLen=0x19f3c8) returned 1 [0118.955] CryptDecrypt (in: hKey=0x83e710, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x228cadc, pdwDataLen=0x19f3f8 | out: pbData=0x228cadc, pdwDataLen=0x19f3f8) returned 1 [0118.956] CryptDecrypt (in: hKey=0x83e710, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x228cb08, pdwDataLen=0x19f3f8 | out: pbData=0x228cb08, pdwDataLen=0x19f3f8) returned 0 [0118.956] CryptDestroyKey (hKey=0x83e290) returned 1 [0118.956] CryptReleaseContext (hProv=0x847b38, dwFlags=0x0) returned 1 [0118.956] CryptReleaseContext (hProv=0x847b38, dwFlags=0x0) returned 1 [0118.956] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x847918) returned 1 [0118.957] CryptImportKey (in: hProv=0x847918, pbData=0x228cc8c, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x83e210) returned 1 [0118.957] CryptContextAddRef (hProv=0x847918, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.957] CryptContextAddRef (hProv=0x847918, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.958] CryptDuplicateKey (in: hKey=0x83e210, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x83e290) returned 1 [0118.958] CryptContextAddRef (hProv=0x847918, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.958] CryptSetKeyParam (hKey=0x83e290, dwParam=0x4, pbData=0x228d3e4*=0x1, dwFlags=0x0) returned 1 [0118.958] CryptSetKeyParam (hKey=0x83e290, dwParam=0x1, pbData=0x228d3b0, dwFlags=0x0) returned 1 [0118.958] CryptDecrypt (in: hKey=0x83e290, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x228d4c4, pdwDataLen=0x19f3f8 | out: pbData=0x228d4c4, pdwDataLen=0x19f3f8) returned 1 [0118.958] CryptDecrypt (in: hKey=0x83e290, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x228d4f0, pdwDataLen=0x19f3f8 | out: pbData=0x228d4f0, pdwDataLen=0x19f3f8) returned 0 [0118.958] CryptDestroyKey (hKey=0x83e210) returned 1 [0118.958] CryptReleaseContext (hProv=0x847918, dwFlags=0x0) returned 1 [0118.958] CryptReleaseContext (hProv=0x847918, dwFlags=0x0) returned 1 [0118.958] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x846f00) returned 1 [0118.959] CryptImportKey (in: hProv=0x846f00, pbData=0x228d644, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x83e350) returned 1 [0118.959] CryptContextAddRef (hProv=0x846f00, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.960] CryptContextAddRef (hProv=0x846f00, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.960] CryptDuplicateKey (in: hKey=0x83e350, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x83e810) returned 1 [0118.960] CryptContextAddRef (hProv=0x846f00, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.960] CryptSetKeyParam (hKey=0x83e810, dwParam=0x4, pbData=0x228dd9c*=0x1, dwFlags=0x0) returned 1 [0118.960] CryptSetKeyParam (hKey=0x83e810, dwParam=0x1, pbData=0x228dd68, dwFlags=0x0) returned 1 [0118.960] CryptDecrypt (in: hKey=0x83e810, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x228de7c, pdwDataLen=0x19f3f8 | out: pbData=0x228de7c, pdwDataLen=0x19f3f8) returned 1 [0118.961] CryptDecrypt (in: hKey=0x83e810, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x228deac, pdwDataLen=0x19f3f8 | out: pbData=0x228deac, pdwDataLen=0x19f3f8) returned 0 [0118.961] CryptDestroyKey (hKey=0x83e350) returned 1 [0118.961] CryptReleaseContext (hProv=0x846f00, dwFlags=0x0) returned 1 [0118.961] CryptReleaseContext (hProv=0x846f00, dwFlags=0x0) returned 1 [0118.961] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x8476f8) returned 1 [0118.962] CryptImportKey (in: hProv=0x8476f8, pbData=0x228e004, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x83e850) returned 1 [0118.962] CryptContextAddRef (hProv=0x8476f8, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.962] CryptContextAddRef (hProv=0x8476f8, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.962] CryptDuplicateKey (in: hKey=0x83e850, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x83e2d0) returned 1 [0118.967] CryptContextAddRef (hProv=0x8476f8, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.967] CryptSetKeyParam (hKey=0x83e2d0, dwParam=0x4, pbData=0x228e75c*=0x1, dwFlags=0x0) returned 1 [0118.967] CryptSetKeyParam (hKey=0x83e2d0, dwParam=0x1, pbData=0x228e728, dwFlags=0x0) returned 1 [0118.968] CryptDecrypt (in: hKey=0x83e2d0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x228e83c, pdwDataLen=0x19f3f8 | out: pbData=0x228e83c, pdwDataLen=0x19f3f8) returned 1 [0118.968] CryptDecrypt (in: hKey=0x83e2d0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x228e86c, pdwDataLen=0x19f3f8 | out: pbData=0x228e86c, pdwDataLen=0x19f3f8) returned 0 [0118.968] CryptDestroyKey (hKey=0x83e850) returned 1 [0118.968] CryptReleaseContext (hProv=0x8476f8, dwFlags=0x0) returned 1 [0118.968] CryptReleaseContext (hProv=0x8476f8, dwFlags=0x0) returned 1 [0118.968] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x847098) returned 1 [0118.969] CryptImportKey (in: hProv=0x847098, pbData=0x228e9c4, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x83e850) returned 1 [0118.969] CryptContextAddRef (hProv=0x847098, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.970] CryptContextAddRef (hProv=0x847098, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.970] CryptDuplicateKey (in: hKey=0x83e850, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x83e510) returned 1 [0118.970] CryptContextAddRef (hProv=0x847098, pdwReserved=0x0, dwFlags=0x0) returned 1 [0118.970] CryptSetKeyParam (hKey=0x83e510, dwParam=0x4, pbData=0x228f11c*=0x1, dwFlags=0x0) returned 1 [0118.970] CryptSetKeyParam (hKey=0x83e510, dwParam=0x1, pbData=0x228f0e8, dwFlags=0x0) returned 1 [0118.970] CryptDecrypt (in: hKey=0x83e510, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x228f1fc, pdwDataLen=0x19f3f8 | out: pbData=0x228f1fc, pdwDataLen=0x19f3f8) returned 1 [0118.970] CryptDecrypt (in: hKey=0x83e510, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x228f22c, pdwDataLen=0x19f3f8 | out: pbData=0x228f22c, pdwDataLen=0x19f3f8) returned 0 [0118.970] CryptDestroyKey (hKey=0x83e850) returned 1 [0118.970] CryptReleaseContext (hProv=0x847098, dwFlags=0x0) returned 1 [0118.970] CryptReleaseContext (hProv=0x847098, dwFlags=0x0) returned 1 [0118.997] GetUserNameW (in: lpBuffer=0x19f20c, pcbBuffer=0x19f484 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x19f484) returned 1 [0119.005] GetComputerNameW (in: lpBuffer=0x19f20c, nSize=0x19f484 | out: lpBuffer="XC64ZB", nSize=0x19f484) returned 1 [0119.005] CoTaskMemAlloc (cb=0x20c) returned 0x84aeb8 [0119.005] GetSystemDirectoryW (in: lpBuffer=0x84aeb8, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0119.006] CoTaskMemFree (pv=0x84aeb8) [0119.014] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x19eea4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0119.017] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f440) returned 1 [0119.018] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x19f46c, lpTotalNumberOfBytes=0x19f464, lpTotalNumberOfFreeBytes=0x19f45c | out: lpFreeBytesAvailableToCaller=0x19f46c, lpTotalNumberOfBytes=0x19f464, lpTotalNumberOfFreeBytes=0x19f45c) returned 1 [0119.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f43c) returned 1 [0119.070] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x847ab0) returned 1 [0119.070] CryptImportKey (in: hProv=0x847ab0, pbData=0x22912f8, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x83ef50) returned 1 [0119.070] CryptContextAddRef (hProv=0x847ab0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0119.071] CryptContextAddRef (hProv=0x847ab0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0119.071] CryptDuplicateKey (in: hKey=0x83ef50, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x83ead0) returned 1 [0119.071] CryptContextAddRef (hProv=0x847ab0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0119.071] CryptSetKeyParam (hKey=0x83ead0, dwParam=0x4, pbData=0x2291fb0*=0x1, dwFlags=0x0) returned 1 [0119.071] CryptSetKeyParam (hKey=0x83ead0, dwParam=0x1, pbData=0x2291f7c, dwFlags=0x0) returned 1 [0119.071] CryptDecrypt (in: hKey=0x83ead0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22925b4, pdwDataLen=0x19f3c8 | out: pbData=0x22925b4, pdwDataLen=0x19f3c8) returned 1 [0119.071] CryptDecrypt (in: hKey=0x83ead0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x229288c, pdwDataLen=0x19f3f8 | out: pbData=0x229288c, pdwDataLen=0x19f3f8) returned 1 [0119.071] CryptDecrypt (in: hKey=0x83ead0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22928c0, pdwDataLen=0x19f3f8 | out: pbData=0x22928c0, pdwDataLen=0x19f3f8) returned 0 [0119.072] CryptDestroyKey (hKey=0x83ef50) returned 1 [0119.072] CryptReleaseContext (hProv=0x847ab0, dwFlags=0x0) returned 1 [0119.072] CryptReleaseContext (hProv=0x847ab0, dwFlags=0x0) returned 1 [0119.072] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x8473c8) returned 1 [0119.073] CryptImportKey (in: hProv=0x8473c8, pbData=0x229391c, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x83ee90) returned 1 [0119.073] CryptContextAddRef (hProv=0x8473c8, pdwReserved=0x0, dwFlags=0x0) returned 1 [0119.074] CryptContextAddRef (hProv=0x8473c8, pdwReserved=0x0, dwFlags=0x0) returned 1 [0119.074] CryptDuplicateKey (in: hKey=0x83ee90, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x83eed0) returned 1 [0119.074] CryptContextAddRef (hProv=0x8473c8, pdwReserved=0x0, dwFlags=0x0) returned 1 [0119.074] CryptSetKeyParam (hKey=0x83eed0, dwParam=0x4, pbData=0x2294dd4*=0x1, dwFlags=0x0) returned 1 [0119.074] CryptSetKeyParam (hKey=0x83eed0, dwParam=0x1, pbData=0x2294da0, dwFlags=0x0) returned 1 [0119.074] CryptDecrypt (in: hKey=0x83eed0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x2295bd8, pdwDataLen=0x19f3c8 | out: pbData=0x2295bd8, pdwDataLen=0x19f3c8) returned 1 [0119.075] CryptDecrypt (in: hKey=0x83eed0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x22962b0, pdwDataLen=0x19f3f8 | out: pbData=0x22962b0, pdwDataLen=0x19f3f8) returned 1 [0119.075] CryptDecrypt (in: hKey=0x83eed0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22962d8, pdwDataLen=0x19f3f8 | out: pbData=0x22962d8, pdwDataLen=0x19f3f8) returned 0 [0119.075] CryptDestroyKey (hKey=0x83ee90) returned 1 [0119.075] CryptReleaseContext (hProv=0x8473c8, dwFlags=0x0) returned 1 [0119.075] CryptReleaseContext (hProv=0x8473c8, dwFlags=0x0) returned 1 [0119.846] CertDuplicateCertificateContext (pCertContext=0x8460f0) returned 0x8460f0 [0119.903] LocalAlloc (uFlags=0x0, uBytes=0x2a) returned 0x83a818 [0119.924] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x83a818, dwGroupId=0x3) returned 0x0 [0119.981] LocalFree (hMem=0x83a818) returned 0x0 [0119.981] LocalAlloc (uFlags=0x0, uBytes=0x2a) returned 0x857e70 [0119.981] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x857e70, dwGroupId=0x0) returned 0x0 [0120.156] LocalFree (hMem=0x857e70) returned 0x0 [0120.159] LocalAlloc (uFlags=0x0, uBytes=0x15) returned 0x841cc0 [0120.159] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x841cc0, dwGroupId=0x0) returned 0x73f9d6c0 [0120.165] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x229850c, cbEncoded=0x20e, dwFlags=0x0, pvStructInfo=0x0, pcbStructInfo=0x19f434 | out: pvStructInfo=0x0, pcbStructInfo=0x19f434) returned 1 [0120.165] LocalAlloc (uFlags=0x0, uBytes=0x214) returned 0x857f80 [0120.165] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x229850c, cbEncoded=0x20e, dwFlags=0x0, pvStructInfo=0x857f80, pcbStructInfo=0x19f434 | out: pvStructInfo=0x857f80, pcbStructInfo=0x19f434) returned 1 [0120.166] LocalFree (hMem=0x857f80) returned 0x0 [0127.196] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x19eda4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0127.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x19ee08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0127.202] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f2b0) returned 1 [0127.203] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19f32c | out: lpFileInformation=0x19f32c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0127.203] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f2ac) returned 1 [0127.295] CoTaskMemAlloc (cb=0x2e) returned 0x8578c0 [0127.302] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x8578c0, dwGroupId=0x1) returned 0x0 [0127.302] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x8578c0, dwGroupId=0x0) returned 0x0 [0127.303] CoTaskMemFree (pv=0x8578c0) [0127.326] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="AsyncMutex_6SI8OkPnk") returned 0x2d8 [0127.951] ExpandEnvironmentStringsW (in: lpSrc="%AppData%", lpDst=0x19f328, nSize=0x64 | out: lpDst="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x26 [0127.951] ExpandEnvironmentStringsW (in: lpSrc="%AppData%", lpDst=0x19f328, nSize=0x64 | out: lpDst="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x26 [0127.952] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", nBufferLength=0x105, lpBuffer=0x19ef24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", lpFilePart=0x0) returned 0x31 [0127.955] GetCurrentProcessId () returned 0x1384 [0128.000] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x19ecc4 | out: lpLuid=0x19ecc4*(LowPart=0x14, HighPart=0)) returned 1 [0128.002] GetCurrentProcess () returned 0xffffffff [0128.002] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x19ecc0 | out: TokenHandle=0x19ecc0*=0x2e8) returned 1 [0128.003] AdjustTokenPrivileges (in: TokenHandle=0x2e8, DisableAllPrivileges=0, NewState=0x22ba060*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0128.003] CloseHandle (hObject=0x2e8) returned 1 [0128.007] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1384) returned 0x2e8 [0128.204] EnumProcessModules (in: hProcess=0x2e8, lphModule=0x22ba0a4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22ba0a4, lpcbNeeded=0x19f434) returned 1 [0128.206] GetModuleInformation (in: hProcess=0x2e8, hModule=0x400000, lpmodinfo=0x22ba1e4, cb=0xc | out: lpmodinfo=0x22ba1e4*(lpBaseOfDll=0x400000, SizeOfImage=0x12000, EntryPoint=0x0)) returned 1 [0128.207] CoTaskMemAlloc (cb=0x804) returned 0x888e28 [0128.207] GetModuleBaseNameW (in: hProcess=0x2e8, hModule=0x400000, lpBaseName=0x888e28, nSize=0x800 | out: lpBaseName="45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe") returned 0x44 [0128.207] CoTaskMemFree (pv=0x888e28) [0128.208] CoTaskMemAlloc (cb=0x804) returned 0x888e28 [0128.208] GetModuleFileNameExW (in: hProcess=0x2e8, hModule=0x400000, lpFilename=0x888e28, nSize=0x800 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe")) returned 0x62 [0128.209] CoTaskMemFree (pv=0x888e28) [0128.218] CloseHandle (hObject=0x2e8) returned 1 [0128.231] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x31b54f0, Length=0x20000, ResultLength=0x19f43c | out: SystemInformation=0x31b54f0, ResultLength=0x19f43c*=0x14fe0) returned 0x0 [0128.260] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb88) returned 0x0 [0128.261] EnumProcesses (in: lpidProcess=0x22e1ec8, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x22e1ec8, lpcbNeeded=0x19f3a4) returned 1 [0128.265] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13 [0128.304] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1018) returned 0x2f0 [0128.304] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22e2a6c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22e2a6c, lpcbNeeded=0x19f434) returned 1 [0128.306] GetModuleInformation (in: hProcess=0x2f0, hModule=0x11c0000, lpmodinfo=0x22e2bac, cb=0xc | out: lpmodinfo=0x22e2bac*(lpBaseOfDll=0x11c0000, SizeOfImage=0x17000, EntryPoint=0x11c14a1)) returned 1 [0128.307] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.307] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x11c0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="spgagentservice.exe") returned 0x13 [0128.307] CoTaskMemFree (pv=0x88b0f0) [0128.307] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.307] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x11c0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Portable Devices\\spgagentservice.exe" (normalized: "c:\\program files\\windows portable devices\\spgagentservice.exe")) returned 0x3d [0128.308] CoTaskMemFree (pv=0x88b0f0) [0128.308] CloseHandle (hObject=0x2f0) returned 1 [0128.308] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0128.308] EnumProcesses (in: lpidProcess=0x22e4d44, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x22e4d44, lpcbNeeded=0x19f3a4) returned 1 [0128.310] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13 [0128.311] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe98) returned 0x2f0 [0128.311] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22e58a4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22e58a4, lpcbNeeded=0x19f434) returned 1 [0128.313] GetModuleInformation (in: hProcess=0x2f0, hModule=0x13e0000, lpmodinfo=0x22e59e4, cb=0xc | out: lpmodinfo=0x22e59e4*(lpBaseOfDll=0x13e0000, SizeOfImage=0x17000, EntryPoint=0x13e14a1)) returned 1 [0128.314] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.314] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x13e0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="fling.exe") returned 0x9 [0128.314] CoTaskMemFree (pv=0x88b0f0) [0128.314] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.314] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x13e0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Mozilla Firefox\\fling.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\fling.exe")) returned 0x30 [0128.315] CoTaskMemFree (pv=0x88b0f0) [0128.315] CloseHandle (hObject=0x2f0) returned 1 [0128.316] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x30c) returned 0x2f0 [0128.316] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22e7b50, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22e7b50, lpcbNeeded=0x19f434) returned 0 [0128.316] GetCurrentProcessId () returned 0x1384 [0128.316] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.324] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.324] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.346] EtwEventRegister (in: ProviderId=0x22e84d4, EnableCallback=0x7706ee, CallbackContext=0x0, RegHandle=0x22e84b0 | out: RegHandle=0x22e84b0) returned 0x0 [0128.348] EtwEventSetInformation (RegHandle=0x83c3f8, InformationClass=0x38, EventInformation=0x2, InformationLength=0x22e8474) returned 0x0 [0128.369] CloseHandle (hObject=0x2f4) returned 1 [0128.369] CloseHandle (hObject=0x2f0) returned 1 [0128.369] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1020) returned 0x2f0 [0128.370] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22e9bc4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22e9bc4, lpcbNeeded=0x19f434) returned 1 [0128.371] GetModuleInformation (in: hProcess=0x2f0, hModule=0xca0000, lpmodinfo=0x22e9d04, cb=0xc | out: lpmodinfo=0x22e9d04*(lpBaseOfDll=0xca0000, SizeOfImage=0x17000, EntryPoint=0xca14a1)) returned 1 [0128.372] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.372] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xca0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="utg2.exe") returned 0x8 [0128.373] CoTaskMemFree (pv=0x88b0f0) [0128.373] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.373] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xca0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\utg2.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\utg2.exe")) returned 0x2f [0128.373] CoTaskMemFree (pv=0x88b0f0) [0128.373] CloseHandle (hObject=0x2f0) returned 1 [0128.374] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf58) returned 0x2f0 [0128.374] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22ebe6c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22ebe6c, lpcbNeeded=0x19f434) returned 1 [0128.375] GetModuleInformation (in: hProcess=0x2f0, hModule=0x10a0000, lpmodinfo=0x22ebfac, cb=0xc | out: lpmodinfo=0x22ebfac*(lpBaseOfDll=0x10a0000, SizeOfImage=0x17000, EntryPoint=0x10a14a1)) returned 1 [0128.376] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.376] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x10a0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="whatsapp.exe") returned 0xc [0128.376] CoTaskMemFree (pv=0x88b0f0) [0128.376] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.376] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x10a0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Journal\\whatsapp.exe" (normalized: "c:\\program files\\windows journal\\whatsapp.exe")) returned 0x2d [0128.377] CoTaskMemFree (pv=0x88b0f0) [0128.377] CloseHandle (hObject=0x2f0) returned 1 [0128.377] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdcc) returned 0x2f0 [0128.377] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22ee118, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22ee118, lpcbNeeded=0x19f434) returned 1 [0128.379] GetModuleInformation (in: hProcess=0x2f0, hModule=0xcc0000, lpmodinfo=0x22ee258, cb=0xc | out: lpmodinfo=0x22ee258*(lpBaseOfDll=0xcc0000, SizeOfImage=0x17000, EntryPoint=0xcc14a1)) returned 1 [0128.379] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.380] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xcc0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="addmusic.exe") returned 0xc [0128.380] CoTaskMemFree (pv=0x88b0f0) [0128.380] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.380] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xcc0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Reference Assemblies\\addmusic.exe" (normalized: "c:\\program files (x86)\\reference assemblies\\addmusic.exe")) returned 0x38 [0128.381] CoTaskMemFree (pv=0x88b0f0) [0128.381] CloseHandle (hObject=0x2f0) returned 1 [0128.381] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1268) returned 0x2f0 [0128.381] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22f03dc, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22f03dc, lpcbNeeded=0x19f434) returned 0 [0128.381] GetCurrentProcessId () returned 0x1384 [0128.381] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.381] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.381] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.383] CloseHandle (hObject=0x2f4) returned 1 [0128.383] CloseHandle (hObject=0x2f0) returned 1 [0128.383] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe1c) returned 0x2f0 [0128.383] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22f0650, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22f0650, lpcbNeeded=0x19f434) returned 1 [0128.393] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22f075c, cb=0x200, lpcbNeeded=0x19f434 | out: lphModule=0x22f075c, lpcbNeeded=0x19f434) returned 1 [0128.402] GetModuleInformation (in: hProcess=0x2f0, hModule=0x3b0000, lpmodinfo=0x22f099c, cb=0xc | out: lpmodinfo=0x22f099c*(lpBaseOfDll=0x3b0000, SizeOfImage=0xca000, EntryPoint=0x3b3a40)) returned 1 [0128.402] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.402] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x3b0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="IEXPLORE.EXE") returned 0xc [0128.403] CoTaskMemFree (pv=0x88b0f0) [0128.403] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.403] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x3b0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe")) returned 0x35 [0128.404] CoTaskMemFree (pv=0x88b0f0) [0128.404] CloseHandle (hObject=0x2f0) returned 1 [0128.404] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf50) returned 0x2f0 [0128.404] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22f2b18, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22f2b18, lpcbNeeded=0x19f434) returned 1 [0128.407] GetModuleInformation (in: hProcess=0x2f0, hModule=0x90000, lpmodinfo=0x22f2c58, cb=0xc | out: lpmodinfo=0x22f2c58*(lpBaseOfDll=0x90000, SizeOfImage=0x17000, EntryPoint=0x914a1)) returned 1 [0128.407] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.407] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x90000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="webdrive.exe") returned 0xc [0128.408] CoTaskMemFree (pv=0x88b0f0) [0128.408] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.408] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x90000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Microsoft SQL Server\\webdrive.exe" (normalized: "c:\\program files (x86)\\microsoft sql server\\webdrive.exe")) returned 0x38 [0128.408] CoTaskMemFree (pv=0x88b0f0) [0128.409] CloseHandle (hObject=0x2f0) returned 1 [0128.409] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdc4) returned 0x2f0 [0128.409] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22f4ddc, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22f4ddc, lpcbNeeded=0x19f434) returned 1 [0128.411] GetModuleInformation (in: hProcess=0x2f0, hModule=0xd0000, lpmodinfo=0x22f4f1c, cb=0xc | out: lpmodinfo=0x22f4f1c*(lpBaseOfDll=0xd0000, SizeOfImage=0x17000, EntryPoint=0xd14a1)) returned 1 [0128.412] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.430] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xd0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="region_successful_show.exe") returned 0x1a [0128.431] CoTaskMemFree (pv=0x88b0f0) [0128.431] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.431] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xd0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\MSBuild\\region_successful_show.exe" (normalized: "c:\\program files\\msbuild\\region_successful_show.exe")) returned 0x33 [0128.432] CoTaskMemFree (pv=0x88b0f0) [0128.432] CloseHandle (hObject=0x2f0) returned 1 [0128.432] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x54c) returned 0x2f0 [0128.432] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22f70b0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22f70b0, lpcbNeeded=0x19f434) returned 0 [0128.432] GetCurrentProcessId () returned 0x1384 [0128.433] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.433] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.433] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.435] CloseHandle (hObject=0x2f4) returned 1 [0128.435] CloseHandle (hObject=0x2f0) returned 1 [0128.435] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfb0) returned 0x2f0 [0128.436] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22f7324, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22f7324, lpcbNeeded=0x19f434) returned 1 [0128.438] GetModuleInformation (in: hProcess=0x2f0, hModule=0x1390000, lpmodinfo=0x22f7464, cb=0xc | out: lpmodinfo=0x22f7464*(lpBaseOfDll=0x1390000, SizeOfImage=0x17000, EntryPoint=0x13914a1)) returned 1 [0128.439] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.439] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x1390000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="ccv_server.exe") returned 0xe [0128.439] CoTaskMemFree (pv=0x88b0f0) [0128.439] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.440] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x1390000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Microsoft SQL Server\\ccv_server.exe" (normalized: "c:\\program files (x86)\\microsoft sql server\\ccv_server.exe")) returned 0x3a [0128.440] CoTaskMemFree (pv=0x88b0f0) [0128.440] CloseHandle (hObject=0x2f0) returned 1 [0128.440] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x214) returned 0x0 [0128.440] EnumProcesses (in: lpidProcess=0x22f95f0, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x22f95f0, lpcbNeeded=0x19f3a4) returned 1 [0128.446] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13 [0128.447] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe80) returned 0x2f0 [0128.447] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22fa150, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22fa150, lpcbNeeded=0x19f434) returned 1 [0128.449] GetModuleInformation (in: hProcess=0x2f0, hModule=0x170000, lpmodinfo=0x22fa290, cb=0xc | out: lpmodinfo=0x22fa290*(lpBaseOfDll=0x170000, SizeOfImage=0x17000, EntryPoint=0x1714a1)) returned 1 [0128.450] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.450] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x170000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="filezilla.exe") returned 0xd [0128.457] CoTaskMemFree (pv=0x88b0f0) [0128.457] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.457] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x170000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Journal\\filezilla.exe" (normalized: "c:\\program files\\windows journal\\filezilla.exe")) returned 0x2e [0128.458] CoTaskMemFree (pv=0x88b0f0) [0128.458] CloseHandle (hObject=0x2f0) returned 1 [0128.458] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfe0) returned 0x2f0 [0128.458] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22fc400, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22fc400, lpcbNeeded=0x19f434) returned 1 [0128.460] GetModuleInformation (in: hProcess=0x2f0, hModule=0x11b0000, lpmodinfo=0x22fc540, cb=0xc | out: lpmodinfo=0x22fc540*(lpBaseOfDll=0x11b0000, SizeOfImage=0x17000, EntryPoint=0x11b14a1)) returned 1 [0128.460] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.460] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x11b0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="fpos.exe") returned 0x8 [0128.461] CoTaskMemFree (pv=0x88b0f0) [0128.461] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.461] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x11b0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Media Player\\fpos.exe" (normalized: "c:\\program files\\windows media player\\fpos.exe")) returned 0x2e [0128.461] CoTaskMemFree (pv=0x88b0f0) [0128.461] CloseHandle (hObject=0x2f0) returned 1 [0128.461] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1008) returned 0x2f0 [0128.462] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x22fe6a8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x22fe6a8, lpcbNeeded=0x19f434) returned 1 [0128.463] GetModuleInformation (in: hProcess=0x2f0, hModule=0x11a0000, lpmodinfo=0x22fe7e8, cb=0xc | out: lpmodinfo=0x22fe7e8*(lpBaseOfDll=0x11a0000, SizeOfImage=0x17000, EntryPoint=0x11a14a1)) returned 1 [0128.464] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.464] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x11a0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="spcwin.exe") returned 0xa [0128.464] CoTaskMemFree (pv=0x88b0f0) [0128.464] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.464] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x11a0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Internet Explorer\\spcwin.exe" (normalized: "c:\\program files\\internet explorer\\spcwin.exe")) returned 0x2d [0128.465] CoTaskMemFree (pv=0x88b0f0) [0128.465] CloseHandle (hObject=0x2f0) returned 1 [0128.465] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe88) returned 0x2f0 [0128.465] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2300950, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2300950, lpcbNeeded=0x19f434) returned 1 [0128.467] GetModuleInformation (in: hProcess=0x2f0, hModule=0xe60000, lpmodinfo=0x2300a90, cb=0xc | out: lpmodinfo=0x2300a90*(lpBaseOfDll=0xe60000, SizeOfImage=0x17000, EntryPoint=0xe614a1)) returned 1 [0128.468] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.468] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xe60000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="flashfxp.exe") returned 0xc [0128.469] CoTaskMemFree (pv=0x88b0f0) [0128.469] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.469] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xe60000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Portable Devices\\flashfxp.exe" (normalized: "c:\\program files\\windows portable devices\\flashfxp.exe")) returned 0x36 [0128.469] CoTaskMemFree (pv=0x88b0f0) [0128.469] CloseHandle (hObject=0x2f0) returned 1 [0128.469] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x604) returned 0x2f0 [0128.469] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2302c10, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2302c10, lpcbNeeded=0x19f434) returned 0 [0128.470] GetCurrentProcessId () returned 0x1384 [0128.470] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.470] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.470] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.471] CloseHandle (hObject=0x2f4) returned 1 [0128.471] CloseHandle (hObject=0x2f0) returned 1 [0128.472] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdb4) returned 0x2f0 [0128.472] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2302e84, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2302e84, lpcbNeeded=0x19f434) returned 1 [0128.474] GetModuleInformation (in: hProcess=0x2f0, hModule=0x70000, lpmodinfo=0x2302fc4, cb=0xc | out: lpmodinfo=0x2302fc4*(lpBaseOfDll=0x70000, SizeOfImage=0x17000, EntryPoint=0x714a1)) returned 1 [0128.474] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.474] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x70000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="born.exe") returned 0x8 [0128.474] CoTaskMemFree (pv=0x88b0f0) [0128.475] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.475] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x70000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\born.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\born.exe")) returned 0x2f [0128.475] CoTaskMemFree (pv=0x88b0f0) [0128.475] CloseHandle (hObject=0x2f0) returned 1 [0128.475] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x10c4) returned 0x2f0 [0128.475] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x230512c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x230512c, lpcbNeeded=0x19f434) returned 1 [0128.477] GetModuleInformation (in: hProcess=0x2f0, hModule=0xcb0000, lpmodinfo=0x230526c, cb=0xc | out: lpmodinfo=0x230526c*(lpBaseOfDll=0xcb0000, SizeOfImage=0x17000, EntryPoint=0xcb14a1)) returned 1 [0128.477] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.478] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xcb0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="player.exe") returned 0xa [0128.478] CoTaskMemFree (pv=0x88b0f0) [0128.478] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.478] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xcb0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Internet Explorer\\player.exe" (normalized: "c:\\program files\\internet explorer\\player.exe")) returned 0x2d [0128.478] CoTaskMemFree (pv=0x88b0f0) [0128.479] CloseHandle (hObject=0x2f0) returned 1 [0128.479] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe74) returned 0x2f0 [0128.479] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x23073d4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x23073d4, lpcbNeeded=0x19f434) returned 1 [0128.481] GetModuleInformation (in: hProcess=0x2f0, hModule=0x2a0000, lpmodinfo=0x2307514, cb=0xc | out: lpmodinfo=0x2307514*(lpBaseOfDll=0x2a0000, SizeOfImage=0x17000, EntryPoint=0x2a14a1)) returned 1 [0128.481] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.481] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x2a0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="far.exe") returned 0x7 [0128.481] CoTaskMemFree (pv=0x88b0f0) [0128.481] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.482] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x2a0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\far.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\far.exe")) returned 0x2e [0128.482] CoTaskMemFree (pv=0x88b0f0) [0128.482] CloseHandle (hObject=0x2f0) returned 1 [0128.482] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf38) returned 0x2f0 [0128.482] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2309678, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2309678, lpcbNeeded=0x19f434) returned 1 [0128.484] GetModuleInformation (in: hProcess=0x2f0, hModule=0x1030000, lpmodinfo=0x23097b8, cb=0xc | out: lpmodinfo=0x23097b8*(lpBaseOfDll=0x1030000, SizeOfImage=0x17000, EntryPoint=0x10314a1)) returned 1 [0128.484] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.484] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x1030000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="trillian.exe") returned 0xc [0128.485] CoTaskMemFree (pv=0x88b0f0) [0128.485] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.485] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x1030000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Photo Viewer\\trillian.exe" (normalized: "c:\\program files (x86)\\windows photo viewer\\trillian.exe")) returned 0x38 [0128.485] CoTaskMemFree (pv=0x88b0f0) [0128.485] CloseHandle (hObject=0x2f0) returned 1 [0128.486] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdac) returned 0x2f0 [0128.486] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x230b93c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x230b93c, lpcbNeeded=0x19f434) returned 1 [0128.487] GetModuleInformation (in: hProcess=0x2f0, hModule=0x12a0000, lpmodinfo=0x230ba7c, cb=0xc | out: lpmodinfo=0x230ba7c*(lpBaseOfDll=0x12a0000, SizeOfImage=0x17000, EntryPoint=0x12a14a1)) returned 1 [0128.488] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.488] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x12a0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="stop give.exe") returned 0xd [0128.488] CoTaskMemFree (pv=0x88b0f0) [0128.488] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.488] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x12a0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Multimedia Platform\\stop give.exe" (normalized: "c:\\program files\\windows multimedia platform\\stop give.exe")) returned 0x3a [0128.489] CoTaskMemFree (pv=0x88b0f0) [0128.489] CloseHandle (hObject=0x2f0) returned 1 [0128.489] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf30) returned 0x2f0 [0128.489] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x230dc04, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x230dc04, lpcbNeeded=0x19f434) returned 1 [0128.491] GetModuleInformation (in: hProcess=0x2f0, hModule=0xd50000, lpmodinfo=0x230dd44, cb=0xc | out: lpmodinfo=0x230dd44*(lpBaseOfDll=0xd50000, SizeOfImage=0x17000, EntryPoint=0xd514a1)) returned 1 [0128.492] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.492] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xd50000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="thunderbird.exe") returned 0xf [0128.492] CoTaskMemFree (pv=0x88b0f0) [0128.492] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.492] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xd50000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Defender\\thunderbird.exe" (normalized: "c:\\program files\\windows defender\\thunderbird.exe")) returned 0x31 [0128.493] CoTaskMemFree (pv=0x88b0f0) [0128.493] CloseHandle (hObject=0x2f0) returned 1 [0128.493] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x5f8) returned 0x2f0 [0128.493] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x230febc, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x230febc, lpcbNeeded=0x19f434) returned 0 [0128.493] GetCurrentProcessId () returned 0x1384 [0128.493] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.493] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.493] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.496] CloseHandle (hObject=0x2f4) returned 1 [0128.496] CloseHandle (hObject=0x2f0) returned 1 [0128.496] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xff8) returned 0x2f0 [0128.496] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2310130, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2310130, lpcbNeeded=0x19f434) returned 1 [0128.501] GetModuleInformation (in: hProcess=0x2f0, hModule=0xa10000, lpmodinfo=0x2310270, cb=0xc | out: lpmodinfo=0x2310270*(lpBaseOfDll=0xa10000, SizeOfImage=0x17000, EntryPoint=0xa114a1)) returned 1 [0128.502] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.502] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xa10000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="mxslipstream.exe") returned 0x10 [0128.502] CoTaskMemFree (pv=0x88b0f0) [0128.502] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.502] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xa10000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Mail\\mxslipstream.exe" (normalized: "c:\\program files\\windows mail\\mxslipstream.exe")) returned 0x2e [0128.503] CoTaskMemFree (pv=0x88b0f0) [0128.503] CloseHandle (hObject=0x2f0) returned 1 [0128.503] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x21c) returned 0x2f0 [0128.503] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x23123e8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x23123e8, lpcbNeeded=0x19f434) returned 0 [0128.504] GetCurrentProcessId () returned 0x1384 [0128.504] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.504] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.504] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.506] CloseHandle (hObject=0x2f4) returned 1 [0128.506] CloseHandle (hObject=0x2f0) returned 1 [0128.506] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x908) returned 0x2f0 [0128.506] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x231265c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x231265c, lpcbNeeded=0x19f434) returned 0 [0128.507] GetCurrentProcessId () returned 0x1384 [0128.507] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.507] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.507] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.508] CloseHandle (hObject=0x2f4) returned 1 [0128.509] CloseHandle (hObject=0x2f0) returned 1 [0128.509] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1308) returned 0x0 [0128.509] EnumProcesses (in: lpidProcess=0x23128d0, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x23128d0, lpcbNeeded=0x19f3a4) returned 1 [0128.511] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13 [0128.513] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x3a0) returned 0x2f0 [0128.513] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2313430, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2313430, lpcbNeeded=0x19f434) returned 0 [0128.513] GetCurrentProcessId () returned 0x1384 [0128.513] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.513] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.513] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.515] CloseHandle (hObject=0x2f4) returned 1 [0128.515] CloseHandle (hObject=0x2f0) returned 1 [0128.515] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe64) returned 0x2f0 [0128.516] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x23136a4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x23136a4, lpcbNeeded=0x19f434) returned 1 [0128.518] GetModuleInformation (in: hProcess=0x2f0, hModule=0x930000, lpmodinfo=0x23137e4, cb=0xc | out: lpmodinfo=0x23137e4*(lpBaseOfDll=0x930000, SizeOfImage=0x17000, EntryPoint=0x9314a1)) returned 1 [0128.519] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.519] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x930000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="coreftp.exe") returned 0xb [0128.519] CoTaskMemFree (pv=0x88b0f0) [0128.519] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.520] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x930000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Mozilla Firefox\\coreftp.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\coreftp.exe")) returned 0x32 [0128.520] CoTaskMemFree (pv=0x88b0f0) [0128.520] CloseHandle (hObject=0x2f0) returned 1 [0128.520] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfc8) returned 0x2f0 [0128.520] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2315958, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2315958, lpcbNeeded=0x19f434) returned 1 [0128.523] GetModuleInformation (in: hProcess=0x2f0, hModule=0x9e0000, lpmodinfo=0x2315a98, cb=0xc | out: lpmodinfo=0x2315a98*(lpBaseOfDll=0x9e0000, SizeOfImage=0x17000, EntryPoint=0x9e14a1)) returned 1 [0128.523] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.524] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x9e0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="creditservice.exe") returned 0x11 [0128.524] CoTaskMemFree (pv=0x88b0f0) [0128.524] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.524] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x9e0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\WindowsPowerShell\\creditservice.exe" (normalized: "c:\\program files\\windowspowershell\\creditservice.exe")) returned 0x34 [0128.525] CoTaskMemFree (pv=0x88b0f0) [0128.525] CloseHandle (hObject=0x2f0) returned 1 [0128.525] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x460) returned 0x2f0 [0128.525] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2317c1c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2317c1c, lpcbNeeded=0x19f434) returned 0 [0128.526] GetCurrentProcessId () returned 0x1384 [0128.526] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.526] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.526] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.528] CloseHandle (hObject=0x2f4) returned 1 [0128.528] CloseHandle (hObject=0x2f0) returned 1 [0128.529] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x210) returned 0x2f0 [0128.529] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2317e90, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2317e90, lpcbNeeded=0x19f434) returned 0 [0128.529] GetCurrentProcessId () returned 0x1384 [0128.529] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.529] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.529] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.531] CloseHandle (hObject=0x2f4) returned 1 [0128.531] CloseHandle (hObject=0x2f0) returned 1 [0128.531] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf24) returned 0x2f0 [0128.531] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2318104, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2318104, lpcbNeeded=0x19f434) returned 1 [0128.534] GetModuleInformation (in: hProcess=0x2f0, hModule=0x390000, lpmodinfo=0x2318244, cb=0xc | out: lpmodinfo=0x2318244*(lpBaseOfDll=0x390000, SizeOfImage=0x17000, EntryPoint=0x3914a1)) returned 1 [0128.534] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.534] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x390000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="smartftp.exe") returned 0xc [0128.534] CoTaskMemFree (pv=0x88b0f0) [0128.535] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.535] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x390000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Portable Devices\\smartftp.exe" (normalized: "c:\\program files\\windows portable devices\\smartftp.exe")) returned 0x36 [0128.535] CoTaskMemFree (pv=0x88b0f0) [0128.535] CloseHandle (hObject=0x2f0) returned 1 [0128.535] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd98) returned 0x2f0 [0128.535] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x231a3c4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x231a3c4, lpcbNeeded=0x19f434) returned 1 [0128.537] GetModuleInformation (in: hProcess=0x2f0, hModule=0xc80000, lpmodinfo=0x231a504, cb=0xc | out: lpmodinfo=0x231a504*(lpBaseOfDll=0xc80000, SizeOfImage=0x17000, EntryPoint=0xc814a1)) returned 1 [0128.538] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.538] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xc80000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="star-various.exe") returned 0x10 [0128.538] CoTaskMemFree (pv=0x88b0f0) [0128.538] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.538] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xc80000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Microsoft Office\\star-various.exe" (normalized: "c:\\program files\\microsoft office\\star-various.exe")) returned 0x32 [0128.539] CoTaskMemFree (pv=0x88b0f0) [0128.539] CloseHandle (hObject=0x2f0) returned 1 [0128.539] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe5c) returned 0x2f0 [0128.539] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x231c684, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x231c684, lpcbNeeded=0x19f434) returned 1 [0128.541] GetModuleInformation (in: hProcess=0x2f0, hModule=0xb40000, lpmodinfo=0x231c7c4, cb=0xc | out: lpmodinfo=0x231c7c4*(lpBaseOfDll=0xb40000, SizeOfImage=0x17000, EntryPoint=0xb414a1)) returned 1 [0128.541] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.541] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xb40000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="bitkinex.exe") returned 0xc [0128.542] CoTaskMemFree (pv=0x88b0f0) [0128.542] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.542] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xb40000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows NT\\bitkinex.exe" (normalized: "c:\\program files (x86)\\windows nt\\bitkinex.exe")) returned 0x2e [0128.542] CoTaskMemFree (pv=0x88b0f0) [0128.542] CloseHandle (hObject=0x2f0) returned 1 [0128.542] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xab0) returned 0x2f0 [0128.542] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x231e934, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x231e934, lpcbNeeded=0x19f434) returned 0 [0128.543] GetCurrentProcessId () returned 0x1384 [0128.543] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.543] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.543] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.549] CloseHandle (hObject=0x2f4) returned 1 [0128.549] CloseHandle (hObject=0x2f0) returned 1 [0128.549] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x390) returned 0x2f0 [0128.549] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x231eba8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x231eba8, lpcbNeeded=0x19f434) returned 0 [0128.549] GetCurrentProcessId () returned 0x1384 [0128.549] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.549] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.550] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.551] CloseHandle (hObject=0x2f4) returned 1 [0128.551] CloseHandle (hObject=0x2f0) returned 1 [0128.551] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd90) returned 0x2f0 [0128.551] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x231ee1c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x231ee1c, lpcbNeeded=0x19f434) returned 1 [0128.553] GetModuleInformation (in: hProcess=0x2f0, hModule=0x380000, lpmodinfo=0x231ef5c, cb=0xc | out: lpmodinfo=0x231ef5c*(lpBaseOfDll=0x380000, SizeOfImage=0x17000, EntryPoint=0x3814a1)) returned 1 [0128.553] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.553] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x380000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="onlybudgetplant.exe") returned 0x13 [0128.554] CoTaskMemFree (pv=0x88b0f0) [0128.554] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.554] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x380000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\WindowsPowerShell\\onlybudgetplant.exe" (normalized: "c:\\program files\\windowspowershell\\onlybudgetplant.exe")) returned 0x36 [0128.554] CoTaskMemFree (pv=0x88b0f0) [0128.554] CloseHandle (hObject=0x2f0) returned 1 [0128.555] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf18) returned 0x2f0 [0128.555] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x23210e8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x23210e8, lpcbNeeded=0x19f434) returned 1 [0128.556] GetModuleInformation (in: hProcess=0x2f0, hModule=0x13d0000, lpmodinfo=0x2321228, cb=0xc | out: lpmodinfo=0x2321228*(lpBaseOfDll=0x13d0000, SizeOfImage=0x17000, EntryPoint=0x13d14a1)) returned 1 [0128.557] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.557] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x13d0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="skype.exe") returned 0x9 [0128.557] CoTaskMemFree (pv=0x88b0f0) [0128.557] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.557] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x13d0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Common Files\\skype.exe" (normalized: "c:\\program files\\common files\\skype.exe")) returned 0x27 [0128.558] CoTaskMemFree (pv=0x88b0f0) [0128.558] CloseHandle (hObject=0x2f0) returned 1 [0128.558] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe4c) returned 0x2f0 [0128.558] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2323380, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2323380, lpcbNeeded=0x19f434) returned 1 [0128.560] GetModuleInformation (in: hProcess=0x2f0, hModule=0x170000, lpmodinfo=0x23234c0, cb=0xc | out: lpmodinfo=0x23234c0*(lpBaseOfDll=0x170000, SizeOfImage=0x17000, EntryPoint=0x1714a1)) returned 1 [0128.560] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.560] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x170000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="barca.exe") returned 0x9 [0128.561] CoTaskMemFree (pv=0x88b0f0) [0128.561] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.561] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x170000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Common Files\\barca.exe" (normalized: "c:\\program files (x86)\\common files\\barca.exe")) returned 0x2d [0128.562] CoTaskMemFree (pv=0x88b0f0) [0128.562] CloseHandle (hObject=0x2f0) returned 1 [0128.562] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf10) returned 0x2f0 [0128.562] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2325624, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2325624, lpcbNeeded=0x19f434) returned 1 [0128.564] GetModuleInformation (in: hProcess=0x2f0, hModule=0x13b0000, lpmodinfo=0x2325764, cb=0xc | out: lpmodinfo=0x2325764*(lpBaseOfDll=0x13b0000, SizeOfImage=0x17000, EntryPoint=0x13b14a1)) returned 1 [0128.564] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.564] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x13b0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="scriptftp.exe") returned 0xd [0128.565] CoTaskMemFree (pv=0x88b0f0) [0128.565] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.565] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x13b0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Media Player\\scriptftp.exe" (normalized: "c:\\program files\\windows media player\\scriptftp.exe")) returned 0x33 [0128.565] CoTaskMemFree (pv=0x88b0f0) [0128.565] CloseHandle (hObject=0x2f0) returned 1 [0128.565] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x138) returned 0x0 [0128.566] EnumProcesses (in: lpidProcess=0x23278dc, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x23278dc, lpcbNeeded=0x19f3a4) returned 1 [0128.567] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13 [0128.568] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1fc) returned 0x2f0 [0128.568] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x232843c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x232843c, lpcbNeeded=0x19f434) returned 0 [0128.569] GetCurrentProcessId () returned 0x1384 [0128.569] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.569] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.569] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.570] CloseHandle (hObject=0x2f4) returned 1 [0128.570] CloseHandle (hObject=0x2f0) returned 1 [0128.571] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xbfc) returned 0x2f0 [0128.571] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x23286b0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x23286b0, lpcbNeeded=0x19f434) returned 0 [0128.571] GetCurrentProcessId () returned 0x1384 [0128.571] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.571] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.571] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.573] CloseHandle (hObject=0x2f4) returned 1 [0128.573] CloseHandle (hObject=0x2f0) returned 1 [0128.573] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfd4) returned 0x2f0 [0128.573] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2328924, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2328924, lpcbNeeded=0x19f434) returned 1 [0128.575] GetModuleInformation (in: hProcess=0x2f0, hModule=0x12c0000, lpmodinfo=0x2328a64, cb=0xc | out: lpmodinfo=0x2328a64*(lpBaseOfDll=0x12c0000, SizeOfImage=0x17000, EntryPoint=0x12c14a1)) returned 1 [0128.575] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.575] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x12c0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="edcsvr.exe") returned 0xa [0128.576] CoTaskMemFree (pv=0x88b0f0) [0128.576] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.576] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x12c0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows NT\\edcsvr.exe" (normalized: "c:\\program files (x86)\\windows nt\\edcsvr.exe")) returned 0x2c [0128.576] CoTaskMemFree (pv=0x88b0f0) [0128.576] CloseHandle (hObject=0x2f0) returned 1 [0128.577] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd80) returned 0x2f0 [0128.577] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x232abcc, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x232abcc, lpcbNeeded=0x19f434) returned 1 [0128.578] GetModuleInformation (in: hProcess=0x2f0, hModule=0x380000, lpmodinfo=0x232ad0c, cb=0xc | out: lpmodinfo=0x232ad0c*(lpBaseOfDll=0x380000, SizeOfImage=0x17000, EntryPoint=0x3814a1)) returned 1 [0128.579] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.579] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x380000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="list-begin.exe") returned 0xe [0128.579] CoTaskMemFree (pv=0x88b0f0) [0128.579] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.579] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x380000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Common Files\\list-begin.exe" (normalized: "c:\\program files\\common files\\list-begin.exe")) returned 0x2c [0128.580] CoTaskMemFree (pv=0x88b0f0) [0128.580] CloseHandle (hObject=0x2f0) returned 1 [0128.580] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe44) returned 0x2f0 [0128.580] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x232ce7c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x232ce7c, lpcbNeeded=0x19f434) returned 1 [0128.582] GetModuleInformation (in: hProcess=0x2f0, hModule=0x2a0000, lpmodinfo=0x232cfbc, cb=0xc | out: lpmodinfo=0x232cfbc*(lpBaseOfDll=0x2a0000, SizeOfImage=0x17000, EntryPoint=0x2a14a1)) returned 1 [0128.582] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.582] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x2a0000, lpBaseName=0x88b0f0, nSize=0x800 | out: lpBaseName="alftp.exe") returned 0x9 [0128.583] CoTaskMemFree (pv=0x88b0f0) [0128.583] CoTaskMemAlloc (cb=0x804) returned 0x88b0f0 [0128.583] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x2a0000, lpFilename=0x88b0f0, nSize=0x800 | out: lpFilename="C:\\Program Files\\Reference Assemblies\\alftp.exe" (normalized: "c:\\program files\\reference assemblies\\alftp.exe")) returned 0x2f [0128.583] CoTaskMemFree (pv=0x88b0f0) [0128.583] CloseHandle (hObject=0x2f0) returned 1 [0128.583] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x378) returned 0x2f0 [0128.583] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x232f124, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x232f124, lpcbNeeded=0x19f434) returned 0 [0128.584] GetCurrentProcessId () returned 0x1384 [0128.584] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.584] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.584] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.585] CloseHandle (hObject=0x2f4) returned 1 [0128.585] CloseHandle (hObject=0x2f0) returned 1 [0128.585] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1094) returned 0x2f0 [0128.586] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x232f398, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x232f398, lpcbNeeded=0x19f434) returned 0 [0128.586] GetCurrentProcessId () returned 0x1384 [0128.586] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.586] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.586] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.587] CloseHandle (hObject=0x2f4) returned 1 [0128.587] CloseHandle (hObject=0x2f0) returned 1 [0128.587] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf00) returned 0x2f0 [0128.587] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x232f60c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x232f60c, lpcbNeeded=0x19f434) returned 1 [0128.589] GetModuleInformation (in: hProcess=0x2f0, hModule=0xd50000, lpmodinfo=0x232f74c, cb=0xc | out: lpmodinfo=0x232f74c*(lpBaseOfDll=0xd50000, SizeOfImage=0x17000, EntryPoint=0xd514a1)) returned 1 [0128.590] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.590] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xd50000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="pidgin.exe") returned 0xa [0128.590] CoTaskMemFree (pv=0x85c418) [0128.590] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.590] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xd50000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Microsoft Analysis Services\\pidgin.exe" (normalized: "c:\\program files (x86)\\microsoft analysis services\\pidgin.exe")) returned 0x3d [0128.596] CoTaskMemFree (pv=0x85c418) [0128.596] CloseHandle (hObject=0x2f0) returned 1 [0128.596] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfc0) returned 0x2f0 [0128.596] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x23318d4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x23318d4, lpcbNeeded=0x19f434) returned 1 [0128.598] GetModuleInformation (in: hProcess=0x2f0, hModule=0x2e0000, lpmodinfo=0x2331a14, cb=0xc | out: lpmodinfo=0x2331a14*(lpBaseOfDll=0x2e0000, SizeOfImage=0x17000, EntryPoint=0x2e14a1)) returned 1 [0128.599] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.599] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x2e0000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="centralcreditcard.exe") returned 0x15 [0128.599] CoTaskMemFree (pv=0x85c418) [0128.599] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.599] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x2e0000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Journal\\centralcreditcard.exe" (normalized: "c:\\program files\\windows journal\\centralcreditcard.exe")) returned 0x36 [0128.600] CoTaskMemFree (pv=0x85c418) [0128.600] CloseHandle (hObject=0x2f0) returned 1 [0128.600] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd70) returned 0x2f0 [0128.600] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2333ba4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2333ba4, lpcbNeeded=0x19f434) returned 1 [0128.603] GetModuleInformation (in: hProcess=0x2f0, hModule=0x1240000, lpmodinfo=0x2333ce4, cb=0xc | out: lpmodinfo=0x2333ce4*(lpBaseOfDll=0x1240000, SizeOfImage=0x17000, EntryPoint=0x12414a1)) returned 1 [0128.603] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.603] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x1240000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="heshot.exe") returned 0xa [0128.604] CoTaskMemFree (pv=0x85c418) [0128.604] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.604] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x1240000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Multimedia Platform\\heshot.exe" (normalized: "c:\\program files\\windows multimedia platform\\heshot.exe")) returned 0x37 [0128.605] CoTaskMemFree (pv=0x85c418) [0128.605] CloseHandle (hObject=0x2f0) returned 1 [0128.606] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe34) returned 0x2f0 [0128.606] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2335e60, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2335e60, lpcbNeeded=0x19f434) returned 1 [0128.609] GetModuleInformation (in: hProcess=0x2f0, hModule=0xdc0000, lpmodinfo=0x2335fa0, cb=0xc | out: lpmodinfo=0x2335fa0*(lpBaseOfDll=0xdc0000, SizeOfImage=0x17000, EntryPoint=0xdc14a1)) returned 1 [0128.609] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.609] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xdc0000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="absolutetelnet.exe") returned 0x12 [0128.610] CoTaskMemFree (pv=0x85c418) [0128.610] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.610] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xdc0000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files\\WindowsPowerShell\\absolutetelnet.exe" (normalized: "c:\\program files\\windowspowershell\\absolutetelnet.exe")) returned 0x35 [0128.611] CoTaskMemFree (pv=0x85c418) [0128.611] CloseHandle (hObject=0x2f0) returned 1 [0128.611] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xef8) returned 0x2f0 [0128.611] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2338128, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2338128, lpcbNeeded=0x19f434) returned 1 [0128.614] GetModuleInformation (in: hProcess=0x2f0, hModule=0x960000, lpmodinfo=0x2338268, cb=0xc | out: lpmodinfo=0x2338268*(lpBaseOfDll=0x960000, SizeOfImage=0x17000, EntryPoint=0x9614a1)) returned 1 [0128.614] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.614] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x960000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="outlook.exe") returned 0xb [0128.615] CoTaskMemFree (pv=0x85c418) [0128.615] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.615] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x960000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Common Files\\outlook.exe" (normalized: "c:\\program files (x86)\\common files\\outlook.exe")) returned 0x2f [0128.616] CoTaskMemFree (pv=0x85c418) [0128.616] CloseHandle (hObject=0x2f0) returned 1 [0128.616] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe2c) returned 0x2f0 [0128.616] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x233a3d4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x233a3d4, lpcbNeeded=0x19f434) returned 1 [0128.618] GetModuleInformation (in: hProcess=0x2f0, hModule=0xfd0000, lpmodinfo=0x233a514, cb=0xc | out: lpmodinfo=0x233a514*(lpBaseOfDll=0xfd0000, SizeOfImage=0x17000, EntryPoint=0xfd14a1)) returned 1 [0128.619] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.619] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xfd0000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="3dftp.exe") returned 0x9 [0128.620] CoTaskMemFree (pv=0x85c418) [0128.620] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.620] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xfd0000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Microsoft.NET\\3dftp.exe" (normalized: "c:\\program files (x86)\\microsoft.net\\3dftp.exe")) returned 0x2e [0128.620] CoTaskMemFree (pv=0x85c418) [0128.620] CloseHandle (hObject=0x2f0) returned 1 [0128.621] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1078) returned 0x0 [0128.621] EnumProcesses (in: lpidProcess=0x233c67c, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x233c67c, lpcbNeeded=0x19f3a4) returned 1 [0128.627] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf68) returned 0x2f0 [0128.628] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x233d028, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x233d028, lpcbNeeded=0x19f434) returned 1 [0128.630] GetModuleInformation (in: hProcess=0x2f0, hModule=0xb40000, lpmodinfo=0x233d168, cb=0xc | out: lpmodinfo=0x233d168*(lpBaseOfDll=0xb40000, SizeOfImage=0x17000, EntryPoint=0xb414a1)) returned 1 [0128.631] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.631] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xb40000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="winscp.exe") returned 0xa [0128.631] CoTaskMemFree (pv=0x85c418) [0128.631] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.632] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xb40000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Multimedia Platform\\winscp.exe" (normalized: "c:\\program files\\windows multimedia platform\\winscp.exe")) returned 0x37 [0128.632] CoTaskMemFree (pv=0x85c418) [0128.632] CloseHandle (hObject=0x2f0) returned 1 [0128.632] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x360) returned 0x2f0 [0128.632] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x233f2e4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x233f2e4, lpcbNeeded=0x19f434) returned 0 [0128.633] GetCurrentProcessId () returned 0x1384 [0128.633] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.633] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.633] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.635] CloseHandle (hObject=0x2f4) returned 1 [0128.635] CloseHandle (hObject=0x2f0) returned 1 [0128.635] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd60) returned 0x2f0 [0128.635] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x233f558, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x233f558, lpcbNeeded=0x19f434) returned 1 [0128.641] GetModuleInformation (in: hProcess=0x2f0, hModule=0x220000, lpmodinfo=0x233f698, cb=0xc | out: lpmodinfo=0x233f698*(lpBaseOfDll=0x220000, SizeOfImage=0x17000, EntryPoint=0x2214a1)) returned 1 [0128.641] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.642] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x220000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="upon.exe") returned 0x8 [0128.642] CoTaskMemFree (pv=0x85c418) [0128.642] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.642] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x220000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Portable Devices\\upon.exe" (normalized: "c:\\program files (x86)\\windows portable devices\\upon.exe")) returned 0x38 [0128.643] CoTaskMemFree (pv=0x85c418) [0128.643] CloseHandle (hObject=0x2f0) returned 1 [0128.643] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4e8) returned 0x2f0 [0128.643] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2341814, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2341814, lpcbNeeded=0x19f434) returned 1 [0128.645] GetModuleInformation (in: hProcess=0x2f0, hModule=0xc00000, lpmodinfo=0x2341954, cb=0xc | out: lpmodinfo=0x2341954*(lpBaseOfDll=0xc00000, SizeOfImage=0x17000, EntryPoint=0xc014a1)) returned 1 [0128.645] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.645] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xc00000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="omnipos.exe") returned 0xb [0128.646] CoTaskMemFree (pv=0x85c418) [0128.646] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.646] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xc00000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\omnipos.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\omnipos.exe")) returned 0x32 [0128.646] CoTaskMemFree (pv=0x85c418) [0128.646] CloseHandle (hObject=0x2f0) returned 1 [0128.646] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xee8) returned 0x2f0 [0128.646] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2343ac8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2343ac8, lpcbNeeded=0x19f434) returned 1 [0128.648] GetModuleInformation (in: hProcess=0x2f0, hModule=0xf30000, lpmodinfo=0x2343c08, cb=0xc | out: lpmodinfo=0x2343c08*(lpBaseOfDll=0xf30000, SizeOfImage=0x17000, EntryPoint=0xf314a1)) returned 1 [0128.649] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.649] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xf30000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="operamail.exe") returned 0xd [0128.649] CoTaskMemFree (pv=0x85c418) [0128.649] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.649] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xf30000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows NT\\operamail.exe" (normalized: "c:\\program files (x86)\\windows nt\\operamail.exe")) returned 0x2f [0128.650] CoTaskMemFree (pv=0x85c418) [0128.650] CloseHandle (hObject=0x2f0) returned 1 [0128.650] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f0 [0128.650] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2345d78, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2345d78, lpcbNeeded=0x19f434) returned 1 [0128.651] GetModuleInformation (in: hProcess=0x2f0, hModule=0x400000, lpmodinfo=0x2345eb8, cb=0xc | out: lpmodinfo=0x2345eb8*(lpBaseOfDll=0x400000, SizeOfImage=0x12000, EntryPoint=0x0)) returned 1 [0128.651] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.651] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x400000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe") returned 0x44 [0128.651] CoTaskMemFree (pv=0x85c418) [0128.651] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.651] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x400000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe")) returned 0x62 [0128.651] CoTaskMemFree (pv=0x85c418) [0128.652] CloseHandle (hObject=0x2f0) returned 1 [0128.652] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x294) returned 0x2f0 [0128.652] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2348100, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2348100, lpcbNeeded=0x19f434) returned 0 [0128.652] GetCurrentProcessId () returned 0x1384 [0128.652] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.652] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.652] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.654] CloseHandle (hObject=0x2f4) returned 1 [0128.655] CloseHandle (hObject=0x2f0) returned 1 [0128.655] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfa8) returned 0x2f0 [0128.655] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2348374, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2348374, lpcbNeeded=0x19f434) returned 1 [0128.657] GetModuleInformation (in: hProcess=0x2f0, hModule=0x140000, lpmodinfo=0x23484b4, cb=0xc | out: lpmodinfo=0x23484b4*(lpBaseOfDll=0x140000, SizeOfImage=0x17000, EntryPoint=0x1414a1)) returned 1 [0128.657] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.657] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x140000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="aldelo.exe") returned 0xa [0128.658] CoTaskMemFree (pv=0x85c418) [0128.658] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.658] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x140000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files\\WindowsPowerShell\\aldelo.exe" (normalized: "c:\\program files\\windowspowershell\\aldelo.exe")) returned 0x2d [0128.658] CoTaskMemFree (pv=0x85c418) [0128.658] CloseHandle (hObject=0x2f0) returned 1 [0128.658] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x7ec) returned 0x2f0 [0128.659] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x234a61c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x234a61c, lpcbNeeded=0x19f434) returned 0 [0128.659] GetCurrentProcessId () returned 0x1384 [0128.659] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.659] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.659] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.660] CloseHandle (hObject=0x2f4) returned 1 [0128.660] CloseHandle (hObject=0x2f0) returned 1 [0128.661] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4e0) returned 0x2f0 [0128.661] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x234a890, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x234a890, lpcbNeeded=0x19f434) returned 0 [0128.661] GetCurrentProcessId () returned 0x1384 [0128.661] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.661] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.661] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.662] CloseHandle (hObject=0x2f4) returned 1 [0128.663] CloseHandle (hObject=0x2f0) returned 1 [0128.663] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xee0) returned 0x2f0 [0128.663] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x234ab04, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x234ab04, lpcbNeeded=0x19f434) returned 1 [0128.665] GetModuleInformation (in: hProcess=0x2f0, hModule=0x8d0000, lpmodinfo=0x234ac44, cb=0xc | out: lpmodinfo=0x234ac44*(lpBaseOfDll=0x8d0000, SizeOfImage=0x17000, EntryPoint=0x8d14a1)) returned 1 [0128.665] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.665] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x8d0000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="notepad.exe") returned 0xb [0128.666] CoTaskMemFree (pv=0x85c418) [0128.666] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.666] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x8d0000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Multimedia Platform\\notepad.exe" (normalized: "c:\\program files (x86)\\windows multimedia platform\\notepad.exe")) returned 0x3e [0128.666] CoTaskMemFree (pv=0x85c418) [0128.666] CloseHandle (hObject=0x2f0) returned 1 [0128.666] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xddc) returned 0x2f0 [0128.666] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x234cdd0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x234cdd0, lpcbNeeded=0x19f434) returned 1 [0128.668] GetModuleInformation (in: hProcess=0x2f0, hModule=0x12e0000, lpmodinfo=0x234cf10, cb=0xc | out: lpmodinfo=0x234cf10*(lpBaseOfDll=0x12e0000, SizeOfImage=0x17000, EntryPoint=0x12e14a1)) returned 1 [0128.669] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.669] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x12e0000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="wide-represent.exe") returned 0x12 [0128.670] CoTaskMemFree (pv=0x85c418) [0128.670] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.670] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x12e0000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files\\Reference Assemblies\\wide-represent.exe" (normalized: "c:\\program files\\reference assemblies\\wide-represent.exe")) returned 0x38 [0128.670] CoTaskMemFree (pv=0x85c418) [0128.670] CloseHandle (hObject=0x2f0) returned 1 [0128.670] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x0 [0128.670] EnumProcesses (in: lpidProcess=0x234f0a0, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x234f0a0, lpcbNeeded=0x19f3a4) returned 1 [0128.672] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13 [0128.674] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb00) returned 0x2f0 [0128.674] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x234fc00, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x234fc00, lpcbNeeded=0x19f434) returned 0 [0128.674] GetCurrentProcessId () returned 0x1384 [0128.674] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.674] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.674] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.676] CloseHandle (hObject=0x2f4) returned 1 [0128.676] CloseHandle (hObject=0x2f0) returned 1 [0128.676] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd4c) returned 0x2f0 [0128.676] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x234fe74, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x234fe74, lpcbNeeded=0x19f434) returned 1 [0128.678] GetModuleInformation (in: hProcess=0x2f0, hModule=0x1000000, lpmodinfo=0x234ffb4, cb=0xc | out: lpmodinfo=0x234ffb4*(lpBaseOfDll=0x1000000, SizeOfImage=0x17000, EntryPoint=0x10014a1)) returned 1 [0128.678] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.678] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x1000000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="laymoneyremain.exe") returned 0x12 [0128.679] CoTaskMemFree (pv=0x85c418) [0128.679] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.679] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x1000000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Defender\\laymoneyremain.exe" (normalized: "c:\\program files\\windows defender\\laymoneyremain.exe")) returned 0x34 [0128.679] CoTaskMemFree (pv=0x85c418) [0128.679] CloseHandle (hObject=0x2f0) returned 1 [0128.680] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c0) returned 0x0 [0128.680] EnumProcesses (in: lpidProcess=0x235213c, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x235213c, lpcbNeeded=0x19f3a4) returned 1 [0128.681] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13 [0128.682] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf98) returned 0x2f0 [0128.682] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2352c9c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2352c9c, lpcbNeeded=0x19f434) returned 1 [0128.684] GetModuleInformation (in: hProcess=0x2f0, hModule=0xed0000, lpmodinfo=0x2352ddc, cb=0xc | out: lpmodinfo=0x2352ddc*(lpBaseOfDll=0xed0000, SizeOfImage=0x17000, EntryPoint=0xed14a1)) returned 1 [0128.686] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.686] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xed0000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="afr38.exe") returned 0x9 [0128.687] CoTaskMemFree (pv=0x85c418) [0128.687] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.687] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xed0000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Reference Assemblies\\afr38.exe" (normalized: "c:\\program files (x86)\\reference assemblies\\afr38.exe")) returned 0x35 [0128.688] CoTaskMemFree (pv=0x85c418) [0128.688] CloseHandle (hObject=0x2f0) returned 1 [0128.688] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe0c) returned 0x2f0 [0128.688] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2354f50, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2354f50, lpcbNeeded=0x19f434) returned 1 [0128.690] GetModuleInformation (in: hProcess=0x2f0, hModule=0x1060000, lpmodinfo=0x2355090, cb=0xc | out: lpmodinfo=0x2355090*(lpBaseOfDll=0x1060000, SizeOfImage=0x17000, EntryPoint=0x10614a1)) returned 1 [0128.690] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.690] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x1060000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="expert_right.exe") returned 0x10 [0128.690] CoTaskMemFree (pv=0x85c418) [0128.691] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.691] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x1060000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\expert_right.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\expert_right.exe")) returned 0x37 [0128.691] CoTaskMemFree (pv=0x85c418) [0128.691] CloseHandle (hObject=0x2f0) returned 1 [0128.691] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xed0) returned 0x2f0 [0128.691] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2357218, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2357218, lpcbNeeded=0x19f434) returned 1 [0128.693] GetModuleInformation (in: hProcess=0x2f0, hModule=0xbd0000, lpmodinfo=0x2357358, cb=0xc | out: lpmodinfo=0x2357358*(lpBaseOfDll=0xbd0000, SizeOfImage=0x17000, EntryPoint=0xbd14a1)) returned 1 [0128.693] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.693] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xbd0000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="ncftp.exe") returned 0x9 [0128.694] CoTaskMemFree (pv=0x85c418) [0128.694] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.694] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xbd0000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Photo Viewer\\ncftp.exe" (normalized: "c:\\program files (x86)\\windows photo viewer\\ncftp.exe")) returned 0x35 [0128.695] CoTaskMemFree (pv=0x85c418) [0128.695] CloseHandle (hObject=0x2f0) returned 1 [0128.695] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x11e0) returned 0x2f0 [0128.695] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x23594cc, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x23594cc, lpcbNeeded=0x19f434) returned 0 [0128.695] GetCurrentProcessId () returned 0x1384 [0128.695] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.695] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.695] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.697] CloseHandle (hObject=0x2f4) returned 1 [0128.697] CloseHandle (hObject=0x2f0) returned 1 [0128.698] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf90) returned 0x2f0 [0128.698] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2359740, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2359740, lpcbNeeded=0x19f434) returned 1 [0128.700] GetModuleInformation (in: hProcess=0x2f0, hModule=0xb0000, lpmodinfo=0x2359880, cb=0xc | out: lpmodinfo=0x2359880*(lpBaseOfDll=0xb0000, SizeOfImage=0x17000, EntryPoint=0xb14a1)) returned 1 [0128.700] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.700] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xb0000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="accupos.exe") returned 0xb [0128.701] CoTaskMemFree (pv=0x85c418) [0128.701] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.701] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xb0000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files\\Common Files\\accupos.exe" (normalized: "c:\\program files\\common files\\accupos.exe")) returned 0x29 [0128.702] CoTaskMemFree (pv=0x85c418) [0128.702] CloseHandle (hObject=0x2f0) returned 1 [0128.702] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd40) returned 0x2f0 [0128.702] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x235b9e0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x235b9e0, lpcbNeeded=0x19f434) returned 1 [0128.704] GetModuleInformation (in: hProcess=0x2f0, hModule=0x970000, lpmodinfo=0x235bb20, cb=0xc | out: lpmodinfo=0x235bb20*(lpBaseOfDll=0x970000, SizeOfImage=0x17000, EntryPoint=0x9714a1)) returned 1 [0128.704] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.704] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x970000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="maintain_consider.exe") returned 0x15 [0128.705] CoTaskMemFree (pv=0x85c418) [0128.705] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.705] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x970000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files\\Common Files\\maintain_consider.exe" (normalized: "c:\\program files\\common files\\maintain_consider.exe")) returned 0x33 [0128.705] CoTaskMemFree (pv=0x85c418) [0128.705] CloseHandle (hObject=0x2f0) returned 1 [0128.705] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xec8) returned 0x2f0 [0128.705] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x235dca8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x235dca8, lpcbNeeded=0x19f434) returned 1 [0128.707] GetModuleInformation (in: hProcess=0x2f0, hModule=0x12f0000, lpmodinfo=0x235dde8, cb=0xc | out: lpmodinfo=0x235dde8*(lpBaseOfDll=0x12f0000, SizeOfImage=0x17000, EntryPoint=0x12f14a1)) returned 1 [0128.708] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.708] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x12f0000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="leechftp.exe") returned 0xc [0128.708] CoTaskMemFree (pv=0x85c418) [0128.708] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.708] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x12f0000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\MSBuild\\leechftp.exe" (normalized: "c:\\program files (x86)\\msbuild\\leechftp.exe")) returned 0x2b [0128.709] CoTaskMemFree (pv=0x85c418) [0128.709] CloseHandle (hObject=0x2f0) returned 1 [0128.709] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x274) returned 0x2f0 [0128.709] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x235ff50, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x235ff50, lpcbNeeded=0x19f434) returned 0 [0128.709] GetCurrentProcessId () returned 0x1384 [0128.709] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.709] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.709] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.711] CloseHandle (hObject=0x2f4) returned 1 [0128.711] CloseHandle (hObject=0x2f0) returned 1 [0128.711] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x64c) returned 0x2f0 [0128.711] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x23601c4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x23601c4, lpcbNeeded=0x19f434) returned 0 [0128.711] GetCurrentProcessId () returned 0x1384 [0128.711] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.711] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.711] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.712] CloseHandle (hObject=0x2f4) returned 1 [0128.712] CloseHandle (hObject=0x2f0) returned 1 [0128.713] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd38) returned 0x2f0 [0128.713] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2360438, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2360438, lpcbNeeded=0x19f434) returned 1 [0128.714] GetModuleInformation (in: hProcess=0x2f0, hModule=0x10a0000, lpmodinfo=0x2360578, cb=0xc | out: lpmodinfo=0x2360578*(lpBaseOfDll=0x10a0000, SizeOfImage=0x17000, EntryPoint=0x10a14a1)) returned 1 [0128.715] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.715] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x10a0000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="taskenter.exe") returned 0xd [0128.715] CoTaskMemFree (pv=0x85c418) [0128.715] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.715] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x10a0000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Mozilla Firefox\\taskenter.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\taskenter.exe")) returned 0x34 [0128.717] CoTaskMemFree (pv=0x85c418) [0128.717] CloseHandle (hObject=0x2f0) returned 1 [0128.717] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdfc) returned 0x2f0 [0128.717] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x23626f4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x23626f4, lpcbNeeded=0x19f434) returned 1 [0128.719] GetModuleInformation (in: hProcess=0x2f0, hModule=0x1000000, lpmodinfo=0x2362834, cb=0xc | out: lpmodinfo=0x2362834*(lpBaseOfDll=0x1000000, SizeOfImage=0x17000, EntryPoint=0x10014a1)) returned 1 [0128.719] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.719] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x1000000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="centralteach.exe") returned 0x10 [0128.719] CoTaskMemFree (pv=0x85c418) [0128.720] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.720] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x1000000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\centralteach.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\centralteach.exe")) returned 0x37 [0128.720] CoTaskMemFree (pv=0x85c418) [0128.720] CloseHandle (hObject=0x2f0) returned 1 [0128.720] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xff0) returned 0x2f0 [0128.720] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x23649bc, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x23649bc, lpcbNeeded=0x19f434) returned 1 [0128.722] GetModuleInformation (in: hProcess=0x2f0, hModule=0x300000, lpmodinfo=0x2364afc, cb=0xc | out: lpmodinfo=0x2364afc*(lpBaseOfDll=0x300000, SizeOfImage=0x17000, EntryPoint=0x3014a1)) returned 1 [0128.723] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.723] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x300000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="isspos.exe") returned 0xa [0128.723] CoTaskMemFree (pv=0x85c418) [0128.723] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.723] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x300000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files\\Microsoft Office\\isspos.exe" (normalized: "c:\\program files\\microsoft office\\isspos.exe")) returned 0x2c [0128.724] CoTaskMemFree (pv=0x85c418) [0128.724] CloseHandle (hObject=0x2f0) returned 1 [0128.724] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x894) returned 0x2f0 [0128.724] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2366c64, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2366c64, lpcbNeeded=0x19f434) returned 0 [0128.727] GetCurrentProcessId () returned 0x1384 [0128.727] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.727] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.727] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.729] CloseHandle (hObject=0x2f4) returned 1 [0128.729] CloseHandle (hObject=0x2f0) returned 1 [0128.729] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x3f4) returned 0x2f0 [0128.729] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2366ed8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2366ed8, lpcbNeeded=0x19f434) returned 0 [0128.729] GetCurrentProcessId () returned 0x1384 [0128.729] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.729] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.729] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.730] CloseHandle (hObject=0x2f4) returned 1 [0128.730] CloseHandle (hObject=0x2f0) returned 1 [0128.731] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdf4) returned 0x2f0 [0128.731] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x236714c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x236714c, lpcbNeeded=0x19f434) returned 1 [0128.734] GetModuleInformation (in: hProcess=0x2f0, hModule=0x210000, lpmodinfo=0x236728c, cb=0xc | out: lpmodinfo=0x236728c*(lpBaseOfDll=0x210000, SizeOfImage=0x17000, EntryPoint=0x2114a1)) returned 1 [0128.734] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.734] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x210000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="always interest bad.exe") returned 0x17 [0128.735] CoTaskMemFree (pv=0x85c418) [0128.735] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.735] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x210000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\always interest bad.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\always interest bad.exe")) returned 0x3e [0128.735] CoTaskMemFree (pv=0x85c418) [0128.735] CloseHandle (hObject=0x2f0) returned 1 [0128.735] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xeb8) returned 0x2f0 [0128.735] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2369430, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2369430, lpcbNeeded=0x19f434) returned 1 [0128.737] GetModuleInformation (in: hProcess=0x2f0, hModule=0xc60000, lpmodinfo=0x2369570, cb=0xc | out: lpmodinfo=0x2369570*(lpBaseOfDll=0xc60000, SizeOfImage=0x17000, EntryPoint=0xc614a1)) returned 1 [0128.738] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.738] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xc60000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="icq.exe") returned 0x7 [0128.738] CoTaskMemFree (pv=0x85c418) [0128.738] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.738] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xc60000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Portable Devices\\icq.exe" (normalized: "c:\\program files (x86)\\windows portable devices\\icq.exe")) returned 0x37 [0128.739] CoTaskMemFree (pv=0x85c418) [0128.739] CloseHandle (hObject=0x2f0) returned 1 [0128.739] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf7c) returned 0x2f0 [0128.739] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x236b6e4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x236b6e4, lpcbNeeded=0x19f434) returned 1 [0128.741] GetModuleInformation (in: hProcess=0x2f0, hModule=0xb50000, lpmodinfo=0x236b824, cb=0xc | out: lpmodinfo=0x236b824*(lpBaseOfDll=0xb50000, SizeOfImage=0x17000, EntryPoint=0xb514a1)) returned 1 [0128.741] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.741] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xb50000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="active-charge.exe") returned 0x11 [0128.742] CoTaskMemFree (pv=0x85c418) [0128.742] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.742] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xb50000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Portable Devices\\active-charge.exe" (normalized: "c:\\program files (x86)\\windows portable devices\\active-charge.exe")) returned 0x41 [0128.742] CoTaskMemFree (pv=0x85c418) [0128.742] CloseHandle (hObject=0x2f0) returned 1 [0128.742] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xeb0) returned 0x2f0 [0128.742] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x236d9c0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x236d9c0, lpcbNeeded=0x19f434) returned 1 [0128.744] GetModuleInformation (in: hProcess=0x2f0, hModule=0x1290000, lpmodinfo=0x236db00, cb=0xc | out: lpmodinfo=0x236db00*(lpBaseOfDll=0x1290000, SizeOfImage=0x17000, EntryPoint=0x12914a1)) returned 1 [0128.745] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.745] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x1290000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="gmailnotifierpro.exe") returned 0x14 [0128.745] CoTaskMemFree (pv=0x85c418) [0128.745] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.745] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x1290000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Microsoft.NET\\gmailnotifierpro.exe" (normalized: "c:\\program files (x86)\\microsoft.net\\gmailnotifierpro.exe")) returned 0x39 [0128.746] CoTaskMemFree (pv=0x85c418) [0128.746] CloseHandle (hObject=0x2f0) returned 1 [0128.746] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x11c0) returned 0x2f0 [0128.746] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x236fc94, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x236fc94, lpcbNeeded=0x19f434) returned 0 [0128.746] GetCurrentProcessId () returned 0x1384 [0128.746] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.746] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.746] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.748] CloseHandle (hObject=0x2f4) returned 1 [0128.748] CloseHandle (hObject=0x2f0) returned 1 [0128.748] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf70) returned 0x2f0 [0128.748] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x236ff08, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x236ff08, lpcbNeeded=0x19f434) returned 1 [0128.750] GetModuleInformation (in: hProcess=0x2f0, hModule=0x860000, lpmodinfo=0x2370048, cb=0xc | out: lpmodinfo=0x2370048*(lpBaseOfDll=0x860000, SizeOfImage=0x17000, EntryPoint=0x8614a1)) returned 1 [0128.750] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.750] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x860000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="yahoomessenger.exe") returned 0x12 [0128.751] CoTaskMemFree (pv=0x85c418) [0128.751] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.751] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x860000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Microsoft.NET\\yahoomessenger.exe" (normalized: "c:\\program files (x86)\\microsoft.net\\yahoomessenger.exe")) returned 0x37 [0128.751] CoTaskMemFree (pv=0x85c418) [0128.751] CloseHandle (hObject=0x2f0) returned 1 [0128.752] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xde4) returned 0x2f0 [0128.752] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x23721d4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x23721d4, lpcbNeeded=0x19f434) returned 1 [0128.753] GetModuleInformation (in: hProcess=0x2f0, hModule=0x920000, lpmodinfo=0x2372314, cb=0xc | out: lpmodinfo=0x2372314*(lpBaseOfDll=0x920000, SizeOfImage=0x17000, EntryPoint=0x9214a1)) returned 1 [0128.754] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.754] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0x920000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="open consumer reality.exe") returned 0x19 [0128.754] CoTaskMemFree (pv=0x85c418) [0128.754] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.754] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0x920000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files\\Internet Explorer\\open consumer reality.exe" (normalized: "c:\\program files\\internet explorer\\open consumer reality.exe")) returned 0x3c [0128.755] CoTaskMemFree (pv=0x85c418) [0128.755] CloseHandle (hObject=0x2f0) returned 1 [0128.756] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x7b4) returned 0x2f0 [0128.756] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2374694, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2374694, lpcbNeeded=0x19f434) returned 0 [0128.757] GetCurrentProcessId () returned 0x1384 [0128.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1384) returned 0x2f4 [0128.757] IsWow64Process (in: hProcess=0x2f4, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1 [0128.757] IsWow64Process (in: hProcess=0x2f0, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1 [0128.758] CloseHandle (hObject=0x2f4) returned 1 [0128.758] CloseHandle (hObject=0x2f0) returned 1 [0128.758] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xea0) returned 0x2f0 [0128.758] EnumProcessModules (in: hProcess=0x2f0, lphModule=0x2374908, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2374908, lpcbNeeded=0x19f434) returned 1 [0128.760] GetModuleInformation (in: hProcess=0x2f0, hModule=0xb30000, lpmodinfo=0x2374a48, cb=0xc | out: lpmodinfo=0x2374a48*(lpBaseOfDll=0xb30000, SizeOfImage=0x17000, EntryPoint=0xb314a1)) returned 1 [0128.761] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.761] GetModuleBaseNameW (in: hProcess=0x2f0, hModule=0xb30000, lpBaseName=0x85c418, nSize=0x800 | out: lpBaseName="foxmailincmail.exe") returned 0x12 [0128.761] CoTaskMemFree (pv=0x85c418) [0128.761] CoTaskMemAlloc (cb=0x804) returned 0x85c418 [0128.761] GetModuleFileNameExW (in: hProcess=0x2f0, hModule=0xb30000, lpFilename=0x85c418, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\WindowsPowerShell\\foxmailincmail.exe" (normalized: "c:\\program files (x86)\\windowspowershell\\foxmailincmail.exe")) returned 0x3b [0128.762] CoTaskMemFree (pv=0x85c418) [0128.762] CloseHandle (hObject=0x2f0) returned 1 [0128.772] GetCurrentProcess () returned 0xffffffff [0128.773] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f404 | out: TokenHandle=0x19f404*=0x2f0) returned 1 [0128.778] GetTokenInformation (in: TokenHandle=0x2f0, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19f404 | out: TokenInformation=0x0, ReturnLength=0x19f404) returned 0 [0128.778] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x8430f0 [0128.778] GetTokenInformation (in: TokenHandle=0x2f0, TokenInformationClass=0x8, TokenInformation=0x8430f0, TokenInformationLength=0x4, ReturnLength=0x19f404 | out: TokenInformation=0x8430f0, ReturnLength=0x19f404) returned 1 [0128.780] LocalFree (hMem=0x8430f0) returned 0x0 [0128.781] DuplicateTokenEx (in: hExistingToken=0x2f0, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x19f40c | out: phNewToken=0x19f40c*=0x2f4) returned 1 [0128.781] CheckTokenMembership (in: TokenHandle=0x2f4, SidToCheck=0x2377ad4*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x19f41c | out: IsMember=0x19f41c) returned 1 [0128.781] CloseHandle (hObject=0x2f4) returned 1 [0128.789] LocalAlloc (uFlags=0x0, uBytes=0x8) returned 0x8430d0 [0128.789] LocalAlloc (uFlags=0x0, uBytes=0xfc) returned 0x889ef8 [0133.710] LocalFree (hMem=0x8430d0) returned 0x0 [0133.711] LocalFree (hMem=0x889ef8) returned 0x0 [0133.712] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", nBufferLength=0x105, lpBuffer=0x19ef28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", lpFilePart=0x0) returned 0x31 [0133.712] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f3d0) returned 1 [0133.712] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\svchost.exe"), fInfoLevelId=0x0, lpFileInformation=0x19f44c | out: lpFileInformation=0x19f44c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0133.712] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f3cc) returned 1 [0133.713] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", nBufferLength=0x105, lpBuffer=0x19ee48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", lpFilePart=0x0) returned 0x31 [0133.713] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f380) returned 1 [0133.714] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\svchost.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x31c [0133.715] GetFileType (hFile=0x31c) returned 0x1 [0133.715] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f37c) returned 1 [0133.715] GetFileType (hFile=0x31c) returned 0x1 [0133.717] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe", nBufferLength=0x105, lpBuffer=0x19ee24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe", lpFilePart=0x0) returned 0x62 [0133.717] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f35c) returned 1 [0133.717] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x32c [0133.718] GetFileType (hFile=0x32c) returned 0x1 [0133.718] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f358) returned 1 [0133.718] GetFileType (hFile=0x32c) returned 0x1 [0133.718] GetFileSize (in: hFile=0x32c, lpFileSizeHigh=0x19f458 | out: lpFileSizeHigh=0x19f458*=0x0) returned 0xc000 [0133.719] ReadFile (in: hFile=0x32c, lpBuffer=0x237850c, nNumberOfBytesToRead=0xc000, lpNumberOfBytesRead=0x19f404, lpOverlapped=0x0 | out: lpBuffer=0x237850c*, lpNumberOfBytesRead=0x19f404*=0xc000, lpOverlapped=0x0) returned 1 [0133.719] CloseHandle (hObject=0x32c) returned 1 [0133.720] WriteFile (in: hFile=0x31c, lpBuffer=0x237850c*, nNumberOfBytesToWrite=0xc000, lpNumberOfBytesWritten=0x19f43c, lpOverlapped=0x0 | out: lpBuffer=0x237850c*, lpNumberOfBytesWritten=0x19f43c*=0xc000, lpOverlapped=0x0) returned 1 [0133.737] CloseHandle (hObject=0x2d8) returned 1 [0133.738] CoTaskMemAlloc (cb=0x20c) returned 0x88c640 [0133.738] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x88c640 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25 [0133.738] CoTaskMemFree (pv=0x88c640) [0133.738] GetLongPathNameW (in: lpszShortPath="C:\\Users\\RDHJ0C~1\\", lpszLongPath=0x19ef10, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\RDhJ0CNFevzX\\") returned 0x16 [0133.739] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x19ef24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x29 [0133.739] CoTaskMemAlloc (cb=0x20c) returned 0x88c640 [0133.739] GetTempFileNameW (in: lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpPrefixString="tmp", uUnique=0x0, lpTempFileName=0x88c640 | out: lpTempFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp")) returned 0xb6e4 [0133.741] CoTaskMemFree (pv=0x88c640) [0133.784] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat", nBufferLength=0x105, lpBuffer=0x19ee08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat", lpFilePart=0x0) returned 0x38 [0133.784] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f340) returned 1 [0133.784] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2d8 [0133.785] GetFileType (hFile=0x2d8) returned 0x1 [0133.785] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f33c) returned 1 [0133.785] GetFileType (hFile=0x2d8) returned 0x1 [0133.785] CoTaskMemAlloc (cb=0x20c) returned 0x88c640 [0133.785] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x88c640 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25 [0133.786] CoTaskMemFree (pv=0x88c640) [0133.786] GetLongPathNameW (in: lpszShortPath="C:\\Users\\RDHJ0C~1\\", lpszLongPath=0x19ef20, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\RDhJ0CNFevzX\\") returned 0x16 [0133.787] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x19ef34, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x29 [0133.788] WriteFile (in: hFile=0x2d8, lpBuffer=0x23870ec*, nNumberOfBytesToWrite=0xa5, lpNumberOfBytesWritten=0x19f3dc, lpOverlapped=0x0 | out: lpBuffer=0x23870ec*, lpNumberOfBytesWritten=0x19f3dc*=0xa5, lpOverlapped=0x0) returned 1 [0133.789] CloseHandle (hObject=0x2d8) returned 1 [0133.796] CoTaskMemAlloc (cb=0x20e) returned 0x88c640 [0133.796] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x88c640 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0133.796] CoTaskMemFree (pv=0x88c640) [0133.798] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f1e8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2388420 | out: lpCommandLine="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"", lpProcessInformation=0x2388420*(hProcess=0x32c, hThread=0x2d8, dwProcessId=0xcb4, dwThreadId=0xcb0)) returned 1 [0133.826] CloseHandle (hObject=0x2d8) returned 1 [0133.831] CoGetContextToken (in: pToken=0x19f320 | out: pToken=0x19f320) returned 0x0 [0133.831] CObjectContext::QueryInterface () returned 0x0 [0133.831] CObjectContext::GetCurrentThreadType () returned 0x0 [0133.831] Release () returned 0x0 [0133.832] CoGetContextToken (in: pToken=0x19f03c | out: pToken=0x19f03c) returned 0x0 [0133.832] CObjectContext::QueryInterface () returned 0x0 [0133.832] CObjectContext::GetCurrentThreadType () returned 0x0 [0133.832] Release () returned 0x0 [0133.834] CoGetContextToken (in: pToken=0x19f03c | out: pToken=0x19f03c) returned 0x0 [0133.834] CObjectContext::QueryInterface () returned 0x0 [0133.834] CObjectContext::GetCurrentThreadType () returned 0x0 [0133.834] Release () returned 0x0 [0133.928] CoGetContextToken (in: pToken=0x19f03c | out: pToken=0x19f03c) returned 0x0 [0133.928] CObjectContext::QueryInterface () returned 0x0 [0133.928] CObjectContext::GetCurrentThreadType () returned 0x0 [0133.928] Release () returned 0x0 [0133.976] CoGetContextToken (in: pToken=0x19f054 | out: pToken=0x19f054) returned 0x0 [0133.976] CObjectContext::QueryInterface () returned 0x0 [0133.976] CObjectContext::GetCurrentThreadType () returned 0x0 [0133.976] Release () returned 0x0 [0133.976] CoUninitialize () Thread: id = 2 os_tid = 0x13a4 Thread: id = 3 os_tid = 0x13cc Thread: id = 4 os_tid = 0x13d0 [0109.480] CoGetContextToken (in: pToken=0x434fc74 | out: pToken=0x434fc74) returned 0x0 [0109.480] CObjectContext::QueryInterface () returned 0x0 [0109.481] CObjectContext::GetCurrentThreadType () returned 0x0 [0109.481] Release () returned 0x0 [0109.481] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0109.481] RoInitialize () returned 0x1 [0109.481] RoUninitialize () returned 0x0 [0133.833] EtwEventUnregister (RegHandle=0x83c3f8) returned 0x0 [0133.930] CloseHandle (hObject=0x31c) returned 1 [0133.949] CloseHandle (hObject=0x2f0) returned 1 [0133.950] CloseHandle (hObject=0x32c) returned 1 [0133.952] CloseHandle (hObject=0x45c) returned 1 [0133.954] LocalFree (hMem=0x841cc0) returned 0x0 [0133.954] CertFreeCertificateContext (pCertContext=0x8460f0) returned 1 [0133.956] CryptDestroyKey (hKey=0x83eed0) returned 1 [0133.956] CryptReleaseContext (hProv=0x8473c8, dwFlags=0x0) returned 1 [0133.957] CryptReleaseContext (hProv=0x8473c8, dwFlags=0x0) returned 1 [0133.957] CryptDestroyKey (hKey=0x83ead0) returned 1 [0133.957] CryptReleaseContext (hProv=0x847ab0, dwFlags=0x0) returned 1 [0133.957] CryptReleaseContext (hProv=0x847ab0, dwFlags=0x0) returned 1 [0133.958] CryptDestroyKey (hKey=0x83e510) returned 1 [0133.958] CryptReleaseContext (hProv=0x847098, dwFlags=0x0) returned 1 [0133.959] CryptReleaseContext (hProv=0x847098, dwFlags=0x0) returned 1 [0133.959] CryptDestroyKey (hKey=0x83e2d0) returned 1 [0133.960] CryptReleaseContext (hProv=0x8476f8, dwFlags=0x0) returned 1 [0133.960] CryptReleaseContext (hProv=0x8476f8, dwFlags=0x0) returned 1 [0133.960] CryptDestroyKey (hKey=0x83e810) returned 1 [0133.960] CryptReleaseContext (hProv=0x846f00, dwFlags=0x0) returned 1 [0133.961] CryptReleaseContext (hProv=0x846f00, dwFlags=0x0) returned 1 [0133.961] CryptDestroyKey (hKey=0x83e290) returned 1 [0133.961] CryptReleaseContext (hProv=0x847918, dwFlags=0x0) returned 1 [0133.961] CryptReleaseContext (hProv=0x847918, dwFlags=0x0) returned 1 [0133.962] CryptDestroyKey (hKey=0x83e710) returned 1 [0133.962] CryptReleaseContext (hProv=0x847b38, dwFlags=0x0) returned 1 [0133.962] CryptReleaseContext (hProv=0x847b38, dwFlags=0x0) returned 1 [0133.962] CryptDestroyKey (hKey=0x83e8d0) returned 1 [0133.963] CryptReleaseContext (hProv=0x847c48, dwFlags=0x0) returned 1 [0133.963] CryptReleaseContext (hProv=0x847c48, dwFlags=0x0) returned 1 [0133.963] CryptDestroyKey (hKey=0x83e450) returned 1 [0133.963] CryptReleaseContext (hProv=0x847340, dwFlags=0x0) returned 1 [0133.964] CryptReleaseContext (hProv=0x847340, dwFlags=0x0) returned 1 [0133.964] CryptDestroyKey (hKey=0x83e1d0) returned 1 [0133.964] CryptReleaseContext (hProv=0x847780, dwFlags=0x0) returned 1 [0133.964] CryptReleaseContext (hProv=0x847780, dwFlags=0x0) returned 1 [0133.965] RegCloseKey (hKey=0x80000004) returned 0x0 [0133.965] CryptDestroyKey (hKey=0x83e410) returned 1 [0133.965] CryptReleaseContext (hProv=0x8472b8, dwFlags=0x0) returned 1 [0133.966] CryptReleaseContext (hProv=0x8472b8, dwFlags=0x0) returned 1 Thread: id = 5 os_tid = 0xd08 [0128.803] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0129.631] RoInitialize () returned 0x1 [0129.632] RoUninitialize () returned 0x0 [0129.643] ShellExecuteExW (in: pExecInfo=0x2377f90*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd", lpParameters="/c schtasks /create /f /sc onlogon /rl highest /tn \"svchost\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe\"' & exit", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2377f90*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd", lpParameters="/c schtasks /create /f /sc onlogon /rl highest /tn \"svchost\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe\"' & exit", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x45c)) returned 1 [0133.657] CoGetContextToken (in: pToken=0x4a0fd20 | out: pToken=0x4a0fd20) returned 0x0 [0133.661] CoUninitialize () Thread: id = 6 os_tid = 0xd04 Thread: id = 7 os_tid = 0xd00 Thread: id = 8 os_tid = 0xcc0 Thread: id = 9 os_tid = 0xcc4 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x73c01000" os_pid = "0xcbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x1384" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c schtasks /create /f /sc onlogon /rl highest /tn \"svchost\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe\"' & exit" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 401 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 402 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 403 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 404 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 405 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 406 start_va = 0x1a0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x1b4fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 407 start_va = 0x200000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 408 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 409 start_va = 0x4400000 end_va = 0x4403fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004400000" filename = "" Region: id = 410 start_va = 0x4410000 end_va = 0x4410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004410000" filename = "" Region: id = 411 start_va = 0x4420000 end_va = 0x4421fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004420000" filename = "" Region: id = 412 start_va = 0x771d0000 end_va = 0x7734afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 413 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 414 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 415 start_va = 0x7fff0000 end_va = 0x7dfa1676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 416 start_va = 0x7dfa16770000 end_va = 0x7ffa1676ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfa16770000" filename = "" Region: id = 417 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 418 start_va = 0x7ffa16931000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffa16931000" filename = "" Region: id = 419 start_va = 0x4430000 end_va = 0x44dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004430000" filename = "" Region: id = 420 start_va = 0x640d0000 end_va = 0x6411ffff monitored = 0 entry_point = 0x640e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 421 start_va = 0x64050000 end_va = 0x640c9fff monitored = 0 entry_point = 0x64063290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 422 start_va = 0x76720000 end_va = 0x767fffff monitored = 0 entry_point = 0x76733980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 423 start_va = 0x64120000 end_va = 0x64127fff monitored = 0 entry_point = 0x641217c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 442 start_va = 0x44e0000 end_va = 0x460ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 443 start_va = 0x76720000 end_va = 0x767fffff monitored = 0 entry_point = 0x76733980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 444 start_va = 0x76910000 end_va = 0x76a8dfff monitored = 0 entry_point = 0x769c1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 445 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 446 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 607 start_va = 0x4610000 end_va = 0x46cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 608 start_va = 0x76a90000 end_va = 0x76b4dfff monitored = 0 entry_point = 0x76ac5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 609 start_va = 0x4430000 end_va = 0x446ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004430000" filename = "" Region: id = 610 start_va = 0x44d0000 end_va = 0x44dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044d0000" filename = "" Region: id = 611 start_va = 0x46d0000 end_va = 0x47cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046d0000" filename = "" Region: id = 612 start_va = 0x47d0000 end_va = 0x491ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000047d0000" filename = "" Region: id = 613 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 614 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 615 start_va = 0x4920000 end_va = 0x4c56fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 10 os_tid = 0xcb8 [0152.319] GetProcAddress (hModule=0x76720000, lpProcName="SetConsoleInputExeNameW") returned 0x76a2b440 [0152.319] GetProcessHeap () returned 0x4510000 [0152.319] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0x400a) returned 0x451bda0 [0152.319] GetProcessHeap () returned 0x4510000 [0152.320] RtlFreeHeap (HeapHandle=0x4510000, Flags=0x0, BaseAddress=0x451bda0) returned 1 [0152.321] _wcsicmp (_String1="schtasks", _String2=")") returned 74 [0152.321] _wcsicmp (_String1="FOR", _String2="schtasks") returned -13 [0152.321] _wcsicmp (_String1="FOR/?", _String2="schtasks") returned -13 [0152.321] _wcsicmp (_String1="IF", _String2="schtasks") returned -10 [0152.321] _wcsicmp (_String1="IF/?", _String2="schtasks") returned -10 [0152.321] _wcsicmp (_String1="REM", _String2="schtasks") returned -1 [0152.321] _wcsicmp (_String1="REM/?", _String2="schtasks") returned -1 [0152.321] GetProcessHeap () returned 0x4510000 [0152.321] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0x58) returned 0x451ac90 [0152.321] GetProcessHeap () returned 0x4510000 [0152.321] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0x1a) returned 0x4510578 [0152.323] GetProcessHeap () returned 0x4510000 [0152.323] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0xe2) returned 0x451acf0 [0152.324] GetProcessHeap () returned 0x4510000 [0152.324] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0x58) returned 0x451ade0 [0152.325] _wcsicmp (_String1="exit", _String2=")") returned 60 [0152.325] _wcsicmp (_String1="FOR", _String2="exit") returned 1 [0152.325] _wcsicmp (_String1="FOR/?", _String2="exit") returned 1 [0152.325] _wcsicmp (_String1="IF", _String2="exit") returned 4 [0152.325] _wcsicmp (_String1="IF/?", _String2="exit") returned 4 [0152.325] _wcsicmp (_String1="REM", _String2="exit") returned 13 [0152.325] _wcsicmp (_String1="REM/?", _String2="exit") returned 13 [0152.325] GetProcessHeap () returned 0x4510000 [0152.325] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0x58) returned 0x451ae40 [0152.325] GetProcessHeap () returned 0x4510000 [0152.325] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0x12) returned 0x4517698 [0152.326] GetConsoleTitleW (in: lpConsoleTitle=0x19fa10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0152.326] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0152.327] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0152.327] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0152.327] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0152.327] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0152.327] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0152.327] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0152.327] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0152.327] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0152.327] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0152.328] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0152.328] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0152.328] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0152.328] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0152.328] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0152.328] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0152.328] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0152.328] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0152.328] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0152.328] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0152.328] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0152.328] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0152.328] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0152.328] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0152.328] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0152.328] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0152.328] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0152.328] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0152.328] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0152.328] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0152.328] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0152.328] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0152.328] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0152.328] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0152.328] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0152.328] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0152.328] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0152.328] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0152.328] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0152.328] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0152.328] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0152.328] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0152.329] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0152.329] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0152.329] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0152.329] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0152.329] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0152.329] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0152.329] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0152.329] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0152.329] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0152.329] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0152.329] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0152.329] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0152.329] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0152.329] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0152.329] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0152.329] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0152.329] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0152.329] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0152.329] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0152.329] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0152.329] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0152.329] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0152.329] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0152.329] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0152.329] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0152.329] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0152.329] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0152.329] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0152.329] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0152.329] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0152.330] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0152.330] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0152.330] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0152.330] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0152.330] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0152.330] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0152.330] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0152.330] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0152.330] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0152.330] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0152.330] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0152.330] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0152.330] _wcsicmp (_String1="schtasks", _String2="FOR") returned 13 [0152.330] _wcsicmp (_String1="schtasks", _String2="IF") returned 10 [0152.330] _wcsicmp (_String1="schtasks", _String2="REM") returned 1 [0152.330] GetProcessHeap () returned 0x4510000 [0152.330] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0x210) returned 0x451aea0 [0152.331] GetProcessHeap () returned 0x4510000 [0152.331] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0xf4) returned 0x451b0b8 [0152.331] _wcsnicmp (_String1="scht", _String2="cmd ", _MaxCount=0x4) returned 16 [0152.331] GetProcessHeap () returned 0x4510000 [0152.331] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0x418) returned 0x45105c8 [0152.331] SetErrorMode (uMode=0x0) returned 0x0 [0152.331] SetErrorMode (uMode=0x1) returned 0x0 [0152.331] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x45105d0, lpFilePart=0x19f51c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f51c*="Desktop") returned 0x1d [0152.331] SetErrorMode (uMode=0x0) returned 0x1 [0152.331] GetProcessHeap () returned 0x4510000 [0152.331] RtlReAllocateHeap (Heap=0x4510000, Flags=0x0, Ptr=0x45105c8, Size=0x56) returned 0x45105c8 [0152.331] GetProcessHeap () returned 0x4510000 [0152.332] RtlSizeHeap (HeapHandle=0x4510000, Flags=0x0, MemoryPointer=0x45105c8) returned 0x56 [0152.332] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0152.332] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0152.332] GetProcessHeap () returned 0x4510000 [0152.332] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0x110) returned 0x451b1b8 [0152.332] GetProcessHeap () returned 0x4510000 [0152.332] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0x218) returned 0x4510628 [0152.339] GetProcessHeap () returned 0x4510000 [0152.339] RtlReAllocateHeap (Heap=0x4510000, Flags=0x0, Ptr=0x4510628, Size=0x112) returned 0x4510628 [0152.339] GetProcessHeap () returned 0x4510000 [0152.339] RtlSizeHeap (HeapHandle=0x4510000, Flags=0x0, MemoryPointer=0x4510628) returned 0x112 [0152.339] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0152.339] GetProcessHeap () returned 0x4510000 [0152.339] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0xe0) returned 0x4510748 [0152.341] GetProcessHeap () returned 0x4510000 [0152.341] RtlReAllocateHeap (Heap=0x4510000, Flags=0x0, Ptr=0x4510748, Size=0x76) returned 0x4510748 [0152.341] GetProcessHeap () returned 0x4510000 [0152.341] RtlSizeHeap (HeapHandle=0x4510000, Flags=0x0, MemoryPointer=0x4510748) returned 0x76 [0152.342] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0152.342] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\schtasks.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\schtasks.*"), fInfoLevelId=0x1, lpFindFileData=0x19f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f2a8) returned 0xffffffff [0152.342] GetLastError () returned 0x2 [0152.342] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0152.342] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.*" (normalized: "c:\\windows\\syswow64\\schtasks.*"), fInfoLevelId=0x1, lpFindFileData=0x19f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f2a8) returned 0x451b2d0 [0152.343] GetProcessHeap () returned 0x4510000 [0152.343] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x0, Size=0x14) returned 0x45175b8 [0152.343] FindClose (in: hFindFile=0x451b2d0 | out: hFindFile=0x451b2d0) returned 1 [0152.343] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.COM" (normalized: "c:\\windows\\syswow64\\schtasks.com"), fInfoLevelId=0x1, lpFindFileData=0x19f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f2a8) returned 0xffffffff [0152.343] GetLastError () returned 0x2 [0152.343] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.EXE" (normalized: "c:\\windows\\syswow64\\schtasks.exe"), fInfoLevelId=0x1, lpFindFileData=0x19f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f2a8) returned 0x451b2d0 [0152.343] GetProcessHeap () returned 0x4510000 [0152.343] RtlReAllocateHeap (Heap=0x4510000, Flags=0x0, Ptr=0x45175b8, Size=0x4) returned 0x451b310 [0152.343] FindClose (in: hFindFile=0x451b2d0 | out: hFindFile=0x451b2d0) returned 1 [0152.343] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0152.343] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0152.343] GetConsoleTitleW (in: lpConsoleTitle=0x19f79c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0152.356] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f6c8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f6ac | out: lpAttributeList=0x19f6c8, lpSize=0x19f6ac) returned 1 [0152.356] UpdateProcThreadAttribute (in: lpAttributeList=0x19f6c8, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f6b4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f6c8, lpPreviousValue=0x0) returned 1 [0152.356] GetStartupInfoW (in: lpStartupInfo=0x19f700 | out: lpStartupInfo=0x19f700*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0152.357] GetProcessHeap () returned 0x4510000 [0152.357] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0x18) returned 0x45178d8 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.357] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0152.358] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0152.358] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0152.358] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0152.358] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0152.358] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0152.358] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0152.358] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0152.358] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0152.358] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0152.358] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0152.360] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0152.360] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0152.360] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0152.360] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0152.360] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0152.360] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0152.360] GetProcessHeap () returned 0x4510000 [0152.360] RtlFreeHeap (HeapHandle=0x4510000, Flags=0x0, BaseAddress=0x45178d8) returned 1 [0152.360] GetProcessHeap () returned 0x4510000 [0152.360] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0xa) returned 0x451b2d0 [0152.360] lstrcmpW (lpString1="\\schtasks.exe", lpString2="\\XCOPY.EXE") returned -1 [0152.364] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\schtasks.exe", lpCommandLine="schtasks /create /f /sc onlogon /rl highest /tn \"svchost\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe\"' ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f650*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="schtasks /create /f /sc onlogon /rl highest /tn \"svchost\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe\"' ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f69c | out: lpCommandLine="schtasks /create /f /sc onlogon /rl highest /tn \"svchost\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe\"' ", lpProcessInformation=0x19f69c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x438, dwThreadId=0xc44)) returned 1 [0152.644] CloseHandle (hObject=0xa4) returned 1 [0152.644] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0152.644] GetProcessHeap () returned 0x4510000 [0152.644] RtlFreeHeap (HeapHandle=0x4510000, Flags=0x0, BaseAddress=0x4519ea0) returned 1 [0152.644] GetEnvironmentStringsW () returned 0x4519ea0* [0152.644] GetProcessHeap () returned 0x4510000 [0152.644] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0xa76) returned 0x4517e10 [0152.644] memcpy (in: _Dst=0x4517e10, _Src=0x4519ea0, _Size=0xa76 | out: _Dst=0x4517e10) returned 0x4517e10 [0152.645] FreeEnvironmentStringsA (penv="=") returned 1 [0152.645] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0 [0155.943] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x19f634 | out: lpExitCode=0x19f634*=0x0) returned 1 [0155.944] CloseHandle (hObject=0xa8) returned 1 [0155.944] _vsnwprintf (in: _Buffer=0x19f71c, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f63c | out: _Buffer="00000000") returned 8 [0155.944] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0155.944] GetProcessHeap () returned 0x4510000 [0155.945] RtlFreeHeap (HeapHandle=0x4510000, Flags=0x0, BaseAddress=0x4517e10) returned 1 [0155.945] GetEnvironmentStringsW () returned 0x4517e10* [0155.945] GetProcessHeap () returned 0x4510000 [0155.945] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0xa9c) returned 0x451c848 [0155.945] memcpy (in: _Dst=0x451c848, _Src=0x4517e10, _Size=0xa9c | out: _Dst=0x451c848) returned 0x451c848 [0155.945] FreeEnvironmentStringsA (penv="=") returned 1 [0155.945] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0155.945] GetProcessHeap () returned 0x4510000 [0155.945] RtlFreeHeap (HeapHandle=0x4510000, Flags=0x0, BaseAddress=0x451c848) returned 1 [0155.945] GetEnvironmentStringsW () returned 0x4517e10* [0155.945] GetProcessHeap () returned 0x4510000 [0155.945] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0xa9c) returned 0x451c848 [0155.945] memcpy (in: _Dst=0x451c848, _Src=0x4517e10, _Size=0xa9c | out: _Dst=0x451c848) returned 0x451c848 [0155.945] FreeEnvironmentStringsA (penv="=") returned 1 [0155.945] GetProcessHeap () returned 0x4510000 [0155.945] RtlFreeHeap (HeapHandle=0x4510000, Flags=0x0, BaseAddress=0x451b2d0) returned 1 [0155.946] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f6c8 | out: lpAttributeList=0x19f6c8) [0155.946] GetConsoleTitleW (in: lpConsoleTitle=0x19fa10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0156.645] _wcsicmp (_String1="exit", _String2="DIR") returned 1 [0156.645] _wcsicmp (_String1="exit", _String2="ERASE") returned 6 [0156.645] _wcsicmp (_String1="exit", _String2="DEL") returned 1 [0156.645] _wcsicmp (_String1="exit", _String2="TYPE") returned -15 [0156.645] _wcsicmp (_String1="exit", _String2="COPY") returned 2 [0156.645] _wcsicmp (_String1="exit", _String2="CD") returned 2 [0156.645] _wcsicmp (_String1="exit", _String2="CHDIR") returned 2 [0156.645] _wcsicmp (_String1="exit", _String2="RENAME") returned -13 [0156.645] _wcsicmp (_String1="exit", _String2="REN") returned -13 [0156.645] _wcsicmp (_String1="exit", _String2="ECHO") returned 21 [0156.645] _wcsicmp (_String1="exit", _String2="SET") returned -14 [0156.645] _wcsicmp (_String1="exit", _String2="PAUSE") returned -11 [0156.645] _wcsicmp (_String1="exit", _String2="DATE") returned 1 [0156.645] _wcsicmp (_String1="exit", _String2="TIME") returned -15 [0156.645] _wcsicmp (_String1="exit", _String2="PROMPT") returned -11 [0156.645] _wcsicmp (_String1="exit", _String2="MD") returned -8 [0156.645] _wcsicmp (_String1="exit", _String2="MKDIR") returned -8 [0156.645] _wcsicmp (_String1="exit", _String2="RD") returned -13 [0156.645] _wcsicmp (_String1="exit", _String2="RMDIR") returned -13 [0156.645] _wcsicmp (_String1="exit", _String2="PATH") returned -11 [0156.645] _wcsicmp (_String1="exit", _String2="GOTO") returned -2 [0156.645] _wcsicmp (_String1="exit", _String2="SHIFT") returned -14 [0156.646] _wcsicmp (_String1="exit", _String2="CLS") returned 2 [0156.646] _wcsicmp (_String1="exit", _String2="CALL") returned 2 [0156.646] _wcsicmp (_String1="exit", _String2="VERIFY") returned -17 [0156.646] _wcsicmp (_String1="exit", _String2="VER") returned -17 [0156.646] _wcsicmp (_String1="exit", _String2="VOL") returned -17 [0156.646] _wcsicmp (_String1="exit", _String2="EXIT") returned 0 [0156.646] GetProcessHeap () returned 0x4510000 [0156.646] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0xc) returned 0x451b2d0 [0156.646] GetProcessHeap () returned 0x4510000 [0156.646] RtlAllocateHeap (HeapHandle=0x4510000, Flags=0x8, Size=0x12) returned 0x4517898 [0156.646] exit (_Code=0) Thread: id = 20 os_tid = 0xc48 Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x58436000" os_pid = "0xcb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x1384" cmd_line = "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 424 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 425 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 426 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 427 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 428 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 429 start_va = 0x1a0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x1b4fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 430 start_va = 0x200000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 431 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 432 start_va = 0x4400000 end_va = 0x4403fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004400000" filename = "" Region: id = 433 start_va = 0x4410000 end_va = 0x4410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004410000" filename = "" Region: id = 434 start_va = 0x4420000 end_va = 0x4421fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004420000" filename = "" Region: id = 435 start_va = 0x771d0000 end_va = 0x7734afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 436 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 437 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 438 start_va = 0x7fff0000 end_va = 0x7dfa1676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 439 start_va = 0x7dfa16770000 end_va = 0x7ffa1676ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfa16770000" filename = "" Region: id = 440 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 441 start_va = 0x7ffa16931000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffa16931000" filename = "" Region: id = 447 start_va = 0x4430000 end_va = 0x446ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004430000" filename = "" Region: id = 448 start_va = 0x640d0000 end_va = 0x6411ffff monitored = 0 entry_point = 0x640e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 449 start_va = 0x64050000 end_va = 0x640c9fff monitored = 0 entry_point = 0x64063290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 450 start_va = 0x76720000 end_va = 0x767fffff monitored = 0 entry_point = 0x76733980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 451 start_va = 0x64120000 end_va = 0x64127fff monitored = 0 entry_point = 0x641217c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 462 start_va = 0x4470000 end_va = 0x46effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004470000" filename = "" Region: id = 463 start_va = 0x76720000 end_va = 0x767fffff monitored = 0 entry_point = 0x76733980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 464 start_va = 0x76910000 end_va = 0x76a8dfff monitored = 0 entry_point = 0x769c1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 465 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 466 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 590 start_va = 0x4470000 end_va = 0x452dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 591 start_va = 0x45f0000 end_va = 0x46effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045f0000" filename = "" Region: id = 592 start_va = 0x76a90000 end_va = 0x76b4dfff monitored = 0 entry_point = 0x76ac5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 593 start_va = 0x4530000 end_va = 0x456ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004530000" filename = "" Region: id = 594 start_va = 0x46f0000 end_va = 0x47effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046f0000" filename = "" Region: id = 595 start_va = 0x47f0000 end_va = 0x488ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000047f0000" filename = "" Region: id = 596 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 634 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 635 start_va = 0x72060000 end_va = 0x72067fff monitored = 0 entry_point = 0x72061840 region_type = mapped_file name = "cmdext.dll" filename = "\\Windows\\SysWOW64\\cmdext.dll" (normalized: "c:\\windows\\syswow64\\cmdext.dll") Region: id = 636 start_va = 0x76600000 end_va = 0x7667afff monitored = 0 entry_point = 0x7661e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 637 start_va = 0x76cb0000 end_va = 0x76cf3fff monitored = 0 entry_point = 0x76cc9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 638 start_va = 0x76c00000 end_va = 0x76cacfff monitored = 0 entry_point = 0x76c14f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 639 start_va = 0x73f00000 end_va = 0x73f1dfff monitored = 0 entry_point = 0x73f0b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 640 start_va = 0x73ef0000 end_va = 0x73ef9fff monitored = 0 entry_point = 0x73ef2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 641 start_va = 0x76840000 end_va = 0x76897fff monitored = 0 entry_point = 0x768825c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 644 start_va = 0x4430000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004430000" filename = "" Region: id = 645 start_va = 0x4460000 end_va = 0x446ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004460000" filename = "" Region: id = 677 start_va = 0x4890000 end_va = 0x4bc6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1104 start_va = 0x73e50000 end_va = 0x73ee1fff monitored = 0 entry_point = 0x73e90380 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 1120 start_va = 0x7fb00000 end_va = 0x7fea0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 1198 start_va = 0x4570000 end_va = 0x4590fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cmd.exe.mui") Thread: id = 11 os_tid = 0xcb0 [0150.544] GetModuleHandleA (lpModuleName=0x0) returned 0x1a0000 [0150.544] __set_app_type (_Type=0x1) [0150.544] __p__fmode () returned 0x76b44d6c [0150.544] __p__commode () returned 0x76b45b1c [0150.544] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1b5200) returned 0x0 [0150.544] __getmainargs (in: _Argc=0x1c60e8, _Argv=0x1c60ec, _Env=0x1c60f0, _DoWildCard=0, _StartInfo=0x1c60fc | out: _Argc=0x1c60e8, _Argv=0x1c60ec, _Env=0x1c60f0) returned 0 [0150.545] GetCurrentThreadId () returned 0xcb0 [0150.545] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcb0) returned 0x84 [0150.545] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76720000 [0150.545] GetProcAddress (hModule=0x76720000, lpProcName="SetThreadUILanguage") returned 0x76762510 [0150.545] SetThreadUILanguage (LangId=0x0) returned 0x409 [0150.676] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0150.677] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0150.677] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0150.677] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0150.677] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0150.677] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0150.677] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x80, RegionSize=0x1000, State=0x1000, Protect=0x2, Type=0x1000000)) returned 0x1c [0150.677] GetConsoleOutputCP () returned 0x1b5 [0152.260] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1cf460 | out: lpCPInfo=0x1cf460) returned 1 [0152.260] SetConsoleCtrlHandler (HandlerRoutine=0x1c0e40, Add=1) returned 1 [0152.261] _get_osfhandle (_FileHandle=1) returned 0x3c [0152.261] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0152.292] _get_osfhandle (_FileHandle=1) returned 0x3c [0152.292] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x1cf40c | out: lpMode=0x1cf40c) returned 1 [0152.300] _get_osfhandle (_FileHandle=1) returned 0x3c [0152.300] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0152.304] _get_osfhandle (_FileHandle=0) returned 0x38 [0152.304] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x1cf408 | out: lpMode=0x1cf408) returned 1 [0152.306] _get_osfhandle (_FileHandle=0) returned 0x38 [0152.306] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0152.344] GetEnvironmentStringsW () returned 0x45f7d50* [0152.344] GetProcessHeap () returned 0x45f0000 [0152.344] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xa1a) returned 0x45f8778 [0152.344] memcpy (in: _Dst=0x45f8778, _Src=0x45f7d50, _Size=0xa1a | out: _Dst=0x45f8778) returned 0x45f8778 [0152.344] FreeEnvironmentStringsA (penv="A") returned 1 [0152.344] GetProcessHeap () returned 0x45f0000 [0152.344] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x4) returned 0x45f0550 [0152.344] GetEnvironmentStringsW () returned 0x45f7d50* [0152.344] GetProcessHeap () returned 0x45f0000 [0152.344] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xa1a) returned 0x45f91a0 [0152.344] memcpy (in: _Dst=0x45f91a0, _Src=0x45f7d50, _Size=0xa1a | out: _Dst=0x45f91a0) returned 0x45f91a0 [0152.344] FreeEnvironmentStringsA (penv="A") returned 1 [0152.344] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0152.345] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0152.345] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0152.345] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0152.345] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0152.345] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0152.345] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0152.345] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0152.345] RegCloseKey (hKey=0x94) returned 0x0 [0152.345] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0152.345] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0152.345] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0152.345] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0152.345] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0152.345] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0152.346] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0152.346] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0152.346] RegCloseKey (hKey=0x94) returned 0x0 [0152.346] time (in: timer=0x0 | out: timer=0x0) returned 0x62ed0ae5 [0152.346] srand (_Seed=0x62ed0ae5) [0152.346] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"\"" [0152.346] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"\"" [0152.346] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1d7720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0152.346] GetProcessHeap () returned 0x45f0000 [0152.346] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x210) returned 0x45f9bc8 [0152.346] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x45f9bd0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0152.346] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0152.346] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0152.346] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0152.346] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0152.346] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0152.346] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0152.346] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0152.346] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0152.347] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0152.347] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0152.347] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0152.347] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0152.347] GetProcessHeap () returned 0x45f0000 [0152.347] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f8778) returned 1 [0152.347] GetEnvironmentStringsW () returned 0x45f7d50* [0152.347] GetProcessHeap () returned 0x45f0000 [0152.347] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xa32) returned 0x45fa820 [0152.348] memcpy (in: _Dst=0x45fa820, _Src=0x45f7d50, _Size=0xa32 | out: _Dst=0x45fa820) returned 0x45fa820 [0152.348] FreeEnvironmentStringsA (penv="A") returned 1 [0152.348] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0152.348] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0152.348] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0152.348] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0152.348] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0152.348] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0152.348] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0152.348] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0152.348] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0152.348] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0152.348] GetProcessHeap () returned 0x45f0000 [0152.348] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x44) returned 0x45f05c8 [0152.348] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0152.348] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19fc4c*="Desktop") returned 0x1d [0152.348] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0152.348] FindFirstFileW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x45f0618 [0152.349] FindClose (in: hFindFile=0x45f0618 | out: hFindFile=0x45f0618) returned 1 [0152.349] memcpy (in: _Dst=0x19fc5a, _Src=0x19f9fc, _Size=0xa | out: _Dst=0x19fc5a) returned 0x19fc5a [0152.349] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX" (normalized: "c:\\users\\rdhj0cnfevzx"), lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x45f0618 [0152.349] FindClose (in: hFindFile=0x45f0618 | out: hFindFile=0x45f0618) returned 1 [0152.349] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0152.349] memcpy (in: _Dst=0x19fc66, _Src=0x19f9fc, _Size=0x18 | out: _Dst=0x19fc66) returned 0x19fc66 [0152.349] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop"), lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x78104e93, ftLastAccessTime.dwHighDateTime=0x1d8a8c5, ftLastWriteTime.dwLowDateTime=0x78104e93, ftLastWriteTime.dwHighDateTime=0x1d8a8c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x45f0618 [0152.349] FindClose (in: hFindFile=0x45f0618 | out: hFindFile=0x45f0618) returned 1 [0152.349] memcpy (in: _Dst=0x19fc80, _Src=0x19f9fc, _Size=0xe | out: _Dst=0x19fc80) returned 0x19fc80 [0152.349] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11 [0152.349] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1 [0152.349] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1 [0152.349] GetProcessHeap () returned 0x45f0000 [0152.350] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fa820) returned 1 [0152.350] GetEnvironmentStringsW () returned 0x45f7d50* [0152.350] GetProcessHeap () returned 0x45f0000 [0152.350] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xa76) returned 0x45f9de0 [0152.350] memcpy (in: _Dst=0x45f9de0, _Src=0x45f7d50, _Size=0xa76 | out: _Dst=0x45f9de0) returned 0x45f9de0 [0152.350] FreeEnvironmentStringsA (penv="=") returned 1 [0152.350] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1d7720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0152.350] GetProcessHeap () returned 0x45f0000 [0152.351] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f05c8) returned 1 [0152.351] GetProcessHeap () returned 0x45f0000 [0152.351] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x400e) returned 0x45fbce0 [0152.352] GetProcessHeap () returned 0x45f0000 [0152.352] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x86) returned 0x45fa860 [0152.352] GetProcessHeap () returned 0x45f0000 [0152.353] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x4008) returned 0x45ffcf8 [0152.353] GetProcessHeap () returned 0x45f0000 [0152.353] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x4008) returned 0x4603d08 [0152.354] GetProcessHeap () returned 0x45f0000 [0152.354] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fbce0) returned 1 [0152.355] GetConsoleOutputCP () returned 0x1b5 [0152.645] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1cf460 | out: lpCPInfo=0x1cf460) returned 1 [0152.645] GetUserDefaultLCID () returned 0x409 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x1d34a0, cchData=8 | out: lpLCData=":") returned 2 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x1d34b0, cchData=8 | out: lpLCData="/") returned 2 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x1d3500, cchData=32 | out: lpLCData="Mon") returned 4 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x1d3540, cchData=32 | out: lpLCData="Tue") returned 4 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x1d3580, cchData=32 | out: lpLCData="Wed") returned 4 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x1d35c0, cchData=32 | out: lpLCData="Thu") returned 4 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x1d3600, cchData=32 | out: lpLCData="Fri") returned 4 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x1d3640, cchData=32 | out: lpLCData="Sat") returned 4 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x1d3680, cchData=32 | out: lpLCData="Sun") returned 4 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x1d34c0, cchData=8 | out: lpLCData=".") returned 2 [0152.646] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x1d34e0, cchData=8 | out: lpLCData=",") returned 2 [0152.646] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0152.648] GetProcessHeap () returned 0x45f0000 [0152.648] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x0, Size=0x20c) returned 0x45fa938 [0152.648] GetConsoleTitleW (in: lpConsoleTitle=0x45fa938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.659] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76720000 [0152.659] GetProcAddress (hModule=0x76720000, lpProcName="CopyFileExW") returned 0x7673ffc0 [0152.659] GetProcAddress (hModule=0x76720000, lpProcName="IsDebuggerPresent") returned 0x7673b0b0 [0152.659] GetProcAddress (hModule=0x76720000, lpProcName="SetConsoleInputExeNameW") returned 0x76a2b440 [0152.660] GetProcessHeap () returned 0x45f0000 [0152.660] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x400a) returned 0x45fbce0 [0152.660] GetProcessHeap () returned 0x45f0000 [0152.660] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fbce0) returned 1 [0152.662] _wcsicmp (_String1="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"", _String2=")") returned -7 [0152.662] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"") returned 68 [0152.662] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"") returned 68 [0152.662] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"") returned 71 [0152.662] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"") returned 71 [0152.662] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"") returned 80 [0152.662] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"") returned 80 [0152.662] GetProcessHeap () returned 0x45f0000 [0152.662] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x58) returned 0x45fab50 [0152.662] GetProcessHeap () returned 0x45f0000 [0152.662] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x7e) returned 0x45fabb0 [0152.663] GetConsoleTitleW (in: lpConsoleTitle=0x19fa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.663] GetFileAttributesW (lpFileName="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat\"" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\\"c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat\"")) returned 0xffffffff [0152.664] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0152.664] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0152.664] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0152.664] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0152.664] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0152.664] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0152.664] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0152.664] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0152.664] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0152.664] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0152.664] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0152.664] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0152.664] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0152.664] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0152.664] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0152.664] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0152.664] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0152.664] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0152.664] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0152.664] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0152.664] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0152.665] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0152.665] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0152.665] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0152.665] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0152.665] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0152.665] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0152.665] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0152.665] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0152.665] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0152.665] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0152.665] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0152.665] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0152.665] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0152.665] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0152.665] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0152.665] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0152.665] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0152.665] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0152.665] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0152.665] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0152.665] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0152.665] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0152.665] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0152.665] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0152.665] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0152.665] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0152.665] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0152.665] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0152.665] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0152.665] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0152.665] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0152.666] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0152.666] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0152.666] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0152.666] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0152.666] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0152.666] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0152.666] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0152.666] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0152.666] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0152.666] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0152.666] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0152.666] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0152.666] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0152.666] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0152.666] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0152.666] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0152.666] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0152.666] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0152.666] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0152.666] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0152.666] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0152.666] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0152.666] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0152.666] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0152.666] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0152.666] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0152.666] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0152.666] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0152.666] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0152.666] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0152.666] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0152.667] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0152.667] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0152.667] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0152.667] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0152.667] GetProcessHeap () returned 0x45f0000 [0152.667] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x210) returned 0x45fac38 [0152.667] GetProcessHeap () returned 0x45f0000 [0152.667] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x7e) returned 0x45fae50 [0152.667] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0152.667] GetProcessHeap () returned 0x45f0000 [0152.668] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x418) returned 0x45f05c8 [0152.668] SetErrorMode (uMode=0x0) returned 0x0 [0152.668] SetErrorMode (uMode=0x1) returned 0x0 [0152.668] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x45f05d0, lpFilePart=0x19f57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp", lpFilePart=0x19f57c*="Temp") returned 0x28 [0152.668] SetErrorMode (uMode=0x0) returned 0x1 [0152.668] GetProcessHeap () returned 0x45f0000 [0152.668] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x45f05c8, Size=0x7a) returned 0x45f05c8 [0152.668] GetProcessHeap () returned 0x45f0000 [0152.668] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x45f05c8) returned 0x7a [0152.668] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\.") returned 1 [0152.668] GetProcessHeap () returned 0x45f0000 [0152.668] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x60) returned 0x45faed8 [0152.668] GetProcessHeap () returned 0x45f0000 [0152.668] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xb4) returned 0x45faf40 [0152.668] GetProcessHeap () returned 0x45f0000 [0152.668] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x45faf40, Size=0x60) returned 0x45faf40 [0152.668] GetProcessHeap () returned 0x45f0000 [0152.669] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x45faf40) returned 0x60 [0152.669] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0152.669] GetProcessHeap () returned 0x45f0000 [0152.669] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xe0) returned 0x45fafa8 [0152.673] GetProcessHeap () returned 0x45f0000 [0152.673] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x45fafa8, Size=0x76) returned 0x45fafa8 [0152.673] GetProcessHeap () returned 0x45f0000 [0152.673] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x45fafa8) returned 0x76 [0152.673] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0152.674] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat"), fInfoLevelId=0x1, lpFindFileData=0x19f328, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f328) returned 0x45fb028 [0152.674] GetProcessHeap () returned 0x45f0000 [0152.674] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x0, Size=0x14) returned 0x45f74f8 [0152.674] FindClose (in: hFindFile=0x45fb028 | out: hFindFile=0x45fb028) returned 1 [0152.675] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1 [0152.675] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0 [0152.675] GetConsoleTitleW (in: lpConsoleTitle=0x19f7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0152.675] GetProcessHeap () returned 0x45f0000 [0152.675] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x11c) returned 0x45fb028 [0152.676] ApiSetQueryApiSetPresence () returned 0x0 [0152.676] ResolveDelayLoadedAPI () returned 0x720614a0 [0152.935] SaferWorker () returned 0x0 [0152.989] SetErrorMode (uMode=0x0) returned 0x0 [0152.989] SetErrorMode (uMode=0x1) returned 0x0 [0152.989] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat", nBufferLength=0x104, lpBuffer=0x45fac40, lpFilePart=0x19f6ac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat", lpFilePart=0x19f6ac*="tmpB6E4.tmp.bat") returned 0x38 [0152.989] SetErrorMode (uMode=0x0) returned 0x1 [0152.989] GetProcessHeap () returned 0x45f0000 [0152.989] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x7e) returned 0x45f0ef8 [0152.989] CmdBatNotificationStub () returned 0x1 [0152.989] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x19f73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0152.989] _open_osfhandle (_OSFileHandle=0xb4, _Flags=8) returned 3 [0152.989] _get_osfhandle (_FileHandle=3) returned 0xb4 [0152.989] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.990] _get_osfhandle (_FileHandle=3) returned 0xb4 [0152.990] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0152.990] ReadFile (in: hFile=0xb4, lpBuffer=0x1db960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x19f6c4, lpOverlapped=0x0 | out: lpBuffer=0x1db960*, lpNumberOfBytesRead=0x19f6c4*=0xa5, lpOverlapped=0x0) returned 1 [0152.991] SetFilePointer (in: hFile=0xb4, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0152.991] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x1db960, cbMultiByte=11, lpWideCharStr=0x1c67e0, cchWideChar=8191 | out: lpWideCharStr="@echo off\r\n") returned 11 [0152.992] _get_osfhandle (_FileHandle=3) returned 0xb4 [0152.992] GetFileType (hFile=0xb4) returned 0x1 [0152.992] _get_osfhandle (_FileHandle=3) returned 0xb4 [0152.992] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0152.992] GetProcessHeap () returned 0x45f0000 [0152.992] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x400a) returned 0x45fbce0 [0152.992] GetProcessHeap () returned 0x45f0000 [0152.993] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fbce0) returned 1 [0152.993] GetProcessHeap () returned 0x45f0000 [0152.993] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x58) returned 0x45f0cf0 [0152.993] _wcsicmp (_String1="echo", _String2=")") returned 60 [0152.993] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0152.993] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0152.993] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0152.993] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0152.993] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0152.994] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0152.994] GetProcessHeap () returned 0x45f0000 [0152.994] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x58) returned 0x46082f0 [0152.994] GetProcessHeap () returned 0x45f0000 [0152.994] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x12) returned 0x45f7698 [0152.994] GetProcessHeap () returned 0x45f0000 [0152.994] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x12) returned 0x45f75f8 [0152.995] _tell (_FileHandle=3) returned 11 [0152.996] _close (_FileHandle=3) returned 0 [0152.996] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0152.996] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0152.996] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0152.996] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0152.996] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0152.996] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0152.996] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0152.996] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0152.996] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0152.996] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0152.996] GetConsoleTitleW (in: lpConsoleTitle=0x19f2f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.058] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0153.058] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0153.059] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0153.059] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0153.059] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0153.059] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0153.059] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0153.059] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0153.059] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0153.059] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0153.059] GetProcessHeap () returned 0x45f0000 [0153.059] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x1c) returned 0x45f0f80 [0153.059] GetProcessHeap () returned 0x45f0000 [0153.059] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x45f0f80, Size=0x12) returned 0x45f0f80 [0153.059] GetProcessHeap () returned 0x45f0000 [0153.059] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x45f0f80) returned 0x12 [0153.060] GetProcessHeap () returned 0x45f0000 [0153.060] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x1c) returned 0x45fb1c8 [0153.060] _wcsnicmp (_String1="off", _String2="off", _MaxCount=0x3) returned 0 [0153.060] _get_osfhandle (_FileHandle=1) returned 0x3c [0153.060] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0153.072] _get_osfhandle (_FileHandle=1) returned 0x3c [0153.072] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x1cf40c | out: lpMode=0x1cf40c) returned 1 [0153.074] _get_osfhandle (_FileHandle=0) returned 0x38 [0153.074] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x1cf408 | out: lpMode=0x1cf408) returned 1 [0153.184] SetConsoleInputExeNameW () returned 0x1 [0153.185] GetConsoleOutputCP () returned 0x1b5 [0153.207] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1cf460 | out: lpCPInfo=0x1cf460) returned 1 [0153.207] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.296] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x19f73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0153.297] _open_osfhandle (_OSFileHandle=0xb4, _Flags=8) returned 3 [0153.297] _get_osfhandle (_FileHandle=3) returned 0xb4 [0153.297] SetFilePointer (in: hFile=0xb4, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0153.297] GetProcessHeap () returned 0x45f0000 [0153.297] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fb1c8) returned 1 [0153.297] GetProcessHeap () returned 0x45f0000 [0153.297] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f0f80) returned 1 [0153.297] GetProcessHeap () returned 0x45f0000 [0153.297] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f75f8) returned 1 [0153.297] GetProcessHeap () returned 0x45f0000 [0153.297] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f7698) returned 1 [0153.297] GetProcessHeap () returned 0x45f0000 [0153.297] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x46082f0) returned 1 [0153.297] GetProcessHeap () returned 0x45f0000 [0153.298] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f0cf0) returned 1 [0153.298] _get_osfhandle (_FileHandle=3) returned 0xb4 [0153.298] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0153.298] ReadFile (in: hFile=0xb4, lpBuffer=0x1db960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x19f6c4, lpOverlapped=0x0 | out: lpBuffer=0x1db960*, lpNumberOfBytesRead=0x19f6c4*=0x9a, lpOverlapped=0x0) returned 1 [0153.298] SetFilePointer (in: hFile=0xb4, lDistanceToMove=28, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c [0153.298] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x1db960, cbMultiByte=17, lpWideCharStr=0x1c67e0, cchWideChar=8191 | out: lpWideCharStr="timeout 3 > NUL\r\n") returned 17 [0153.299] _get_osfhandle (_FileHandle=3) returned 0xb4 [0153.299] GetFileType (hFile=0xb4) returned 0x1 [0153.299] _get_osfhandle (_FileHandle=3) returned 0xb4 [0153.299] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c [0153.299] GetProcessHeap () returned 0x45f0000 [0153.299] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x400a) returned 0x45fbce0 [0153.299] GetProcessHeap () returned 0x45f0000 [0153.300] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fbce0) returned 1 [0153.300] _wcsicmp (_String1="timeout", _String2=")") returned 75 [0153.300] _wcsicmp (_String1="FOR", _String2="timeout") returned -14 [0153.300] _wcsicmp (_String1="FOR/?", _String2="timeout") returned -14 [0153.300] _wcsicmp (_String1="IF", _String2="timeout") returned -11 [0153.300] _wcsicmp (_String1="IF/?", _String2="timeout") returned -11 [0153.300] _wcsicmp (_String1="REM", _String2="timeout") returned -2 [0153.300] _wcsicmp (_String1="REM/?", _String2="timeout") returned -2 [0153.300] GetProcessHeap () returned 0x45f0000 [0153.300] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x58) returned 0x45f0cf0 [0153.300] GetProcessHeap () returned 0x45f0000 [0153.300] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x18) returned 0x45f76f8 [0153.301] GetProcessHeap () returned 0x45f0000 [0153.301] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x10) returned 0x4608188 [0153.301] GetProcessHeap () returned 0x45f0000 [0153.301] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x20) returned 0x45f0f80 [0153.301] GetProcessHeap () returned 0x45f0000 [0153.301] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x10) returned 0x4608050 [0153.302] _tell (_FileHandle=3) returned 28 [0153.302] _close (_FileHandle=3) returned 0 [0153.302] _wcsicmp (_String1="timeout", _String2="DIR") returned 16 [0153.302] _wcsicmp (_String1="timeout", _String2="ERASE") returned 15 [0153.302] _wcsicmp (_String1="timeout", _String2="DEL") returned 16 [0153.302] _wcsicmp (_String1="timeout", _String2="TYPE") returned -16 [0153.302] _wcsicmp (_String1="timeout", _String2="COPY") returned 17 [0153.302] _wcsicmp (_String1="timeout", _String2="CD") returned 17 [0153.303] _wcsicmp (_String1="timeout", _String2="CHDIR") returned 17 [0153.303] _wcsicmp (_String1="timeout", _String2="RENAME") returned 2 [0153.303] _wcsicmp (_String1="timeout", _String2="REN") returned 2 [0153.303] _wcsicmp (_String1="timeout", _String2="ECHO") returned 15 [0153.303] _wcsicmp (_String1="timeout", _String2="SET") returned 1 [0153.303] _wcsicmp (_String1="timeout", _String2="PAUSE") returned 4 [0153.303] _wcsicmp (_String1="timeout", _String2="DATE") returned 16 [0153.303] _wcsicmp (_String1="timeout", _String2="TIME") returned 111 [0153.303] _wcsicmp (_String1="timeout", _String2="PROMPT") returned 4 [0153.303] _wcsicmp (_String1="timeout", _String2="MD") returned 7 [0153.303] _wcsicmp (_String1="timeout", _String2="MKDIR") returned 7 [0153.303] _wcsicmp (_String1="timeout", _String2="RD") returned 2 [0153.303] _wcsicmp (_String1="timeout", _String2="RMDIR") returned 2 [0153.303] _wcsicmp (_String1="timeout", _String2="PATH") returned 4 [0153.303] _wcsicmp (_String1="timeout", _String2="GOTO") returned 13 [0153.303] _wcsicmp (_String1="timeout", _String2="SHIFT") returned 1 [0153.303] _wcsicmp (_String1="timeout", _String2="CLS") returned 17 [0153.303] _wcsicmp (_String1="timeout", _String2="CALL") returned 17 [0153.303] _wcsicmp (_String1="timeout", _String2="VERIFY") returned -2 [0153.303] _wcsicmp (_String1="timeout", _String2="VER") returned -2 [0153.303] _wcsicmp (_String1="timeout", _String2="VOL") returned -2 [0153.303] _wcsicmp (_String1="timeout", _String2="EXIT") returned 15 [0153.303] _wcsicmp (_String1="timeout", _String2="SETLOCAL") returned 1 [0153.303] _wcsicmp (_String1="timeout", _String2="ENDLOCAL") returned 15 [0153.303] _wcsicmp (_String1="timeout", _String2="TITLE") returned -7 [0153.303] _wcsicmp (_String1="timeout", _String2="START") returned 1 [0153.303] _wcsicmp (_String1="timeout", _String2="DPATH") returned 16 [0153.303] _wcsicmp (_String1="timeout", _String2="KEYS") returned 9 [0153.303] _wcsicmp (_String1="timeout", _String2="MOVE") returned 7 [0153.303] _wcsicmp (_String1="timeout", _String2="PUSHD") returned 4 [0153.304] _wcsicmp (_String1="timeout", _String2="POPD") returned 4 [0153.304] _wcsicmp (_String1="timeout", _String2="ASSOC") returned 19 [0153.304] _wcsicmp (_String1="timeout", _String2="FTYPE") returned 14 [0153.304] _wcsicmp (_String1="timeout", _String2="BREAK") returned 18 [0153.304] _wcsicmp (_String1="timeout", _String2="COLOR") returned 17 [0153.304] _wcsicmp (_String1="timeout", _String2="MKLINK") returned 7 [0153.304] _wcsnicmp (_String1="time", _String2="cmd ", _MaxCount=0x4) returned 17 [0153.304] GetProcessHeap () returned 0x45f0000 [0153.304] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x418) returned 0x46082f0 [0153.304] SetErrorMode (uMode=0x0) returned 0x0 [0153.304] SetErrorMode (uMode=0x1) returned 0x0 [0153.304] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x46082f8, lpFilePart=0x19f51c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19f51c*="Desktop") returned 0x1d [0153.304] SetErrorMode (uMode=0x0) returned 0x1 [0153.304] GetProcessHeap () returned 0x45f0000 [0153.304] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x46082f0, Size=0x54) returned 0x46082f0 [0153.304] GetProcessHeap () returned 0x45f0000 [0153.304] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x46082f0) returned 0x54 [0153.304] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0153.304] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0153.305] GetProcessHeap () returned 0x45f0000 [0153.305] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x110) returned 0x4608350 [0153.305] GetProcessHeap () returned 0x45f0000 [0153.305] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x218) returned 0x4608468 [0153.308] GetProcessHeap () returned 0x45f0000 [0153.308] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x4608468, Size=0x112) returned 0x4608468 [0153.308] GetProcessHeap () returned 0x45f0000 [0153.308] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x4608468) returned 0x112 [0153.308] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0153.308] GetProcessHeap () returned 0x45f0000 [0153.308] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xe0) returned 0x4608588 [0153.309] GetProcessHeap () returned 0x45f0000 [0153.309] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x4608588, Size=0x76) returned 0x4608588 [0153.309] GetProcessHeap () returned 0x45f0000 [0153.309] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x4608588) returned 0x76 [0153.309] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.310] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\timeout.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\timeout.*"), fInfoLevelId=0x1, lpFindFileData=0x19f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f2a8) returned 0xffffffff [0153.310] GetLastError () returned 0x2 [0153.310] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.310] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.*" (normalized: "c:\\windows\\syswow64\\timeout.*"), fInfoLevelId=0x1, lpFindFileData=0x19f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f2a8) returned 0x4608608 [0153.310] GetProcessHeap () returned 0x45f0000 [0153.310] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x45f74f8, Size=0x4) returned 0x45f7e40 [0153.310] FindClose (in: hFindFile=0x4608608 | out: hFindFile=0x4608608) returned 1 [0153.310] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.COM" (normalized: "c:\\windows\\syswow64\\timeout.com"), fInfoLevelId=0x1, lpFindFileData=0x19f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f2a8) returned 0xffffffff [0153.311] GetLastError () returned 0x2 [0153.311] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.EXE" (normalized: "c:\\windows\\syswow64\\timeout.exe"), fInfoLevelId=0x1, lpFindFileData=0x19f2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19f2a8) returned 0x4608608 [0153.311] FindClose (in: hFindFile=0x4608608 | out: hFindFile=0x4608608) returned 1 [0153.311] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0153.311] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0153.311] GetProcessHeap () returned 0x45f0000 [0153.311] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x18) returned 0x45f75f8 [0153.311] _get_osfhandle (_FileHandle=1) returned 0x3c [0153.311] _get_osfhandle (_FileHandle=1) returned 0x3c [0153.311] _get_osfhandle (_FileHandle=1) returned 0x3c [0153.311] GetFileType (hFile=0x3c) returned 0x2 [0153.311] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0153.311] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19f4f4 | out: lpMode=0x19f4f4) returned 1 [0153.417] _dup (_FileHandle=1) returned 3 [0153.417] _close (_FileHandle=1) returned 0 [0153.417] _wcsicmp (_String1="NUL", _String2="con") returned 11 [0153.417] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x19f4d4, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c [0153.889] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 1 [0153.889] GetConsoleTitleW (in: lpConsoleTitle=0x19f2f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.903] _wcsicmp (_String1="timeout", _String2="DIR") returned 16 [0153.903] _wcsicmp (_String1="timeout", _String2="ERASE") returned 15 [0153.904] _wcsicmp (_String1="timeout", _String2="DEL") returned 16 [0153.904] _wcsicmp (_String1="timeout", _String2="TYPE") returned -16 [0153.904] _wcsicmp (_String1="timeout", _String2="COPY") returned 17 [0153.904] _wcsicmp (_String1="timeout", _String2="CD") returned 17 [0153.904] _wcsicmp (_String1="timeout", _String2="CHDIR") returned 17 [0153.904] _wcsicmp (_String1="timeout", _String2="RENAME") returned 2 [0153.904] _wcsicmp (_String1="timeout", _String2="REN") returned 2 [0153.904] _wcsicmp (_String1="timeout", _String2="ECHO") returned 15 [0153.904] _wcsicmp (_String1="timeout", _String2="SET") returned 1 [0153.904] _wcsicmp (_String1="timeout", _String2="PAUSE") returned 4 [0153.904] _wcsicmp (_String1="timeout", _String2="DATE") returned 16 [0153.904] _wcsicmp (_String1="timeout", _String2="TIME") returned 111 [0153.904] _wcsicmp (_String1="timeout", _String2="PROMPT") returned 4 [0153.904] _wcsicmp (_String1="timeout", _String2="MD") returned 7 [0153.904] _wcsicmp (_String1="timeout", _String2="MKDIR") returned 7 [0153.904] _wcsicmp (_String1="timeout", _String2="RD") returned 2 [0153.904] _wcsicmp (_String1="timeout", _String2="RMDIR") returned 2 [0153.904] _wcsicmp (_String1="timeout", _String2="PATH") returned 4 [0153.904] _wcsicmp (_String1="timeout", _String2="GOTO") returned 13 [0153.904] _wcsicmp (_String1="timeout", _String2="SHIFT") returned 1 [0153.904] _wcsicmp (_String1="timeout", _String2="CLS") returned 17 [0153.904] _wcsicmp (_String1="timeout", _String2="CALL") returned 17 [0153.904] _wcsicmp (_String1="timeout", _String2="VERIFY") returned -2 [0153.904] _wcsicmp (_String1="timeout", _String2="VER") returned -2 [0153.904] _wcsicmp (_String1="timeout", _String2="VOL") returned -2 [0153.904] _wcsicmp (_String1="timeout", _String2="EXIT") returned 15 [0153.904] _wcsicmp (_String1="timeout", _String2="SETLOCAL") returned 1 [0153.905] _wcsicmp (_String1="timeout", _String2="ENDLOCAL") returned 15 [0153.905] _wcsicmp (_String1="timeout", _String2="TITLE") returned -7 [0153.905] _wcsicmp (_String1="timeout", _String2="START") returned 1 [0153.905] _wcsicmp (_String1="timeout", _String2="DPATH") returned 16 [0153.905] _wcsicmp (_String1="timeout", _String2="KEYS") returned 9 [0153.905] _wcsicmp (_String1="timeout", _String2="MOVE") returned 7 [0153.905] _wcsicmp (_String1="timeout", _String2="PUSHD") returned 4 [0153.905] _wcsicmp (_String1="timeout", _String2="POPD") returned 4 [0153.905] _wcsicmp (_String1="timeout", _String2="ASSOC") returned 19 [0153.905] _wcsicmp (_String1="timeout", _String2="FTYPE") returned 14 [0153.905] _wcsicmp (_String1="timeout", _String2="BREAK") returned 18 [0153.905] _wcsicmp (_String1="timeout", _String2="COLOR") returned 17 [0153.905] _wcsicmp (_String1="timeout", _String2="MKLINK") returned 7 [0153.905] _wcsicmp (_String1="timeout", _String2="DIR") returned 16 [0153.905] _wcsicmp (_String1="timeout", _String2="ERASE") returned 15 [0153.905] _wcsicmp (_String1="timeout", _String2="DEL") returned 16 [0153.905] _wcsicmp (_String1="timeout", _String2="TYPE") returned -16 [0153.905] _wcsicmp (_String1="timeout", _String2="COPY") returned 17 [0153.905] _wcsicmp (_String1="timeout", _String2="CD") returned 17 [0153.905] _wcsicmp (_String1="timeout", _String2="CHDIR") returned 17 [0153.905] _wcsicmp (_String1="timeout", _String2="RENAME") returned 2 [0153.905] _wcsicmp (_String1="timeout", _String2="REN") returned 2 [0153.905] _wcsicmp (_String1="timeout", _String2="ECHO") returned 15 [0153.906] _wcsicmp (_String1="timeout", _String2="SET") returned 1 [0153.906] _wcsicmp (_String1="timeout", _String2="PAUSE") returned 4 [0153.906] _wcsicmp (_String1="timeout", _String2="DATE") returned 16 [0153.906] _wcsicmp (_String1="timeout", _String2="TIME") returned 111 [0153.906] _wcsicmp (_String1="timeout", _String2="PROMPT") returned 4 [0153.906] _wcsicmp (_String1="timeout", _String2="MD") returned 7 [0153.906] _wcsicmp (_String1="timeout", _String2="MKDIR") returned 7 [0153.906] _wcsicmp (_String1="timeout", _String2="RD") returned 2 [0153.906] _wcsicmp (_String1="timeout", _String2="RMDIR") returned 2 [0153.906] _wcsicmp (_String1="timeout", _String2="PATH") returned 4 [0153.906] _wcsicmp (_String1="timeout", _String2="GOTO") returned 13 [0153.906] _wcsicmp (_String1="timeout", _String2="SHIFT") returned 1 [0153.906] _wcsicmp (_String1="timeout", _String2="CLS") returned 17 [0153.906] _wcsicmp (_String1="timeout", _String2="CALL") returned 17 [0153.906] _wcsicmp (_String1="timeout", _String2="VERIFY") returned -2 [0153.906] _wcsicmp (_String1="timeout", _String2="VER") returned -2 [0153.906] _wcsicmp (_String1="timeout", _String2="VOL") returned -2 [0153.906] _wcsicmp (_String1="timeout", _String2="EXIT") returned 15 [0153.906] _wcsicmp (_String1="timeout", _String2="SETLOCAL") returned 1 [0153.906] _wcsicmp (_String1="timeout", _String2="ENDLOCAL") returned 15 [0153.906] _wcsicmp (_String1="timeout", _String2="TITLE") returned -7 [0153.906] _wcsicmp (_String1="timeout", _String2="START") returned 1 [0153.906] _wcsicmp (_String1="timeout", _String2="DPATH") returned 16 [0153.906] _wcsicmp (_String1="timeout", _String2="KEYS") returned 9 [0153.906] _wcsicmp (_String1="timeout", _String2="MOVE") returned 7 [0153.906] _wcsicmp (_String1="timeout", _String2="PUSHD") returned 4 [0153.907] _wcsicmp (_String1="timeout", _String2="POPD") returned 4 [0153.907] _wcsicmp (_String1="timeout", _String2="ASSOC") returned 19 [0153.907] _wcsicmp (_String1="timeout", _String2="FTYPE") returned 14 [0153.907] _wcsicmp (_String1="timeout", _String2="BREAK") returned 18 [0153.907] _wcsicmp (_String1="timeout", _String2="COLOR") returned 17 [0153.907] _wcsicmp (_String1="timeout", _String2="MKLINK") returned 7 [0153.907] _wcsicmp (_String1="timeout", _String2="FOR") returned 14 [0153.907] _wcsicmp (_String1="timeout", _String2="IF") returned 11 [0153.907] _wcsicmp (_String1="timeout", _String2="REM") returned 2 [0153.907] GetProcessHeap () returned 0x45f0000 [0153.907] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x210) returned 0x4608608 [0153.907] GetProcessHeap () returned 0x45f0000 [0153.907] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x20) returned 0x45fb1c8 [0153.907] _wcsnicmp (_String1="time", _String2="cmd ", _MaxCount=0x4) returned 17 [0153.907] GetProcessHeap () returned 0x45f0000 [0153.907] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x418) returned 0x4608820 [0153.907] SetErrorMode (uMode=0x0) returned 0x0 [0153.907] SetErrorMode (uMode=0x1) returned 0x0 [0153.907] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4608828, lpFilePart=0x19edfc | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x19edfc*="Desktop") returned 0x1d [0153.907] SetErrorMode (uMode=0x0) returned 0x1 [0153.908] GetProcessHeap () returned 0x45f0000 [0153.908] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x4608820, Size=0x54) returned 0x4608820 [0153.908] GetProcessHeap () returned 0x45f0000 [0153.908] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x4608820) returned 0x54 [0153.908] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0153.908] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0153.908] GetProcessHeap () returned 0x45f0000 [0153.908] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x110) returned 0x4608880 [0153.908] GetProcessHeap () returned 0x45f0000 [0153.908] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x218) returned 0x4608998 [0153.908] GetProcessHeap () returned 0x45f0000 [0153.908] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x4608998, Size=0x112) returned 0x4608998 [0153.908] GetProcessHeap () returned 0x45f0000 [0153.908] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x4608998) returned 0x112 [0153.908] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0153.908] GetProcessHeap () returned 0x45f0000 [0153.908] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xe0) returned 0x4608ab8 [0153.908] GetProcessHeap () returned 0x45f0000 [0153.908] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x4608ab8, Size=0x76) returned 0x4608ab8 [0153.908] GetProcessHeap () returned 0x45f0000 [0153.908] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x4608ab8) returned 0x76 [0153.908] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.909] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\timeout.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\timeout.*"), fInfoLevelId=0x1, lpFindFileData=0x19eb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19eb88) returned 0xffffffff [0153.909] GetLastError () returned 0x2 [0153.909] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0153.909] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.*" (normalized: "c:\\windows\\syswow64\\timeout.*"), fInfoLevelId=0x1, lpFindFileData=0x19eb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19eb88) returned 0x4608b38 [0153.909] FindClose (in: hFindFile=0x4608b38 | out: hFindFile=0x4608b38) returned 1 [0153.910] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.COM" (normalized: "c:\\windows\\syswow64\\timeout.com"), fInfoLevelId=0x1, lpFindFileData=0x19eb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19eb88) returned 0xffffffff [0153.910] GetLastError () returned 0x2 [0153.910] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.EXE" (normalized: "c:\\windows\\syswow64\\timeout.exe"), fInfoLevelId=0x1, lpFindFileData=0x19eb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19eb88) returned 0x4608b38 [0153.910] FindClose (in: hFindFile=0x4608b38 | out: hFindFile=0x4608b38) returned 1 [0153.910] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0153.910] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0153.910] GetConsoleTitleW (in: lpConsoleTitle=0x19f07c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0153.911] InitializeProcThreadAttributeList (in: lpAttributeList=0x19efa8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19ef8c | out: lpAttributeList=0x19efa8, lpSize=0x19ef8c) returned 1 [0153.911] UpdateProcThreadAttribute (in: lpAttributeList=0x19efa8, dwFlags=0x0, Attribute=0x60001, lpValue=0x19ef94, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19efa8, lpPreviousValue=0x0) returned 1 [0153.911] GetStartupInfoW (in: lpStartupInfo=0x19efe0 | out: lpStartupInfo=0x19efe0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0153.911] GetProcessHeap () returned 0x45f0000 [0153.911] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x18) returned 0x45f77b8 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0153.911] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0153.912] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0153.912] GetProcessHeap () returned 0x45f0000 [0153.912] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f77b8) returned 1 [0153.912] GetProcessHeap () returned 0x45f0000 [0153.913] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xa) returned 0x4608068 [0153.913] lstrcmpW (lpString1="\\timeout.exe", lpString2="\\XCOPY.EXE") returned -1 [0153.916] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\timeout.exe", lpCommandLine="timeout 3 ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19ef30*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="timeout 3 ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19ef7c | out: lpCommandLine="timeout 3 ", lpProcessInformation=0x19ef7c*(hProcess=0xbc, hThread=0xb8, dwProcessId=0x664, dwThreadId=0xaf8)) returned 1 [0155.705] CloseHandle (hObject=0xb8) returned 1 [0155.705] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0155.705] GetProcessHeap () returned 0x45f0000 [0155.706] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f9de0) returned 1 [0155.706] GetEnvironmentStringsW () returned 0x45f9de0* [0155.706] GetProcessHeap () returned 0x45f0000 [0155.706] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xa76) returned 0x4609028 [0155.706] memcpy (in: _Dst=0x4609028, _Src=0x45f9de0, _Size=0xa76 | out: _Dst=0x4609028) returned 0x4609028 [0155.706] FreeEnvironmentStringsA (penv="=") returned 1 [0155.706] WaitForSingleObject (hHandle=0xbc, dwMilliseconds=0xffffffff) returned 0x0 [0159.717] GetExitCodeProcess (in: hProcess=0xbc, lpExitCode=0x19ef14 | out: lpExitCode=0x19ef14*=0x0) returned 1 [0159.717] CloseHandle (hObject=0xbc) returned 1 [0159.718] _vsnwprintf (in: _Buffer=0x19effc, _BufferCount=0x13, _Format="%08X", _ArgList=0x19ef1c | out: _Buffer="00000000") returned 8 [0159.718] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0159.719] GetProcessHeap () returned 0x45f0000 [0159.719] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4609028) returned 1 [0159.719] GetEnvironmentStringsW () returned 0x45fb260* [0159.719] GetProcessHeap () returned 0x45f0000 [0159.719] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xa9c) returned 0x45fbd08 [0159.719] memcpy (in: _Dst=0x45fbd08, _Src=0x45fb260, _Size=0xa9c | out: _Dst=0x45fbd08) returned 0x45fbd08 [0159.719] FreeEnvironmentStringsA (penv="=") returned 1 [0159.719] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0159.719] GetProcessHeap () returned 0x45f0000 [0159.720] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fbd08) returned 1 [0159.720] GetEnvironmentStringsW () returned 0x45fb260* [0159.720] GetProcessHeap () returned 0x45f0000 [0159.720] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xa9c) returned 0x45fbd08 [0159.720] memcpy (in: _Dst=0x45fbd08, _Src=0x45fb260, _Size=0xa9c | out: _Dst=0x45fbd08) returned 0x45fbd08 [0159.720] FreeEnvironmentStringsA (penv="=") returned 1 [0159.720] GetProcessHeap () returned 0x45f0000 [0159.720] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608068) returned 1 [0159.720] DeleteProcThreadAttributeList (in: lpAttributeList=0x19efa8 | out: lpAttributeList=0x19efa8) [0159.720] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0 [0159.720] _close (_FileHandle=3) returned 0 [0159.720] _get_osfhandle (_FileHandle=1) returned 0x3c [0159.720] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0159.723] _get_osfhandle (_FileHandle=1) returned 0x3c [0159.723] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x1cf40c | out: lpMode=0x1cf40c) returned 1 [0159.727] _get_osfhandle (_FileHandle=0) returned 0x38 [0159.727] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x1cf408 | out: lpMode=0x1cf408) returned 1 [0159.731] _get_osfhandle (_FileHandle=0) returned 0x38 [0159.731] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0159.733] SetConsoleInputExeNameW () returned 0x1 [0159.733] GetConsoleOutputCP () returned 0x1b5 [0159.736] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1cf460 | out: lpCPInfo=0x1cf460) returned 1 [0159.736] SetThreadUILanguage (LangId=0x0) returned 0x409 [0159.738] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x19f73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4 [0159.738] _open_osfhandle (_OSFileHandle=0xb4, _Flags=8) returned 3 [0159.738] _get_osfhandle (_FileHandle=3) returned 0xb4 [0159.738] SetFilePointer (in: hFile=0xb4, lDistanceToMove=28, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c [0159.738] GetProcessHeap () returned 0x45f0000 [0159.739] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608ab8) returned 1 [0159.739] GetProcessHeap () returned 0x45f0000 [0159.739] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608998) returned 1 [0159.739] GetProcessHeap () returned 0x45f0000 [0159.739] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608880) returned 1 [0159.739] GetProcessHeap () returned 0x45f0000 [0159.740] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608820) returned 1 [0159.740] GetProcessHeap () returned 0x45f0000 [0159.740] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fb1c8) returned 1 [0159.740] GetProcessHeap () returned 0x45f0000 [0159.740] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608608) returned 1 [0159.740] GetProcessHeap () returned 0x45f0000 [0159.740] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f75f8) returned 1 [0159.740] GetProcessHeap () returned 0x45f0000 [0159.741] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608588) returned 1 [0159.741] GetProcessHeap () returned 0x45f0000 [0159.741] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608468) returned 1 [0159.741] GetProcessHeap () returned 0x45f0000 [0159.741] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608350) returned 1 [0159.741] GetProcessHeap () returned 0x45f0000 [0159.742] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x46082f0) returned 1 [0159.742] GetProcessHeap () returned 0x45f0000 [0159.742] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608050) returned 1 [0159.742] GetProcessHeap () returned 0x45f0000 [0159.742] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f0f80) returned 1 [0159.742] GetProcessHeap () returned 0x45f0000 [0159.742] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608188) returned 1 [0159.742] GetProcessHeap () returned 0x45f0000 [0159.742] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f76f8) returned 1 [0159.742] GetProcessHeap () returned 0x45f0000 [0159.742] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f0cf0) returned 1 [0159.743] _get_osfhandle (_FileHandle=3) returned 0xb4 [0159.743] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c [0159.743] ReadFile (in: hFile=0xb4, lpBuffer=0x1db960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x19f6c4, lpOverlapped=0x0 | out: lpBuffer=0x1db960*, lpNumberOfBytesRead=0x19f6c4*=0x89, lpOverlapped=0x0) returned 1 [0159.743] SetFilePointer (in: hFile=0xb4, lDistanceToMove=90, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5a [0159.743] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x1db960, cbMultiByte=62, lpWideCharStr=0x1c67e0, cchWideChar=8191 | out: lpWideCharStr="START \"\" \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe\"\r\n") returned 62 [0159.743] _get_osfhandle (_FileHandle=3) returned 0xb4 [0159.743] GetFileType (hFile=0xb4) returned 0x1 [0159.744] _get_osfhandle (_FileHandle=3) returned 0xb4 [0159.744] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5a [0159.744] GetProcessHeap () returned 0x45f0000 [0159.744] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x400a) returned 0x460a550 [0159.744] GetProcessHeap () returned 0x45f0000 [0159.745] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x460a550) returned 1 [0159.745] _wcsicmp (_String1="START", _String2=")") returned 74 [0159.745] _wcsicmp (_String1="FOR", _String2="START") returned -13 [0159.745] _wcsicmp (_String1="FOR/?", _String2="START") returned -13 [0159.745] _wcsicmp (_String1="IF", _String2="START") returned -10 [0159.745] _wcsicmp (_String1="IF/?", _String2="START") returned -10 [0159.745] _wcsicmp (_String1="REM", _String2="START") returned -1 [0159.745] _wcsicmp (_String1="REM/?", _String2="START") returned -1 [0159.745] GetProcessHeap () returned 0x45f0000 [0159.745] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x58) returned 0x45f0cf0 [0159.745] GetProcessHeap () returned 0x45f0000 [0159.745] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x14) returned 0x45f7558 [0159.746] GetProcessHeap () returned 0x45f0000 [0159.746] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x78) returned 0x45f81f8 [0159.746] _tell (_FileHandle=3) returned 90 [0159.746] _close (_FileHandle=3) returned 0 [0159.747] _wcsicmp (_String1="START", _String2="DIR") returned 15 [0159.747] _wcsicmp (_String1="START", _String2="ERASE") returned 14 [0159.747] _wcsicmp (_String1="START", _String2="DEL") returned 15 [0159.747] _wcsicmp (_String1="START", _String2="TYPE") returned -1 [0159.747] _wcsicmp (_String1="START", _String2="COPY") returned 16 [0159.747] _wcsicmp (_String1="START", _String2="CD") returned 16 [0159.747] _wcsicmp (_String1="START", _String2="CHDIR") returned 16 [0159.747] _wcsicmp (_String1="START", _String2="RENAME") returned 1 [0159.747] _wcsicmp (_String1="START", _String2="REN") returned 1 [0159.747] _wcsicmp (_String1="START", _String2="ECHO") returned 14 [0159.747] _wcsicmp (_String1="START", _String2="SET") returned 15 [0159.748] _wcsicmp (_String1="START", _String2="PAUSE") returned 3 [0159.748] _wcsicmp (_String1="START", _String2="DATE") returned 15 [0159.748] _wcsicmp (_String1="START", _String2="TIME") returned -1 [0159.748] _wcsicmp (_String1="START", _String2="PROMPT") returned 3 [0159.748] _wcsicmp (_String1="START", _String2="MD") returned 6 [0159.748] _wcsicmp (_String1="START", _String2="MKDIR") returned 6 [0159.748] _wcsicmp (_String1="START", _String2="RD") returned 1 [0159.748] _wcsicmp (_String1="START", _String2="RMDIR") returned 1 [0159.748] _wcsicmp (_String1="START", _String2="PATH") returned 3 [0159.748] _wcsicmp (_String1="START", _String2="GOTO") returned 12 [0159.748] _wcsicmp (_String1="START", _String2="SHIFT") returned 12 [0159.748] _wcsicmp (_String1="START", _String2="CLS") returned 16 [0159.748] _wcsicmp (_String1="START", _String2="CALL") returned 16 [0159.748] _wcsicmp (_String1="START", _String2="VERIFY") returned -3 [0159.748] _wcsicmp (_String1="START", _String2="VER") returned -3 [0159.748] _wcsicmp (_String1="START", _String2="VOL") returned -3 [0159.748] _wcsicmp (_String1="START", _String2="EXIT") returned 14 [0159.748] _wcsicmp (_String1="START", _String2="SETLOCAL") returned 15 [0159.748] _wcsicmp (_String1="START", _String2="ENDLOCAL") returned 14 [0159.748] _wcsicmp (_String1="START", _String2="TITLE") returned -1 [0159.748] _wcsicmp (_String1="START", _String2="START") returned 0 [0159.748] GetConsoleTitleW (in: lpConsoleTitle=0x19f2f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0159.751] _wcsicmp (_String1="START", _String2="DIR") returned 15 [0159.751] _wcsicmp (_String1="START", _String2="ERASE") returned 14 [0159.751] _wcsicmp (_String1="START", _String2="DEL") returned 15 [0159.751] _wcsicmp (_String1="START", _String2="TYPE") returned -1 [0159.751] _wcsicmp (_String1="START", _String2="COPY") returned 16 [0159.751] _wcsicmp (_String1="START", _String2="CD") returned 16 [0159.751] _wcsicmp (_String1="START", _String2="CHDIR") returned 16 [0159.751] _wcsicmp (_String1="START", _String2="RENAME") returned 1 [0159.751] _wcsicmp (_String1="START", _String2="REN") returned 1 [0159.751] _wcsicmp (_String1="START", _String2="ECHO") returned 14 [0159.751] _wcsicmp (_String1="START", _String2="SET") returned 15 [0159.751] _wcsicmp (_String1="START", _String2="PAUSE") returned 3 [0159.751] _wcsicmp (_String1="START", _String2="DATE") returned 15 [0159.751] _wcsicmp (_String1="START", _String2="TIME") returned -1 [0159.751] _wcsicmp (_String1="START", _String2="PROMPT") returned 3 [0159.751] _wcsicmp (_String1="START", _String2="MD") returned 6 [0159.751] _wcsicmp (_String1="START", _String2="MKDIR") returned 6 [0159.751] _wcsicmp (_String1="START", _String2="RD") returned 1 [0159.752] _wcsicmp (_String1="START", _String2="RMDIR") returned 1 [0159.752] _wcsicmp (_String1="START", _String2="PATH") returned 3 [0159.752] _wcsicmp (_String1="START", _String2="GOTO") returned 12 [0159.752] _wcsicmp (_String1="START", _String2="SHIFT") returned 12 [0159.752] _wcsicmp (_String1="START", _String2="CLS") returned 16 [0159.752] _wcsicmp (_String1="START", _String2="CALL") returned 16 [0159.752] _wcsicmp (_String1="START", _String2="VERIFY") returned -3 [0159.752] _wcsicmp (_String1="START", _String2="VER") returned -3 [0159.752] _wcsicmp (_String1="START", _String2="VOL") returned -3 [0159.752] _wcsicmp (_String1="START", _String2="EXIT") returned 14 [0159.752] _wcsicmp (_String1="START", _String2="SETLOCAL") returned 15 [0159.752] _wcsicmp (_String1="START", _String2="ENDLOCAL") returned 14 [0159.752] _wcsicmp (_String1="START", _String2="TITLE") returned -1 [0159.752] _wcsicmp (_String1="START", _String2="START") returned 0 [0159.752] GetProcessHeap () returned 0x45f0000 [0159.752] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xe8) returned 0x4608c68 [0159.752] GetProcessHeap () returned 0x45f0000 [0159.752] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x4608c68, Size=0x78) returned 0x4608c68 [0159.752] GetProcessHeap () returned 0x45f0000 [0159.752] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x4608c68) returned 0x78 [0159.752] GetProcessHeap () returned 0x45f0000 [0159.752] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x84) returned 0x4608ce8 [0159.755] GetStdHandle (nStdHandle=0xfffffff6) returned 0x38 [0159.755] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0159.755] GetStdHandle (nStdHandle=0xfffffff4) returned 0x40 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="DIR") returned -1 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="ERASE") returned -2 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="DEL") returned -1 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="TYPE") returned -17 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="COPY") returned -53 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="CD") returned -42 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="CHDIR") returned -46 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="RENAME") returned -15 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="REN") returned -15 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="ECHO") returned -2 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="SET") returned -16 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="PAUSE") returned -13 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="DATE") returned -1 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="TIME") returned -17 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="PROMPT") returned -13 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="MD") returned -10 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="MKDIR") returned -10 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="RD") returned -15 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="RMDIR") returned -15 [0159.755] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="PATH") returned -13 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="GOTO") returned -4 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="SHIFT") returned -16 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="CLS") returned -50 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="CALL") returned -39 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="VERIFY") returned -19 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="VER") returned -19 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="VOL") returned -19 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="EXIT") returned -2 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="SETLOCAL") returned -16 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="ENDLOCAL") returned -2 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="TITLE") returned -17 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="START") returned -16 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="DPATH") returned -1 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="KEYS") returned -8 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="MOVE") returned -10 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="PUSHD") returned -13 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="POPD") returned -13 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="ASSOC") returned 2 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="FTYPE") returned -3 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="BREAK") returned 1 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="COLOR") returned -53 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="MKLINK") returned -10 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="FOR") returned -3 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="IF") returned -6 [0159.756] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", _String2="REM") returned -15 [0159.756] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0159.756] GetProcessHeap () returned 0x45f0000 [0159.757] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x418) returned 0x46082f0 [0159.757] SetErrorMode (uMode=0x0) returned 0x0 [0159.757] SetErrorMode (uMode=0x1) returned 0x0 [0159.757] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.", nBufferLength=0x208, lpBuffer=0x46082f8, lpFilePart=0x182b24 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpFilePart=0x182b24*="Roaming") returned 0x25 [0159.757] SetErrorMode (uMode=0x0) returned 0x1 [0159.757] GetProcessHeap () returned 0x45f0000 [0159.757] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x46082f0, Size=0x6c) returned 0x46082f0 [0159.757] GetProcessHeap () returned 0x45f0000 [0159.757] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x46082f0) returned 0x6c [0159.757] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.") returned 1 [0159.757] GetProcessHeap () returned 0x45f0000 [0159.757] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x5a) returned 0x4608d78 [0159.757] GetProcessHeap () returned 0x45f0000 [0159.757] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xa8) returned 0x4608de0 [0159.757] GetProcessHeap () returned 0x45f0000 [0159.757] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x4608de0, Size=0x5a) returned 0x4608de0 [0159.757] GetProcessHeap () returned 0x45f0000 [0159.757] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x4608de0) returned 0x5a [0159.757] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1cf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0159.757] GetProcessHeap () returned 0x45f0000 [0159.757] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xe0) returned 0x4608368 [0159.757] GetProcessHeap () returned 0x45f0000 [0159.758] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x4608368, Size=0x76) returned 0x4608368 [0159.758] GetProcessHeap () returned 0x45f0000 [0159.758] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x4608368) returned 0x76 [0159.758] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0159.758] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\svchost.exe"), fInfoLevelId=0x1, lpFindFileData=0x1828d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1828d0) returned 0x4608e48 [0159.758] FindClose (in: hFindFile=0x4608e48 | out: hFindFile=0x4608e48) returned 1 [0159.758] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0159.758] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0159.758] GetStartupInfoW (in: lpStartupInfo=0x182e28 | out: lpStartupInfo=0x182e28*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0159.759] InitializeProcThreadAttributeList (in: lpAttributeList=0x0, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x182dc4 | out: lpAttributeList=0x0, lpSize=0x182dc4) returned 0 [0159.759] GetLastError () returned 0x7a [0159.759] GetProcessHeap () returned 0x45f0000 [0159.759] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x2c) returned 0x4608e48 [0159.759] InitializeProcThreadAttributeList (in: lpAttributeList=0x4608e48, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x182dc4 | out: lpAttributeList=0x4608e48, lpSize=0x182dc4) returned 1 [0159.759] UpdateProcThreadAttribute (in: lpAttributeList=0x4608e48, dwFlags=0x0, Attribute=0x60001, lpValue=0x182ddc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x4608e48, lpPreviousValue=0x0) returned 1 [0159.759] CreateProcessW (in: lpApplicationName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", lpCommandLine="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80410, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x182de0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x38, hStdOutput=0x3c, hStdError=0x40), lpProcessInformation=0x182dcc | out: lpCommandLine="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe\" ", lpProcessInformation=0x182dcc*(hProcess=0xbc, hThread=0xb4, dwProcessId=0xc40, dwThreadId=0xb1c)) returned 1 [0161.295] DeleteProcThreadAttributeList (in: lpAttributeList=0x4608e48 | out: lpAttributeList=0x4608e48) [0161.295] GetProcessHeap () returned 0x45f0000 [0161.295] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608e48) returned 1 [0161.295] GetLastError () returned 0x0 [0161.295] ResumeThread (hThread=0xb4) returned 0x0 [0161.295] CloseHandle (hObject=0xb4) returned 1 [0161.296] CloseHandle (hObject=0xbc) returned 1 [0161.296] _get_osfhandle (_FileHandle=1) returned 0x3c [0161.296] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0161.385] _get_osfhandle (_FileHandle=1) returned 0x3c [0161.385] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x1cf40c | out: lpMode=0x1cf40c) returned 1 [0161.484] _get_osfhandle (_FileHandle=0) returned 0x38 [0161.484] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x1cf408 | out: lpMode=0x1cf408) returned 1 [0161.767] SetConsoleInputExeNameW () returned 0x1 [0161.767] GetConsoleOutputCP () returned 0x1b5 [0161.793] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1cf460 | out: lpCPInfo=0x1cf460) returned 1 [0161.793] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.014] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x19f73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xbc [0162.014] _open_osfhandle (_OSFileHandle=0xbc, _Flags=8) returned 3 [0162.018] _get_osfhandle (_FileHandle=3) returned 0xbc [0162.018] SetFilePointer (in: hFile=0xbc, lDistanceToMove=90, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x5a [0162.019] GetProcessHeap () returned 0x45f0000 [0162.019] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608368) returned 1 [0162.019] GetProcessHeap () returned 0x45f0000 [0162.020] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608de0) returned 1 [0162.020] GetProcessHeap () returned 0x45f0000 [0162.020] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608d78) returned 1 [0162.020] GetProcessHeap () returned 0x45f0000 [0162.021] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x46082f0) returned 1 [0162.021] GetProcessHeap () returned 0x45f0000 [0162.021] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608ce8) returned 1 [0162.021] GetProcessHeap () returned 0x45f0000 [0162.021] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608c68) returned 1 [0162.022] GetProcessHeap () returned 0x45f0000 [0162.022] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f81f8) returned 1 [0162.022] GetProcessHeap () returned 0x45f0000 [0162.022] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f7558) returned 1 [0162.022] GetProcessHeap () returned 0x45f0000 [0162.023] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f0cf0) returned 1 [0162.023] _get_osfhandle (_FileHandle=3) returned 0xbc [0162.023] SetFilePointer (in: hFile=0xbc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x5a [0162.024] ReadFile (in: hFile=0xbc, lpBuffer=0x1db960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x19f6c4, lpOverlapped=0x0 | out: lpBuffer=0x1db960*, lpNumberOfBytesRead=0x19f6c4*=0x4b, lpOverlapped=0x0) returned 1 [0162.024] SetFilePointer (in: hFile=0xbc, lDistanceToMove=136, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x88 [0162.024] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x1db960, cbMultiByte=46, lpWideCharStr=0x1c67e0, cchWideChar=8191 | out: lpWideCharStr="CD C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\\r\ng\\svchost.exe\"\r\n") returned 46 [0162.024] _get_osfhandle (_FileHandle=3) returned 0xbc [0162.024] GetFileType (hFile=0xbc) returned 0x1 [0162.025] _get_osfhandle (_FileHandle=3) returned 0xbc [0162.025] SetFilePointer (in: hFile=0xbc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x88 [0162.025] GetProcessHeap () returned 0x45f0000 [0162.025] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x400a) returned 0x460a550 [0162.025] GetProcessHeap () returned 0x45f0000 [0162.025] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x460a550) returned 1 [0162.025] _wcsicmp (_String1="CD", _String2=")") returned 58 [0162.025] _wcsicmp (_String1="FOR", _String2="CD") returned 3 [0162.025] _wcsicmp (_String1="FOR/?", _String2="CD") returned 3 [0162.025] _wcsicmp (_String1="IF", _String2="CD") returned 6 [0162.025] _wcsicmp (_String1="IF/?", _String2="CD") returned 6 [0162.026] _wcsicmp (_String1="REM", _String2="CD") returned 15 [0162.026] _wcsicmp (_String1="REM/?", _String2="CD") returned 15 [0162.026] GetProcessHeap () returned 0x45f0000 [0162.026] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x58) returned 0x45f0cf0 [0162.026] GetProcessHeap () returned 0x45f0000 [0162.026] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xe) returned 0x46080f8 [0162.026] GetProcessHeap () returned 0x45f0000 [0162.026] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x5e) returned 0x45fcc50 [0162.027] _tell (_FileHandle=3) returned 136 [0162.027] _close (_FileHandle=3) returned 0 [0162.027] _wcsicmp (_String1="CD", _String2="DIR") returned -1 [0162.027] _wcsicmp (_String1="CD", _String2="ERASE") returned -2 [0162.029] _wcsicmp (_String1="CD", _String2="DEL") returned -1 [0162.029] _wcsicmp (_String1="CD", _String2="TYPE") returned -17 [0162.030] _wcsicmp (_String1="CD", _String2="COPY") returned -11 [0162.030] _wcsicmp (_String1="CD", _String2="CD") returned 0 [0162.030] GetConsoleTitleW (in: lpConsoleTitle=0x19f2f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.108] _wcsicmp (_String1="CD", _String2="DIR") returned -1 [0162.108] _wcsicmp (_String1="CD", _String2="ERASE") returned -2 [0162.108] _wcsicmp (_String1="CD", _String2="DEL") returned -1 [0162.108] _wcsicmp (_String1="CD", _String2="TYPE") returned -17 [0162.108] _wcsicmp (_String1="CD", _String2="COPY") returned -11 [0162.108] _wcsicmp (_String1="CD", _String2="CD") returned 0 [0162.108] GetProcessHeap () returned 0x45f0000 [0162.108] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xb4) returned 0x4608c68 [0162.108] GetProcessHeap () returned 0x45f0000 [0162.108] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x4608c68, Size=0x5e) returned 0x4608c68 [0162.108] GetProcessHeap () returned 0x45f0000 [0162.108] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x4608c68) returned 0x5e [0162.108] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0162.108] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0162.108] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x19f0a8, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x19f0a0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x19f0a0*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0162.109] GetProcessHeap () returned 0x45f0000 [0162.109] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x64) returned 0x45fa7e8 [0162.109] GetProcessHeap () returned 0x45f0000 [0162.109] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xb4) returned 0x4608cd0 [0162.109] GetProcessHeap () returned 0x45f0000 [0162.109] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x4608cd0, Size=0x5e) returned 0x4608cd0 [0162.109] GetProcessHeap () returned 0x45f0000 [0162.109] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x4608cd0) returned 0x5e [0162.109] _wcsnicmp (_String1="C:", _String2="/D", _MaxCount=0x2) returned 52 [0162.109] GetProcessHeap () returned 0x45f0000 [0162.109] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x5c) returned 0x45fc910 [0162.109] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19ee4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0162.109] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x104, lpBuffer=0x19ee4c, lpFilePart=0x19ee44 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x19ee44*=0x0) returned 0x29 [0162.109] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp")) returned 0x10 [0162.109] FindFirstFileW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), lpFindFileData=0x19ebc8 | out: lpFindFileData=0x19ebc8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x46087c0 [0162.109] FindClose (in: hFindFile=0x46087c0 | out: hFindFile=0x46087c0) returned 1 [0162.110] memcpy (in: _Dst=0x19ee52, _Src=0x19ebf4, _Size=0xa | out: _Dst=0x19ee52) returned 0x19ee52 [0162.110] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX" (normalized: "c:\\users\\rdhj0cnfevzx"), lpFindFileData=0x19ebc8 | out: lpFindFileData=0x19ebc8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x46087c0 [0162.110] FindClose (in: hFindFile=0x46087c0 | out: hFindFile=0x46087c0) returned 1 [0162.110] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16 [0162.110] memcpy (in: _Dst=0x19ee5e, _Src=0x19ebf4, _Size=0x18 | out: _Dst=0x19ee5e) returned 0x19ee5e [0162.110] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata"), lpFindFileData=0x19ebc8 | out: lpFindFileData=0x19ebc8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 0x46087c0 [0162.110] FindClose (in: hFindFile=0x46087c0 | out: hFindFile=0x46087c0) returned 1 [0162.110] memcpy (in: _Dst=0x19ee78, _Src=0x19ebf4, _Size=0xe | out: _Dst=0x19ee78) returned 0x19ee78 [0162.110] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local"), lpFindFileData=0x19ebc8 | out: lpFindFileData=0x19ebc8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x50b344cd, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x50b344cd, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 0x46087c0 [0162.110] FindClose (in: hFindFile=0x46087c0 | out: hFindFile=0x46087c0) returned 1 [0162.110] memcpy (in: _Dst=0x19ee88, _Src=0x19ebf4, _Size=0xa | out: _Dst=0x19ee88) returned 0x19ee88 [0162.111] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp"), lpFindFileData=0x19ebc8 | out: lpFindFileData=0x19ebc8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x9d979e84, ftLastAccessTime.dwHighDateTime=0x1d8a8c5, ftLastWriteTime.dwLowDateTime=0x9d979e84, ftLastWriteTime.dwHighDateTime=0x1d8a8c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0x46087c0 [0162.111] FindClose (in: hFindFile=0x46087c0 | out: hFindFile=0x46087c0) returned 1 [0162.111] memcpy (in: _Dst=0x19ee94, _Src=0x19ebf4, _Size=0x8 | out: _Dst=0x19ee94) returned 0x19ee94 [0162.111] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp")) returned 0x10 [0162.111] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp")) returned 1 [0162.111] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned 1 [0162.111] GetProcessHeap () returned 0x45f0000 [0162.112] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fbd08) returned 1 [0162.112] GetEnvironmentStringsW () returned 0x45fb570* [0162.112] GetProcessHeap () returned 0x45f0000 [0162.112] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0xab2) returned 0x45fda78 [0162.112] memcpy (in: _Dst=0x45fda78, _Src=0x45fb570, _Size=0xab2 | out: _Dst=0x45fda78) returned 0x45fda78 [0162.112] FreeEnvironmentStringsA (penv="=") returned 1 [0162.112] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1d7720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned 0x28 [0162.112] GetProcessHeap () returned 0x45f0000 [0162.113] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fc910) returned 1 [0162.113] _get_osfhandle (_FileHandle=1) returned 0x3c [0162.113] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0162.118] _get_osfhandle (_FileHandle=1) returned 0x3c [0162.118] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x1cf40c | out: lpMode=0x1cf40c) returned 1 [0162.120] _get_osfhandle (_FileHandle=0) returned 0x38 [0162.120] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x1cf408 | out: lpMode=0x1cf408) returned 1 [0162.123] SetConsoleInputExeNameW () returned 0x1 [0162.123] GetConsoleOutputCP () returned 0x1b5 [0162.150] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1cf460 | out: lpCPInfo=0x1cf460) returned 1 [0162.150] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.156] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x19f73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28 [0162.157] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 3 [0162.157] _get_osfhandle (_FileHandle=3) returned 0x28 [0162.157] SetFilePointer (in: hFile=0x28, lDistanceToMove=136, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x88 [0162.157] GetProcessHeap () returned 0x45f0000 [0162.157] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608cd0) returned 1 [0162.158] GetProcessHeap () returned 0x45f0000 [0162.158] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fa7e8) returned 1 [0162.158] GetProcessHeap () returned 0x45f0000 [0162.158] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608c68) returned 1 [0162.158] GetProcessHeap () returned 0x45f0000 [0162.158] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fcc50) returned 1 [0162.158] GetProcessHeap () returned 0x45f0000 [0162.158] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x46080f8) returned 1 [0162.159] GetProcessHeap () returned 0x45f0000 [0162.159] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f0cf0) returned 1 [0162.159] _get_osfhandle (_FileHandle=3) returned 0x28 [0162.159] SetFilePointer (in: hFile=0x28, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x88 [0162.159] ReadFile (in: hFile=0x28, lpBuffer=0x1db960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x19f6c4, lpOverlapped=0x0 | out: lpBuffer=0x1db960*, lpNumberOfBytesRead=0x19f6c4*=0x1d, lpOverlapped=0x0) returned 1 [0162.159] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x1db960, cbMultiByte=29, lpWideCharStr=0x1c67e0, cchWideChar=8191 | out: lpWideCharStr="DEL \"tmpB6E4.tmp.bat\" /f /q\r\nata\\Local\\Temp\\\r\ng\\svchost.exe\"\r\n") returned 29 [0162.160] _get_osfhandle (_FileHandle=3) returned 0x28 [0162.160] GetFileType (hFile=0x28) returned 0x1 [0162.160] _get_osfhandle (_FileHandle=3) returned 0x28 [0162.160] SetFilePointer (in: hFile=0x28, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xa5 [0162.160] GetProcessHeap () returned 0x45f0000 [0162.160] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x400a) returned 0x46092d0 [0162.160] GetProcessHeap () returned 0x45f0000 [0162.160] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x46092d0) returned 1 [0162.160] _wcsicmp (_String1="DEL", _String2=")") returned 59 [0162.160] _wcsicmp (_String1="FOR", _String2="DEL") returned 2 [0162.160] _wcsicmp (_String1="FOR/?", _String2="DEL") returned 2 [0162.160] _wcsicmp (_String1="IF", _String2="DEL") returned 5 [0162.161] _wcsicmp (_String1="IF/?", _String2="DEL") returned 5 [0162.161] _wcsicmp (_String1="REM", _String2="DEL") returned 14 [0162.161] _wcsicmp (_String1="REM/?", _String2="DEL") returned 14 [0162.161] GetProcessHeap () returned 0x45f0000 [0162.161] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x58) returned 0x45f0cf0 [0162.161] GetProcessHeap () returned 0x45f0000 [0162.161] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x10) returned 0x4608158 [0162.161] GetProcessHeap () returned 0x45f0000 [0162.161] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x3a) returned 0x46087c0 [0162.161] _tell (_FileHandle=3) returned 165 [0162.161] _close (_FileHandle=3) returned 0 [0162.162] _wcsicmp (_String1="DEL", _String2="DIR") returned -4 [0162.162] _wcsicmp (_String1="DEL", _String2="ERASE") returned -1 [0162.162] _wcsicmp (_String1="DEL", _String2="DEL") returned 0 [0162.162] GetConsoleTitleW (in: lpConsoleTitle=0x19f2f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0162.164] _wcsicmp (_String1="DEL", _String2="DIR") returned -4 [0162.164] _wcsicmp (_String1="DEL", _String2="ERASE") returned -1 [0162.165] _wcsicmp (_String1="DEL", _String2="DEL") returned 0 [0162.165] GetProcessHeap () returned 0x45f0000 [0162.165] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x6c) returned 0x45fa7e8 [0162.165] GetProcessHeap () returned 0x45f0000 [0162.165] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x45fa7e8, Size=0x3e) returned 0x45fa7e8 [0162.165] GetProcessHeap () returned 0x45f0000 [0162.165] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x45fa7e8) returned 0x3e [0162.165] GetProcessHeap () returned 0x45f0000 [0162.165] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x42) returned 0x4608518 [0162.165] GetProcessHeap () returned 0x45f0000 [0162.165] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x6c) returned 0x4608568 [0162.165] GetProcessHeap () returned 0x45f0000 [0162.165] RtlReAllocateHeap (Heap=0x45f0000, Flags=0x0, Ptr=0x4608568, Size=0x3e) returned 0x4608568 [0162.165] GetProcessHeap () returned 0x45f0000 [0162.165] RtlSizeHeap (HeapHandle=0x45f0000, Flags=0x0, MemoryPointer=0x4608568) returned 0x3e [0162.165] GetProcessHeap () returned 0x45f0000 [0162.165] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x28) returned 0x45fa830 [0162.165] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x19f098 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned 0x28 [0162.165] GetProcessHeap () returned 0x45f0000 [0162.165] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x38) returned 0x46085b0 [0162.165] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x19e108 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned 0x28 [0162.165] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x19e33c, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x19e340, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x19e33c*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0162.166] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0162.166] GetProcessHeap () returned 0x45f0000 [0162.166] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x2c) returned 0x46085f0 [0162.166] GetProcessHeap () returned 0x45f0000 [0162.166] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x258) returned 0x45fb570 [0162.166] _wcsicmp (_String1="tmpB6E4.tmp.bat", _String2=".") returned 70 [0162.166] _wcsicmp (_String1="tmpB6E4.tmp.bat", _String2="..") returned 70 [0162.166] GetFileAttributesW (lpFileName="tmpB6E4.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat")) returned 0x20 [0162.166] GetProcessHeap () returned 0x45f0000 [0162.166] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x210) returned 0x4608c68 [0162.166] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4608c70 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned 0x28 [0162.166] SetErrorMode (uMode=0x0) returned 0x0 [0162.166] SetErrorMode (uMode=0x1) returned 0x0 [0162.166] GetFullPathNameW (in: lpFileName="tmpB6E4.tmp.bat", nBufferLength=0x104, lpBuffer=0x19e768, lpFilePart=0x19e73c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat", lpFilePart=0x19e73c*="tmpB6E4.tmp.bat") returned 0x38 [0162.166] SetErrorMode (uMode=0x0) returned 0x1 [0162.167] GetProcessHeap () returned 0x45f0000 [0162.167] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x258) returned 0x45fb7d0 [0162.167] _wcsicmp (_String1="tmpB6E4.tmp.bat", _String2=".") returned 70 [0162.167] _wcsicmp (_String1="tmpB6E4.tmp.bat", _String2="..") returned 70 [0162.167] GetFileAttributesW (lpFileName="tmpB6E4.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat")) returned 0x20 [0162.167] GetProcessHeap () returned 0x45f0000 [0162.167] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x28) returned 0x45f0878 [0162.167] GetProcessHeap () returned 0x45f0000 [0162.167] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x5a) returned 0x45fcd20 [0162.167] GetProcessHeap () returned 0x45f0000 [0162.167] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x5a) returned 0x45fcb18 [0162.167] GetProcessHeap () returned 0x45f0000 [0162.167] RtlAllocateHeap (HeapHandle=0x45f0000, Flags=0x8, Size=0x808) returned 0x45fba30 [0162.167] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat"), fInfoLevelId=0x0, lpFindFileData=0x45fba3c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x45fba3c) returned 0x4608628 [0162.167] RtlDosPathNameToRelativeNtPathName_U_WithStatus () returned 0x0 [0162.167] NtOpenFile (in: FileHandle=0x19e63c, DesiredAccess=0x10000, ObjectAttributes=0x19e604*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19e62c, ShareAccess=0x4, OpenOptions=0x5040 | out: FileHandle=0x19e63c*=0xb4, IoStatusBlock=0x19e62c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0162.169] RtlReleaseRelativeName () returned 0x19e61c [0162.169] RtlFreeAnsiString (AnsiString="\\") [0162.169] NtQueryVolumeInformationFile (in: FileHandle=0xb4, IoStatusBlock=0x19e568, FsInformation=0x19e570, Length=0x8, FsInformationClass=0x4 | out: IoStatusBlock=0x19e568, FsInformation=0x19e570) returned 0x0 [0162.169] CloseHandle (hObject=0xb4) returned 1 [0162.171] FindNextFileW (in: hFindFile=0x4608628, lpFindFileData=0x45fba3c | out: lpFindFileData=0x45fba3c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d979e84, ftCreationTime.dwHighDateTime=0x1d8a8c5, ftLastAccessTime.dwLowDateTime=0x9d979e84, ftLastAccessTime.dwHighDateTime=0x1d8a8c5, ftLastWriteTime.dwLowDateTime=0x9d97ece5, ftLastWriteTime.dwHighDateTime=0x1d8a8c5, nFileSizeHigh=0x0, nFileSizeLow=0xa5, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmpB6E4.tmp.bat", cAlternateFileName="TMPB6E~1.BAT")) returned 0 [0162.172] GetLastError () returned 0x12 [0162.172] FindClose (in: hFindFile=0x4608628 | out: hFindFile=0x4608628) returned 1 [0162.172] GetProcessHeap () returned 0x45f0000 [0162.172] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fba30) returned 1 [0162.173] GetProcessHeap () returned 0x45f0000 [0162.173] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fcb18) returned 1 [0162.173] GetProcessHeap () returned 0x45f0000 [0162.173] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45f0878) returned 1 [0162.173] GetProcessHeap () returned 0x45f0000 [0162.174] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fcd20) returned 1 [0162.174] GetProcessHeap () returned 0x45f0000 [0162.174] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fb7d0) returned 1 [0162.174] GetProcessHeap () returned 0x45f0000 [0162.174] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608c68) returned 1 [0162.174] GetProcessHeap () returned 0x45f0000 [0162.174] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fb570) returned 1 [0162.174] GetProcessHeap () returned 0x45f0000 [0162.175] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x46085f0) returned 1 [0162.175] GetProcessHeap () returned 0x45f0000 [0162.175] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x46085b0) returned 1 [0162.175] GetProcessHeap () returned 0x45f0000 [0162.175] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x45fa830) returned 1 [0162.175] GetProcessHeap () returned 0x45f0000 [0162.176] RtlFreeHeap (HeapHandle=0x45f0000, Flags=0x0, BaseAddress=0x4608568) returned 1 [0162.176] _get_osfhandle (_FileHandle=1) returned 0x3c [0162.176] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0162.177] _get_osfhandle (_FileHandle=1) returned 0x3c [0162.177] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x1cf40c | out: lpMode=0x1cf40c) returned 1 [0162.192] _get_osfhandle (_FileHandle=0) returned 0x38 [0162.192] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x1cf408 | out: lpMode=0x1cf408) returned 1 [0162.377] SetConsoleInputExeNameW () returned 0x1 [0162.377] GetConsoleOutputCP () returned 0x1b5 [0162.485] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1cf460 | out: lpCPInfo=0x1cf460) returned 1 [0162.485] SetThreadUILanguage (LangId=0x0) returned 0x409 [0162.676] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpB6E4.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpb6e4.tmp.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x19f73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0162.677] GetLastError () returned 0x2 [0162.677] _get_osfhandle (_FileHandle=2) returned 0x40 [0162.677] GetFileType (hFile=0x40) returned 0x2 [0162.677] GetStdHandle (nStdHandle=0xfffffff4) returned 0x40 [0162.677] GetConsoleMode (in: hConsoleHandle=0x40, lpMode=0x19f6d4 | out: lpMode=0x19f6d4) returned 1 [0162.816] _get_osfhandle (_FileHandle=2) returned 0x40 [0162.816] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x40, lpConsoleScreenBufferInfo=0x19f724 | out: lpConsoleScreenBufferInfo=0x19f724) returned 1 [0163.090] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0x1d7940, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21 [0163.327] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0x1d7940, nSize=0x2000, Arguments=0x19f754 | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21 [0163.327] WriteConsoleW (in: hConsoleOutput=0x40, lpBuffer=0x1d7940*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0x19f708, lpReserved=0x0 | out: lpBuffer=0x1d7940*, lpNumberOfCharsWritten=0x19f708*=0x21) returned 1 [0163.746] CmdBatNotificationStub () returned 0x1 [0163.746] _get_osfhandle (_FileHandle=1) returned 0x3c [0163.746] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0163.828] _get_osfhandle (_FileHandle=1) returned 0x3c [0163.828] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x1cf40c | out: lpMode=0x1cf40c) returned 1 [0163.893] _get_osfhandle (_FileHandle=0) returned 0x38 [0163.893] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x1cf408 | out: lpMode=0x1cf408) returned 1 [0163.907] SetConsoleInputExeNameW () returned 0x1 [0163.908] GetConsoleOutputCP () returned 0x1b5 [0163.913] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1cf460 | out: lpCPInfo=0x1cf460) returned 1 [0163.913] SetThreadUILanguage (LangId=0x0) returned 0x409 [0163.919] exit (_Code=1) Thread: id = 19 os_tid = 0xc50 Process: id = "4" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x73a8b000" os_pid = "0xcac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xcbc" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 452 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 453 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 454 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 455 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 456 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 457 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 458 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 459 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 460 start_va = 0x7ff637930000 end_va = 0x7ff637940fff monitored = 0 entry_point = 0x7ff6379316b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 461 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 467 start_va = 0x600000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 468 start_va = 0x7ffa15160000 end_va = 0x7ffa1520cfff monitored = 0 entry_point = 0x7ffa151781a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 469 start_va = 0x7ffa13130000 end_va = 0x7ffa13317fff monitored = 0 entry_point = 0x7ffa1315ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 470 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 471 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 472 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 473 start_va = 0x7ffa13cc0000 end_va = 0x7ffa13d5cfff monitored = 0 entry_point = 0x7ffa13cc78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 474 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 475 start_va = 0x600000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 476 start_va = 0x720000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 477 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 498 start_va = 0x7ffa0abf0000 end_va = 0x7ffa0ac48fff monitored = 0 entry_point = 0x7ffa0abffbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 506 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 507 start_va = 0x7ffa14340000 end_va = 0x7ffa145bcfff monitored = 0 entry_point = 0x7ffa14414970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 508 start_va = 0x7ffa145c0000 end_va = 0x7ffa146dbfff monitored = 0 entry_point = 0x7ffa146002b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 509 start_va = 0x7ffa13320000 end_va = 0x7ffa13389fff monitored = 0 entry_point = 0x7ffa13356d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 510 start_va = 0x7ffa13d80000 end_va = 0x7ffa13ed5fff monitored = 0 entry_point = 0x7ffa13d8a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 511 start_va = 0x7ffa13ee0000 end_va = 0x7ffa14065fff monitored = 0 entry_point = 0x7ffa13f2ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 515 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 516 start_va = 0x7ffa13b70000 end_va = 0x7ffa13cb2fff monitored = 0 entry_point = 0x7ffa13b98210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 517 start_va = 0x7ffa14070000 end_va = 0x7ffa140cafff monitored = 0 entry_point = 0x7ffa140838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 518 start_va = 0x7ffa141e0000 end_va = 0x7ffa1421afff monitored = 0 entry_point = 0x7ffa141e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 523 start_va = 0x7ffa147c0000 end_va = 0x7ffa14880fff monitored = 0 entry_point = 0x7ffa147e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 524 start_va = 0x7ffa11220000 end_va = 0x7ffa113a5fff monitored = 0 entry_point = 0x7ffa1126d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 532 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 533 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 534 start_va = 0x820000 end_va = 0x9a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 535 start_va = 0x9b0000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 536 start_va = 0xb40000 end_va = 0x1f3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 537 start_va = 0x1f40000 end_va = 0x202ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 540 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 541 start_va = 0x6e0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 542 start_va = 0x7ffa15210000 end_va = 0x7ffa1676efff monitored = 0 entry_point = 0x7ffa153711f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 543 start_va = 0x7ffa13390000 end_va = 0x7ffa133d2fff monitored = 0 entry_point = 0x7ffa133a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 544 start_va = 0x7ffa13520000 end_va = 0x7ffa13b63fff monitored = 0 entry_point = 0x7ffa136e64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 548 start_va = 0x7ffa15090000 end_va = 0x7ffa15136fff monitored = 0 entry_point = 0x7ffa150a58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 549 start_va = 0x7ffa14ba0000 end_va = 0x7ffa14bf1fff monitored = 0 entry_point = 0x7ffa14baf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 552 start_va = 0x7ffa12e10000 end_va = 0x7ffa12e1efff monitored = 0 entry_point = 0x7ffa12e13210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 553 start_va = 0x7ffa12e80000 end_va = 0x7ffa12f34fff monitored = 0 entry_point = 0x7ffa12ec22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 557 start_va = 0x7ffa12dc0000 end_va = 0x7ffa12e0afff monitored = 0 entry_point = 0x7ffa12dc35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 558 start_va = 0x7ffa12d90000 end_va = 0x7ffa12da3fff monitored = 0 entry_point = 0x7ffa12d952e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 559 start_va = 0x7ffa11710000 end_va = 0x7ffa117a5fff monitored = 0 entry_point = 0x7ffa11735570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 562 start_va = 0x640000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 564 start_va = 0x2030000 end_va = 0x2366fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 565 start_va = 0x50000 end_va = 0x70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 566 start_va = 0x640000 end_va = 0x699fff monitored = 1 entry_point = 0x6553f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 567 start_va = 0x6d0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 572 start_va = 0x2370000 end_va = 0x2581fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002370000" filename = "" Region: id = 573 start_va = 0x2590000 end_va = 0x27a9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 574 start_va = 0x27b0000 end_va = 0x28bafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 575 start_va = 0x28c0000 end_va = 0x2adafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 580 start_va = 0x2ae0000 end_va = 0x2bf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 582 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 583 start_va = 0x7ffa14a40000 end_va = 0x7ffa14b99fff monitored = 0 entry_point = 0x7ffa14a838e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 584 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 585 start_va = 0x1f40000 end_va = 0x1ffbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 586 start_va = 0x2020000 end_va = 0x202ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 587 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 588 start_va = 0x7ffa10610000 end_va = 0x7ffa10631fff monitored = 0 entry_point = 0x7ffa10611a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 589 start_va = 0x7ffa11410000 end_va = 0x7ffa11422fff monitored = 0 entry_point = 0x7ffa11412760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 597 start_va = 0x7ffa12ba0000 end_va = 0x7ffa12bf5fff monitored = 0 entry_point = 0x7ffa12bb0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 598 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 599 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 600 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 601 start_va = 0x1d0000 end_va = 0x1d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 602 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 603 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 604 start_va = 0x7ffa080f0000 end_va = 0x7ffa08363fff monitored = 0 entry_point = 0x7ffa08160400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 605 start_va = 0x680000 end_va = 0x680fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 606 start_va = 0x690000 end_va = 0x691fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Thread: id = 12 os_tid = 0xca8 Thread: id = 14 os_tid = 0xc6c Thread: id = 17 os_tid = 0xc5c Thread: id = 18 os_tid = 0xc54 Process: id = "5" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x73a24000" os_pid = "0xca4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xcb4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 478 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 479 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 480 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 481 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 482 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 483 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 484 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 485 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 486 start_va = 0x7ff637930000 end_va = 0x7ff637940fff monitored = 0 entry_point = 0x7ff6379316b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 487 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 488 start_va = 0x600000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 489 start_va = 0x7ffa15160000 end_va = 0x7ffa1520cfff monitored = 0 entry_point = 0x7ffa151781a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 490 start_va = 0x7ffa13130000 end_va = 0x7ffa13317fff monitored = 0 entry_point = 0x7ffa1315ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 491 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 492 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 493 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 494 start_va = 0x7ffa13cc0000 end_va = 0x7ffa13d5cfff monitored = 0 entry_point = 0x7ffa13cc78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 495 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 496 start_va = 0x190000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 497 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 499 start_va = 0x7ffa0abf0000 end_va = 0x7ffa0ac48fff monitored = 0 entry_point = 0x7ffa0abffbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 500 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 501 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 502 start_va = 0x7ffa14340000 end_va = 0x7ffa145bcfff monitored = 0 entry_point = 0x7ffa14414970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 503 start_va = 0x7ffa145c0000 end_va = 0x7ffa146dbfff monitored = 0 entry_point = 0x7ffa146002b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 504 start_va = 0x7ffa13320000 end_va = 0x7ffa13389fff monitored = 0 entry_point = 0x7ffa13356d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 505 start_va = 0x7ffa13d80000 end_va = 0x7ffa13ed5fff monitored = 0 entry_point = 0x7ffa13d8a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 512 start_va = 0x7ffa13ee0000 end_va = 0x7ffa14065fff monitored = 0 entry_point = 0x7ffa13f2ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 513 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 514 start_va = 0x7ffa13b70000 end_va = 0x7ffa13cb2fff monitored = 0 entry_point = 0x7ffa13b98210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 519 start_va = 0x7ffa14070000 end_va = 0x7ffa140cafff monitored = 0 entry_point = 0x7ffa140838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 520 start_va = 0x7ffa141e0000 end_va = 0x7ffa1421afff monitored = 0 entry_point = 0x7ffa141e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 521 start_va = 0x7ffa147c0000 end_va = 0x7ffa14880fff monitored = 0 entry_point = 0x7ffa147e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 522 start_va = 0x7ffa11220000 end_va = 0x7ffa113a5fff monitored = 0 entry_point = 0x7ffa1126d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 525 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 526 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 527 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 528 start_va = 0x7e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 529 start_va = 0x8e0000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 530 start_va = 0xa70000 end_va = 0x1e6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 531 start_va = 0x1e70000 end_va = 0x1fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 538 start_va = 0x790000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 539 start_va = 0x7ffa15210000 end_va = 0x7ffa1676efff monitored = 0 entry_point = 0x7ffa153711f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 545 start_va = 0x7ffa13390000 end_va = 0x7ffa133d2fff monitored = 0 entry_point = 0x7ffa133a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 546 start_va = 0x7ffa13520000 end_va = 0x7ffa13b63fff monitored = 0 entry_point = 0x7ffa136e64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 547 start_va = 0x7ffa15090000 end_va = 0x7ffa15136fff monitored = 0 entry_point = 0x7ffa150a58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 550 start_va = 0x7ffa14ba0000 end_va = 0x7ffa14bf1fff monitored = 0 entry_point = 0x7ffa14baf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 551 start_va = 0x7ffa12e10000 end_va = 0x7ffa12e1efff monitored = 0 entry_point = 0x7ffa12e13210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 554 start_va = 0x7ffa12e80000 end_va = 0x7ffa12f34fff monitored = 0 entry_point = 0x7ffa12ec22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 555 start_va = 0x7ffa12dc0000 end_va = 0x7ffa12e0afff monitored = 0 entry_point = 0x7ffa12dc35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 556 start_va = 0x7ffa12d90000 end_va = 0x7ffa12da3fff monitored = 0 entry_point = 0x7ffa12d952e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 560 start_va = 0x7ffa11710000 end_va = 0x7ffa117a5fff monitored = 0 entry_point = 0x7ffa11735570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 561 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 563 start_va = 0x1fd0000 end_va = 0x2306fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 568 start_va = 0x50000 end_va = 0x70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 569 start_va = 0x80000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 570 start_va = 0x1e70000 end_va = 0x1ec9fff monitored = 1 entry_point = 0x1e853f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 571 start_va = 0x1fc0000 end_va = 0x1fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fc0000" filename = "" Region: id = 576 start_va = 0x2310000 end_va = 0x2523fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 577 start_va = 0x2530000 end_va = 0x2746fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002530000" filename = "" Region: id = 578 start_va = 0x1e70000 end_va = 0x1f84fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 579 start_va = 0x2750000 end_va = 0x2964fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 581 start_va = 0x2970000 end_va = 0x2a80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002970000" filename = "" Thread: id = 13 os_tid = 0xca0 Thread: id = 15 os_tid = 0xc68 Thread: id = 16 os_tid = 0xc60 Process: id = "6" image_name = "schtasks.exe" filename = "c:\\windows\\syswow64\\schtasks.exe" page_root = "0x58dc4000" os_pid = "0x438" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xcbc" cmd_line = "schtasks /create /f /sc onlogon /rl highest /tn \"svchost\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe\"' " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 616 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 617 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 618 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 619 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 620 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 621 start_va = 0x2f0000 end_va = 0x321fff monitored = 1 entry_point = 0x3105b0 region_type = mapped_file name = "schtasks.exe" filename = "\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe") Region: id = 622 start_va = 0x330000 end_va = 0x432ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 623 start_va = 0x4400000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 624 start_va = 0x771d0000 end_va = 0x7734afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 625 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 626 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 627 start_va = 0x7fff0000 end_va = 0x7dfa1676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 628 start_va = 0x7dfa16770000 end_va = 0x7ffa1676ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfa16770000" filename = "" Region: id = 629 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 630 start_va = 0x7ffa16931000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffa16931000" filename = "" Region: id = 631 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 632 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 633 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 642 start_va = 0x110000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 643 start_va = 0x640d0000 end_va = 0x6411ffff monitored = 0 entry_point = 0x640e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 646 start_va = 0x64050000 end_va = 0x640c9fff monitored = 0 entry_point = 0x64063290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 647 start_va = 0x76720000 end_va = 0x767fffff monitored = 0 entry_point = 0x76733980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 648 start_va = 0x64120000 end_va = 0x64127fff monitored = 0 entry_point = 0x641217c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 649 start_va = 0x4600000 end_va = 0x480ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 650 start_va = 0x76720000 end_va = 0x767fffff monitored = 0 entry_point = 0x76733980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 651 start_va = 0x76910000 end_va = 0x76a8dfff monitored = 0 entry_point = 0x769c1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 652 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 653 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 654 start_va = 0x110000 end_va = 0x1cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 655 start_va = 0x200000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 656 start_va = 0x76a90000 end_va = 0x76b4dfff monitored = 0 entry_point = 0x76ac5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 657 start_va = 0x210000 end_va = 0x24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 658 start_va = 0x250000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 659 start_va = 0x76680000 end_va = 0x76711fff monitored = 0 entry_point = 0x766b8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 660 start_va = 0x762b0000 end_va = 0x7646cfff monitored = 0 entry_point = 0x76392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 661 start_va = 0x76c00000 end_va = 0x76cacfff monitored = 0 entry_point = 0x76c14f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 662 start_va = 0x73f00000 end_va = 0x73f1dfff monitored = 0 entry_point = 0x73f0b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 663 start_va = 0x73ef0000 end_va = 0x73ef9fff monitored = 0 entry_point = 0x73ef2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 664 start_va = 0x76840000 end_va = 0x76897fff monitored = 0 entry_point = 0x768825c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 665 start_va = 0x76cb0000 end_va = 0x76cf3fff monitored = 0 entry_point = 0x76cc9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 666 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 667 start_va = 0x4600000 end_va = 0x46dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 668 start_va = 0x4710000 end_va = 0x480ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004710000" filename = "" Region: id = 669 start_va = 0x4810000 end_va = 0x48f9fff monitored = 0 entry_point = 0x484d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 670 start_va = 0x1d0000 end_va = 0x1e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "schtasks.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\schtasks.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\schtasks.exe.mui") Region: id = 671 start_va = 0x4810000 end_va = 0x4b46fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 672 start_va = 0x76d50000 end_va = 0x76d5bfff monitored = 0 entry_point = 0x76d53930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 673 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 674 start_va = 0x74340000 end_va = 0x743c3fff monitored = 0 entry_point = 0x74366220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 675 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 676 start_va = 0x71df0000 end_va = 0x71e7bfff monitored = 0 entry_point = 0x71e2a6c0 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\SysWOW64\\taskschd.dll" (normalized: "c:\\windows\\syswow64\\taskschd.dll") Region: id = 678 start_va = 0x71e80000 end_va = 0x71eacfff monitored = 0 entry_point = 0x71e92b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Thread: id = 21 os_tid = 0xc44 [0153.172] GetModuleHandleA (lpModuleName=0x0) returned 0x2f0000 [0153.172] __set_app_type (_Type=0x1) [0153.172] __p__fmode () returned 0x76b44d6c [0153.172] __p__commode () returned 0x76b45b1c [0153.173] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x310840) returned 0x0 [0153.173] __wgetmainargs (in: _Argc=0x31ade0, _Argv=0x31ade4, _Env=0x31ade8, _DoWildCard=0, _StartInfo=0x31adf4 | out: _Argc=0x31ade0, _Argv=0x31ade4, _Env=0x31ade8) returned 0 [0153.174] _onexit (_Func=0x312bc0) returned 0x312bc0 [0153.174] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0153.174] WinSqmIsOptedIn () returned 0x0 [0153.174] GetProcessHeap () returned 0x4710000 [0153.174] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x4717668 [0153.174] RtlRestoreLastWin32Error () returned 0x0 [0153.175] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0153.175] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0153.175] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0153.175] RtlVerifyVersionInfo (VersionInfo=0xdf9f8, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0 [0153.175] GetProcessHeap () returned 0x4710000 [0153.175] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x4717710 [0153.175] lstrlenW (lpString="") returned 0 [0153.175] GetProcessHeap () returned 0x4710000 [0153.175] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x2) returned 0x4713eb0 [0153.175] GetProcessHeap () returned 0x4710000 [0153.175] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4714148 [0153.175] GetProcessHeap () returned 0x4710000 [0153.175] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x4717578 [0153.176] GetProcessHeap () returned 0x4710000 [0153.176] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4713f10 [0153.176] GetProcessHeap () returned 0x4710000 [0153.176] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4713f30 [0153.176] GetProcessHeap () returned 0x4710000 [0153.176] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4713f50 [0153.176] GetProcessHeap () returned 0x4710000 [0153.176] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4713b40 [0153.176] GetProcessHeap () returned 0x4710000 [0153.176] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x4717680 [0153.176] GetProcessHeap () returned 0x4710000 [0153.176] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4713b60 [0153.176] GetProcessHeap () returned 0x4710000 [0153.176] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4713b80 [0153.176] GetProcessHeap () returned 0x4710000 [0153.176] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47138d8 [0153.176] GetProcessHeap () returned 0x4710000 [0153.176] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47138f8 [0153.176] GetProcessHeap () returned 0x4710000 [0153.176] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x47176f8 [0153.176] GetProcessHeap () returned 0x4710000 [0153.176] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4713918 [0153.176] GetProcessHeap () returned 0x4710000 [0153.176] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47128c8 [0153.177] GetProcessHeap () returned 0x4710000 [0153.177] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47128e8 [0153.177] GetProcessHeap () returned 0x4710000 [0153.177] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4712908 [0153.177] SetThreadUILanguage (LangId=0x0) returned 0x409 [0153.189] RtlRestoreLastWin32Error () returned 0x0 [0153.189] GetProcessHeap () returned 0x4710000 [0153.189] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47196d0 [0153.189] GetProcessHeap () returned 0x4710000 [0153.189] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719630 [0153.189] GetProcessHeap () returned 0x4710000 [0153.189] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47197d0 [0153.189] GetProcessHeap () returned 0x4710000 [0153.189] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47194f0 [0153.189] GetProcessHeap () returned 0x4710000 [0153.189] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719650 [0153.189] GetProcessHeap () returned 0x4710000 [0153.189] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x4717698 [0153.189] _memicmp (_Buf1=0x4717698, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.189] GetProcessHeap () returned 0x4710000 [0153.189] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x208) returned 0x4718e08 [0153.189] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4718e08, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20 [0153.190] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdfb04 | out: lpdwHandle=0xdfb04) returned 0x76c [0153.208] GetProcessHeap () returned 0x4710000 [0153.208] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x776) returned 0x4719ee0 [0153.208] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x4719ee0 | out: lpData=0x4719ee0) returned 1 [0153.208] VerQueryValueW (in: pBlock=0x4719ee0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdfb0c, puLen=0xdfb10 | out: lplpBuffer=0xdfb0c*=0x471a290, puLen=0xdfb10) returned 1 [0153.211] _memicmp (_Buf1=0x4717698, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.211] _vsnwprintf (in: _Buffer=0x4718e08, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdfaf0 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0153.212] VerQueryValueW (in: pBlock=0x4719ee0, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdfb1c, puLen=0xdfb18 | out: lplpBuffer=0xdfb1c*=0x471a0c0, puLen=0xdfb18) returned 1 [0153.212] lstrlenW (lpString="schtasks.exe") returned 12 [0153.212] lstrlenW (lpString="schtasks.exe") returned 12 [0153.212] lstrlenW (lpString=".EXE") returned 4 [0153.212] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0153.213] lstrlenW (lpString="schtasks.exe") returned 12 [0153.213] lstrlenW (lpString=".EXE") returned 4 [0153.213] _memicmp (_Buf1=0x4717698, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.213] lstrlenW (lpString="schtasks") returned 8 [0153.213] GetProcessHeap () returned 0x4710000 [0153.213] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719470 [0153.213] GetProcessHeap () returned 0x4710000 [0153.213] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47197f0 [0153.213] GetProcessHeap () returned 0x4710000 [0153.213] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719450 [0153.213] GetProcessHeap () returned 0x4710000 [0153.213] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47197b0 [0153.213] GetProcessHeap () returned 0x4710000 [0153.213] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x4717560 [0153.213] _memicmp (_Buf1=0x4717560, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.213] GetProcessHeap () returned 0x4710000 [0153.214] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0xa0) returned 0x4719018 [0153.214] GetProcessHeap () returned 0x4710000 [0153.214] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719810 [0153.214] GetProcessHeap () returned 0x4710000 [0153.214] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47195d0 [0153.214] GetProcessHeap () returned 0x4710000 [0153.214] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719610 [0153.214] GetProcessHeap () returned 0x4710000 [0153.214] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x47175c0 [0153.214] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.214] GetProcessHeap () returned 0x4710000 [0153.214] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x200) returned 0x471a8c0 [0153.214] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0153.215] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0153.215] GetProcessHeap () returned 0x4710000 [0153.215] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x30) returned 0x47126d0 [0153.215] _vsnwprintf (in: _Buffer=0x4719018, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdfaf4 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29 [0153.215] GetProcessHeap () returned 0x4710000 [0153.215] GetProcessHeap () returned 0x4710000 [0153.215] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719ee0) returned 1 [0153.215] GetProcessHeap () returned 0x4710000 [0153.215] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719ee0) returned 0x776 [0153.216] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719ee0) returned 1 [0153.216] RtlRestoreLastWin32Error () returned 0x0 [0153.216] GetThreadLocale () returned 0x409 [0153.216] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.216] lstrlenW (lpString="?") returned 1 [0153.216] GetThreadLocale () returned 0x409 [0153.216] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.216] lstrlenW (lpString="create") returned 6 [0153.216] GetThreadLocale () returned 0x409 [0153.216] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.216] lstrlenW (lpString="delete") returned 6 [0153.217] GetThreadLocale () returned 0x409 [0153.217] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.217] lstrlenW (lpString="query") returned 5 [0153.217] GetThreadLocale () returned 0x409 [0153.217] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.217] lstrlenW (lpString="change") returned 6 [0153.217] GetThreadLocale () returned 0x409 [0153.217] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.217] lstrlenW (lpString="run") returned 3 [0153.217] GetThreadLocale () returned 0x409 [0153.217] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.217] lstrlenW (lpString="end") returned 3 [0153.217] GetThreadLocale () returned 0x409 [0153.217] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.217] lstrlenW (lpString="showsid") returned 7 [0153.217] GetThreadLocale () returned 0x409 [0153.217] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.217] RtlRestoreLastWin32Error () returned 0x0 [0153.217] RtlRestoreLastWin32Error () returned 0x0 [0153.217] lstrlenW (lpString="/create") returned 7 [0153.217] lstrlenW (lpString="-/") returned 2 [0153.217] StrChrIW (lpStart="-/", wMatch=0x46d002f) returned="/" [0153.217] lstrlenW (lpString="?") returned 1 [0153.217] lstrlenW (lpString="?") returned 1 [0153.218] GetProcessHeap () returned 0x4710000 [0153.218] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x4717620 [0153.218] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.218] GetProcessHeap () returned 0x4710000 [0153.218] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0xa) returned 0x47176b0 [0153.219] lstrlenW (lpString="create") returned 6 [0153.219] GetProcessHeap () returned 0x4710000 [0153.219] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x47175f0 [0153.219] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.219] GetProcessHeap () returned 0x4710000 [0153.219] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719690 [0153.219] _vsnwprintf (in: _Buffer=0x47176b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3 [0153.219] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8 [0153.219] lstrlenW (lpString="|?|") returned 3 [0153.219] lstrlenW (lpString="|create|") returned 8 [0153.219] RtlRestoreLastWin32Error () returned 0x490 [0153.219] lstrlenW (lpString="create") returned 6 [0153.219] lstrlenW (lpString="create") returned 6 [0153.219] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.219] GetProcessHeap () returned 0x4710000 [0153.219] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47176b0) returned 1 [0153.219] GetProcessHeap () returned 0x4710000 [0153.219] RtlReAllocateHeap (Heap=0x4710000, Flags=0xc, Ptr=0x47176b0, Size=0x14) returned 0x47196f0 [0153.219] lstrlenW (lpString="create") returned 6 [0153.219] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.219] _vsnwprintf (in: _Buffer=0x47196f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8 [0153.220] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8 [0153.220] lstrlenW (lpString="|create|") returned 8 [0153.220] lstrlenW (lpString="|create|") returned 8 [0153.220] StrStrIW (lpFirst="|create|", lpSrch="|create|") returned="|create|" [0153.220] RtlRestoreLastWin32Error () returned 0x0 [0153.220] RtlRestoreLastWin32Error () returned 0x0 [0153.220] RtlRestoreLastWin32Error () returned 0x0 [0153.220] lstrlenW (lpString="/f") returned 2 [0153.220] lstrlenW (lpString="-/") returned 2 [0153.220] StrChrIW (lpStart="-/", wMatch=0x46d002f) returned="/" [0153.220] lstrlenW (lpString="?") returned 1 [0153.220] lstrlenW (lpString="?") returned 1 [0153.220] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.220] lstrlenW (lpString="f") returned 1 [0153.220] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.220] _vsnwprintf (in: _Buffer=0x47196f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3 [0153.220] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3 [0153.220] lstrlenW (lpString="|?|") returned 3 [0153.220] lstrlenW (lpString="|f|") returned 3 [0153.220] StrStrIW (lpFirst="|?|", lpSrch="|f|") returned 0x0 [0153.220] RtlRestoreLastWin32Error () returned 0x490 [0153.220] lstrlenW (lpString="create") returned 6 [0153.220] lstrlenW (lpString="create") returned 6 [0153.220] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.221] lstrlenW (lpString="f") returned 1 [0153.221] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.221] _vsnwprintf (in: _Buffer=0x47196f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8 [0153.221] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3 [0153.221] lstrlenW (lpString="|create|") returned 8 [0153.221] lstrlenW (lpString="|f|") returned 3 [0153.221] StrStrIW (lpFirst="|create|", lpSrch="|f|") returned 0x0 [0153.221] RtlRestoreLastWin32Error () returned 0x490 [0153.221] lstrlenW (lpString="delete") returned 6 [0153.221] lstrlenW (lpString="delete") returned 6 [0153.221] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.221] lstrlenW (lpString="f") returned 1 [0153.221] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.221] _vsnwprintf (in: _Buffer=0x47196f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8 [0153.221] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3 [0153.221] lstrlenW (lpString="|delete|") returned 8 [0153.221] lstrlenW (lpString="|f|") returned 3 [0153.221] StrStrIW (lpFirst="|delete|", lpSrch="|f|") returned 0x0 [0153.221] RtlRestoreLastWin32Error () returned 0x490 [0153.221] lstrlenW (lpString="query") returned 5 [0153.221] lstrlenW (lpString="query") returned 5 [0153.221] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.222] lstrlenW (lpString="f") returned 1 [0153.222] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.222] _vsnwprintf (in: _Buffer=0x47196f0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7 [0153.222] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3 [0153.222] lstrlenW (lpString="|query|") returned 7 [0153.222] lstrlenW (lpString="|f|") returned 3 [0153.222] StrStrIW (lpFirst="|query|", lpSrch="|f|") returned 0x0 [0153.222] RtlRestoreLastWin32Error () returned 0x490 [0153.222] lstrlenW (lpString="change") returned 6 [0153.222] lstrlenW (lpString="change") returned 6 [0153.222] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.222] lstrlenW (lpString="f") returned 1 [0153.222] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.222] _vsnwprintf (in: _Buffer=0x47196f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8 [0153.222] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3 [0153.222] lstrlenW (lpString="|change|") returned 8 [0153.222] lstrlenW (lpString="|f|") returned 3 [0153.222] StrStrIW (lpFirst="|change|", lpSrch="|f|") returned 0x0 [0153.222] RtlRestoreLastWin32Error () returned 0x490 [0153.222] lstrlenW (lpString="run") returned 3 [0153.222] lstrlenW (lpString="run") returned 3 [0153.222] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.222] lstrlenW (lpString="f") returned 1 [0153.222] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.223] _vsnwprintf (in: _Buffer=0x47196f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5 [0153.223] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3 [0153.223] lstrlenW (lpString="|run|") returned 5 [0153.223] lstrlenW (lpString="|f|") returned 3 [0153.223] StrStrIW (lpFirst="|run|", lpSrch="|f|") returned 0x0 [0153.223] RtlRestoreLastWin32Error () returned 0x490 [0153.223] lstrlenW (lpString="end") returned 3 [0153.223] lstrlenW (lpString="end") returned 3 [0153.223] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.223] lstrlenW (lpString="f") returned 1 [0153.223] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.223] _vsnwprintf (in: _Buffer=0x47196f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5 [0153.223] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3 [0153.223] lstrlenW (lpString="|end|") returned 5 [0153.223] lstrlenW (lpString="|f|") returned 3 [0153.223] StrStrIW (lpFirst="|end|", lpSrch="|f|") returned 0x0 [0153.223] RtlRestoreLastWin32Error () returned 0x490 [0153.223] lstrlenW (lpString="showsid") returned 7 [0153.223] lstrlenW (lpString="showsid") returned 7 [0153.223] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.223] GetProcessHeap () returned 0x4710000 [0153.223] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47196f0) returned 1 [0153.223] GetProcessHeap () returned 0x4710000 [0153.223] RtlReAllocateHeap (Heap=0x4710000, Flags=0xc, Ptr=0x47196f0, Size=0x16) returned 0x4719550 [0153.223] lstrlenW (lpString="f") returned 1 [0153.223] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.224] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9 [0153.224] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3 [0153.224] lstrlenW (lpString="|showsid|") returned 9 [0153.224] lstrlenW (lpString="|f|") returned 3 [0153.224] StrStrIW (lpFirst="|showsid|", lpSrch="|f|") returned 0x0 [0153.224] RtlRestoreLastWin32Error () returned 0x490 [0153.224] RtlRestoreLastWin32Error () returned 0x490 [0153.224] RtlRestoreLastWin32Error () returned 0x0 [0153.224] lstrlenW (lpString="/f") returned 2 [0153.224] StrChrIW (lpStart="/f", wMatch=0x3a) returned 0x0 [0153.224] RtlRestoreLastWin32Error () returned 0x490 [0153.224] RtlRestoreLastWin32Error () returned 0x0 [0153.224] lstrlenW (lpString="/f") returned 2 [0153.224] GetProcessHeap () returned 0x4710000 [0153.224] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x6) returned 0x4713f70 [0153.224] GetProcessHeap () returned 0x4710000 [0153.224] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47196f0 [0153.224] RtlRestoreLastWin32Error () returned 0x0 [0153.224] RtlRestoreLastWin32Error () returned 0x0 [0153.224] lstrlenW (lpString="/sc") returned 3 [0153.224] lstrlenW (lpString="-/") returned 2 [0153.224] StrChrIW (lpStart="-/", wMatch=0x46d002f) returned="/" [0153.224] lstrlenW (lpString="?") returned 1 [0153.224] lstrlenW (lpString="?") returned 1 [0153.224] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.224] lstrlenW (lpString="sc") returned 2 [0153.225] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.225] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3 [0153.225] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4 [0153.225] lstrlenW (lpString="|?|") returned 3 [0153.225] lstrlenW (lpString="|sc|") returned 4 [0153.225] RtlRestoreLastWin32Error () returned 0x490 [0153.225] lstrlenW (lpString="create") returned 6 [0153.225] lstrlenW (lpString="create") returned 6 [0153.225] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.225] lstrlenW (lpString="sc") returned 2 [0153.225] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.225] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8 [0153.225] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4 [0153.225] lstrlenW (lpString="|create|") returned 8 [0153.225] lstrlenW (lpString="|sc|") returned 4 [0153.225] StrStrIW (lpFirst="|create|", lpSrch="|sc|") returned 0x0 [0153.225] RtlRestoreLastWin32Error () returned 0x490 [0153.225] lstrlenW (lpString="delete") returned 6 [0153.225] lstrlenW (lpString="delete") returned 6 [0153.225] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.225] lstrlenW (lpString="sc") returned 2 [0153.225] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.225] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8 [0153.226] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4 [0153.226] lstrlenW (lpString="|delete|") returned 8 [0153.226] lstrlenW (lpString="|sc|") returned 4 [0153.226] StrStrIW (lpFirst="|delete|", lpSrch="|sc|") returned 0x0 [0153.226] RtlRestoreLastWin32Error () returned 0x490 [0153.226] lstrlenW (lpString="query") returned 5 [0153.226] lstrlenW (lpString="query") returned 5 [0153.226] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.226] lstrlenW (lpString="sc") returned 2 [0153.226] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.226] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7 [0153.226] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4 [0153.226] lstrlenW (lpString="|query|") returned 7 [0153.226] lstrlenW (lpString="|sc|") returned 4 [0153.226] StrStrIW (lpFirst="|query|", lpSrch="|sc|") returned 0x0 [0153.226] RtlRestoreLastWin32Error () returned 0x490 [0153.226] lstrlenW (lpString="change") returned 6 [0153.226] lstrlenW (lpString="change") returned 6 [0153.226] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.226] lstrlenW (lpString="sc") returned 2 [0153.226] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.226] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8 [0153.227] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4 [0153.227] lstrlenW (lpString="|change|") returned 8 [0153.227] lstrlenW (lpString="|sc|") returned 4 [0153.227] StrStrIW (lpFirst="|change|", lpSrch="|sc|") returned 0x0 [0153.227] RtlRestoreLastWin32Error () returned 0x490 [0153.227] lstrlenW (lpString="run") returned 3 [0153.227] lstrlenW (lpString="run") returned 3 [0153.227] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.227] lstrlenW (lpString="sc") returned 2 [0153.227] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.227] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5 [0153.227] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4 [0153.227] lstrlenW (lpString="|run|") returned 5 [0153.227] lstrlenW (lpString="|sc|") returned 4 [0153.227] StrStrIW (lpFirst="|run|", lpSrch="|sc|") returned 0x0 [0153.227] RtlRestoreLastWin32Error () returned 0x490 [0153.227] lstrlenW (lpString="end") returned 3 [0153.227] lstrlenW (lpString="end") returned 3 [0153.227] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.227] lstrlenW (lpString="sc") returned 2 [0153.227] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.227] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5 [0153.227] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4 [0153.227] lstrlenW (lpString="|end|") returned 5 [0153.228] lstrlenW (lpString="|sc|") returned 4 [0153.228] StrStrIW (lpFirst="|end|", lpSrch="|sc|") returned 0x0 [0153.228] RtlRestoreLastWin32Error () returned 0x490 [0153.228] lstrlenW (lpString="showsid") returned 7 [0153.228] lstrlenW (lpString="showsid") returned 7 [0153.228] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.228] lstrlenW (lpString="sc") returned 2 [0153.228] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.228] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9 [0153.228] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4 [0153.228] lstrlenW (lpString="|showsid|") returned 9 [0153.228] lstrlenW (lpString="|sc|") returned 4 [0153.228] StrStrIW (lpFirst="|showsid|", lpSrch="|sc|") returned 0x0 [0153.228] RtlRestoreLastWin32Error () returned 0x490 [0153.228] RtlRestoreLastWin32Error () returned 0x490 [0153.228] RtlRestoreLastWin32Error () returned 0x0 [0153.228] lstrlenW (lpString="/sc") returned 3 [0153.228] StrChrIW (lpStart="/sc", wMatch=0x3a) returned 0x0 [0153.228] RtlRestoreLastWin32Error () returned 0x490 [0153.228] RtlRestoreLastWin32Error () returned 0x0 [0153.228] lstrlenW (lpString="/sc") returned 3 [0153.228] GetProcessHeap () returned 0x4710000 [0153.228] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x8) returned 0x4712928 [0153.228] GetProcessHeap () returned 0x4710000 [0153.228] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719710 [0153.228] RtlRestoreLastWin32Error () returned 0x0 [0153.229] RtlRestoreLastWin32Error () returned 0x0 [0153.229] lstrlenW (lpString="onlogon") returned 7 [0153.229] lstrlenW (lpString="-/") returned 2 [0153.229] StrChrIW (lpStart="-/", wMatch=0x46d006f) returned 0x0 [0153.229] RtlRestoreLastWin32Error () returned 0x490 [0153.229] RtlRestoreLastWin32Error () returned 0x490 [0153.229] RtlRestoreLastWin32Error () returned 0x0 [0153.229] lstrlenW (lpString="onlogon") returned 7 [0153.229] StrChrIW (lpStart="onlogon", wMatch=0x3a) returned 0x0 [0153.229] RtlRestoreLastWin32Error () returned 0x490 [0153.229] RtlRestoreLastWin32Error () returned 0x0 [0153.229] lstrlenW (lpString="onlogon") returned 7 [0153.229] GetProcessHeap () returned 0x4710000 [0153.229] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x4717650 [0153.229] GetProcessHeap () returned 0x4710000 [0153.229] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47194d0 [0153.229] RtlRestoreLastWin32Error () returned 0x0 [0153.229] RtlRestoreLastWin32Error () returned 0x0 [0153.229] lstrlenW (lpString="/rl") returned 3 [0153.229] lstrlenW (lpString="-/") returned 2 [0153.229] StrChrIW (lpStart="-/", wMatch=0x46d002f) returned="/" [0153.229] lstrlenW (lpString="?") returned 1 [0153.229] lstrlenW (lpString="?") returned 1 [0153.229] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.229] lstrlenW (lpString="rl") returned 2 [0153.229] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.230] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3 [0153.230] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4 [0153.230] lstrlenW (lpString="|?|") returned 3 [0153.230] lstrlenW (lpString="|rl|") returned 4 [0153.230] RtlRestoreLastWin32Error () returned 0x490 [0153.230] lstrlenW (lpString="create") returned 6 [0153.230] lstrlenW (lpString="create") returned 6 [0153.230] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.230] lstrlenW (lpString="rl") returned 2 [0153.230] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.230] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8 [0153.230] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4 [0153.230] lstrlenW (lpString="|create|") returned 8 [0153.230] lstrlenW (lpString="|rl|") returned 4 [0153.230] StrStrIW (lpFirst="|create|", lpSrch="|rl|") returned 0x0 [0153.230] RtlRestoreLastWin32Error () returned 0x490 [0153.230] lstrlenW (lpString="delete") returned 6 [0153.230] lstrlenW (lpString="delete") returned 6 [0153.230] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.230] lstrlenW (lpString="rl") returned 2 [0153.231] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.231] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8 [0153.231] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4 [0153.231] lstrlenW (lpString="|delete|") returned 8 [0153.231] lstrlenW (lpString="|rl|") returned 4 [0153.231] StrStrIW (lpFirst="|delete|", lpSrch="|rl|") returned 0x0 [0153.231] RtlRestoreLastWin32Error () returned 0x490 [0153.231] lstrlenW (lpString="query") returned 5 [0153.231] lstrlenW (lpString="query") returned 5 [0153.231] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.231] lstrlenW (lpString="rl") returned 2 [0153.231] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.231] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7 [0153.231] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4 [0153.231] lstrlenW (lpString="|query|") returned 7 [0153.231] lstrlenW (lpString="|rl|") returned 4 [0153.231] StrStrIW (lpFirst="|query|", lpSrch="|rl|") returned 0x0 [0153.231] RtlRestoreLastWin32Error () returned 0x490 [0153.231] lstrlenW (lpString="change") returned 6 [0153.231] lstrlenW (lpString="change") returned 6 [0153.231] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.231] lstrlenW (lpString="rl") returned 2 [0153.232] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.232] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8 [0153.232] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4 [0153.232] lstrlenW (lpString="|change|") returned 8 [0153.232] lstrlenW (lpString="|rl|") returned 4 [0153.232] StrStrIW (lpFirst="|change|", lpSrch="|rl|") returned 0x0 [0153.232] RtlRestoreLastWin32Error () returned 0x490 [0153.232] lstrlenW (lpString="run") returned 3 [0153.232] lstrlenW (lpString="run") returned 3 [0153.232] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.232] lstrlenW (lpString="rl") returned 2 [0153.232] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.232] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5 [0153.232] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4 [0153.232] lstrlenW (lpString="|run|") returned 5 [0153.232] lstrlenW (lpString="|rl|") returned 4 [0153.232] StrStrIW (lpFirst="|run|", lpSrch="|rl|") returned 0x0 [0153.232] RtlRestoreLastWin32Error () returned 0x490 [0153.232] lstrlenW (lpString="end") returned 3 [0153.232] lstrlenW (lpString="end") returned 3 [0153.232] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.232] lstrlenW (lpString="rl") returned 2 [0153.232] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.232] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5 [0153.233] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4 [0153.233] lstrlenW (lpString="|end|") returned 5 [0153.233] lstrlenW (lpString="|rl|") returned 4 [0153.233] StrStrIW (lpFirst="|end|", lpSrch="|rl|") returned 0x0 [0153.233] RtlRestoreLastWin32Error () returned 0x490 [0153.233] lstrlenW (lpString="showsid") returned 7 [0153.233] lstrlenW (lpString="showsid") returned 7 [0153.233] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.233] lstrlenW (lpString="rl") returned 2 [0153.233] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.233] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9 [0153.233] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4 [0153.233] lstrlenW (lpString="|showsid|") returned 9 [0153.233] lstrlenW (lpString="|rl|") returned 4 [0153.234] StrStrIW (lpFirst="|showsid|", lpSrch="|rl|") returned 0x0 [0153.234] RtlRestoreLastWin32Error () returned 0x490 [0153.234] RtlRestoreLastWin32Error () returned 0x490 [0153.234] RtlRestoreLastWin32Error () returned 0x0 [0153.234] lstrlenW (lpString="/rl") returned 3 [0153.234] StrChrIW (lpStart="/rl", wMatch=0x3a) returned 0x0 [0153.234] RtlRestoreLastWin32Error () returned 0x490 [0153.234] RtlRestoreLastWin32Error () returned 0x0 [0153.234] lstrlenW (lpString="/rl") returned 3 [0153.234] GetProcessHeap () returned 0x4710000 [0153.234] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x8) returned 0x4713938 [0153.234] GetProcessHeap () returned 0x4710000 [0153.234] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719510 [0153.234] RtlRestoreLastWin32Error () returned 0x0 [0153.234] RtlRestoreLastWin32Error () returned 0x0 [0153.234] lstrlenW (lpString="highest") returned 7 [0153.234] lstrlenW (lpString="-/") returned 2 [0153.234] StrChrIW (lpStart="-/", wMatch=0x46d0068) returned 0x0 [0153.234] RtlRestoreLastWin32Error () returned 0x490 [0153.234] RtlRestoreLastWin32Error () returned 0x490 [0153.234] RtlRestoreLastWin32Error () returned 0x0 [0153.234] lstrlenW (lpString="highest") returned 7 [0153.234] StrChrIW (lpStart="highest", wMatch=0x3a) returned 0x0 [0153.234] RtlRestoreLastWin32Error () returned 0x490 [0153.234] RtlRestoreLastWin32Error () returned 0x0 [0153.234] lstrlenW (lpString="highest") returned 7 [0153.234] GetProcessHeap () returned 0x4710000 [0153.234] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x4717638 [0153.234] GetProcessHeap () returned 0x4710000 [0153.234] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719670 [0153.235] RtlRestoreLastWin32Error () returned 0x0 [0153.235] RtlRestoreLastWin32Error () returned 0x0 [0153.235] lstrlenW (lpString="/tn") returned 3 [0153.235] lstrlenW (lpString="-/") returned 2 [0153.235] StrChrIW (lpStart="-/", wMatch=0x46d002f) returned="/" [0153.235] lstrlenW (lpString="?") returned 1 [0153.235] lstrlenW (lpString="?") returned 1 [0153.235] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.235] lstrlenW (lpString="tn") returned 2 [0153.235] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.235] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3 [0153.235] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0153.235] lstrlenW (lpString="|?|") returned 3 [0153.235] lstrlenW (lpString="|tn|") returned 4 [0153.235] RtlRestoreLastWin32Error () returned 0x490 [0153.235] lstrlenW (lpString="create") returned 6 [0153.235] lstrlenW (lpString="create") returned 6 [0153.235] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.235] lstrlenW (lpString="tn") returned 2 [0153.235] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.235] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8 [0153.235] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0153.235] lstrlenW (lpString="|create|") returned 8 [0153.236] lstrlenW (lpString="|tn|") returned 4 [0153.236] StrStrIW (lpFirst="|create|", lpSrch="|tn|") returned 0x0 [0153.236] RtlRestoreLastWin32Error () returned 0x490 [0153.236] lstrlenW (lpString="delete") returned 6 [0153.236] lstrlenW (lpString="delete") returned 6 [0153.236] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.236] lstrlenW (lpString="tn") returned 2 [0153.236] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.236] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8 [0153.236] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0153.236] lstrlenW (lpString="|delete|") returned 8 [0153.236] lstrlenW (lpString="|tn|") returned 4 [0153.236] StrStrIW (lpFirst="|delete|", lpSrch="|tn|") returned 0x0 [0153.236] RtlRestoreLastWin32Error () returned 0x490 [0153.236] lstrlenW (lpString="query") returned 5 [0153.236] lstrlenW (lpString="query") returned 5 [0153.236] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.236] lstrlenW (lpString="tn") returned 2 [0153.236] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.236] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7 [0153.236] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0153.236] lstrlenW (lpString="|query|") returned 7 [0153.236] lstrlenW (lpString="|tn|") returned 4 [0153.236] StrStrIW (lpFirst="|query|", lpSrch="|tn|") returned 0x0 [0153.236] RtlRestoreLastWin32Error () returned 0x490 [0153.237] lstrlenW (lpString="change") returned 6 [0153.237] lstrlenW (lpString="change") returned 6 [0153.237] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.237] lstrlenW (lpString="tn") returned 2 [0153.237] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.237] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8 [0153.237] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0153.237] lstrlenW (lpString="|change|") returned 8 [0153.237] lstrlenW (lpString="|tn|") returned 4 [0153.237] StrStrIW (lpFirst="|change|", lpSrch="|tn|") returned 0x0 [0153.237] RtlRestoreLastWin32Error () returned 0x490 [0153.237] lstrlenW (lpString="run") returned 3 [0153.237] lstrlenW (lpString="run") returned 3 [0153.237] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.237] lstrlenW (lpString="tn") returned 2 [0153.237] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.237] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5 [0153.237] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0153.237] lstrlenW (lpString="|run|") returned 5 [0153.237] lstrlenW (lpString="|tn|") returned 4 [0153.237] StrStrIW (lpFirst="|run|", lpSrch="|tn|") returned 0x0 [0153.237] RtlRestoreLastWin32Error () returned 0x490 [0153.237] lstrlenW (lpString="end") returned 3 [0153.237] lstrlenW (lpString="end") returned 3 [0153.238] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.238] lstrlenW (lpString="tn") returned 2 [0153.238] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.238] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5 [0153.238] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0153.238] lstrlenW (lpString="|end|") returned 5 [0153.238] lstrlenW (lpString="|tn|") returned 4 [0153.238] StrStrIW (lpFirst="|end|", lpSrch="|tn|") returned 0x0 [0153.238] RtlRestoreLastWin32Error () returned 0x490 [0153.238] lstrlenW (lpString="showsid") returned 7 [0153.238] lstrlenW (lpString="showsid") returned 7 [0153.238] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.238] lstrlenW (lpString="tn") returned 2 [0153.238] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.238] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9 [0153.238] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4 [0153.238] lstrlenW (lpString="|showsid|") returned 9 [0153.238] lstrlenW (lpString="|tn|") returned 4 [0153.238] StrStrIW (lpFirst="|showsid|", lpSrch="|tn|") returned 0x0 [0153.238] RtlRestoreLastWin32Error () returned 0x490 [0153.238] RtlRestoreLastWin32Error () returned 0x490 [0153.238] RtlRestoreLastWin32Error () returned 0x0 [0153.238] lstrlenW (lpString="/tn") returned 3 [0153.238] StrChrIW (lpStart="/tn", wMatch=0x3a) returned 0x0 [0153.239] RtlRestoreLastWin32Error () returned 0x490 [0153.239] RtlRestoreLastWin32Error () returned 0x0 [0153.239] lstrlenW (lpString="/tn") returned 3 [0153.239] GetProcessHeap () returned 0x4710000 [0153.239] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x8) returned 0x4713ba0 [0153.239] GetProcessHeap () returned 0x4710000 [0153.239] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719530 [0153.239] RtlRestoreLastWin32Error () returned 0x0 [0153.239] RtlRestoreLastWin32Error () returned 0x0 [0153.239] lstrlenW (lpString="svchost") returned 7 [0153.239] lstrlenW (lpString="-/") returned 2 [0153.239] StrChrIW (lpStart="-/", wMatch=0x46d0073) returned 0x0 [0153.239] RtlRestoreLastWin32Error () returned 0x490 [0153.239] RtlRestoreLastWin32Error () returned 0x490 [0153.239] RtlRestoreLastWin32Error () returned 0x0 [0153.239] lstrlenW (lpString="svchost") returned 7 [0153.239] StrChrIW (lpStart="svchost", wMatch=0x3a) returned 0x0 [0153.239] RtlRestoreLastWin32Error () returned 0x490 [0153.239] RtlRestoreLastWin32Error () returned 0x0 [0153.239] lstrlenW (lpString="svchost") returned 7 [0153.239] GetProcessHeap () returned 0x4710000 [0153.239] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x47176b0 [0153.239] GetProcessHeap () returned 0x4710000 [0153.239] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719570 [0153.239] RtlRestoreLastWin32Error () returned 0x0 [0153.239] RtlRestoreLastWin32Error () returned 0x0 [0153.239] lstrlenW (lpString="/tr") returned 3 [0153.239] lstrlenW (lpString="-/") returned 2 [0153.239] StrChrIW (lpStart="-/", wMatch=0x46d002f) returned="/" [0153.240] lstrlenW (lpString="?") returned 1 [0153.240] lstrlenW (lpString="?") returned 1 [0153.240] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.240] lstrlenW (lpString="tr") returned 2 [0153.240] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.240] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3 [0153.240] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4 [0153.240] lstrlenW (lpString="|?|") returned 3 [0153.240] lstrlenW (lpString="|tr|") returned 4 [0153.240] RtlRestoreLastWin32Error () returned 0x490 [0153.240] lstrlenW (lpString="create") returned 6 [0153.240] lstrlenW (lpString="create") returned 6 [0153.240] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.240] lstrlenW (lpString="tr") returned 2 [0153.240] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.240] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8 [0153.240] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4 [0153.240] lstrlenW (lpString="|create|") returned 8 [0153.240] lstrlenW (lpString="|tr|") returned 4 [0153.240] StrStrIW (lpFirst="|create|", lpSrch="|tr|") returned 0x0 [0153.240] RtlRestoreLastWin32Error () returned 0x490 [0153.240] lstrlenW (lpString="delete") returned 6 [0153.240] lstrlenW (lpString="delete") returned 6 [0153.240] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.241] lstrlenW (lpString="tr") returned 2 [0153.241] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.241] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8 [0153.241] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4 [0153.241] lstrlenW (lpString="|delete|") returned 8 [0153.241] lstrlenW (lpString="|tr|") returned 4 [0153.241] StrStrIW (lpFirst="|delete|", lpSrch="|tr|") returned 0x0 [0153.241] RtlRestoreLastWin32Error () returned 0x490 [0153.241] lstrlenW (lpString="query") returned 5 [0153.241] lstrlenW (lpString="query") returned 5 [0153.241] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.241] lstrlenW (lpString="tr") returned 2 [0153.241] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.241] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7 [0153.241] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4 [0153.241] lstrlenW (lpString="|query|") returned 7 [0153.241] lstrlenW (lpString="|tr|") returned 4 [0153.241] StrStrIW (lpFirst="|query|", lpSrch="|tr|") returned 0x0 [0153.241] RtlRestoreLastWin32Error () returned 0x490 [0153.241] lstrlenW (lpString="change") returned 6 [0153.241] lstrlenW (lpString="change") returned 6 [0153.241] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.241] lstrlenW (lpString="tr") returned 2 [0153.242] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.242] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8 [0153.242] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4 [0153.242] lstrlenW (lpString="|change|") returned 8 [0153.242] lstrlenW (lpString="|tr|") returned 4 [0153.242] StrStrIW (lpFirst="|change|", lpSrch="|tr|") returned 0x0 [0153.242] RtlRestoreLastWin32Error () returned 0x490 [0153.242] lstrlenW (lpString="run") returned 3 [0153.242] lstrlenW (lpString="run") returned 3 [0153.242] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.242] lstrlenW (lpString="tr") returned 2 [0153.242] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.242] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5 [0153.242] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4 [0153.242] lstrlenW (lpString="|run|") returned 5 [0153.242] lstrlenW (lpString="|tr|") returned 4 [0153.242] StrStrIW (lpFirst="|run|", lpSrch="|tr|") returned 0x0 [0153.242] RtlRestoreLastWin32Error () returned 0x490 [0153.242] lstrlenW (lpString="end") returned 3 [0153.242] lstrlenW (lpString="end") returned 3 [0153.242] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.242] lstrlenW (lpString="tr") returned 2 [0153.242] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.242] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5 [0153.242] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4 [0153.243] lstrlenW (lpString="|end|") returned 5 [0153.243] lstrlenW (lpString="|tr|") returned 4 [0153.243] StrStrIW (lpFirst="|end|", lpSrch="|tr|") returned 0x0 [0153.243] RtlRestoreLastWin32Error () returned 0x490 [0153.243] lstrlenW (lpString="showsid") returned 7 [0153.243] lstrlenW (lpString="showsid") returned 7 [0153.243] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.243] lstrlenW (lpString="tr") returned 2 [0153.243] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.243] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9 [0153.243] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4 [0153.243] lstrlenW (lpString="|showsid|") returned 9 [0153.243] lstrlenW (lpString="|tr|") returned 4 [0153.243] StrStrIW (lpFirst="|showsid|", lpSrch="|tr|") returned 0x0 [0153.243] RtlRestoreLastWin32Error () returned 0x490 [0153.243] RtlRestoreLastWin32Error () returned 0x490 [0153.243] RtlRestoreLastWin32Error () returned 0x0 [0153.243] lstrlenW (lpString="/tr") returned 3 [0153.243] StrChrIW (lpStart="/tr", wMatch=0x3a) returned 0x0 [0153.243] RtlRestoreLastWin32Error () returned 0x490 [0153.243] RtlRestoreLastWin32Error () returned 0x0 [0153.243] lstrlenW (lpString="/tr") returned 3 [0153.243] GetProcessHeap () returned 0x4710000 [0153.243] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x8) returned 0x4714510 [0153.243] GetProcessHeap () returned 0x4710000 [0153.243] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719590 [0153.243] RtlRestoreLastWin32Error () returned 0x0 [0153.244] RtlRestoreLastWin32Error () returned 0x0 [0153.244] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.244] lstrlenW (lpString="-/") returned 2 [0153.244] StrChrIW (lpStart="-/", wMatch=0x46d0027) returned 0x0 [0153.244] RtlRestoreLastWin32Error () returned 0x490 [0153.244] RtlRestoreLastWin32Error () returned 0x490 [0153.244] RtlRestoreLastWin32Error () returned 0x0 [0153.244] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.244] StrChrIW (lpStart="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'" [0153.244] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.244] GetProcessHeap () returned 0x4710000 [0153.244] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x471ac48 [0153.244] _memicmp (_Buf1=0x471ac48, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.244] GetProcessHeap () returned 0x4710000 [0153.244] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0xe) returned 0x471ac18 [0153.245] GetProcessHeap () returned 0x4710000 [0153.245] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x471aba0 [0153.245] _memicmp (_Buf1=0x471aba0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.245] GetProcessHeap () returned 0x4710000 [0153.245] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x6a) returned 0x4713ce0 [0153.245] RtlRestoreLastWin32Error () returned 0x7a [0153.245] RtlRestoreLastWin32Error () returned 0x0 [0153.245] RtlRestoreLastWin32Error () returned 0x0 [0153.245] lstrlenW (lpString="'C") returned 2 [0153.245] lstrlenW (lpString="-/") returned 2 [0153.245] StrChrIW (lpStart="-/", wMatch=0x4710027) returned 0x0 [0153.245] RtlRestoreLastWin32Error () returned 0x490 [0153.245] RtlRestoreLastWin32Error () returned 0x490 [0153.245] RtlRestoreLastWin32Error () returned 0x0 [0153.245] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.245] GetProcessHeap () returned 0x4710000 [0153.245] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x68) returned 0x4713d58 [0153.245] GetProcessHeap () returned 0x4710000 [0153.245] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47195b0 [0153.245] RtlRestoreLastWin32Error () returned 0x0 [0153.245] GetProcessHeap () returned 0x4710000 [0153.245] GetProcessHeap () returned 0x4710000 [0153.245] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713f70) returned 1 [0153.245] GetProcessHeap () returned 0x4710000 [0153.245] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713f70) returned 0x6 [0153.246] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713f70) returned 1 [0153.246] GetProcessHeap () returned 0x4710000 [0153.246] GetProcessHeap () returned 0x4710000 [0153.246] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47196f0) returned 1 [0153.246] GetProcessHeap () returned 0x4710000 [0153.246] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47196f0) returned 0x14 [0153.246] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47196f0) returned 1 [0153.246] GetProcessHeap () returned 0x4710000 [0153.246] GetProcessHeap () returned 0x4710000 [0153.246] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4712928) returned 1 [0153.246] GetProcessHeap () returned 0x4710000 [0153.246] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4712928) returned 0x8 [0153.246] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4712928) returned 1 [0153.246] GetProcessHeap () returned 0x4710000 [0153.246] GetProcessHeap () returned 0x4710000 [0153.246] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719710) returned 1 [0153.246] GetProcessHeap () returned 0x4710000 [0153.246] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719710) returned 0x14 [0153.246] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719710) returned 1 [0153.246] GetProcessHeap () returned 0x4710000 [0153.246] GetProcessHeap () returned 0x4710000 [0153.246] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4717650) returned 1 [0153.246] GetProcessHeap () returned 0x4710000 [0153.246] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4717650) returned 0x10 [0153.246] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4717650) returned 1 [0153.246] GetProcessHeap () returned 0x4710000 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47194d0) returned 1 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47194d0) returned 0x14 [0153.247] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47194d0) returned 1 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713938) returned 1 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713938) returned 0x8 [0153.247] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713938) returned 1 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719510) returned 1 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719510) returned 0x14 [0153.247] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719510) returned 1 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4717638) returned 1 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4717638) returned 0x10 [0153.247] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4717638) returned 1 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719670) returned 1 [0153.247] GetProcessHeap () returned 0x4710000 [0153.247] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719670) returned 0x14 [0153.248] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719670) returned 1 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713ba0) returned 1 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713ba0) returned 0x8 [0153.248] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713ba0) returned 1 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719530) returned 1 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719530) returned 0x14 [0153.248] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719530) returned 1 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47176b0) returned 1 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47176b0) returned 0x10 [0153.248] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47176b0) returned 1 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719570) returned 1 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719570) returned 0x14 [0153.248] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719570) returned 1 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] GetProcessHeap () returned 0x4710000 [0153.248] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4714510) returned 1 [0153.249] GetProcessHeap () returned 0x4710000 [0153.249] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4714510) returned 0x8 [0153.249] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4714510) returned 1 [0153.252] GetProcessHeap () returned 0x4710000 [0153.253] GetProcessHeap () returned 0x4710000 [0153.253] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719590) returned 1 [0153.253] GetProcessHeap () returned 0x4710000 [0153.253] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719590) returned 0x14 [0153.253] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719590) returned 1 [0153.253] GetProcessHeap () returned 0x4710000 [0153.253] GetProcessHeap () returned 0x4710000 [0153.253] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713d58) returned 1 [0153.253] GetProcessHeap () returned 0x4710000 [0153.253] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713d58) returned 0x68 [0153.253] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713d58) returned 1 [0153.253] GetProcessHeap () returned 0x4710000 [0153.253] GetProcessHeap () returned 0x4710000 [0153.253] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47195b0) returned 1 [0153.253] GetProcessHeap () returned 0x4710000 [0153.253] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47195b0) returned 0x14 [0153.253] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47195b0) returned 1 [0153.254] GetProcessHeap () returned 0x4710000 [0153.254] GetProcessHeap () returned 0x4710000 [0153.254] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4717668) returned 1 [0153.254] GetProcessHeap () returned 0x4710000 [0153.254] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4717668) returned 0x10 [0153.254] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4717668) returned 1 [0153.254] RtlRestoreLastWin32Error () returned 0x0 [0153.254] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0153.254] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0153.254] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0153.254] RtlVerifyVersionInfo (VersionInfo=0xdce60, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0 [0153.254] RtlRestoreLastWin32Error () returned 0x0 [0153.254] lstrlenW (lpString="create") returned 6 [0153.254] StrChrIW (lpStart="create", wMatch=0x7c) returned 0x0 [0153.254] RtlRestoreLastWin32Error () returned 0x490 [0153.254] RtlRestoreLastWin32Error () returned 0x0 [0153.254] lstrlenW (lpString="create") returned 6 [0153.254] GetProcessHeap () returned 0x4710000 [0153.254] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47194d0 [0153.255] GetProcessHeap () returned 0x4710000 [0153.255] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x471ade0 [0153.255] _memicmp (_Buf1=0x471ade0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.255] GetProcessHeap () returned 0x4710000 [0153.255] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x16) returned 0x47195f0 [0153.255] RtlRestoreLastWin32Error () returned 0x0 [0153.255] _memicmp (_Buf1=0x4717698, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.255] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4718e08, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20 [0153.255] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdcf6c | out: lpdwHandle=0xdcf6c) returned 0x76c [0153.255] GetProcessHeap () returned 0x4710000 [0153.255] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x776) returned 0x4719ee0 [0153.255] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x4719ee0 | out: lpData=0x4719ee0) returned 1 [0153.255] VerQueryValueW (in: pBlock=0x4719ee0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdcf74, puLen=0xdcf78 | out: lplpBuffer=0xdcf74*=0x471a290, puLen=0xdcf78) returned 1 [0153.255] _memicmp (_Buf1=0x4717698, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.255] _vsnwprintf (in: _Buffer=0x4718e08, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdcf58 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0153.255] VerQueryValueW (in: pBlock=0x4719ee0, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdcf84, puLen=0xdcf80 | out: lplpBuffer=0xdcf84*=0x471a0c0, puLen=0xdcf80) returned 1 [0153.255] lstrlenW (lpString="schtasks.exe") returned 12 [0153.255] lstrlenW (lpString="schtasks.exe") returned 12 [0153.255] lstrlenW (lpString=".EXE") returned 4 [0153.255] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0153.256] lstrlenW (lpString="schtasks.exe") returned 12 [0153.256] lstrlenW (lpString=".EXE") returned 4 [0153.256] lstrlenW (lpString="schtasks") returned 8 [0153.256] lstrlenW (lpString="/create") returned 7 [0153.256] _memicmp (_Buf1=0x4717698, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.256] _vsnwprintf (in: _Buffer=0x4718e08, _BufferCount=0x19, _Format="%s %s", _ArgList=0xdcf58 | out: _Buffer="schtasks /create") returned 16 [0153.256] _memicmp (_Buf1=0x4717560, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.256] GetProcessHeap () returned 0x4710000 [0153.256] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719570 [0153.256] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.256] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0153.256] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0153.256] GetProcessHeap () returned 0x4710000 [0153.256] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x30) returned 0x47190c0 [0153.256] _vsnwprintf (in: _Buffer=0x4719018, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdcf5c | out: _Buffer="Type \"SCHTASKS /CREATE /?\" for usage.") returned 37 [0153.256] GetProcessHeap () returned 0x4710000 [0153.256] GetProcessHeap () returned 0x4710000 [0153.256] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719ee0) returned 1 [0153.256] GetProcessHeap () returned 0x4710000 [0153.256] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719ee0) returned 0x776 [0153.257] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719ee0) returned 1 [0153.257] RtlRestoreLastWin32Error () returned 0x0 [0153.257] GetThreadLocale () returned 0x409 [0153.257] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.257] lstrlenW (lpString="create") returned 6 [0153.257] GetThreadLocale () returned 0x409 [0153.257] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.257] lstrlenW (lpString="?") returned 1 [0153.257] GetThreadLocale () returned 0x409 [0153.257] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.257] lstrlenW (lpString="s") returned 1 [0153.257] GetThreadLocale () returned 0x409 [0153.257] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.257] lstrlenW (lpString="u") returned 1 [0153.257] GetThreadLocale () returned 0x409 [0153.257] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.257] lstrlenW (lpString="p") returned 1 [0153.257] GetThreadLocale () returned 0x409 [0153.257] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.257] lstrlenW (lpString="ru") returned 2 [0153.257] GetThreadLocale () returned 0x409 [0153.257] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.257] lstrlenW (lpString="rp") returned 2 [0153.257] GetThreadLocale () returned 0x409 [0153.257] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.257] lstrlenW (lpString="sc") returned 2 [0153.258] GetThreadLocale () returned 0x409 [0153.258] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.258] lstrlenW (lpString="mo") returned 2 [0153.258] GetThreadLocale () returned 0x409 [0153.258] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.258] lstrlenW (lpString="d") returned 1 [0153.258] GetThreadLocale () returned 0x409 [0153.258] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.258] lstrlenW (lpString="m") returned 1 [0153.258] GetThreadLocale () returned 0x409 [0153.258] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.258] lstrlenW (lpString="i") returned 1 [0153.258] GetThreadLocale () returned 0x409 [0153.258] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.258] lstrlenW (lpString="tn") returned 2 [0153.258] GetThreadLocale () returned 0x409 [0153.258] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.258] lstrlenW (lpString="tr") returned 2 [0153.258] GetThreadLocale () returned 0x409 [0153.258] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.258] lstrlenW (lpString="st") returned 2 [0153.258] GetThreadLocale () returned 0x409 [0153.258] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.258] lstrlenW (lpString="sd") returned 2 [0153.258] GetThreadLocale () returned 0x409 [0153.258] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.258] lstrlenW (lpString="ed") returned 2 [0153.258] GetThreadLocale () returned 0x409 [0153.258] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.258] lstrlenW (lpString="it") returned 2 [0153.258] GetThreadLocale () returned 0x409 [0153.258] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.258] lstrlenW (lpString="et") returned 2 [0153.259] GetThreadLocale () returned 0x409 [0153.259] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.259] lstrlenW (lpString="k") returned 1 [0153.259] GetThreadLocale () returned 0x409 [0153.259] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.259] lstrlenW (lpString="du") returned 2 [0153.259] GetThreadLocale () returned 0x409 [0153.259] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.259] lstrlenW (lpString="ri") returned 2 [0153.259] GetThreadLocale () returned 0x409 [0153.259] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.259] lstrlenW (lpString="z") returned 1 [0153.259] GetThreadLocale () returned 0x409 [0153.259] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.259] lstrlenW (lpString="f") returned 1 [0153.259] GetThreadLocale () returned 0x409 [0153.259] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.259] lstrlenW (lpString="v1") returned 2 [0153.259] GetThreadLocale () returned 0x409 [0153.259] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.259] lstrlenW (lpString="xml") returned 3 [0153.259] GetThreadLocale () returned 0x409 [0153.259] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.259] lstrlenW (lpString="ec") returned 2 [0153.259] GetThreadLocale () returned 0x409 [0153.259] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.259] lstrlenW (lpString="rl") returned 2 [0153.259] GetThreadLocale () returned 0x409 [0153.259] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.259] lstrlenW (lpString="delay") returned 5 [0153.259] GetThreadLocale () returned 0x409 [0153.259] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.259] lstrlenW (lpString="np") returned 2 [0153.260] GetThreadLocale () returned 0x409 [0153.260] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0153.260] lstrlenW (lpString="hresult") returned 7 [0153.260] RtlRestoreLastWin32Error () returned 0x0 [0153.260] RtlRestoreLastWin32Error () returned 0x0 [0153.260] lstrlenW (lpString="/create") returned 7 [0153.260] lstrlenW (lpString="-/") returned 2 [0153.260] StrChrIW (lpStart="-/", wMatch=0x46d002f) returned="/" [0153.260] lstrlenW (lpString="create") returned 6 [0153.260] lstrlenW (lpString="create") returned 6 [0153.260] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.260] lstrlenW (lpString="create") returned 6 [0153.260] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.260] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8 [0153.260] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8 [0153.260] lstrlenW (lpString="|create|") returned 8 [0153.260] lstrlenW (lpString="|create|") returned 8 [0153.260] StrStrIW (lpFirst="|create|", lpSrch="|create|") returned="|create|" [0153.260] RtlRestoreLastWin32Error () returned 0x0 [0153.260] RtlRestoreLastWin32Error () returned 0x0 [0153.260] RtlRestoreLastWin32Error () returned 0x0 [0153.260] lstrlenW (lpString="/f") returned 2 [0153.260] lstrlenW (lpString="-/") returned 2 [0153.260] StrChrIW (lpStart="-/", wMatch=0x46d002f) returned="/" [0153.260] lstrlenW (lpString="create") returned 6 [0153.260] lstrlenW (lpString="create") returned 6 [0153.260] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.260] lstrlenW (lpString="f") returned 1 [0153.260] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.260] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8 [0153.261] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.261] lstrlenW (lpString="|create|") returned 8 [0153.261] lstrlenW (lpString="|f|") returned 3 [0153.261] StrStrIW (lpFirst="|create|", lpSrch="|f|") returned 0x0 [0153.261] RtlRestoreLastWin32Error () returned 0x490 [0153.261] lstrlenW (lpString="?") returned 1 [0153.261] lstrlenW (lpString="?") returned 1 [0153.261] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.261] lstrlenW (lpString="f") returned 1 [0153.261] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.261] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3 [0153.261] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.261] lstrlenW (lpString="|?|") returned 3 [0153.261] lstrlenW (lpString="|f|") returned 3 [0153.261] StrStrIW (lpFirst="|?|", lpSrch="|f|") returned 0x0 [0153.261] RtlRestoreLastWin32Error () returned 0x490 [0153.261] lstrlenW (lpString="s") returned 1 [0153.261] lstrlenW (lpString="s") returned 1 [0153.261] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.261] lstrlenW (lpString="f") returned 1 [0153.261] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.261] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3 [0153.261] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.261] lstrlenW (lpString="|s|") returned 3 [0153.261] lstrlenW (lpString="|f|") returned 3 [0153.261] StrStrIW (lpFirst="|s|", lpSrch="|f|") returned 0x0 [0153.261] RtlRestoreLastWin32Error () returned 0x490 [0153.261] lstrlenW (lpString="u") returned 1 [0153.262] lstrlenW (lpString="u") returned 1 [0153.262] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.262] lstrlenW (lpString="f") returned 1 [0153.262] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.262] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3 [0153.262] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.262] lstrlenW (lpString="|u|") returned 3 [0153.262] lstrlenW (lpString="|f|") returned 3 [0153.262] StrStrIW (lpFirst="|u|", lpSrch="|f|") returned 0x0 [0153.262] RtlRestoreLastWin32Error () returned 0x490 [0153.262] lstrlenW (lpString="p") returned 1 [0153.262] lstrlenW (lpString="p") returned 1 [0153.262] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.262] lstrlenW (lpString="f") returned 1 [0153.262] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.262] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3 [0153.262] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.262] lstrlenW (lpString="|p|") returned 3 [0153.262] lstrlenW (lpString="|f|") returned 3 [0153.262] StrStrIW (lpFirst="|p|", lpSrch="|f|") returned 0x0 [0153.262] RtlRestoreLastWin32Error () returned 0x490 [0153.262] lstrlenW (lpString="ru") returned 2 [0153.262] lstrlenW (lpString="ru") returned 2 [0153.262] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.262] lstrlenW (lpString="f") returned 1 [0153.262] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.263] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4 [0153.263] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.263] lstrlenW (lpString="|ru|") returned 4 [0153.263] lstrlenW (lpString="|f|") returned 3 [0153.263] StrStrIW (lpFirst="|ru|", lpSrch="|f|") returned 0x0 [0153.263] RtlRestoreLastWin32Error () returned 0x490 [0153.263] lstrlenW (lpString="rp") returned 2 [0153.263] lstrlenW (lpString="rp") returned 2 [0153.263] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.263] lstrlenW (lpString="f") returned 1 [0153.263] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.263] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4 [0153.263] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.263] lstrlenW (lpString="|rp|") returned 4 [0153.263] lstrlenW (lpString="|f|") returned 3 [0153.263] StrStrIW (lpFirst="|rp|", lpSrch="|f|") returned 0x0 [0153.263] RtlRestoreLastWin32Error () returned 0x490 [0153.263] lstrlenW (lpString="sc") returned 2 [0153.263] lstrlenW (lpString="sc") returned 2 [0153.263] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.263] lstrlenW (lpString="f") returned 1 [0153.263] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.263] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.263] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.263] lstrlenW (lpString="|sc|") returned 4 [0153.263] lstrlenW (lpString="|f|") returned 3 [0153.263] StrStrIW (lpFirst="|sc|", lpSrch="|f|") returned 0x0 [0153.263] RtlRestoreLastWin32Error () returned 0x490 [0153.263] lstrlenW (lpString="mo") returned 2 [0153.264] lstrlenW (lpString="mo") returned 2 [0153.264] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.264] lstrlenW (lpString="f") returned 1 [0153.264] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.264] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4 [0153.264] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.264] lstrlenW (lpString="|mo|") returned 4 [0153.264] lstrlenW (lpString="|f|") returned 3 [0153.264] StrStrIW (lpFirst="|mo|", lpSrch="|f|") returned 0x0 [0153.264] RtlRestoreLastWin32Error () returned 0x490 [0153.264] lstrlenW (lpString="d") returned 1 [0153.264] lstrlenW (lpString="d") returned 1 [0153.264] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.264] lstrlenW (lpString="f") returned 1 [0153.264] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.264] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3 [0153.264] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.264] lstrlenW (lpString="|d|") returned 3 [0153.264] lstrlenW (lpString="|f|") returned 3 [0153.264] StrStrIW (lpFirst="|d|", lpSrch="|f|") returned 0x0 [0153.264] RtlRestoreLastWin32Error () returned 0x490 [0153.264] lstrlenW (lpString="m") returned 1 [0153.265] lstrlenW (lpString="m") returned 1 [0153.265] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.265] lstrlenW (lpString="f") returned 1 [0153.265] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.265] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3 [0153.265] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.265] lstrlenW (lpString="|m|") returned 3 [0153.265] lstrlenW (lpString="|f|") returned 3 [0153.265] StrStrIW (lpFirst="|m|", lpSrch="|f|") returned 0x0 [0153.265] RtlRestoreLastWin32Error () returned 0x490 [0153.265] lstrlenW (lpString="i") returned 1 [0153.265] lstrlenW (lpString="i") returned 1 [0153.265] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.265] lstrlenW (lpString="f") returned 1 [0153.265] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.265] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3 [0153.265] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.265] lstrlenW (lpString="|i|") returned 3 [0153.265] lstrlenW (lpString="|f|") returned 3 [0153.265] StrStrIW (lpFirst="|i|", lpSrch="|f|") returned 0x0 [0153.265] RtlRestoreLastWin32Error () returned 0x490 [0153.265] lstrlenW (lpString="tn") returned 2 [0153.265] lstrlenW (lpString="tn") returned 2 [0153.265] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.265] lstrlenW (lpString="f") returned 1 [0153.265] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.265] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.265] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.266] lstrlenW (lpString="|tn|") returned 4 [0153.266] lstrlenW (lpString="|f|") returned 3 [0153.266] StrStrIW (lpFirst="|tn|", lpSrch="|f|") returned 0x0 [0153.266] RtlRestoreLastWin32Error () returned 0x490 [0153.266] lstrlenW (lpString="tr") returned 2 [0153.266] lstrlenW (lpString="tr") returned 2 [0153.266] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.266] lstrlenW (lpString="f") returned 1 [0153.266] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.266] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.266] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.266] lstrlenW (lpString="|tr|") returned 4 [0153.266] lstrlenW (lpString="|f|") returned 3 [0153.266] StrStrIW (lpFirst="|tr|", lpSrch="|f|") returned 0x0 [0153.266] RtlRestoreLastWin32Error () returned 0x490 [0153.266] lstrlenW (lpString="st") returned 2 [0153.266] lstrlenW (lpString="st") returned 2 [0153.266] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.266] lstrlenW (lpString="f") returned 1 [0153.266] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.266] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|st|") returned 4 [0153.266] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.266] lstrlenW (lpString="|st|") returned 4 [0153.266] lstrlenW (lpString="|f|") returned 3 [0153.266] StrStrIW (lpFirst="|st|", lpSrch="|f|") returned 0x0 [0153.266] RtlRestoreLastWin32Error () returned 0x490 [0153.266] lstrlenW (lpString="sd") returned 2 [0153.266] lstrlenW (lpString="sd") returned 2 [0153.266] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.266] lstrlenW (lpString="f") returned 1 [0153.267] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.267] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sd|") returned 4 [0153.267] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.267] lstrlenW (lpString="|sd|") returned 4 [0153.267] lstrlenW (lpString="|f|") returned 3 [0153.267] StrStrIW (lpFirst="|sd|", lpSrch="|f|") returned 0x0 [0153.267] RtlRestoreLastWin32Error () returned 0x490 [0153.267] lstrlenW (lpString="ed") returned 2 [0153.267] lstrlenW (lpString="ed") returned 2 [0153.267] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.267] lstrlenW (lpString="f") returned 1 [0153.267] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.267] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ed|") returned 4 [0153.267] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.267] lstrlenW (lpString="|ed|") returned 4 [0153.267] lstrlenW (lpString="|f|") returned 3 [0153.267] StrStrIW (lpFirst="|ed|", lpSrch="|f|") returned 0x0 [0153.267] RtlRestoreLastWin32Error () returned 0x490 [0153.267] lstrlenW (lpString="it") returned 2 [0153.267] lstrlenW (lpString="it") returned 2 [0153.267] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.267] lstrlenW (lpString="f") returned 1 [0153.267] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.267] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|it|") returned 4 [0153.267] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.267] lstrlenW (lpString="|it|") returned 4 [0153.267] lstrlenW (lpString="|f|") returned 3 [0153.267] StrStrIW (lpFirst="|it|", lpSrch="|f|") returned 0x0 [0153.267] RtlRestoreLastWin32Error () returned 0x490 [0153.268] lstrlenW (lpString="et") returned 2 [0153.268] lstrlenW (lpString="et") returned 2 [0153.268] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.268] lstrlenW (lpString="f") returned 1 [0153.268] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.268] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|et|") returned 4 [0153.268] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.268] lstrlenW (lpString="|et|") returned 4 [0153.268] lstrlenW (lpString="|f|") returned 3 [0153.268] StrStrIW (lpFirst="|et|", lpSrch="|f|") returned 0x0 [0153.268] RtlRestoreLastWin32Error () returned 0x490 [0153.268] lstrlenW (lpString="k") returned 1 [0153.268] lstrlenW (lpString="k") returned 1 [0153.268] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.268] lstrlenW (lpString="f") returned 1 [0153.268] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.268] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|k|") returned 3 [0153.268] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.268] lstrlenW (lpString="|k|") returned 3 [0153.268] lstrlenW (lpString="|f|") returned 3 [0153.268] StrStrIW (lpFirst="|k|", lpSrch="|f|") returned 0x0 [0153.268] RtlRestoreLastWin32Error () returned 0x490 [0153.268] lstrlenW (lpString="du") returned 2 [0153.268] lstrlenW (lpString="du") returned 2 [0153.268] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.268] lstrlenW (lpString="f") returned 1 [0153.268] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.268] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|du|") returned 4 [0153.269] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.269] lstrlenW (lpString="|du|") returned 4 [0153.269] lstrlenW (lpString="|f|") returned 3 [0153.269] StrStrIW (lpFirst="|du|", lpSrch="|f|") returned 0x0 [0153.269] RtlRestoreLastWin32Error () returned 0x490 [0153.269] lstrlenW (lpString="ri") returned 2 [0153.269] lstrlenW (lpString="ri") returned 2 [0153.269] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.269] lstrlenW (lpString="f") returned 1 [0153.269] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.269] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ri|") returned 4 [0153.269] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.269] lstrlenW (lpString="|ri|") returned 4 [0153.269] lstrlenW (lpString="|f|") returned 3 [0153.269] StrStrIW (lpFirst="|ri|", lpSrch="|f|") returned 0x0 [0153.269] RtlRestoreLastWin32Error () returned 0x490 [0153.269] lstrlenW (lpString="z") returned 1 [0153.269] lstrlenW (lpString="z") returned 1 [0153.269] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.269] lstrlenW (lpString="f") returned 1 [0153.269] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.269] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|z|") returned 3 [0153.269] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.269] lstrlenW (lpString="|z|") returned 3 [0153.269] lstrlenW (lpString="|f|") returned 3 [0153.269] StrStrIW (lpFirst="|z|", lpSrch="|f|") returned 0x0 [0153.269] RtlRestoreLastWin32Error () returned 0x490 [0153.269] lstrlenW (lpString="f") returned 1 [0153.269] lstrlenW (lpString="f") returned 1 [0153.269] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.270] lstrlenW (lpString="f") returned 1 [0153.270] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.270] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.270] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.270] lstrlenW (lpString="|f|") returned 3 [0153.270] lstrlenW (lpString="|f|") returned 3 [0153.270] StrStrIW (lpFirst="|f|", lpSrch="|f|") returned="|f|" [0153.270] RtlRestoreLastWin32Error () returned 0x0 [0153.270] RtlRestoreLastWin32Error () returned 0x0 [0153.270] RtlRestoreLastWin32Error () returned 0x0 [0153.270] lstrlenW (lpString="/sc") returned 3 [0153.270] lstrlenW (lpString="-/") returned 2 [0153.270] StrChrIW (lpStart="-/", wMatch=0x46d002f) returned="/" [0153.270] lstrlenW (lpString="create") returned 6 [0153.270] lstrlenW (lpString="create") returned 6 [0153.270] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.270] lstrlenW (lpString="sc") returned 2 [0153.270] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.270] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8 [0153.270] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.270] lstrlenW (lpString="|create|") returned 8 [0153.270] lstrlenW (lpString="|sc|") returned 4 [0153.270] StrStrIW (lpFirst="|create|", lpSrch="|sc|") returned 0x0 [0153.270] RtlRestoreLastWin32Error () returned 0x490 [0153.270] lstrlenW (lpString="?") returned 1 [0153.270] lstrlenW (lpString="?") returned 1 [0153.270] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.270] lstrlenW (lpString="sc") returned 2 [0153.270] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.271] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3 [0153.271] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.271] lstrlenW (lpString="|?|") returned 3 [0153.271] lstrlenW (lpString="|sc|") returned 4 [0153.271] RtlRestoreLastWin32Error () returned 0x490 [0153.271] lstrlenW (lpString="s") returned 1 [0153.271] lstrlenW (lpString="s") returned 1 [0153.271] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.271] lstrlenW (lpString="sc") returned 2 [0153.271] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.271] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3 [0153.271] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.271] lstrlenW (lpString="|s|") returned 3 [0153.271] lstrlenW (lpString="|sc|") returned 4 [0153.271] RtlRestoreLastWin32Error () returned 0x490 [0153.271] lstrlenW (lpString="u") returned 1 [0153.271] lstrlenW (lpString="u") returned 1 [0153.271] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.271] lstrlenW (lpString="sc") returned 2 [0153.271] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.271] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3 [0153.271] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.271] lstrlenW (lpString="|u|") returned 3 [0153.271] lstrlenW (lpString="|sc|") returned 4 [0153.271] RtlRestoreLastWin32Error () returned 0x490 [0153.271] lstrlenW (lpString="p") returned 1 [0153.271] lstrlenW (lpString="p") returned 1 [0153.271] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.271] lstrlenW (lpString="sc") returned 2 [0153.271] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.272] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3 [0153.272] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.272] lstrlenW (lpString="|p|") returned 3 [0153.272] lstrlenW (lpString="|sc|") returned 4 [0153.272] RtlRestoreLastWin32Error () returned 0x490 [0153.272] lstrlenW (lpString="ru") returned 2 [0153.272] lstrlenW (lpString="ru") returned 2 [0153.272] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.272] lstrlenW (lpString="sc") returned 2 [0153.272] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.272] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4 [0153.272] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.272] lstrlenW (lpString="|ru|") returned 4 [0153.272] lstrlenW (lpString="|sc|") returned 4 [0153.272] StrStrIW (lpFirst="|ru|", lpSrch="|sc|") returned 0x0 [0153.272] RtlRestoreLastWin32Error () returned 0x490 [0153.272] lstrlenW (lpString="rp") returned 2 [0153.272] lstrlenW (lpString="rp") returned 2 [0153.272] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.272] lstrlenW (lpString="sc") returned 2 [0153.272] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.272] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4 [0153.272] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.272] lstrlenW (lpString="|rp|") returned 4 [0153.272] lstrlenW (lpString="|sc|") returned 4 [0153.272] StrStrIW (lpFirst="|rp|", lpSrch="|sc|") returned 0x0 [0153.272] RtlRestoreLastWin32Error () returned 0x490 [0153.272] lstrlenW (lpString="sc") returned 2 [0153.272] lstrlenW (lpString="sc") returned 2 [0153.273] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.273] lstrlenW (lpString="sc") returned 2 [0153.273] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.273] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.273] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.273] lstrlenW (lpString="|sc|") returned 4 [0153.273] lstrlenW (lpString="|sc|") returned 4 [0153.273] StrStrIW (lpFirst="|sc|", lpSrch="|sc|") returned="|sc|" [0153.273] RtlRestoreLastWin32Error () returned 0x0 [0153.273] RtlRestoreLastWin32Error () returned 0x0 [0153.273] lstrlenW (lpString="onlogon") returned 7 [0153.273] lstrlenW (lpString="-/") returned 2 [0153.273] StrChrIW (lpStart="-/", wMatch=0x46d006f) returned 0x0 [0153.273] RtlRestoreLastWin32Error () returned 0x490 [0153.273] RtlRestoreLastWin32Error () returned 0x490 [0153.273] RtlRestoreLastWin32Error () returned 0x0 [0153.273] lstrlenW (lpString="onlogon") returned 7 [0153.273] StrChrIW (lpStart="onlogon", wMatch=0x3a) returned 0x0 [0153.273] RtlRestoreLastWin32Error () returned 0x490 [0153.273] RtlRestoreLastWin32Error () returned 0x0 [0153.273] GetProcessHeap () returned 0x4710000 [0153.273] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x471ad38 [0153.273] _memicmp (_Buf1=0x471ad38, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.273] lstrlenW (lpString="onlogon") returned 7 [0153.273] GetProcessHeap () returned 0x4710000 [0153.273] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x471ad80 [0153.273] lstrlenW (lpString="onlogon") returned 7 [0153.273] lstrlenW (lpString=" \x09") returned 2 [0153.273] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0153.273] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0153.274] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0153.274] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0153.274] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0153.274] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0153.274] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0153.274] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0153.274] GetLastError () returned 0x0 [0153.274] lstrlenW (lpString="onlogon") returned 7 [0153.274] lstrlenW (lpString="onlogon") returned 7 [0153.274] RtlRestoreLastWin32Error () returned 0x0 [0153.274] RtlRestoreLastWin32Error () returned 0x0 [0153.274] lstrlenW (lpString="/rl") returned 3 [0153.274] lstrlenW (lpString="-/") returned 2 [0153.274] StrChrIW (lpStart="-/", wMatch=0x46d002f) returned="/" [0153.274] lstrlenW (lpString="create") returned 6 [0153.274] lstrlenW (lpString="create") returned 6 [0153.274] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.274] lstrlenW (lpString="rl") returned 2 [0153.274] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.274] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8 [0153.274] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.274] lstrlenW (lpString="|create|") returned 8 [0153.274] lstrlenW (lpString="|rl|") returned 4 [0153.274] StrStrIW (lpFirst="|create|", lpSrch="|rl|") returned 0x0 [0153.274] RtlRestoreLastWin32Error () returned 0x490 [0153.274] lstrlenW (lpString="?") returned 1 [0153.274] lstrlenW (lpString="?") returned 1 [0153.274] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.274] lstrlenW (lpString="rl") returned 2 [0153.274] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.275] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3 [0153.275] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.275] lstrlenW (lpString="|?|") returned 3 [0153.275] lstrlenW (lpString="|rl|") returned 4 [0153.275] RtlRestoreLastWin32Error () returned 0x490 [0153.275] lstrlenW (lpString="s") returned 1 [0153.275] lstrlenW (lpString="s") returned 1 [0153.275] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.275] lstrlenW (lpString="rl") returned 2 [0153.275] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.275] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3 [0153.275] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.275] lstrlenW (lpString="|s|") returned 3 [0153.275] lstrlenW (lpString="|rl|") returned 4 [0153.275] RtlRestoreLastWin32Error () returned 0x490 [0153.275] lstrlenW (lpString="u") returned 1 [0153.275] lstrlenW (lpString="u") returned 1 [0153.275] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.275] lstrlenW (lpString="rl") returned 2 [0153.275] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.275] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3 [0153.275] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.275] lstrlenW (lpString="|u|") returned 3 [0153.275] lstrlenW (lpString="|rl|") returned 4 [0153.275] RtlRestoreLastWin32Error () returned 0x490 [0153.275] lstrlenW (lpString="p") returned 1 [0153.275] lstrlenW (lpString="p") returned 1 [0153.275] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.276] lstrlenW (lpString="rl") returned 2 [0153.276] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.276] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3 [0153.276] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.276] lstrlenW (lpString="|p|") returned 3 [0153.276] lstrlenW (lpString="|rl|") returned 4 [0153.276] RtlRestoreLastWin32Error () returned 0x490 [0153.276] lstrlenW (lpString="ru") returned 2 [0153.276] lstrlenW (lpString="ru") returned 2 [0153.276] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.276] lstrlenW (lpString="rl") returned 2 [0153.276] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.276] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4 [0153.276] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.276] lstrlenW (lpString="|ru|") returned 4 [0153.276] lstrlenW (lpString="|rl|") returned 4 [0153.276] StrStrIW (lpFirst="|ru|", lpSrch="|rl|") returned 0x0 [0153.276] RtlRestoreLastWin32Error () returned 0x490 [0153.276] lstrlenW (lpString="rp") returned 2 [0153.276] lstrlenW (lpString="rp") returned 2 [0153.276] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.276] lstrlenW (lpString="rl") returned 2 [0153.276] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.276] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4 [0153.276] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.276] lstrlenW (lpString="|rp|") returned 4 [0153.276] lstrlenW (lpString="|rl|") returned 4 [0153.276] StrStrIW (lpFirst="|rp|", lpSrch="|rl|") returned 0x0 [0153.276] RtlRestoreLastWin32Error () returned 0x490 [0153.277] lstrlenW (lpString="sc") returned 2 [0153.277] lstrlenW (lpString="sc") returned 2 [0153.277] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.277] lstrlenW (lpString="rl") returned 2 [0153.277] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.277] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.277] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.277] lstrlenW (lpString="|sc|") returned 4 [0153.277] lstrlenW (lpString="|rl|") returned 4 [0153.277] StrStrIW (lpFirst="|sc|", lpSrch="|rl|") returned 0x0 [0153.277] RtlRestoreLastWin32Error () returned 0x490 [0153.277] lstrlenW (lpString="mo") returned 2 [0153.277] lstrlenW (lpString="mo") returned 2 [0153.277] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.277] lstrlenW (lpString="rl") returned 2 [0153.277] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.277] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4 [0153.277] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.277] lstrlenW (lpString="|mo|") returned 4 [0153.277] lstrlenW (lpString="|rl|") returned 4 [0153.277] StrStrIW (lpFirst="|mo|", lpSrch="|rl|") returned 0x0 [0153.277] RtlRestoreLastWin32Error () returned 0x490 [0153.277] lstrlenW (lpString="d") returned 1 [0153.277] lstrlenW (lpString="d") returned 1 [0153.277] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.277] lstrlenW (lpString="rl") returned 2 [0153.277] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.277] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3 [0153.277] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.277] lstrlenW (lpString="|d|") returned 3 [0153.278] lstrlenW (lpString="|rl|") returned 4 [0153.278] RtlRestoreLastWin32Error () returned 0x490 [0153.278] lstrlenW (lpString="m") returned 1 [0153.278] lstrlenW (lpString="m") returned 1 [0153.278] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.278] lstrlenW (lpString="rl") returned 2 [0153.278] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.278] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3 [0153.278] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.278] lstrlenW (lpString="|m|") returned 3 [0153.278] lstrlenW (lpString="|rl|") returned 4 [0153.278] RtlRestoreLastWin32Error () returned 0x490 [0153.278] lstrlenW (lpString="i") returned 1 [0153.278] lstrlenW (lpString="i") returned 1 [0153.278] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.278] lstrlenW (lpString="rl") returned 2 [0153.278] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.278] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3 [0153.278] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.278] lstrlenW (lpString="|i|") returned 3 [0153.278] lstrlenW (lpString="|rl|") returned 4 [0153.278] RtlRestoreLastWin32Error () returned 0x490 [0153.278] lstrlenW (lpString="tn") returned 2 [0153.278] lstrlenW (lpString="tn") returned 2 [0153.278] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.278] lstrlenW (lpString="rl") returned 2 [0153.278] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.278] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.278] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.278] lstrlenW (lpString="|tn|") returned 4 [0153.278] lstrlenW (lpString="|rl|") returned 4 [0153.279] StrStrIW (lpFirst="|tn|", lpSrch="|rl|") returned 0x0 [0153.279] RtlRestoreLastWin32Error () returned 0x490 [0153.279] lstrlenW (lpString="tr") returned 2 [0153.279] lstrlenW (lpString="tr") returned 2 [0153.279] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.279] lstrlenW (lpString="rl") returned 2 [0153.279] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.279] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.279] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.279] lstrlenW (lpString="|tr|") returned 4 [0153.279] lstrlenW (lpString="|rl|") returned 4 [0153.279] StrStrIW (lpFirst="|tr|", lpSrch="|rl|") returned 0x0 [0153.279] RtlRestoreLastWin32Error () returned 0x490 [0153.279] lstrlenW (lpString="st") returned 2 [0153.279] lstrlenW (lpString="st") returned 2 [0153.279] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.279] lstrlenW (lpString="rl") returned 2 [0153.279] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.279] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|st|") returned 4 [0153.279] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.279] lstrlenW (lpString="|st|") returned 4 [0153.279] lstrlenW (lpString="|rl|") returned 4 [0153.279] StrStrIW (lpFirst="|st|", lpSrch="|rl|") returned 0x0 [0153.279] RtlRestoreLastWin32Error () returned 0x490 [0153.279] lstrlenW (lpString="sd") returned 2 [0153.279] lstrlenW (lpString="sd") returned 2 [0153.279] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.279] lstrlenW (lpString="rl") returned 2 [0153.279] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.279] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sd|") returned 4 [0153.280] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.280] lstrlenW (lpString="|sd|") returned 4 [0153.280] lstrlenW (lpString="|rl|") returned 4 [0153.280] StrStrIW (lpFirst="|sd|", lpSrch="|rl|") returned 0x0 [0153.280] RtlRestoreLastWin32Error () returned 0x490 [0153.280] lstrlenW (lpString="ed") returned 2 [0153.280] lstrlenW (lpString="ed") returned 2 [0153.280] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.280] lstrlenW (lpString="rl") returned 2 [0153.280] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.280] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ed|") returned 4 [0153.280] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.280] lstrlenW (lpString="|ed|") returned 4 [0153.280] lstrlenW (lpString="|rl|") returned 4 [0153.280] StrStrIW (lpFirst="|ed|", lpSrch="|rl|") returned 0x0 [0153.280] RtlRestoreLastWin32Error () returned 0x490 [0153.280] lstrlenW (lpString="it") returned 2 [0153.280] lstrlenW (lpString="it") returned 2 [0153.280] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.280] lstrlenW (lpString="rl") returned 2 [0153.280] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.280] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|it|") returned 4 [0153.280] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.280] lstrlenW (lpString="|it|") returned 4 [0153.280] lstrlenW (lpString="|rl|") returned 4 [0153.280] StrStrIW (lpFirst="|it|", lpSrch="|rl|") returned 0x0 [0153.280] RtlRestoreLastWin32Error () returned 0x490 [0153.280] lstrlenW (lpString="et") returned 2 [0153.280] lstrlenW (lpString="et") returned 2 [0153.280] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.280] lstrlenW (lpString="rl") returned 2 [0153.281] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.281] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|et|") returned 4 [0153.281] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.281] lstrlenW (lpString="|et|") returned 4 [0153.281] lstrlenW (lpString="|rl|") returned 4 [0153.281] StrStrIW (lpFirst="|et|", lpSrch="|rl|") returned 0x0 [0153.281] RtlRestoreLastWin32Error () returned 0x490 [0153.281] lstrlenW (lpString="k") returned 1 [0153.281] lstrlenW (lpString="k") returned 1 [0153.281] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.281] lstrlenW (lpString="rl") returned 2 [0153.281] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.281] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|k|") returned 3 [0153.281] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.281] lstrlenW (lpString="|k|") returned 3 [0153.281] lstrlenW (lpString="|rl|") returned 4 [0153.281] RtlRestoreLastWin32Error () returned 0x490 [0153.281] lstrlenW (lpString="du") returned 2 [0153.281] lstrlenW (lpString="du") returned 2 [0153.281] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.281] lstrlenW (lpString="rl") returned 2 [0153.281] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.281] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|du|") returned 4 [0153.281] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.281] lstrlenW (lpString="|du|") returned 4 [0153.281] lstrlenW (lpString="|rl|") returned 4 [0153.281] StrStrIW (lpFirst="|du|", lpSrch="|rl|") returned 0x0 [0153.281] RtlRestoreLastWin32Error () returned 0x490 [0153.281] lstrlenW (lpString="ri") returned 2 [0153.281] lstrlenW (lpString="ri") returned 2 [0153.281] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.282] lstrlenW (lpString="rl") returned 2 [0153.282] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.282] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ri|") returned 4 [0153.282] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.282] lstrlenW (lpString="|ri|") returned 4 [0153.282] lstrlenW (lpString="|rl|") returned 4 [0153.282] StrStrIW (lpFirst="|ri|", lpSrch="|rl|") returned 0x0 [0153.282] RtlRestoreLastWin32Error () returned 0x490 [0153.282] lstrlenW (lpString="z") returned 1 [0153.282] lstrlenW (lpString="z") returned 1 [0153.282] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.282] lstrlenW (lpString="rl") returned 2 [0153.282] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.282] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|z|") returned 3 [0153.282] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.282] lstrlenW (lpString="|z|") returned 3 [0153.282] lstrlenW (lpString="|rl|") returned 4 [0153.282] RtlRestoreLastWin32Error () returned 0x490 [0153.282] lstrlenW (lpString="f") returned 1 [0153.282] lstrlenW (lpString="f") returned 1 [0153.282] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.282] lstrlenW (lpString="rl") returned 2 [0153.282] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.282] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3 [0153.284] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.284] lstrlenW (lpString="|f|") returned 3 [0153.284] lstrlenW (lpString="|rl|") returned 4 [0153.284] RtlRestoreLastWin32Error () returned 0x490 [0153.284] lstrlenW (lpString="v1") returned 2 [0153.284] lstrlenW (lpString="v1") returned 2 [0153.284] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.284] lstrlenW (lpString="rl") returned 2 [0153.284] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.284] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|v1|") returned 4 [0153.284] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.284] lstrlenW (lpString="|v1|") returned 4 [0153.284] lstrlenW (lpString="|rl|") returned 4 [0153.284] StrStrIW (lpFirst="|v1|", lpSrch="|rl|") returned 0x0 [0153.284] RtlRestoreLastWin32Error () returned 0x490 [0153.284] lstrlenW (lpString="xml") returned 3 [0153.284] lstrlenW (lpString="xml") returned 3 [0153.284] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.284] lstrlenW (lpString="rl") returned 2 [0153.284] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.284] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|xml|") returned 5 [0153.284] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.284] lstrlenW (lpString="|xml|") returned 5 [0153.284] lstrlenW (lpString="|rl|") returned 4 [0153.284] StrStrIW (lpFirst="|xml|", lpSrch="|rl|") returned 0x0 [0153.285] RtlRestoreLastWin32Error () returned 0x490 [0153.285] lstrlenW (lpString="ec") returned 2 [0153.285] lstrlenW (lpString="ec") returned 2 [0153.285] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.285] lstrlenW (lpString="rl") returned 2 [0153.285] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.285] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ec|") returned 4 [0153.285] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.285] lstrlenW (lpString="|ec|") returned 4 [0153.285] lstrlenW (lpString="|rl|") returned 4 [0153.285] StrStrIW (lpFirst="|ec|", lpSrch="|rl|") returned 0x0 [0153.285] RtlRestoreLastWin32Error () returned 0x490 [0153.285] lstrlenW (lpString="rl") returned 2 [0153.285] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.285] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.285] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.285] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4 [0153.285] StrStrIW (lpFirst="|rl|", lpSrch="|rl|") returned="|rl|" [0153.285] RtlRestoreLastWin32Error () returned 0x0 [0153.285] RtlRestoreLastWin32Error () returned 0x0 [0153.285] lstrlenW (lpString="highest") returned 7 [0153.285] StrChrIW (lpStart="-/", wMatch=0x46d0068) returned 0x0 [0153.285] RtlRestoreLastWin32Error () returned 0x490 [0153.285] RtlRestoreLastWin32Error () returned 0x490 [0153.285] RtlRestoreLastWin32Error () returned 0x0 [0153.285] lstrlenW (lpString="highest") returned 7 [0153.285] StrChrIW (lpStart="highest", wMatch=0x3a) returned 0x0 [0153.285] RtlRestoreLastWin32Error () returned 0x490 [0153.286] RtlRestoreLastWin32Error () returned 0x0 [0153.286] _memicmp (_Buf1=0x471ad38, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.286] lstrlenW (lpString="highest") returned 7 [0153.286] lstrlenW (lpString="highest") returned 7 [0153.286] lstrlenW (lpString=" \x09") returned 2 [0153.286] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0 [0153.286] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0 [0153.286] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0153.286] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0153.286] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0 [0153.286] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0153.286] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0153.286] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0153.286] GetLastError () returned 0x0 [0153.286] lstrlenW (lpString="highest") returned 7 [0153.286] lstrlenW (lpString="highest") returned 7 [0153.286] RtlRestoreLastWin32Error () returned 0x0 [0153.286] RtlRestoreLastWin32Error () returned 0x0 [0153.286] lstrlenW (lpString="/tn") returned 3 [0153.286] lstrlenW (lpString="-/") returned 2 [0153.286] StrChrIW (lpStart="-/", wMatch=0x46d002f) returned="/" [0153.286] lstrlenW (lpString="create") returned 6 [0153.286] lstrlenW (lpString="create") returned 6 [0153.286] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.286] lstrlenW (lpString="tn") returned 2 [0153.286] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.286] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8 [0153.286] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.286] lstrlenW (lpString="|create|") returned 8 [0153.286] lstrlenW (lpString="|tn|") returned 4 [0153.286] StrStrIW (lpFirst="|create|", lpSrch="|tn|") returned 0x0 [0153.286] RtlRestoreLastWin32Error () returned 0x490 [0153.286] lstrlenW (lpString="?") returned 1 [0153.287] lstrlenW (lpString="?") returned 1 [0153.287] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.287] lstrlenW (lpString="tn") returned 2 [0153.287] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.287] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3 [0153.287] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.287] lstrlenW (lpString="|?|") returned 3 [0153.287] lstrlenW (lpString="|tn|") returned 4 [0153.287] RtlRestoreLastWin32Error () returned 0x490 [0153.287] lstrlenW (lpString="s") returned 1 [0153.287] lstrlenW (lpString="s") returned 1 [0153.287] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.287] lstrlenW (lpString="tn") returned 2 [0153.287] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.287] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3 [0153.287] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.287] lstrlenW (lpString="|s|") returned 3 [0153.287] lstrlenW (lpString="|tn|") returned 4 [0153.287] RtlRestoreLastWin32Error () returned 0x490 [0153.287] lstrlenW (lpString="u") returned 1 [0153.287] lstrlenW (lpString="u") returned 1 [0153.287] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.287] lstrlenW (lpString="tn") returned 2 [0153.287] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.288] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3 [0153.288] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.288] lstrlenW (lpString="|u|") returned 3 [0153.288] lstrlenW (lpString="|tn|") returned 4 [0153.288] RtlRestoreLastWin32Error () returned 0x490 [0153.288] lstrlenW (lpString="p") returned 1 [0153.288] lstrlenW (lpString="p") returned 1 [0153.288] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.288] lstrlenW (lpString="tn") returned 2 [0153.288] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.288] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3 [0153.288] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.288] lstrlenW (lpString="|p|") returned 3 [0153.288] lstrlenW (lpString="|tn|") returned 4 [0153.288] RtlRestoreLastWin32Error () returned 0x490 [0153.288] lstrlenW (lpString="ru") returned 2 [0153.288] lstrlenW (lpString="ru") returned 2 [0153.288] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.288] lstrlenW (lpString="tn") returned 2 [0153.288] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.288] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4 [0153.288] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.288] lstrlenW (lpString="|ru|") returned 4 [0153.288] lstrlenW (lpString="|tn|") returned 4 [0153.288] StrStrIW (lpFirst="|ru|", lpSrch="|tn|") returned 0x0 [0153.288] RtlRestoreLastWin32Error () returned 0x490 [0153.288] lstrlenW (lpString="rp") returned 2 [0153.288] lstrlenW (lpString="rp") returned 2 [0153.289] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.289] lstrlenW (lpString="tn") returned 2 [0153.289] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.289] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4 [0153.289] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.289] lstrlenW (lpString="|rp|") returned 4 [0153.289] lstrlenW (lpString="|tn|") returned 4 [0153.289] StrStrIW (lpFirst="|rp|", lpSrch="|tn|") returned 0x0 [0153.289] RtlRestoreLastWin32Error () returned 0x490 [0153.289] lstrlenW (lpString="sc") returned 2 [0153.289] lstrlenW (lpString="sc") returned 2 [0153.289] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.289] lstrlenW (lpString="tn") returned 2 [0153.289] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.289] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.289] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.289] lstrlenW (lpString="|sc|") returned 4 [0153.289] lstrlenW (lpString="|tn|") returned 4 [0153.289] StrStrIW (lpFirst="|sc|", lpSrch="|tn|") returned 0x0 [0153.289] RtlRestoreLastWin32Error () returned 0x490 [0153.289] lstrlenW (lpString="mo") returned 2 [0153.289] lstrlenW (lpString="mo") returned 2 [0153.290] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.290] lstrlenW (lpString="tn") returned 2 [0153.290] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.290] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4 [0153.290] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.290] lstrlenW (lpString="|mo|") returned 4 [0153.290] lstrlenW (lpString="|tn|") returned 4 [0153.290] StrStrIW (lpFirst="|mo|", lpSrch="|tn|") returned 0x0 [0153.290] RtlRestoreLastWin32Error () returned 0x490 [0153.290] lstrlenW (lpString="d") returned 1 [0153.290] lstrlenW (lpString="d") returned 1 [0153.290] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.290] lstrlenW (lpString="tn") returned 2 [0153.290] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.290] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3 [0153.290] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.290] lstrlenW (lpString="|d|") returned 3 [0153.290] lstrlenW (lpString="|tn|") returned 4 [0153.290] RtlRestoreLastWin32Error () returned 0x490 [0153.290] lstrlenW (lpString="m") returned 1 [0153.290] lstrlenW (lpString="m") returned 1 [0153.290] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.290] lstrlenW (lpString="tn") returned 2 [0153.290] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.290] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3 [0153.290] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.290] lstrlenW (lpString="|m|") returned 3 [0153.290] lstrlenW (lpString="|tn|") returned 4 [0153.290] RtlRestoreLastWin32Error () returned 0x490 [0153.290] lstrlenW (lpString="i") returned 1 [0153.291] lstrlenW (lpString="i") returned 1 [0153.291] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.291] lstrlenW (lpString="tn") returned 2 [0153.291] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.291] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3 [0153.291] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.291] lstrlenW (lpString="|i|") returned 3 [0153.291] lstrlenW (lpString="|tn|") returned 4 [0153.291] RtlRestoreLastWin32Error () returned 0x490 [0153.291] lstrlenW (lpString="tn") returned 2 [0153.291] lstrlenW (lpString="tn") returned 2 [0153.291] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.291] lstrlenW (lpString="tn") returned 2 [0153.291] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.291] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.291] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.291] lstrlenW (lpString="|tn|") returned 4 [0153.291] lstrlenW (lpString="|tn|") returned 4 [0153.291] StrStrIW (lpFirst="|tn|", lpSrch="|tn|") returned="|tn|" [0153.291] RtlRestoreLastWin32Error () returned 0x0 [0153.291] RtlRestoreLastWin32Error () returned 0x0 [0153.291] lstrlenW (lpString="svchost") returned 7 [0153.291] lstrlenW (lpString="-/") returned 2 [0153.291] StrChrIW (lpStart="-/", wMatch=0x46d0073) returned 0x0 [0153.291] RtlRestoreLastWin32Error () returned 0x490 [0153.291] RtlRestoreLastWin32Error () returned 0x490 [0153.291] RtlRestoreLastWin32Error () returned 0x0 [0153.291] lstrlenW (lpString="svchost") returned 7 [0153.291] StrChrIW (lpStart="svchost", wMatch=0x3a) returned 0x0 [0153.291] RtlRestoreLastWin32Error () returned 0x490 [0153.291] RtlRestoreLastWin32Error () returned 0x0 [0153.292] lstrlenW (lpString="svchost") returned 7 [0153.292] RtlRestoreLastWin32Error () returned 0x0 [0153.292] RtlRestoreLastWin32Error () returned 0x0 [0153.292] lstrlenW (lpString="/tr") returned 3 [0153.292] lstrlenW (lpString="-/") returned 2 [0153.292] StrChrIW (lpStart="-/", wMatch=0x46d002f) returned="/" [0153.292] lstrlenW (lpString="create") returned 6 [0153.292] lstrlenW (lpString="create") returned 6 [0153.292] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.292] lstrlenW (lpString="tr") returned 2 [0153.292] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.292] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8 [0153.292] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.292] lstrlenW (lpString="|create|") returned 8 [0153.292] lstrlenW (lpString="|tr|") returned 4 [0153.292] StrStrIW (lpFirst="|create|", lpSrch="|tr|") returned 0x0 [0153.292] RtlRestoreLastWin32Error () returned 0x490 [0153.292] lstrlenW (lpString="?") returned 1 [0153.292] lstrlenW (lpString="?") returned 1 [0153.292] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.292] lstrlenW (lpString="tr") returned 2 [0153.292] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.292] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3 [0153.292] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.292] lstrlenW (lpString="|?|") returned 3 [0153.292] lstrlenW (lpString="|tr|") returned 4 [0153.292] RtlRestoreLastWin32Error () returned 0x490 [0153.292] lstrlenW (lpString="s") returned 1 [0153.292] lstrlenW (lpString="s") returned 1 [0153.292] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.292] lstrlenW (lpString="tr") returned 2 [0153.292] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.293] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3 [0153.293] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.293] lstrlenW (lpString="|s|") returned 3 [0153.293] lstrlenW (lpString="|tr|") returned 4 [0153.293] RtlRestoreLastWin32Error () returned 0x490 [0153.293] lstrlenW (lpString="u") returned 1 [0153.293] lstrlenW (lpString="u") returned 1 [0153.293] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.293] lstrlenW (lpString="tr") returned 2 [0153.293] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.293] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3 [0153.293] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.293] lstrlenW (lpString="|u|") returned 3 [0153.293] lstrlenW (lpString="|tr|") returned 4 [0153.293] RtlRestoreLastWin32Error () returned 0x490 [0153.293] lstrlenW (lpString="p") returned 1 [0153.293] lstrlenW (lpString="p") returned 1 [0153.293] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.293] lstrlenW (lpString="tr") returned 2 [0153.293] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.293] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3 [0153.293] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.293] lstrlenW (lpString="|p|") returned 3 [0153.293] lstrlenW (lpString="|tr|") returned 4 [0153.293] RtlRestoreLastWin32Error () returned 0x490 [0153.293] lstrlenW (lpString="ru") returned 2 [0153.293] lstrlenW (lpString="ru") returned 2 [0153.293] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.293] lstrlenW (lpString="tr") returned 2 [0153.293] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.293] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4 [0153.293] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.294] lstrlenW (lpString="|ru|") returned 4 [0153.294] lstrlenW (lpString="|tr|") returned 4 [0153.294] StrStrIW (lpFirst="|ru|", lpSrch="|tr|") returned 0x0 [0153.294] RtlRestoreLastWin32Error () returned 0x490 [0153.294] lstrlenW (lpString="rp") returned 2 [0153.294] lstrlenW (lpString="rp") returned 2 [0153.294] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.294] lstrlenW (lpString="tr") returned 2 [0153.294] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.294] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4 [0153.294] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.294] lstrlenW (lpString="|rp|") returned 4 [0153.294] lstrlenW (lpString="|tr|") returned 4 [0153.294] StrStrIW (lpFirst="|rp|", lpSrch="|tr|") returned 0x0 [0153.294] RtlRestoreLastWin32Error () returned 0x490 [0153.294] lstrlenW (lpString="sc") returned 2 [0153.294] lstrlenW (lpString="sc") returned 2 [0153.294] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.294] lstrlenW (lpString="tr") returned 2 [0153.294] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.294] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4 [0153.294] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.294] lstrlenW (lpString="|sc|") returned 4 [0153.294] lstrlenW (lpString="|tr|") returned 4 [0153.294] StrStrIW (lpFirst="|sc|", lpSrch="|tr|") returned 0x0 [0153.294] RtlRestoreLastWin32Error () returned 0x490 [0153.294] lstrlenW (lpString="mo") returned 2 [0153.294] lstrlenW (lpString="mo") returned 2 [0153.294] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.294] lstrlenW (lpString="tr") returned 2 [0153.294] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.294] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4 [0153.295] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.295] lstrlenW (lpString="|mo|") returned 4 [0153.295] lstrlenW (lpString="|tr|") returned 4 [0153.295] StrStrIW (lpFirst="|mo|", lpSrch="|tr|") returned 0x0 [0153.295] RtlRestoreLastWin32Error () returned 0x490 [0153.295] lstrlenW (lpString="d") returned 1 [0153.295] lstrlenW (lpString="d") returned 1 [0153.295] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.295] lstrlenW (lpString="tr") returned 2 [0153.295] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.295] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3 [0153.295] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.295] lstrlenW (lpString="|d|") returned 3 [0153.295] lstrlenW (lpString="|tr|") returned 4 [0153.295] RtlRestoreLastWin32Error () returned 0x490 [0153.295] lstrlenW (lpString="m") returned 1 [0153.295] lstrlenW (lpString="m") returned 1 [0153.295] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.295] lstrlenW (lpString="tr") returned 2 [0153.295] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.295] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3 [0153.295] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.295] lstrlenW (lpString="|m|") returned 3 [0153.295] lstrlenW (lpString="|tr|") returned 4 [0153.295] RtlRestoreLastWin32Error () returned 0x490 [0153.295] lstrlenW (lpString="i") returned 1 [0153.295] lstrlenW (lpString="i") returned 1 [0153.295] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.295] lstrlenW (lpString="tr") returned 2 [0153.295] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.295] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3 [0153.295] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.312] lstrlenW (lpString="|i|") returned 3 [0153.312] lstrlenW (lpString="|tr|") returned 4 [0153.312] RtlRestoreLastWin32Error () returned 0x490 [0153.312] lstrlenW (lpString="tn") returned 2 [0153.312] lstrlenW (lpString="tn") returned 2 [0153.312] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.312] lstrlenW (lpString="tr") returned 2 [0153.312] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.312] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4 [0153.312] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.312] lstrlenW (lpString="|tn|") returned 4 [0153.312] lstrlenW (lpString="|tr|") returned 4 [0153.312] StrStrIW (lpFirst="|tn|", lpSrch="|tr|") returned 0x0 [0153.312] RtlRestoreLastWin32Error () returned 0x490 [0153.312] lstrlenW (lpString="tr") returned 2 [0153.312] lstrlenW (lpString="tr") returned 2 [0153.312] _memicmp (_Buf1=0x4717620, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.312] lstrlenW (lpString="tr") returned 2 [0153.312] _memicmp (_Buf1=0x47175f0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.312] _vsnwprintf (in: _Buffer=0x4719550, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.312] _vsnwprintf (in: _Buffer=0x4719690, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4 [0153.312] lstrlenW (lpString="|tr|") returned 4 [0153.312] lstrlenW (lpString="|tr|") returned 4 [0153.313] StrStrIW (lpFirst="|tr|", lpSrch="|tr|") returned="|tr|" [0153.313] RtlRestoreLastWin32Error () returned 0x0 [0153.313] RtlRestoreLastWin32Error () returned 0x0 [0153.313] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.313] lstrlenW (lpString="-/") returned 2 [0153.313] StrChrIW (lpStart="-/", wMatch=0x46d0027) returned 0x0 [0153.313] RtlRestoreLastWin32Error () returned 0x490 [0153.313] RtlRestoreLastWin32Error () returned 0x490 [0153.313] RtlRestoreLastWin32Error () returned 0x0 [0153.313] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.313] StrChrIW (lpStart="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'" [0153.313] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.313] _memicmp (_Buf1=0x471ac48, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.313] _memicmp (_Buf1=0x471aba0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.313] RtlRestoreLastWin32Error () returned 0x7a [0153.313] RtlRestoreLastWin32Error () returned 0x0 [0153.313] RtlRestoreLastWin32Error () returned 0x0 [0153.313] lstrlenW (lpString="'C") returned 2 [0153.313] lstrlenW (lpString="-/") returned 2 [0153.313] StrChrIW (lpStart="-/", wMatch=0x4710027) returned 0x0 [0153.313] RtlRestoreLastWin32Error () returned 0x490 [0153.313] RtlRestoreLastWin32Error () returned 0x490 [0153.313] RtlRestoreLastWin32Error () returned 0x0 [0153.313] _memicmp (_Buf1=0x471ad38, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.313] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.313] GetProcessHeap () returned 0x4710000 [0153.313] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471ad80) returned 1 [0153.313] GetProcessHeap () returned 0x4710000 [0153.313] RtlReAllocateHeap (Heap=0x4710000, Flags=0xc, Ptr=0x471ad80, Size=0x68) returned 0x4713d58 [0153.313] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.313] lstrlenW (lpString=" \x09") returned 2 [0153.313] StrChrW (lpStart=" \x09", wMatch=0x27) returned 0x0 [0153.313] StrChrW (lpStart=" \x09", wMatch=0x27) returned 0x0 [0153.313] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0153.313] StrChrW (lpStart=" \x09", wMatch=0x3a) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x4a) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x30) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x76) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x7a) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x58) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0153.314] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x76) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0153.315] StrChrW (lpStart=" \x09", wMatch=0x27) returned 0x0 [0153.315] GetLastError () returned 0x0 [0153.315] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.315] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.315] RtlRestoreLastWin32Error () returned 0x0 [0153.315] GetProcessHeap () returned 0x4710000 [0153.315] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719510 [0153.315] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.315] LoadStringW (in: hInstance=0x0, uID=0x20d, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="LIMITED") returned 0x7 [0153.315] lstrlenW (lpString="LIMITED") returned 7 [0153.315] GetProcessHeap () returned 0x4710000 [0153.315] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x471ac90 [0153.315] GetThreadLocale () returned 0x409 [0153.315] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="highest", cchCount1=-1, lpString2="LIMITED", cchCount2=-1) returned 1 [0153.315] GetProcessHeap () returned 0x4710000 [0153.315] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719590 [0153.315] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.315] LoadStringW (in: hInstance=0x0, uID=0x20e, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="HIGHEST") returned 0x7 [0153.316] lstrlenW (lpString="HIGHEST") returned 7 [0153.316] GetProcessHeap () returned 0x4710000 [0153.316] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x471ab28 [0153.316] GetThreadLocale () returned 0x409 [0153.316] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="highest", cchCount1=-1, lpString2="HIGHEST", cchCount2=-1) returned 2 [0153.316] GetProcessHeap () returned 0x4710000 [0153.316] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719530 [0153.316] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.316] LoadStringW (in: hInstance=0x0, uID=0x1ae, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="MINUTE") returned 0x6 [0153.316] lstrlenW (lpString="MINUTE") returned 6 [0153.316] GetProcessHeap () returned 0x4710000 [0153.316] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0xe) returned 0x471ad50 [0153.316] GetThreadLocale () returned 0x409 [0153.316] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="MINUTE", cchCount2=-1) returned 3 [0153.316] GetProcessHeap () returned 0x4710000 [0153.316] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47195b0 [0153.316] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.316] LoadStringW (in: hInstance=0x0, uID=0x1af, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="HOURLY") returned 0x6 [0153.316] lstrlenW (lpString="HOURLY") returned 6 [0153.316] GetProcessHeap () returned 0x4710000 [0153.316] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0xe) returned 0x471acc0 [0153.316] GetThreadLocale () returned 0x409 [0153.316] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="HOURLY", cchCount2=-1) returned 3 [0153.316] GetProcessHeap () returned 0x4710000 [0153.316] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719670 [0153.316] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.316] LoadStringW (in: hInstance=0x0, uID=0x1b0, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="DAILY") returned 0x5 [0153.316] lstrlenW (lpString="DAILY") returned 5 [0153.316] GetProcessHeap () returned 0x4710000 [0153.316] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0xc) returned 0x471adc8 [0153.317] GetThreadLocale () returned 0x409 [0153.317] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="DAILY", cchCount2=-1) returned 3 [0153.317] GetProcessHeap () returned 0x4710000 [0153.317] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x4719770 [0153.317] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.317] LoadStringW (in: hInstance=0x0, uID=0x1b1, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="WEEKLY") returned 0x6 [0153.317] lstrlenW (lpString="WEEKLY") returned 6 [0153.317] GetProcessHeap () returned 0x4710000 [0153.317] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0xe) returned 0x471ad68 [0153.317] GetThreadLocale () returned 0x409 [0153.317] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="WEEKLY", cchCount2=-1) returned 1 [0153.317] GetProcessHeap () returned 0x4710000 [0153.317] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x14) returned 0x47196b0 [0153.317] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.317] LoadStringW (in: hInstance=0x0, uID=0x1b2, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="MONTHLY") returned 0x7 [0153.317] lstrlenW (lpString="MONTHLY") returned 7 [0153.317] GetProcessHeap () returned 0x4710000 [0153.317] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x10) returned 0x471ac00 [0153.317] GetThreadLocale () returned 0x409 [0153.317] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="MONTHLY", cchCount2=-1) returned 3 [0153.317] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.317] LoadStringW (in: hInstance=0x0, uID=0x1b3, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="ONCE") returned 0x4 [0153.317] lstrlenW (lpString="ONCE") returned 4 [0153.317] GetProcessHeap () returned 0x4710000 [0153.317] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0xa) returned 0x471abe8 [0153.317] GetThreadLocale () returned 0x409 [0153.317] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="ONCE", cchCount2=-1) returned 3 [0153.317] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.317] LoadStringW (in: hInstance=0x0, uID=0x1b4, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="ONSTART") returned 0x7 [0153.317] lstrlenW (lpString="ONSTART") returned 7 [0153.317] GetThreadLocale () returned 0x409 [0153.317] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="ONSTART", cchCount2=-1) returned 1 [0153.318] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.318] LoadStringW (in: hInstance=0x0, uID=0x1b5, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="ONLOGON") returned 0x7 [0153.318] lstrlenW (lpString="ONLOGON") returned 7 [0153.318] GetThreadLocale () returned 0x409 [0153.318] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="ONLOGON", cchCount2=-1) returned 2 [0153.318] RtlRestoreLastWin32Error () returned 0x0 [0153.318] GetProcessHeap () returned 0x4710000 [0153.318] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x1fc) returned 0x4719ee0 [0153.318] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.318] LoadStringW (in: hInstance=0x0, uID=0x1d7, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="First") returned 0x5 [0153.318] lstrlenW (lpString="First") returned 5 [0153.318] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.318] LoadStringW (in: hInstance=0x0, uID=0x1d8, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="Second") returned 0x6 [0153.318] lstrlenW (lpString="Second") returned 6 [0153.318] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.318] LoadStringW (in: hInstance=0x0, uID=0x1d9, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="Third") returned 0x5 [0153.318] lstrlenW (lpString="Third") returned 5 [0153.318] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.318] LoadStringW (in: hInstance=0x0, uID=0x1da, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="Fourth") returned 0x6 [0153.318] lstrlenW (lpString="Fourth") returned 6 [0153.318] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.318] LoadStringW (in: hInstance=0x0, uID=0x1db, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="Last") returned 0x4 [0153.318] lstrlenW (lpString="Last") returned 4 [0153.318] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.318] LoadStringW (in: hInstance=0x0, uID=0x1d7, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="First") returned 0x5 [0153.318] lstrlenW (lpString="First") returned 5 [0153.318] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.319] LoadStringW (in: hInstance=0x0, uID=0x1d8, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="Second") returned 0x6 [0153.319] lstrlenW (lpString="Second") returned 6 [0153.319] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.319] LoadStringW (in: hInstance=0x0, uID=0x1d9, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="Third") returned 0x5 [0153.319] lstrlenW (lpString="Third") returned 5 [0153.319] GetProcessHeap () returned 0x4710000 [0153.319] GetProcessHeap () returned 0x4710000 [0153.319] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471abe8) returned 1 [0153.319] GetProcessHeap () returned 0x4710000 [0153.319] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471abe8) returned 0xa [0153.319] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471abe8) returned 1 [0153.319] GetProcessHeap () returned 0x4710000 [0153.319] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0xc) returned 0x471ab70 [0153.319] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.319] LoadStringW (in: hInstance=0x0, uID=0x1da, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="Fourth") returned 0x6 [0153.319] lstrlenW (lpString="Fourth") returned 6 [0153.319] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.319] LoadStringW (in: hInstance=0x0, uID=0x1db, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="Last") returned 0x4 [0153.319] lstrlenW (lpString="Last") returned 4 [0153.319] GetLocaleInfoW (in: Locale=0x400, LCType=0x21, lpLCData=0xdcde8, cchData=128 | out: lpLCData="0") returned 2 [0153.319] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.319] LoadStringW (in: hInstance=0x0, uID=0x19c, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="mm/dd/yyyy") returned 0xa [0153.320] lstrlenW (lpString="mm/dd/yyyy") returned 10 [0153.320] GetProcessHeap () returned 0x4710000 [0153.320] GetProcessHeap () returned 0x4710000 [0153.320] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471ac90) returned 1 [0153.320] GetProcessHeap () returned 0x4710000 [0153.320] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471ac90) returned 0x10 [0153.320] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471ac90) returned 1 [0153.320] GetProcessHeap () returned 0x4710000 [0153.320] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x16) returned 0x47196f0 [0153.320] GetLocaleInfoW (in: Locale=0x400, LCType=0x21, lpLCData=0xdcdec, cchData=128 | out: lpLCData="0") returned 2 [0153.320] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0153.320] LoadStringW (in: hInstance=0x0, uID=0x19c, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="mm/dd/yyyy") returned 0xa [0153.320] lstrlenW (lpString="mm/dd/yyyy") returned 10 [0153.320] GetProcessHeap () returned 0x4710000 [0153.320] GetProcessHeap () returned 0x4710000 [0153.320] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471ab28) returned 1 [0153.320] GetProcessHeap () returned 0x4710000 [0153.320] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471ab28) returned 0x10 [0153.320] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471ab28) returned 1 [0153.320] GetProcessHeap () returned 0x4710000 [0153.320] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x16) returned 0x4719710 [0153.320] GetLocalTime (in: lpSystemTime=0xdcfcc | out: lpSystemTime=0xdcfcc*(wYear=0x7e6, wMonth=0x8, wDayOfWeek=0x5, wDay=0x5, wHour=0xe, wMinute=0x13, wSecond=0x32, wMilliseconds=0x364)) [0153.320] GetLocalTime (in: lpSystemTime=0xdd480 | out: lpSystemTime=0xdd480*(wYear=0x7e6, wMonth=0x8, wDayOfWeek=0x5, wDay=0x5, wHour=0xe, wMinute=0x13, wSecond=0x32, wMilliseconds=0x364)) [0153.320] lstrlenW (lpString="") returned 0 [0153.321] lstrlenW (lpString="") returned 0 [0153.321] lstrlenW (lpString="") returned 0 [0153.321] lstrlenW (lpString="") returned 0 [0153.321] lstrlenW (lpString="") returned 0 [0153.321] lstrlenW (lpString="") returned 0 [0153.321] lstrlenW (lpString="") returned 0 [0153.321] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0153.326] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0153.405] CoCreateInstance (in: rclsid=0x2f26c0*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x2f26d0*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0xdd39c | out: ppv=0xdd39c*=0x46d37e0) returned 0x0 [0153.899] TaskScheduler:ITaskService:Connect (This=0x46d37e0, serverName=0xdd34c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0xdd35c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), domain=0xdd36c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0xdd37c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0 [0153.926] TaskScheduler:ITaskService:GetFolder (in: This=0x46d37e0, Path=0x0, ppFolder=0xdd464 | out: ppFolder=0xdd464*=0x46d3908) returned 0x0 [0153.928] TaskScheduler:ITaskService:NewTask (in: This=0x46d37e0, flags=0x0, ppDefinition=0xdd474 | out: ppDefinition=0xdd474*=0x46d3958) returned 0x0 [0153.929] ITaskDefinition:get_Actions (in: This=0x46d3958, ppActions=0xdd3e8 | out: ppActions=0xdd3e8*=0x46d39a8) returned 0x0 [0153.929] IActionCollection:Create (in: This=0x46d39a8, Type=0, ppAction=0xdd3ec | out: ppAction=0xdd3ec*=0x46d3c00) returned 0x0 [0153.929] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.929] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe'") returned 51 [0153.929] lstrlenW (lpString=" ") returned 1 [0153.930] StrChrW (lpStart=" ", wMatch=0x27) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x27) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x3a) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x55) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x72) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x52) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x44) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x68) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x4a) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x4e) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x46) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x76) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x7a) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x58) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x41) returned 0x0 [0153.930] StrChrW (lpStart=" ", wMatch=0x70) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x70) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x44) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x52) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x6f) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x6d) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x6e) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x67) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x76) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x63) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x68) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x6f) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x2e) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0153.931] StrChrW (lpStart=" ", wMatch=0x27) returned 0x0 [0153.932] IUnknown:Release (This=0x46d3c00) returned 0x1 [0153.932] IUnknown:Release (This=0x46d39a8) returned 0x1 [0153.932] ITaskDefinition:get_Triggers (in: This=0x46d3958, ppTriggers=0xdcfb8 | out: ppTriggers=0xdcfb8*=0x46d3b48) returned 0x0 [0153.932] ITriggerCollection:Create (in: This=0x46d3b48, Type=9, ppTrigger=0xdcfcc | out: ppTrigger=0xdcfcc*=0x46d3c40) returned 0x0 [0153.932] IUnknown:QueryInterface (in: This=0x46d3c40, riid=0x2f13b4*(Data1=0x72dade38, Data2=0xfae4, Data3=0x4b3e, Data4=([0]=0xba, [1]=0xf4, [2]=0x5d, [3]=0x0, [4]=0x9a, [5]=0xf0, [6]=0x2b, [7]=0x1c)), ppvObject=0xdcfb4 | out: ppvObject=0xdcfb4*=0x46d3c40) returned 0x0 [0153.933] IUnknown:Release (This=0x46d3c40) returned 0x2 [0153.933] _vsnwprintf (in: _Buffer=0xdcf3c, _BufferCount=0x1f, _Format="%04u-%02u-%02dT%02u:%02u:00", _ArgList=0xdcf1c | out: _Buffer="2022-08-05T14:19:00") returned 19 [0153.933] ITrigger:put_StartBoundary (This=0x46d3c40, StartBoundary="2022-08-05T14:19:00") returned 0x0 [0153.933] lstrlenW (lpString="") returned 0 [0153.933] lstrlenW (lpString="") returned 0 [0153.933] lstrlenW (lpString="") returned 0 [0153.933] lstrlenW (lpString="") returned 0 [0153.933] IUnknown:Release (This=0x46d3c40) returned 0x1 [0153.933] IUnknown:Release (This=0x46d3b48) returned 0x1 [0153.933] ITaskDefinition:get_Settings (in: This=0x46d3958, ppSettings=0xdd3f4 | out: ppSettings=0xdd3f4*=0x46d3a60) returned 0x0 [0153.934] lstrlenW (lpString="") returned 0 [0153.934] IUnknown:Release (This=0x46d3a60) returned 0x3 [0153.934] GetLocalTime (in: lpSystemTime=0xdd2e8 | out: lpSystemTime=0xdd2e8*(wYear=0x7e6, wMonth=0x8, wDayOfWeek=0x5, wDay=0x5, wHour=0xe, wMinute=0x13, wSecond=0x33, wMilliseconds=0x1dd)) [0153.934] ResolveDelayLoadedAPI () returned 0x73f0c5f0 [0153.934] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0xdd2f8, nSize=0xdd2e0 | out: lpNameBuffer="XC64ZB\\RDhJ0CNFevzX", nSize=0xdd2e0) returned 0x1 [0153.935] ITaskDefinition:get_RegistrationInfo (in: This=0x46d3958, ppRegistrationInfo=0xdd2e4 | out: ppRegistrationInfo=0xdd2e4*=0x46d39f0) returned 0x0 [0153.935] IRegistrationInfo:put_Author (This=0x46d39f0, Author="XC64ZB\\RDhJ0CNFevzX") returned 0x0 [0153.935] _vsnwprintf (in: _Buffer=0xdd2f8, _BufferCount=0x7f, _Format="%d-%02d-%02dT%02d:%02d:%02d", _ArgList=0xdd2b8 | out: _Buffer="2022-08-05T14:19:51") returned 19 [0153.935] IRegistrationInfo:put_Date (This=0x46d39f0, Date="2022-08-05T14:19:51") returned 0x0 [0153.935] IUnknown:Release (This=0x46d39f0) returned 0x1 [0153.935] malloc (_Size=0xc) returned 0x46d3cd0 [0153.936] free (_Block=0x46d3cd0) [0153.936] lstrlenW (lpString="") returned 0 [0153.936] ITaskDefinition:get_Principal (in: This=0x46d3958, ppPrincipal=0xdd47c | out: ppPrincipal=0xdd47c*=0x46d3b88) returned 0x0 [0153.936] IPrincipal:put_RunLevel (This=0x46d3b88, RunLevel=1) returned 0x0 [0153.936] IUnknown:Release (This=0x46d3b88) returned 0x1 [0153.936] malloc (_Size=0xc) returned 0x46d3cd0 [0153.936] ITaskFolder:RegisterTaskDefinition (in: This=0x46d3908, Path="svchost", pDefinition=0x46d3958, flags=6, UserId=0xdd3d8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0xdd3e8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), LogonType=3, sddl=0xdd3fc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), ppTask=0xdd444 | out: ppTask=0xdd444*=0x46d2a18) returned 0x0 [0155.611] free (_Block=0x46d3cd0) [0155.611] _memicmp (_Buf1=0x47175c0, _Buf2=0x2f2708, _Size=0x7) returned 0 [0155.612] LoadStringW (in: hInstance=0x0, uID=0x12e, lpBuffer=0x471a8c0, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 0x40 [0155.612] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 64 [0155.612] GetProcessHeap () returned 0x4710000 [0155.612] GetProcessHeap () returned 0x4710000 [0155.612] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471ad50) returned 1 [0155.612] GetProcessHeap () returned 0x4710000 [0155.612] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471ad50) returned 0xe [0155.612] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471ad50) returned 1 [0155.612] GetProcessHeap () returned 0x4710000 [0155.612] RtlAllocateHeap (HeapHandle=0x4710000, Flags=0xc, Size=0x82) returned 0x4729460 [0155.612] _vsnwprintf (in: _Buffer=0xdd898, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" has successfully been created.\n", _ArgList=0xdd40c | out: _Buffer="SUCCESS: The scheduled task \"svchost\" has successfully been created.\n") returned 69 [0155.613] __iob_func () returned 0x76b41208 [0155.613] _fileno (_File=0x76b41228) returned 1 [0155.613] _errno () returned 0x46d05b0 [0155.613] _get_osfhandle (_FileHandle=1) returned 0x3c [0155.613] _errno () returned 0x46d05b0 [0155.613] GetFileType (hFile=0x3c) returned 0x2 [0155.613] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0155.613] GetFileType (hFile=0x3c) returned 0x2 [0155.613] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdd3e0 | out: lpMode=0xdd3e0) returned 1 [0155.711] __iob_func () returned 0x76b41208 [0155.711] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0155.711] lstrlenW (lpString="SUCCESS: The scheduled task \"svchost\" has successfully been created.\n") returned 69 [0155.711] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xdd898*, nNumberOfCharsToWrite=0x45, lpNumberOfCharsWritten=0xdd404, lpReserved=0x0 | out: lpBuffer=0xdd898*, lpNumberOfCharsWritten=0xdd404*=0x45) returned 1 [0155.866] IUnknown:Release (This=0x46d2a18) returned 0x0 [0155.866] TaskScheduler:IUnknown:Release (This=0x46d3958) returned 0x0 [0155.866] TaskScheduler:IUnknown:Release (This=0x46d3908) returned 0x0 [0155.866] TaskScheduler:IUnknown:Release (This=0x46d37e0) returned 0x0 [0155.869] lstrlenW (lpString="") returned 0 [0155.869] GetProcessHeap () returned 0x4710000 [0155.869] GetProcessHeap () returned 0x4710000 [0155.869] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719ee0) returned 1 [0155.869] GetProcessHeap () returned 0x4710000 [0155.869] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719ee0) returned 0x1fc [0155.869] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719ee0) returned 1 [0155.869] GetProcessHeap () returned 0x4710000 [0155.869] GetProcessHeap () returned 0x4710000 [0155.869] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47195f0) returned 1 [0155.869] GetProcessHeap () returned 0x4710000 [0155.870] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47195f0) returned 0x16 [0155.870] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47195f0) returned 1 [0155.870] GetProcessHeap () returned 0x4710000 [0155.870] GetProcessHeap () returned 0x4710000 [0155.870] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471ade0) returned 1 [0155.870] GetProcessHeap () returned 0x4710000 [0155.870] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471ade0) returned 0x10 [0155.870] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471ade0) returned 1 [0155.870] GetProcessHeap () returned 0x4710000 [0155.870] GetProcessHeap () returned 0x4710000 [0155.870] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47194d0) returned 1 [0155.870] GetProcessHeap () returned 0x4710000 [0155.870] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47194d0) returned 0x14 [0155.870] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47194d0) returned 1 [0155.870] GetProcessHeap () returned 0x4710000 [0155.870] GetProcessHeap () returned 0x4710000 [0155.870] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719018) returned 1 [0155.870] GetProcessHeap () returned 0x4710000 [0155.870] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719018) returned 0xa0 [0155.870] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719018) returned 1 [0155.870] GetProcessHeap () returned 0x4710000 [0155.870] GetProcessHeap () returned 0x4710000 [0155.870] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4717560) returned 1 [0155.870] GetProcessHeap () returned 0x4710000 [0155.870] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4717560) returned 0x10 [0155.870] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4717560) returned 1 [0155.870] GetProcessHeap () returned 0x4710000 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47197b0) returned 1 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47197b0) returned 0x14 [0155.871] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47197b0) returned 1 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713d58) returned 1 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713d58) returned 0x68 [0155.871] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713d58) returned 1 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471ad38) returned 1 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471ad38) returned 0x10 [0155.871] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471ad38) returned 1 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719450) returned 1 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719450) returned 0x14 [0155.871] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719450) returned 1 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713ce0) returned 1 [0155.871] GetProcessHeap () returned 0x4710000 [0155.871] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713ce0) returned 0x6a [0155.872] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713ce0) returned 1 [0155.872] GetProcessHeap () returned 0x4710000 [0155.872] GetProcessHeap () returned 0x4710000 [0155.872] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471aba0) returned 1 [0155.872] GetProcessHeap () returned 0x4710000 [0155.872] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471aba0) returned 0x10 [0155.872] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471aba0) returned 1 [0155.872] GetProcessHeap () returned 0x4710000 [0155.872] GetProcessHeap () returned 0x4710000 [0155.872] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47197f0) returned 1 [0155.872] GetProcessHeap () returned 0x4710000 [0155.872] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47197f0) returned 0x14 [0155.872] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47197f0) returned 1 [0155.872] GetProcessHeap () returned 0x4710000 [0155.872] GetProcessHeap () returned 0x4710000 [0155.872] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471ac18) returned 1 [0155.872] GetProcessHeap () returned 0x4710000 [0155.872] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471ac18) returned 0xe [0155.872] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471ac18) returned 1 [0155.872] GetProcessHeap () returned 0x4710000 [0155.872] GetProcessHeap () returned 0x4710000 [0155.872] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471ac48) returned 1 [0155.872] GetProcessHeap () returned 0x4710000 [0155.872] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471ac48) returned 0x10 [0155.872] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471ac48) returned 1 [0155.873] GetProcessHeap () returned 0x4710000 [0155.873] GetProcessHeap () returned 0x4710000 [0155.873] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719470) returned 1 [0155.873] GetProcessHeap () returned 0x4710000 [0155.873] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719470) returned 0x14 [0155.873] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719470) returned 1 [0155.873] GetProcessHeap () returned 0x4710000 [0155.873] GetProcessHeap () returned 0x4710000 [0155.873] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4718e08) returned 1 [0155.873] GetProcessHeap () returned 0x4710000 [0155.873] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4718e08) returned 0x208 [0155.873] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4718e08) returned 1 [0155.873] GetProcessHeap () returned 0x4710000 [0155.873] GetProcessHeap () returned 0x4710000 [0155.873] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4717698) returned 1 [0155.873] GetProcessHeap () returned 0x4710000 [0155.873] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4717698) returned 0x10 [0155.874] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4717698) returned 1 [0155.874] GetProcessHeap () returned 0x4710000 [0155.874] GetProcessHeap () returned 0x4710000 [0155.874] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719650) returned 1 [0155.874] GetProcessHeap () returned 0x4710000 [0155.874] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719650) returned 0x14 [0155.874] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719650) returned 1 [0155.874] GetProcessHeap () returned 0x4710000 [0155.874] GetProcessHeap () returned 0x4710000 [0155.874] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471a8c0) returned 1 [0155.874] GetProcessHeap () returned 0x4710000 [0155.874] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471a8c0) returned 0x200 [0155.874] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471a8c0) returned 1 [0155.874] GetProcessHeap () returned 0x4710000 [0155.874] GetProcessHeap () returned 0x4710000 [0155.874] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47175c0) returned 1 [0155.874] GetProcessHeap () returned 0x4710000 [0155.874] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47175c0) returned 0x10 [0155.874] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47175c0) returned 1 [0155.874] GetProcessHeap () returned 0x4710000 [0155.874] GetProcessHeap () returned 0x4710000 [0155.874] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719630) returned 1 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719630) returned 0x14 [0155.875] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719630) returned 1 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719690) returned 1 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719690) returned 0x14 [0155.875] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719690) returned 1 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47175f0) returned 1 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47175f0) returned 0x10 [0155.875] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47175f0) returned 1 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47128c8) returned 1 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47128c8) returned 0x14 [0155.875] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47128c8) returned 1 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719550) returned 1 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719550) returned 0x16 [0155.875] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719550) returned 1 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] GetProcessHeap () returned 0x4710000 [0155.875] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4717620) returned 1 [0155.875] GetProcessHeap () returned 0x4710000 [0155.876] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4717620) returned 0x10 [0155.876] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4717620) returned 1 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713918) returned 1 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713918) returned 0x14 [0155.876] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713918) returned 1 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713eb0) returned 1 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713eb0) returned 0x2 [0155.876] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713eb0) returned 1 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4714148) returned 1 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4714148) returned 0x14 [0155.876] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4714148) returned 1 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713f10) returned 1 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713f10) returned 0x14 [0155.876] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713f10) returned 1 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713f30) returned 1 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713f30) returned 0x14 [0155.876] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713f30) returned 1 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] GetProcessHeap () returned 0x4710000 [0155.876] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713f50) returned 1 [0155.876] GetProcessHeap () returned 0x4710000 [0155.877] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713f50) returned 0x14 [0155.877] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713f50) returned 1 [0155.877] GetProcessHeap () returned 0x4710000 [0155.877] GetProcessHeap () returned 0x4710000 [0155.877] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719810) returned 1 [0155.877] GetProcessHeap () returned 0x4710000 [0155.877] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719810) returned 0x14 [0155.877] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719810) returned 1 [0155.877] GetProcessHeap () returned 0x4710000 [0155.877] GetProcessHeap () returned 0x4710000 [0155.877] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471ab70) returned 1 [0155.877] GetProcessHeap () returned 0x4710000 [0155.877] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471ab70) returned 0xc [0155.877] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471ab70) returned 1 [0155.877] GetProcessHeap () returned 0x4710000 [0155.877] GetProcessHeap () returned 0x4710000 [0155.877] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47195d0) returned 1 [0155.877] GetProcessHeap () returned 0x4710000 [0155.877] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47195d0) returned 0x14 [0155.877] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47195d0) returned 1 [0155.877] GetProcessHeap () returned 0x4710000 [0155.877] GetProcessHeap () returned 0x4710000 [0155.877] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47126d0) returned 1 [0155.877] GetProcessHeap () returned 0x4710000 [0155.877] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47126d0) returned 0x30 [0155.878] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47126d0) returned 1 [0155.878] GetProcessHeap () returned 0x4710000 [0155.878] GetProcessHeap () returned 0x4710000 [0155.878] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719610) returned 1 [0155.878] GetProcessHeap () returned 0x4710000 [0155.878] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719610) returned 0x14 [0155.878] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719610) returned 1 [0155.878] GetProcessHeap () returned 0x4710000 [0155.878] GetProcessHeap () returned 0x4710000 [0155.878] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47190c0) returned 1 [0155.878] GetProcessHeap () returned 0x4710000 [0155.878] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47190c0) returned 0x30 [0155.878] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47190c0) returned 1 [0155.878] GetProcessHeap () returned 0x4710000 [0155.878] GetProcessHeap () returned 0x4710000 [0155.878] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719570) returned 1 [0155.878] GetProcessHeap () returned 0x4710000 [0155.878] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719570) returned 0x14 [0155.879] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719570) returned 1 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47196f0) returned 1 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47196f0) returned 0x16 [0155.879] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47196f0) returned 1 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719510) returned 1 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719510) returned 0x14 [0155.879] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719510) returned 1 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719710) returned 1 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719710) returned 0x16 [0155.879] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719710) returned 1 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719590) returned 1 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719590) returned 0x14 [0155.879] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719590) returned 1 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4729460) returned 1 [0155.879] GetProcessHeap () returned 0x4710000 [0155.879] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4729460) returned 0x82 [0155.880] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4729460) returned 1 [0155.880] GetProcessHeap () returned 0x4710000 [0155.880] GetProcessHeap () returned 0x4710000 [0155.880] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719530) returned 1 [0155.880] GetProcessHeap () returned 0x4710000 [0155.880] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719530) returned 0x14 [0155.880] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719530) returned 1 [0155.880] GetProcessHeap () returned 0x4710000 [0155.880] GetProcessHeap () returned 0x4710000 [0155.880] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471acc0) returned 1 [0155.880] GetProcessHeap () returned 0x4710000 [0155.880] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471acc0) returned 0xe [0155.880] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471acc0) returned 1 [0155.880] GetProcessHeap () returned 0x4710000 [0155.880] GetProcessHeap () returned 0x4710000 [0155.880] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47195b0) returned 1 [0155.880] GetProcessHeap () returned 0x4710000 [0155.880] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47195b0) returned 0x14 [0155.880] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47195b0) returned 1 [0155.880] GetProcessHeap () returned 0x4710000 [0155.880] GetProcessHeap () returned 0x4710000 [0155.880] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471adc8) returned 1 [0155.880] GetProcessHeap () returned 0x4710000 [0155.880] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471adc8) returned 0xc [0155.881] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471adc8) returned 1 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719670) returned 1 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719670) returned 0x14 [0155.881] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719670) returned 1 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471ad68) returned 1 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471ad68) returned 0xe [0155.881] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471ad68) returned 1 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4719770) returned 1 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4719770) returned 0x14 [0155.881] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4719770) returned 1 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x471ac00) returned 1 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x471ac00) returned 0x10 [0155.881] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x471ac00) returned 1 [0155.881] GetProcessHeap () returned 0x4710000 [0155.881] GetProcessHeap () returned 0x4710000 [0155.882] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47196b0) returned 1 [0155.882] GetProcessHeap () returned 0x4710000 [0155.882] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47196b0) returned 0x14 [0155.882] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47196b0) returned 1 [0155.882] GetProcessHeap () returned 0x4710000 [0155.882] GetProcessHeap () returned 0x4710000 [0155.882] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4717578) returned 1 [0155.882] GetProcessHeap () returned 0x4710000 [0155.882] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4717578) returned 0x10 [0155.882] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4717578) returned 1 [0155.882] GetProcessHeap () returned 0x4710000 [0155.882] GetProcessHeap () returned 0x4710000 [0155.882] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713b40) returned 1 [0155.882] GetProcessHeap () returned 0x4710000 [0155.882] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713b40) returned 0x14 [0155.882] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713b40) returned 1 [0155.882] GetProcessHeap () returned 0x4710000 [0155.882] GetProcessHeap () returned 0x4710000 [0155.882] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713b60) returned 1 [0155.882] GetProcessHeap () returned 0x4710000 [0155.882] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713b60) returned 0x14 [0155.882] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713b60) returned 1 [0155.882] GetProcessHeap () returned 0x4710000 [0155.882] GetProcessHeap () returned 0x4710000 [0155.882] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4713b80) returned 1 [0155.882] GetProcessHeap () returned 0x4710000 [0155.883] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4713b80) returned 0x14 [0155.883] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4713b80) returned 1 [0155.883] GetProcessHeap () returned 0x4710000 [0155.883] GetProcessHeap () returned 0x4710000 [0155.883] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47138d8) returned 1 [0155.883] GetProcessHeap () returned 0x4710000 [0155.883] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47138d8) returned 0x14 [0155.883] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47138d8) returned 1 [0155.883] GetProcessHeap () returned 0x4710000 [0155.883] GetProcessHeap () returned 0x4710000 [0155.883] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4717680) returned 1 [0155.883] GetProcessHeap () returned 0x4710000 [0155.883] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4717680) returned 0x10 [0155.883] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4717680) returned 1 [0155.883] GetProcessHeap () returned 0x4710000 [0155.883] GetProcessHeap () returned 0x4710000 [0155.883] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47138f8) returned 1 [0155.883] GetProcessHeap () returned 0x4710000 [0155.883] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47138f8) returned 0x14 [0155.883] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47138f8) returned 1 [0155.883] GetProcessHeap () returned 0x4710000 [0155.883] GetProcessHeap () returned 0x4710000 [0155.883] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47128e8) returned 1 [0155.883] GetProcessHeap () returned 0x4710000 [0155.883] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47128e8) returned 0x14 [0155.883] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47128e8) returned 1 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47196d0) returned 1 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47196d0) returned 0x14 [0155.884] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47196d0) returned 1 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47197d0) returned 1 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47197d0) returned 0x14 [0155.884] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47197d0) returned 1 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47194f0) returned 1 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47194f0) returned 0x14 [0155.884] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47194f0) returned 1 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x47176f8) returned 1 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x47176f8) returned 0x10 [0155.884] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x47176f8) returned 1 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4712908) returned 1 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4712908) returned 0x14 [0155.884] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4712908) returned 1 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] GetProcessHeap () returned 0x4710000 [0155.884] HeapValidate (hHeap=0x4710000, dwFlags=0x0, lpMem=0x4717710) returned 1 [0155.885] GetProcessHeap () returned 0x4710000 [0155.885] RtlSizeHeap (HeapHandle=0x4710000, Flags=0x0, MemoryPointer=0x4717710) returned 0x10 [0155.885] RtlFreeHeap (HeapHandle=0x4710000, Flags=0x0, BaseAddress=0x4717710) returned 1 [0155.885] exit (_Code=0) Thread: id = 22 os_tid = 0x654 Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x75956000" os_pid = "0x360" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_scheduled_job" parent_id = "6" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000abff" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 697 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 698 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 699 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 700 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 701 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 702 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 703 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 704 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 705 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 706 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 707 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 708 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 709 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 710 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 711 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 712 start_va = 0x430000 end_va = 0x430fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usocore.dll.mui" filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui") Region: id = 713 start_va = 0x440000 end_va = 0x441fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dosvc.dll.mui" filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui") Region: id = 714 start_va = 0x450000 end_va = 0x454fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 715 start_va = 0x460000 end_va = 0x46ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 716 start_va = 0x470000 end_va = 0x472fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 717 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 718 start_va = 0x540000 end_va = 0x546fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 719 start_va = 0x550000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 720 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 721 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 722 start_va = 0x5f0000 end_va = 0x5f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 723 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 724 start_va = 0x700000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 725 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 726 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 727 start_va = 0x8b0000 end_va = 0x8bcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 728 start_va = 0x8c0000 end_va = 0x8c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 729 start_va = 0x8e0000 end_va = 0x8e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 730 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 731 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 732 start_va = 0xa00000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 733 start_va = 0xb90000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 734 start_va = 0xc90000 end_va = 0xc93fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 735 start_va = 0xca0000 end_va = 0xcb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 736 start_va = 0xcc0000 end_va = 0xcc6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 737 start_va = 0xcd0000 end_va = 0xd14fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db") Region: id = 738 start_va = 0xd20000 end_va = 0xd2cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 739 start_va = 0xd30000 end_va = 0xd36fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 740 start_va = 0xdc0000 end_va = 0xdc8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 741 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 742 start_va = 0xde0000 end_va = 0xde1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 743 start_va = 0xdf0000 end_va = 0xdf9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 744 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 745 start_va = 0xf00000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 746 start_va = 0x1000000 end_va = 0x1336fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 747 start_va = 0x1340000 end_va = 0x13bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 748 start_va = 0x13c0000 end_va = 0x13d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1256.nls" filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls") Region: id = 749 start_va = 0x13e0000 end_va = 0x13e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013e0000" filename = "" Region: id = 750 start_va = 0x13f0000 end_va = 0x1400fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 751 start_va = 0x1410000 end_va = 0x1420fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1254.nls" filename = "\\Windows\\System32\\C_1254.NLS" (normalized: "c:\\windows\\system32\\c_1254.nls") Region: id = 752 start_va = 0x1430000 end_va = 0x1430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001430000" filename = "" Region: id = 753 start_va = 0x1440000 end_va = 0x153ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 754 start_va = 0x1540000 end_va = 0x15bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 755 start_va = 0x15c0000 end_va = 0x15c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000015c0000" filename = "" Region: id = 756 start_va = 0x15d0000 end_va = 0x15e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1250.nls" filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls") Region: id = 757 start_va = 0x15f0000 end_va = 0x15f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000015f0000" filename = "" Region: id = 758 start_va = 0x1600000 end_va = 0x16fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 759 start_va = 0x1700000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 760 start_va = 0x1800000 end_va = 0x18dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 761 start_va = 0x18e0000 end_va = 0x18f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1253.nls" filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls") Region: id = 762 start_va = 0x1900000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 763 start_va = 0x1a00000 end_va = 0x1a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 764 start_va = 0x1a80000 end_va = 0x1b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a80000" filename = "" Region: id = 765 start_va = 0x1b80000 end_va = 0x1c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b80000" filename = "" Region: id = 766 start_va = 0x1c80000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 767 start_va = 0x1d00000 end_va = 0x1d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 768 start_va = 0x1d80000 end_va = 0x1e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d80000" filename = "" Region: id = 769 start_va = 0x1e80000 end_va = 0x1f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 770 start_va = 0x1f80000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 771 start_va = 0x2080000 end_va = 0x217ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 772 start_va = 0x2180000 end_va = 0x227ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 773 start_va = 0x2280000 end_va = 0x237ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002280000" filename = "" Region: id = 774 start_va = 0x2380000 end_va = 0x247ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002380000" filename = "" Region: id = 775 start_va = 0x2480000 end_va = 0x2490fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1257.nls" filename = "\\Windows\\System32\\C_1257.NLS" (normalized: "c:\\windows\\system32\\c_1257.nls") Region: id = 776 start_va = 0x24a0000 end_va = 0x24b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 777 start_va = 0x24c0000 end_va = 0x24e7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_932.nls" filename = "\\Windows\\System32\\C_932.NLS" (normalized: "c:\\windows\\system32\\c_932.nls") Region: id = 778 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 779 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 780 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 781 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 782 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 783 start_va = 0x2a00000 end_va = 0x2afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 784 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 785 start_va = 0x2c00000 end_va = 0x2c8dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 786 start_va = 0x2c90000 end_va = 0x2cc0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_949.nls" filename = "\\Windows\\System32\\C_949.NLS" (normalized: "c:\\windows\\system32\\c_949.nls") Region: id = 787 start_va = 0x2cd0000 end_va = 0x2ce0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_874.nls" filename = "\\Windows\\System32\\C_874.NLS" (normalized: "c:\\windows\\system32\\c_874.nls") Region: id = 788 start_va = 0x2cf0000 end_va = 0x2d00fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1258.nls" filename = "\\Windows\\System32\\C_1258.NLS" (normalized: "c:\\windows\\system32\\c_1258.nls") Region: id = 789 start_va = 0x2d10000 end_va = 0x2e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d10000" filename = "" Region: id = 790 start_va = 0x2e10000 end_va = 0x2f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 791 start_va = 0x2f10000 end_va = 0x300ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f10000" filename = "" Region: id = 792 start_va = 0x3010000 end_va = 0x310ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 793 start_va = 0x3110000 end_va = 0x3140fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_936.nls" filename = "\\Windows\\System32\\C_936.NLS" (normalized: "c:\\windows\\system32\\c_936.nls") Region: id = 794 start_va = 0x3150000 end_va = 0x3180fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_950.nls" filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls") Region: id = 795 start_va = 0x3190000 end_va = 0x328ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 796 start_va = 0x3290000 end_va = 0x330ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003290000" filename = "" Region: id = 797 start_va = 0x3310000 end_va = 0x338ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003310000" filename = "" Region: id = 798 start_va = 0x3390000 end_va = 0x3396fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003390000" filename = "" Region: id = 799 start_va = 0x3410000 end_va = 0x3416fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 800 start_va = 0x3420000 end_va = 0x351ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003420000" filename = "" Region: id = 801 start_va = 0x3570000 end_va = 0x35effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003570000" filename = "" Region: id = 802 start_va = 0x35f0000 end_va = 0x366ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 803 start_va = 0x3670000 end_va = 0x376ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003670000" filename = "" Region: id = 804 start_va = 0x3770000 end_va = 0x386ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 805 start_va = 0x3870000 end_va = 0x38effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 806 start_va = 0x3900000 end_va = 0x39fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003900000" filename = "" Region: id = 807 start_va = 0x3a00000 end_va = 0x3afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 808 start_va = 0x3b00000 end_va = 0x3bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 809 start_va = 0x3c00000 end_va = 0x3c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 810 start_va = 0x3c80000 end_va = 0x3cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c80000" filename = "" Region: id = 811 start_va = 0x3d80000 end_va = 0x3dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d80000" filename = "" Region: id = 812 start_va = 0x3e00000 end_va = 0x3e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 813 start_va = 0x3f00000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 814 start_va = 0x4000000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 815 start_va = 0x4100000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 816 start_va = 0x4200000 end_va = 0x42fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 817 start_va = 0x4300000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 818 start_va = 0x4400000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 819 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 820 start_va = 0x4600000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 821 start_va = 0x4700000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 822 start_va = 0x4800000 end_va = 0x48fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 823 start_va = 0x4900000 end_va = 0x49fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004900000" filename = "" Region: id = 824 start_va = 0x4a00000 end_va = 0x4afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 825 start_va = 0x4c00000 end_va = 0x4cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c00000" filename = "" Region: id = 826 start_va = 0x4d00000 end_va = 0x4dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d00000" filename = "" Region: id = 827 start_va = 0x4f00000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 828 start_va = 0x5000000 end_va = 0x50fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 829 start_va = 0x5100000 end_va = 0x51fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005100000" filename = "" Region: id = 830 start_va = 0x5200000 end_va = 0x52fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005200000" filename = "" Region: id = 831 start_va = 0x5600000 end_va = 0x56fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005600000" filename = "" Region: id = 832 start_va = 0x5900000 end_va = 0x59fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005900000" filename = "" Region: id = 833 start_va = 0x5a00000 end_va = 0x5afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a00000" filename = "" Region: id = 834 start_va = 0x5b00000 end_va = 0x5bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b00000" filename = "" Region: id = 835 start_va = 0x5c00000 end_va = 0x5cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c00000" filename = "" Region: id = 836 start_va = 0x5d00000 end_va = 0x5dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d00000" filename = "" Region: id = 837 start_va = 0x5e00000 end_va = 0x5efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e00000" filename = "" Region: id = 838 start_va = 0x5f00000 end_va = 0x5ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f00000" filename = "" Region: id = 839 start_va = 0x6000000 end_va = 0x60fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006000000" filename = "" Region: id = 840 start_va = 0x6100000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006100000" filename = "" Region: id = 841 start_va = 0x6200000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 842 start_va = 0x6300000 end_va = 0x63fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006300000" filename = "" Region: id = 843 start_va = 0x6400000 end_va = 0x64fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006400000" filename = "" Region: id = 844 start_va = 0x6500000 end_va = 0x65fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006500000" filename = "" Region: id = 845 start_va = 0x6600000 end_va = 0x66fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006600000" filename = "" Region: id = 846 start_va = 0x6700000 end_va = 0x67fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006700000" filename = "" Region: id = 847 start_va = 0x6800000 end_va = 0x68fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006800000" filename = "" Region: id = 848 start_va = 0x6900000 end_va = 0x69fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006900000" filename = "" Region: id = 849 start_va = 0x6a00000 end_va = 0x6afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a00000" filename = "" Region: id = 850 start_va = 0x6b00000 end_va = 0x6bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b00000" filename = "" Region: id = 851 start_va = 0x6c00000 end_va = 0x6cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006c00000" filename = "" Region: id = 852 start_va = 0x6d00000 end_va = 0x6dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006d00000" filename = "" Region: id = 853 start_va = 0x6e00000 end_va = 0x6efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006e00000" filename = "" Region: id = 854 start_va = 0x6f00000 end_va = 0x6ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f00000" filename = "" Region: id = 855 start_va = 0x7000000 end_va = 0x70fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007000000" filename = "" Region: id = 856 start_va = 0x7100000 end_va = 0x71fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007100000" filename = "" Region: id = 857 start_va = 0x7400000 end_va = 0x74fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007400000" filename = "" Region: id = 858 start_va = 0x7500000 end_va = 0x75fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007500000" filename = "" Region: id = 859 start_va = 0x7600000 end_va = 0x76fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007600000" filename = "" Region: id = 860 start_va = 0x7700000 end_va = 0x77fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007700000" filename = "" Region: id = 861 start_va = 0x7800000 end_va = 0x78fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007800000" filename = "" Region: id = 862 start_va = 0x7900000 end_va = 0x79fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007900000" filename = "" Region: id = 863 start_va = 0x7a00000 end_va = 0x7afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007a00000" filename = "" Region: id = 864 start_va = 0x7f00000 end_va = 0x7ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f00000" filename = "" Region: id = 865 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 866 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 867 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 868 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 869 start_va = 0x7ff681250000 end_va = 0x7ff68125cfff monitored = 0 entry_point = 0x7ff681253980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 870 start_va = 0x7ff9feee0000 end_va = 0x7ff9ff18ffff monitored = 0 entry_point = 0x7ff9feee1cf0 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 871 start_va = 0x7ff9ff1d0000 end_va = 0x7ff9ff2a4fff monitored = 0 entry_point = 0x7ff9ff1ecf80 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 872 start_va = 0x7ff9ff2b0000 end_va = 0x7ff9ff2f3fff monitored = 0 entry_point = 0x7ff9ff2d83e0 region_type = mapped_file name = "updatehandlers.dll" filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll") Region: id = 873 start_va = 0x7ff9ff300000 end_va = 0x7ff9ff321fff monitored = 0 entry_point = 0x7ff9ff312540 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 874 start_va = 0x7ff9ff370000 end_va = 0x7ff9ff3effff monitored = 0 entry_point = 0x7ff9ff39d280 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 875 start_va = 0x7ff9ff3f0000 end_va = 0x7ff9ff42efff monitored = 0 entry_point = 0x7ff9ff4182d0 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 876 start_va = 0x7ff9ff430000 end_va = 0x7ff9ff465fff monitored = 0 entry_point = 0x7ff9ff4327f0 region_type = mapped_file name = "windows.networking.hostname.dll" filename = "\\Windows\\System32\\Windows.Networking.HostName.dll" (normalized: "c:\\windows\\system32\\windows.networking.hostname.dll") Region: id = 877 start_va = 0x7ff9ff490000 end_va = 0x7ff9ff4ecfff monitored = 0 entry_point = 0x7ff9ff4be510 region_type = mapped_file name = "usocore.dll" filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll") Region: id = 878 start_va = 0x7ff9ff4f0000 end_va = 0x7ff9ff501fff monitored = 0 entry_point = 0x7ff9ff4f1a80 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 879 start_va = 0x7ff9ff670000 end_va = 0x7ff9ff6a1fff monitored = 0 entry_point = 0x7ff9ff67b0c0 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 880 start_va = 0x7ff9ffb80000 end_va = 0x7ff9ffb93fff monitored = 0 entry_point = 0x7ff9ffb82a00 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 881 start_va = 0x7ffa00110000 end_va = 0x7ffa0021efff monitored = 0 entry_point = 0x7ffa0014c010 region_type = mapped_file name = "dosvc.dll" filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll") Region: id = 882 start_va = 0x7ffa00260000 end_va = 0x7ffa002c6fff monitored = 0 entry_point = 0x7ffa0026b160 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 883 start_va = 0x7ffa00c80000 end_va = 0x7ffa00c90fff monitored = 0 entry_point = 0x7ffa00c828d0 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 884 start_va = 0x7ffa01260000 end_va = 0x7ffa01277fff monitored = 0 entry_point = 0x7ffa01261b10 region_type = mapped_file name = "locationframeworkinternalps.dll" filename = "\\Windows\\System32\\LocationFrameworkInternalPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkinternalps.dll") Region: id = 885 start_va = 0x7ffa01540000 end_va = 0x7ffa0165cfff monitored = 0 entry_point = 0x7ffa0156fe60 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 886 start_va = 0x7ffa01690000 end_va = 0x7ffa016a3fff monitored = 0 entry_point = 0x7ffa01693710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 887 start_va = 0x7ffa01740000 end_va = 0x7ffa0175dfff monitored = 0 entry_point = 0x7ffa0174ef80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 888 start_va = 0x7ffa069a0000 end_va = 0x7ffa069b5fff monitored = 0 entry_point = 0x7ffa069a1d50 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 889 start_va = 0x7ffa07a20000 end_va = 0x7ffa07a30fff monitored = 0 entry_point = 0x7ffa07a27480 region_type = mapped_file name = "tetheringclient.dll" filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll") Region: id = 890 start_va = 0x7ffa07a40000 end_va = 0x7ffa07ac3fff monitored = 0 entry_point = 0x7ffa07a58d50 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 891 start_va = 0x7ffa07ad0000 end_va = 0x7ffa07ae5fff monitored = 0 entry_point = 0x7ffa07ad55e0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 892 start_va = 0x7ffa07af0000 end_va = 0x7ffa07bc5fff monitored = 0 entry_point = 0x7ffa07b1a800 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 893 start_va = 0x7ffa07c20000 end_va = 0x7ffa07c83fff monitored = 0 entry_point = 0x7ffa07c3bed0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 894 start_va = 0x7ffa07c90000 end_va = 0x7ffa07cb4fff monitored = 0 entry_point = 0x7ffa07c99900 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 895 start_va = 0x7ffa07cc0000 end_va = 0x7ffa07cd3fff monitored = 0 entry_point = 0x7ffa07cc1800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 896 start_va = 0x7ffa07ce0000 end_va = 0x7ffa07dd5fff monitored = 0 entry_point = 0x7ffa07d19590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 897 start_va = 0x7ffa07de0000 end_va = 0x7ffa07e53fff monitored = 0 entry_point = 0x7ffa07df5eb0 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 898 start_va = 0x7ffa07e60000 end_va = 0x7ffa07f96fff monitored = 0 entry_point = 0x7ffa07ea0480 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 899 start_va = 0x7ffa08390000 end_va = 0x7ffa083a0fff monitored = 0 entry_point = 0x7ffa08392fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 900 start_va = 0x7ffa083b0000 end_va = 0x7ffa083cdfff monitored = 0 entry_point = 0x7ffa083b3a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 901 start_va = 0x7ffa083d0000 end_va = 0x7ffa08451fff monitored = 0 entry_point = 0x7ffa083d2a10 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 902 start_va = 0x7ffa08460000 end_va = 0x7ffa08475fff monitored = 0 entry_point = 0x7ffa08461af0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 903 start_va = 0x7ffa08480000 end_va = 0x7ffa08499fff monitored = 0 entry_point = 0x7ffa08482330 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 904 start_va = 0x7ffa088d0000 end_va = 0x7ffa08915fff monitored = 0 entry_point = 0x7ffa088d79a0 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 905 start_va = 0x7ffa08940000 end_va = 0x7ffa0894efff monitored = 0 entry_point = 0x7ffa08944960 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 906 start_va = 0x7ffa08a00000 end_va = 0x7ffa08a0bfff monitored = 0 entry_point = 0x7ffa08a035c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 907 start_va = 0x7ffa08a10000 end_va = 0x7ffa08a4ffff monitored = 0 entry_point = 0x7ffa08a1cbe0 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 908 start_va = 0x7ffa08a50000 end_va = 0x7ffa08a96fff monitored = 0 entry_point = 0x7ffa08a51d10 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 909 start_va = 0x7ffa08ae0000 end_va = 0x7ffa08b21fff monitored = 0 entry_point = 0x7ffa08ae3670 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 910 start_va = 0x7ffa08e00000 end_va = 0x7ffa08e1efff monitored = 0 entry_point = 0x7ffa08e037e0 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 911 start_va = 0x7ffa08e20000 end_va = 0x7ffa08e98fff monitored = 0 entry_point = 0x7ffa08e276a0 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 912 start_va = 0x7ffa08eb0000 end_va = 0x7ffa08eeffff monitored = 0 entry_point = 0x7ffa08ec6c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 913 start_va = 0x7ffa08f10000 end_va = 0x7ffa08f27fff monitored = 0 entry_point = 0x7ffa08f14e10 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 914 start_va = 0x7ffa08f30000 end_va = 0x7ffa08f54fff monitored = 0 entry_point = 0x7ffa08f35ca0 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 915 start_va = 0x7ffa08f60000 end_va = 0x7ffa090e1fff monitored = 0 entry_point = 0x7ffa08f782a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 916 start_va = 0x7ffa090f0000 end_va = 0x7ffa09192fff monitored = 0 entry_point = 0x7ffa090f2c10 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 917 start_va = 0x7ffa091a0000 end_va = 0x7ffa091f1fff monitored = 0 entry_point = 0x7ffa091a5770 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 918 start_va = 0x7ffa09200000 end_va = 0x7ffa0922dfff monitored = 1 entry_point = 0x7ffa09202300 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 919 start_va = 0x7ffa09230000 end_va = 0x7ffa0928dfff monitored = 0 entry_point = 0x7ffa09235080 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 920 start_va = 0x7ffa09290000 end_va = 0x7ffa092affff monitored = 0 entry_point = 0x7ffa09291f50 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 921 start_va = 0x7ffa092b0000 end_va = 0x7ffa092b8fff monitored = 0 entry_point = 0x7ffa092b18f0 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 922 start_va = 0x7ffa092c0000 end_va = 0x7ffa092d0fff monitored = 0 entry_point = 0x7ffa092c1d30 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 923 start_va = 0x7ffa09330000 end_va = 0x7ffa09347fff monitored = 0 entry_point = 0x7ffa09332000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 924 start_va = 0x7ffa09350000 end_va = 0x7ffa09390fff monitored = 0 entry_point = 0x7ffa09353750 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 925 start_va = 0x7ffa09430000 end_va = 0x7ffa0947bfff monitored = 0 entry_point = 0x7ffa09445310 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 926 start_va = 0x7ffa09490000 end_va = 0x7ffa0950efff monitored = 0 entry_point = 0x7ffa094a7110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 927 start_va = 0x7ffa09510000 end_va = 0x7ffa0954bfff monitored = 0 entry_point = 0x7ffa09516aa0 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 928 start_va = 0x7ffa09c80000 end_va = 0x7ffa09c88fff monitored = 0 entry_point = 0x7ffa09c821d0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 929 start_va = 0x7ffa09c90000 end_va = 0x7ffa09cc4fff monitored = 0 entry_point = 0x7ffa09c9a270 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 930 start_va = 0x7ffa0a560000 end_va = 0x7ffa0a652fff monitored = 0 entry_point = 0x7ffa0a585d80 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 931 start_va = 0x7ffa0ac50000 end_va = 0x7ffa0ac59fff monitored = 0 entry_point = 0x7ffa0ac514c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 932 start_va = 0x7ffa0afc0000 end_va = 0x7ffa0afd1fff monitored = 0 entry_point = 0x7ffa0afc3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 933 start_va = 0x7ffa0b050000 end_va = 0x7ffa0b06afff monitored = 0 entry_point = 0x7ffa0b051040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 934 start_va = 0x7ffa0b300000 end_va = 0x7ffa0b314fff monitored = 0 entry_point = 0x7ffa0b302dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 935 start_va = 0x7ffa0b320000 end_va = 0x7ffa0b32dfff monitored = 0 entry_point = 0x7ffa0b321460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 936 start_va = 0x7ffa0b330000 end_va = 0x7ffa0b33bfff monitored = 0 entry_point = 0x7ffa0b332830 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 937 start_va = 0x7ffa0b340000 end_va = 0x7ffa0b34ffff monitored = 0 entry_point = 0x7ffa0b341700 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 938 start_va = 0x7ffa0b350000 end_va = 0x7ffa0b358fff monitored = 0 entry_point = 0x7ffa0b351ed0 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 939 start_va = 0x7ffa0b360000 end_va = 0x7ffa0b38cfff monitored = 0 entry_point = 0x7ffa0b362290 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 940 start_va = 0x7ffa0b390000 end_va = 0x7ffa0b3e1fff monitored = 0 entry_point = 0x7ffa0b3938e0 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 941 start_va = 0x7ffa0b4a0000 end_va = 0x7ffa0b4b4fff monitored = 0 entry_point = 0x7ffa0b4a3460 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 942 start_va = 0x7ffa0b4c0000 end_va = 0x7ffa0b559fff monitored = 0 entry_point = 0x7ffa0b4dada0 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 943 start_va = 0x7ffa0b640000 end_va = 0x7ffa0b6a6fff monitored = 0 entry_point = 0x7ffa0b6463e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 944 start_va = 0x7ffa0b7a0000 end_va = 0x7ffa0b7aafff monitored = 0 entry_point = 0x7ffa0b7a1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 945 start_va = 0x7ffa0b800000 end_va = 0x7ffa0b8bffff monitored = 0 entry_point = 0x7ffa0b82fd20 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 946 start_va = 0x7ffa0b9f0000 end_va = 0x7ffa0ba09fff monitored = 0 entry_point = 0x7ffa0b9f2430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 947 start_va = 0x7ffa0ba10000 end_va = 0x7ffa0ba25fff monitored = 0 entry_point = 0x7ffa0ba119f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 948 start_va = 0x7ffa0baf0000 end_va = 0x7ffa0bb27fff monitored = 0 entry_point = 0x7ffa0bb08cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 949 start_va = 0x7ffa0bbe0000 end_va = 0x7ffa0bc8dfff monitored = 0 entry_point = 0x7ffa0bbf80c0 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 950 start_va = 0x7ffa0bc90000 end_va = 0x7ffa0bca1fff monitored = 0 entry_point = 0x7ffa0bc99260 region_type = mapped_file name = "rilproxy.dll" filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll") Region: id = 951 start_va = 0x7ffa0bcb0000 end_va = 0x7ffa0bd60fff monitored = 0 entry_point = 0x7ffa0bd288b0 region_type = mapped_file name = "cellularapi.dll" filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll") Region: id = 952 start_va = 0x7ffa0bd70000 end_va = 0x7ffa0bd83fff monitored = 0 entry_point = 0x7ffa0bd72d50 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 953 start_va = 0x7ffa0bdc0000 end_va = 0x7ffa0bddcfff monitored = 0 entry_point = 0x7ffa0bdc4f60 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 954 start_va = 0x7ffa0c070000 end_va = 0x7ffa0c102fff monitored = 0 entry_point = 0x7ffa0c079680 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 955 start_va = 0x7ffa0c2b0000 end_va = 0x7ffa0c2d4fff monitored = 0 entry_point = 0x7ffa0c2c2f20 region_type = mapped_file name = "wificonnapi.dll" filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll") Region: id = 956 start_va = 0x7ffa0c2e0000 end_va = 0x7ffa0c2f0fff monitored = 0 entry_point = 0x7ffa0c2e7ea0 region_type = mapped_file name = "dcpapi.dll" filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll") Region: id = 957 start_va = 0x7ffa0c300000 end_va = 0x7ffa0c318fff monitored = 0 entry_point = 0x7ffa0c304520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 958 start_va = 0x7ffa0c9a0000 end_va = 0x7ffa0c9befff monitored = 0 entry_point = 0x7ffa0c9a4960 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 959 start_va = 0x7ffa0ca80000 end_va = 0x7ffa0ca99fff monitored = 0 entry_point = 0x7ffa0ca82cf0 region_type = mapped_file name = "locationpelegacywinlocation.dll" filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll") Region: id = 960 start_va = 0x7ffa0ce40000 end_va = 0x7ffa0d1c1fff monitored = 0 entry_point = 0x7ffa0ce91220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 961 start_va = 0x7ffa0e2c0000 end_va = 0x7ffa0e3cdfff monitored = 0 entry_point = 0x7ffa0e30eaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 962 start_va = 0x7ffa0e440000 end_va = 0x7ffa0e456fff monitored = 0 entry_point = 0x7ffa0e447520 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 963 start_va = 0x7ffa0e460000 end_va = 0x7ffa0e477fff monitored = 0 entry_point = 0x7ffa0e46b850 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 964 start_va = 0x7ffa0e6d0000 end_va = 0x7ffa0e724fff monitored = 0 entry_point = 0x7ffa0e6d3fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 965 start_va = 0x7ffa0e730000 end_va = 0x7ffa0e766fff monitored = 0 entry_point = 0x7ffa0e736020 region_type = mapped_file name = "gnssadapter.dll" filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll") Region: id = 966 start_va = 0x7ffa0e770000 end_va = 0x7ffa0e78ffff monitored = 0 entry_point = 0x7ffa0e7739a0 region_type = mapped_file name = "locationwinpalmisc.dll" filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll") Region: id = 967 start_va = 0x7ffa0e790000 end_va = 0x7ffa0e7a6fff monitored = 0 entry_point = 0x7ffa0e795630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 968 start_va = 0x7ffa0e7b0000 end_va = 0x7ffa0e7c2fff monitored = 0 entry_point = 0x7ffa0e7b57f0 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 969 start_va = 0x7ffa0e7d0000 end_va = 0x7ffa0e849fff monitored = 0 entry_point = 0x7ffa0e7f7630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 970 start_va = 0x7ffa0e850000 end_va = 0x7ffa0e87dfff monitored = 0 entry_point = 0x7ffa0e857550 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 971 start_va = 0x7ffa0e880000 end_va = 0x7ffa0e895fff monitored = 0 entry_point = 0x7ffa0e881b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 972 start_va = 0x7ffa0e8a0000 end_va = 0x7ffa0e903fff monitored = 0 entry_point = 0x7ffa0e8b5ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 973 start_va = 0x7ffa0ead0000 end_va = 0x7ffa0eb10fff monitored = 0 entry_point = 0x7ffa0ead4840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 974 start_va = 0x7ffa0eb20000 end_va = 0x7ffa0eb2bfff monitored = 0 entry_point = 0x7ffa0eb214d0 region_type = mapped_file name = "locationframeworkps.dll" filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll") Region: id = 975 start_va = 0x7ffa0eb30000 end_va = 0x7ffa0ec65fff monitored = 0 entry_point = 0x7ffa0eb5f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 976 start_va = 0x7ffa0ec70000 end_va = 0x7ffa0ed55fff monitored = 0 entry_point = 0x7ffa0ec8cf10 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 977 start_va = 0x7ffa0ed60000 end_va = 0x7ffa0ee27fff monitored = 0 entry_point = 0x7ffa0eda13f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 978 start_va = 0x7ffa0ee30000 end_va = 0x7ffa0ee90fff monitored = 0 entry_point = 0x7ffa0ee34b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 979 start_va = 0x7ffa0eea0000 end_va = 0x7ffa0f01bfff monitored = 0 entry_point = 0x7ffa0eef1650 region_type = mapped_file name = "locationframework.dll" filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll") Region: id = 980 start_va = 0x7ffa0f020000 end_va = 0x7ffa0f02afff monitored = 0 entry_point = 0x7ffa0f021770 region_type = mapped_file name = "lfsvc.dll" filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll") Region: id = 981 start_va = 0x7ffa0f030000 end_va = 0x7ffa0f06dfff monitored = 0 entry_point = 0x7ffa0f03a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 982 start_va = 0x7ffa0f070000 end_va = 0x7ffa0f096fff monitored = 0 entry_point = 0x7ffa0f073bf0 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 983 start_va = 0x7ffa0f0a0000 end_va = 0x7ffa0f0e9fff monitored = 0 entry_point = 0x7ffa0f0aac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 984 start_va = 0x7ffa0f0f0000 end_va = 0x7ffa0f144fff monitored = 0 entry_point = 0x7ffa0f0ffc00 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 985 start_va = 0x7ffa0f190000 end_va = 0x7ffa0f221fff monitored = 0 entry_point = 0x7ffa0f1da780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 986 start_va = 0x7ffa0f2b0000 end_va = 0x7ffa0f2bcfff monitored = 0 entry_point = 0x7ffa0f2b1420 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 987 start_va = 0x7ffa0f2d0000 end_va = 0x7ffa0f2dffff monitored = 0 entry_point = 0x7ffa0f2d2c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 988 start_va = 0x7ffa0f2e0000 end_va = 0x7ffa0f2ecfff monitored = 0 entry_point = 0x7ffa0f2e2ca0 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 989 start_va = 0x7ffa0f2f0000 end_va = 0x7ffa0f31efff monitored = 0 entry_point = 0x7ffa0f2f8910 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 990 start_va = 0x7ffa0f370000 end_va = 0x7ffa0f3ddfff monitored = 0 entry_point = 0x7ffa0f377f60 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 991 start_va = 0x7ffa0f3e0000 end_va = 0x7ffa0f3f0fff monitored = 0 entry_point = 0x7ffa0f3e3320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 992 start_va = 0x7ffa0f430000 end_va = 0x7ffa0f465fff monitored = 0 entry_point = 0x7ffa0f440070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 993 start_va = 0x7ffa0fc30000 end_va = 0x7ffa0fc70fff monitored = 0 entry_point = 0x7ffa0fc47eb0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 994 start_va = 0x7ffa0fc80000 end_va = 0x7ffa0fd7bfff monitored = 0 entry_point = 0x7ffa0fcb6df0 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 995 start_va = 0x7ffa0fe10000 end_va = 0x7ffa0fecefff monitored = 0 entry_point = 0x7ffa0fe31c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 996 start_va = 0x7ffa0ff20000 end_va = 0x7ffa0ff29fff monitored = 0 entry_point = 0x7ffa0ff21660 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 997 start_va = 0x7ffa0ff30000 end_va = 0x7ffa0ff47fff monitored = 0 entry_point = 0x7ffa0ff35910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 998 start_va = 0x7ffa0ff50000 end_va = 0x7ffa1009cfff monitored = 0 entry_point = 0x7ffa0ff93da0 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 999 start_va = 0x7ffa10cc0000 end_va = 0x7ffa11152fff monitored = 0 entry_point = 0x7ffa10ccf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1000 start_va = 0x7ffa11160000 end_va = 0x7ffa111c6fff monitored = 0 entry_point = 0x7ffa1117e710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 1001 start_va = 0x7ffa11220000 end_va = 0x7ffa113a5fff monitored = 0 entry_point = 0x7ffa1126d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1002 start_va = 0x7ffa113b0000 end_va = 0x7ffa113cbfff monitored = 0 entry_point = 0x7ffa113b37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1003 start_va = 0x7ffa113d0000 end_va = 0x7ffa113dafff monitored = 0 entry_point = 0x7ffa113d1de0 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 1004 start_va = 0x7ffa11410000 end_va = 0x7ffa11422fff monitored = 0 entry_point = 0x7ffa11412760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1005 start_va = 0x7ffa114c0000 end_va = 0x7ffa114c9fff monitored = 0 entry_point = 0x7ffa114c1350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1006 start_va = 0x7ffa11550000 end_va = 0x7ffa11557fff monitored = 0 entry_point = 0x7ffa115513b0 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 1007 start_va = 0x7ffa11580000 end_va = 0x7ffa115f8fff monitored = 0 entry_point = 0x7ffa1159fb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1008 start_va = 0x7ffa11600000 end_va = 0x7ffa11607fff monitored = 0 entry_point = 0x7ffa116013e0 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 1009 start_va = 0x7ffa11640000 end_va = 0x7ffa1167ffff monitored = 0 entry_point = 0x7ffa11651960 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 1010 start_va = 0x7ffa117d0000 end_va = 0x7ffa117f6fff monitored = 0 entry_point = 0x7ffa117d7940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1011 start_va = 0x7ffa11800000 end_va = 0x7ffa118a9fff monitored = 0 entry_point = 0x7ffa11827910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1012 start_va = 0x7ffa118b0000 end_va = 0x7ffa119affff monitored = 0 entry_point = 0x7ffa118f0f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 1013 start_va = 0x7ffa11a40000 end_va = 0x7ffa11a4bfff monitored = 0 entry_point = 0x7ffa11a42480 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1014 start_va = 0x7ffa11b10000 end_va = 0x7ffa11b41fff monitored = 0 entry_point = 0x7ffa11b22340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1015 start_va = 0x7ffa11d80000 end_va = 0x7ffa11d8bfff monitored = 0 entry_point = 0x7ffa11d82790 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1016 start_va = 0x7ffa11d90000 end_va = 0x7ffa11db3fff monitored = 0 entry_point = 0x7ffa11d93260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1017 start_va = 0x7ffa11f30000 end_va = 0x7ffa12023fff monitored = 0 entry_point = 0x7ffa11f3a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1018 start_va = 0x7ffa12080000 end_va = 0x7ffa120c8fff monitored = 0 entry_point = 0x7ffa1208a090 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1019 start_va = 0x7ffa121a0000 end_va = 0x7ffa121abfff monitored = 0 entry_point = 0x7ffa121a27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1020 start_va = 0x7ffa12280000 end_va = 0x7ffa122b0fff monitored = 0 entry_point = 0x7ffa12287d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1021 start_va = 0x7ffa122e0000 end_va = 0x7ffa12359fff monitored = 0 entry_point = 0x7ffa12301a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1022 start_va = 0x7ffa123a0000 end_va = 0x7ffa123d3fff monitored = 0 entry_point = 0x7ffa123bae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1023 start_va = 0x7ffa123e0000 end_va = 0x7ffa123e9fff monitored = 0 entry_point = 0x7ffa123e1830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 1024 start_va = 0x7ffa124f0000 end_va = 0x7ffa1250efff monitored = 0 entry_point = 0x7ffa124f5d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1025 start_va = 0x7ffa12660000 end_va = 0x7ffa126bbfff monitored = 0 entry_point = 0x7ffa12676f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1026 start_va = 0x7ffa12710000 end_va = 0x7ffa12726fff monitored = 0 entry_point = 0x7ffa127179d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1027 start_va = 0x7ffa12830000 end_va = 0x7ffa1283afff monitored = 0 entry_point = 0x7ffa128319a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1028 start_va = 0x7ffa12870000 end_va = 0x7ffa12890fff monitored = 0 entry_point = 0x7ffa12880250 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 1029 start_va = 0x7ffa128c0000 end_va = 0x7ffa128f9fff monitored = 0 entry_point = 0x7ffa128c8d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 1030 start_va = 0x7ffa12900000 end_va = 0x7ffa12926fff monitored = 0 entry_point = 0x7ffa12910aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 1031 start_va = 0x7ffa12a10000 end_va = 0x7ffa12a3cfff monitored = 0 entry_point = 0x7ffa12a29d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1032 start_va = 0x7ffa12ba0000 end_va = 0x7ffa12bf5fff monitored = 0 entry_point = 0x7ffa12bb0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1033 start_va = 0x7ffa12c00000 end_va = 0x7ffa12c18fff monitored = 0 entry_point = 0x7ffa12c05e10 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 1034 start_va = 0x7ffa12c20000 end_va = 0x7ffa12c48fff monitored = 0 entry_point = 0x7ffa12c34530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1035 start_va = 0x7ffa12c50000 end_va = 0x7ffa12ce8fff monitored = 0 entry_point = 0x7ffa12c7f4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1036 start_va = 0x7ffa12d90000 end_va = 0x7ffa12da3fff monitored = 0 entry_point = 0x7ffa12d952e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1037 start_va = 0x7ffa12db0000 end_va = 0x7ffa12dbffff monitored = 0 entry_point = 0x7ffa12db56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1038 start_va = 0x7ffa12dc0000 end_va = 0x7ffa12e0afff monitored = 0 entry_point = 0x7ffa12dc35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1039 start_va = 0x7ffa12e10000 end_va = 0x7ffa12e1efff monitored = 0 entry_point = 0x7ffa12e13210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1040 start_va = 0x7ffa12e20000 end_va = 0x7ffa12e74fff monitored = 0 entry_point = 0x7ffa12e37970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1041 start_va = 0x7ffa12e80000 end_va = 0x7ffa12f34fff monitored = 0 entry_point = 0x7ffa12ec22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1042 start_va = 0x7ffa12f40000 end_va = 0x7ffa13106fff monitored = 0 entry_point = 0x7ffa12f9db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1043 start_va = 0x7ffa13110000 end_va = 0x7ffa13126fff monitored = 0 entry_point = 0x7ffa13111390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1044 start_va = 0x7ffa13130000 end_va = 0x7ffa13317fff monitored = 0 entry_point = 0x7ffa1315ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1045 start_va = 0x7ffa13320000 end_va = 0x7ffa13389fff monitored = 0 entry_point = 0x7ffa13356d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1046 start_va = 0x7ffa13390000 end_va = 0x7ffa133d2fff monitored = 0 entry_point = 0x7ffa133a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1047 start_va = 0x7ffa133e0000 end_va = 0x7ffa13465fff monitored = 0 entry_point = 0x7ffa133ed8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1048 start_va = 0x7ffa13520000 end_va = 0x7ffa13b63fff monitored = 0 entry_point = 0x7ffa136e64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1049 start_va = 0x7ffa13b70000 end_va = 0x7ffa13cb2fff monitored = 0 entry_point = 0x7ffa13b98210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1050 start_va = 0x7ffa13cc0000 end_va = 0x7ffa13d5cfff monitored = 0 entry_point = 0x7ffa13cc78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1051 start_va = 0x7ffa13d60000 end_va = 0x7ffa13d67fff monitored = 0 entry_point = 0x7ffa13d61ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1052 start_va = 0x7ffa13d80000 end_va = 0x7ffa13ed5fff monitored = 0 entry_point = 0x7ffa13d8a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1053 start_va = 0x7ffa13ee0000 end_va = 0x7ffa14065fff monitored = 0 entry_point = 0x7ffa13f2ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1054 start_va = 0x7ffa14070000 end_va = 0x7ffa140cafff monitored = 0 entry_point = 0x7ffa140838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1055 start_va = 0x7ffa14220000 end_va = 0x7ffa142c6fff monitored = 0 entry_point = 0x7ffa1422b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1056 start_va = 0x7ffa14340000 end_va = 0x7ffa145bcfff monitored = 0 entry_point = 0x7ffa14414970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1057 start_va = 0x7ffa145c0000 end_va = 0x7ffa146dbfff monitored = 0 entry_point = 0x7ffa146002b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1058 start_va = 0x7ffa146e0000 end_va = 0x7ffa1474afff monitored = 0 entry_point = 0x7ffa146f90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1059 start_va = 0x7ffa147c0000 end_va = 0x7ffa14880fff monitored = 0 entry_point = 0x7ffa147e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1060 start_va = 0x7ffa14ba0000 end_va = 0x7ffa14bf1fff monitored = 0 entry_point = 0x7ffa14baf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1061 start_va = 0x7ffa14c00000 end_va = 0x7ffa15028fff monitored = 0 entry_point = 0x7ffa14c28740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1062 start_va = 0x7ffa15030000 end_va = 0x7ffa1508bfff monitored = 0 entry_point = 0x7ffa1504b720 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1063 start_va = 0x7ffa15090000 end_va = 0x7ffa15136fff monitored = 0 entry_point = 0x7ffa150a58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1064 start_va = 0x7ffa15160000 end_va = 0x7ffa1520cfff monitored = 0 entry_point = 0x7ffa151781a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1065 start_va = 0x7ffa15210000 end_va = 0x7ffa1676efff monitored = 0 entry_point = 0x7ffa153711f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1066 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1240 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 1241 start_va = 0x7300000 end_va = 0x73fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007300000" filename = "" Region: id = 1242 start_va = 0x7b00000 end_va = 0x7bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b00000" filename = "" Region: id = 1243 start_va = 0x7c00000 end_va = 0x7cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007c00000" filename = "" Region: id = 1244 start_va = 0x7d00000 end_va = 0x7dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d00000" filename = "" Region: id = 1245 start_va = 0x7e00000 end_va = 0x7efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e00000" filename = "" Thread: id = 23 os_tid = 0x4ec Thread: id = 24 os_tid = 0x11d8 Thread: id = 25 os_tid = 0x2a4 Thread: id = 26 os_tid = 0x3b8 Thread: id = 27 os_tid = 0x3fc Thread: id = 28 os_tid = 0x430 Thread: id = 29 os_tid = 0x4f0 Thread: id = 30 os_tid = 0xba8 Thread: id = 31 os_tid = 0x9dc Thread: id = 32 os_tid = 0x9d8 Thread: id = 33 os_tid = 0x630 Thread: id = 34 os_tid = 0x6a4 Thread: id = 35 os_tid = 0x288 Thread: id = 36 os_tid = 0xaa0 Thread: id = 37 os_tid = 0x8cc Thread: id = 38 os_tid = 0x86c Thread: id = 39 os_tid = 0x860 Thread: id = 40 os_tid = 0x7c0 Thread: id = 41 os_tid = 0x444 Thread: id = 42 os_tid = 0x778 Thread: id = 43 os_tid = 0x568 Thread: id = 44 os_tid = 0x40c Thread: id = 45 os_tid = 0x670 Thread: id = 46 os_tid = 0x158 Thread: id = 47 os_tid = 0x7e0 Thread: id = 48 os_tid = 0x534 Thread: id = 49 os_tid = 0x5d4 Thread: id = 50 os_tid = 0x3ac Thread: id = 51 os_tid = 0x2c0 Thread: id = 52 os_tid = 0x384 Thread: id = 53 os_tid = 0xaf0 Thread: id = 54 os_tid = 0x3a8 Thread: id = 55 os_tid = 0xbc4 Thread: id = 56 os_tid = 0x804 Thread: id = 57 os_tid = 0x820 Thread: id = 58 os_tid = 0x6e4 Thread: id = 59 os_tid = 0x72c Thread: id = 60 os_tid = 0xa78 Thread: id = 61 os_tid = 0x958 Thread: id = 62 os_tid = 0xa1c Thread: id = 63 os_tid = 0xa08 Thread: id = 64 os_tid = 0xac0 Thread: id = 65 os_tid = 0xab4 Thread: id = 66 os_tid = 0xad4 Thread: id = 67 os_tid = 0xae4 Thread: id = 68 os_tid = 0xad8 Thread: id = 69 os_tid = 0xadc Thread: id = 70 os_tid = 0xa50 Thread: id = 71 os_tid = 0xbec Thread: id = 72 os_tid = 0x668 Thread: id = 73 os_tid = 0x5ec Thread: id = 74 os_tid = 0x780 Thread: id = 75 os_tid = 0x728 Thread: id = 76 os_tid = 0x5e0 Thread: id = 77 os_tid = 0x508 Thread: id = 78 os_tid = 0x428 Thread: id = 79 os_tid = 0x7e4 Thread: id = 80 os_tid = 0x7dc Thread: id = 81 os_tid = 0x7d8 Thread: id = 82 os_tid = 0x7cc Thread: id = 83 os_tid = 0x7c4 Thread: id = 84 os_tid = 0x7b0 Thread: id = 85 os_tid = 0x788 Thread: id = 86 os_tid = 0x744 Thread: id = 87 os_tid = 0x448 Thread: id = 88 os_tid = 0x6f8 Thread: id = 89 os_tid = 0x6d4 Thread: id = 90 os_tid = 0x648 Thread: id = 91 os_tid = 0x640 Thread: id = 92 os_tid = 0x62c Thread: id = 93 os_tid = 0x530 Thread: id = 94 os_tid = 0x4a8 Thread: id = 95 os_tid = 0x2ac Thread: id = 96 os_tid = 0x270 Thread: id = 97 os_tid = 0x154 Thread: id = 98 os_tid = 0x1b8 Thread: id = 99 os_tid = 0x1bc Thread: id = 100 os_tid = 0x180 Thread: id = 101 os_tid = 0x188 Thread: id = 102 os_tid = 0x148 Thread: id = 103 os_tid = 0x12c Thread: id = 104 os_tid = 0xfc Thread: id = 105 os_tid = 0x60 Thread: id = 106 os_tid = 0x3f0 Thread: id = 107 os_tid = 0x3e8 Thread: id = 108 os_tid = 0x364 Thread: id = 115 os_tid = 0xce4 Thread: id = 116 os_tid = 0xce8 Thread: id = 117 os_tid = 0xcec Thread: id = 118 os_tid = 0xcf0 Thread: id = 119 os_tid = 0x119c Process: id = "8" image_name = "timeout.exe" filename = "c:\\windows\\syswow64\\timeout.exe" page_root = "0x72ebf000" os_pid = "0x664" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xcb4" cmd_line = "timeout 3 " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 679 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 680 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 681 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 682 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 683 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 684 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 685 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 686 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 687 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 688 start_va = 0xa60000 end_va = 0xa69fff monitored = 1 entry_point = 0xa64fb0 region_type = mapped_file name = "timeout.exe" filename = "\\Windows\\SysWOW64\\timeout.exe" (normalized: "c:\\windows\\syswow64\\timeout.exe") Region: id = 689 start_va = 0xa70000 end_va = 0x4a6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 690 start_va = 0x771d0000 end_va = 0x7734afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 691 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 692 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 693 start_va = 0x7fff0000 end_va = 0x7dfa1676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 694 start_va = 0x7dfa16770000 end_va = 0x7ffa1676ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfa16770000" filename = "" Region: id = 695 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 696 start_va = 0x7ffa16931000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffa16931000" filename = "" Region: id = 1067 start_va = 0x400000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1068 start_va = 0x640d0000 end_va = 0x6411ffff monitored = 0 entry_point = 0x640e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1069 start_va = 0x64050000 end_va = 0x640c9fff monitored = 0 entry_point = 0x64063290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1070 start_va = 0x76720000 end_va = 0x767fffff monitored = 0 entry_point = 0x76733980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1071 start_va = 0x64120000 end_va = 0x64127fff monitored = 0 entry_point = 0x641217c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1072 start_va = 0x5f0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1073 start_va = 0x76720000 end_va = 0x767fffff monitored = 0 entry_point = 0x76733980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1074 start_va = 0x76910000 end_va = 0x76a8dfff monitored = 0 entry_point = 0x769c1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1075 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1076 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1077 start_va = 0x110000 end_va = 0x1cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1078 start_va = 0x743d0000 end_va = 0x74516fff monitored = 0 entry_point = 0x743e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1079 start_va = 0x74ab0000 end_va = 0x74bfefff monitored = 0 entry_point = 0x74b66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1080 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1081 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1082 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 1083 start_va = 0x73f30000 end_va = 0x73f8efff monitored = 0 entry_point = 0x73f34af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1084 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1085 start_va = 0x76cb0000 end_va = 0x76cf3fff monitored = 0 entry_point = 0x76cc9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1086 start_va = 0x76c00000 end_va = 0x76cacfff monitored = 0 entry_point = 0x76c14f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1087 start_va = 0x73f00000 end_va = 0x73f1dfff monitored = 0 entry_point = 0x73f0b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1088 start_va = 0x73ef0000 end_va = 0x73ef9fff monitored = 0 entry_point = 0x73ef2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1089 start_va = 0x76840000 end_va = 0x76897fff monitored = 0 entry_point = 0x768825c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1090 start_va = 0x76d00000 end_va = 0x76d44fff monitored = 0 entry_point = 0x76d1de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1091 start_va = 0x76a90000 end_va = 0x76b4dfff monitored = 0 entry_point = 0x76ac5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1092 start_va = 0x762b0000 end_va = 0x7646cfff monitored = 0 entry_point = 0x76392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1093 start_va = 0x72050000 end_va = 0x72057fff monitored = 0 entry_point = 0x720517b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1094 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1095 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 1096 start_va = 0x741b0000 end_va = 0x741dafff monitored = 0 entry_point = 0x741b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1097 start_va = 0x4a70000 end_va = 0x4bf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a70000" filename = "" Region: id = 1098 start_va = 0x4c00000 end_va = 0x5ffffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c00000" filename = "" Region: id = 1099 start_va = 0x30000 end_va = 0x32fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "timeout.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\timeout.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\timeout.exe.mui") Region: id = 1100 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1101 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1102 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1103 start_va = 0x6000000 end_va = 0x6336fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 109 os_tid = 0xaf8 [0156.853] GetModuleHandleA (lpModuleName=0x0) returned 0xa60000 [0156.853] __set_app_type (_Type=0x1) [0156.853] __p__fmode () returned 0x76b44d6c [0156.853] __p__commode () returned 0x76b45b1c [0156.853] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa64fe0) returned 0x0 [0156.853] __wgetmainargs (in: _Argc=0xa66018, _Argv=0xa6601c, _Env=0xa66020, _DoWildCard=0, _StartInfo=0xa6602c | out: _Argc=0xa66018, _Argv=0xa6601c, _Env=0xa66020) returned 0 [0156.854] SetThreadUILanguage (LangId=0x0) returned 0x409 [0156.950] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0156.950] SetLastError (dwErrCode=0x0) [0156.950] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0156.950] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0156.950] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0156.950] RtlVerifyVersionInfo (VersionInfo=0xdf7d8, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0 [0156.950] GetProcessHeap () returned 0x700000 [0156.950] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x10) returned 0x7074b8 [0156.950] lstrlenW (lpString="") returned 0 [0156.950] GetProcessHeap () returned 0x700000 [0156.950] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x2) returned 0x706cf0 [0156.950] GetProcessHeap () returned 0x700000 [0156.950] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x708670 [0156.950] GetProcessHeap () returned 0x700000 [0156.950] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x10) returned 0x7074e8 [0156.950] GetProcessHeap () returned 0x700000 [0156.950] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x7071b8 [0156.951] GetProcessHeap () returned 0x700000 [0156.951] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x7073c8 [0156.951] GetProcessHeap () returned 0x700000 [0156.951] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x7027f8 [0156.951] GetProcessHeap () returned 0x700000 [0156.951] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x703588 [0156.951] GetProcessHeap () returned 0x700000 [0156.951] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x10) returned 0x707470 [0156.951] GetProcessHeap () returned 0x700000 [0156.951] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x706f80 [0156.951] GetProcessHeap () returned 0x700000 [0156.951] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x706fa0 [0156.951] GetProcessHeap () returned 0x700000 [0156.951] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x706fc0 [0156.951] GetProcessHeap () returned 0x700000 [0156.951] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x707a38 [0156.951] GetProcessHeap () returned 0x700000 [0156.952] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x10) returned 0x707518 [0156.952] GetProcessHeap () returned 0x700000 [0156.952] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c298 [0156.952] GetProcessHeap () returned 0x700000 [0156.952] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c1f8 [0156.952] GetProcessHeap () returned 0x700000 [0156.952] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c158 [0156.952] GetProcessHeap () returned 0x700000 [0156.952] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70bfb8 [0156.952] SetThreadUILanguage (LangId=0x0) returned 0x409 [0156.960] SetLastError (dwErrCode=0x0) [0156.960] GetProcessHeap () returned 0x700000 [0156.960] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c0b8 [0156.960] GetProcessHeap () returned 0x700000 [0156.960] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c2b8 [0156.960] GetProcessHeap () returned 0x700000 [0156.960] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c0f8 [0156.960] GetProcessHeap () returned 0x700000 [0156.960] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c0d8 [0156.960] GetProcessHeap () returned 0x700000 [0156.960] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c218 [0156.960] GetProcessHeap () returned 0x700000 [0156.960] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x10) returned 0x707578 [0156.960] _memicmp (_Buf1=0x707578, _Buf2=0xa610ac, _Size=0x7) returned 0 [0156.960] GetProcessHeap () returned 0x700000 [0156.960] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x208) returned 0x70c358 [0156.960] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x70c358, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\timeout.exe" (normalized: "c:\\windows\\syswow64\\timeout.exe")) returned 0x1f [0156.961] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\timeout.exe", lpdwHandle=0xdf8e4 | out: lpdwHandle=0xdf8e4) returned 0x76c [0156.961] GetProcessHeap () returned 0x700000 [0156.961] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x776) returned 0x70c568 [0156.961] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\timeout.exe", dwHandle=0x0, dwLen=0x776, lpData=0x70c568 | out: lpData=0x70c568) returned 1 [0156.961] VerQueryValueW (in: pBlock=0x70c568, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdf8ec, puLen=0xdf8f0 | out: lplpBuffer=0xdf8ec*=0x70c918, puLen=0xdf8f0) returned 1 [0156.964] _memicmp (_Buf1=0x707578, _Buf2=0xa610ac, _Size=0x7) returned 0 [0156.964] _vsnwprintf (in: _Buffer=0x70c358, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdf8d0 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0156.965] VerQueryValueW (in: pBlock=0x70c568, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdf8fc, puLen=0xdf8f8 | out: lplpBuffer=0xdf8fc*=0x70c74c, puLen=0xdf8f8) returned 1 [0156.965] lstrlenW (lpString="timeout.exe") returned 11 [0156.965] lstrlenW (lpString="timeout.exe") returned 11 [0156.965] lstrlenW (lpString=".EXE") returned 4 [0156.965] StrStrIW (lpFirst="timeout.exe", lpSrch=".EXE") returned=".exe" [0156.965] lstrlenW (lpString="timeout.exe") returned 11 [0156.965] lstrlenW (lpString=".EXE") returned 4 [0156.965] _memicmp (_Buf1=0x707578, _Buf2=0xa610ac, _Size=0x7) returned 0 [0156.965] lstrlenW (lpString="timeout") returned 7 [0156.966] GetProcessHeap () returned 0x700000 [0156.966] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c338 [0156.966] GetProcessHeap () returned 0x700000 [0156.966] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c1b8 [0156.966] GetProcessHeap () returned 0x700000 [0156.966] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c198 [0156.966] GetProcessHeap () returned 0x700000 [0156.966] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c178 [0156.966] GetProcessHeap () returned 0x700000 [0156.966] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x10) returned 0x70cff8 [0156.966] _memicmp (_Buf1=0x70cff8, _Buf2=0xa610ac, _Size=0x7) returned 0 [0156.966] GetProcessHeap () returned 0x700000 [0156.966] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0xa0) returned 0x70e160 [0156.967] GetProcessHeap () returned 0x700000 [0156.967] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c078 [0156.967] GetProcessHeap () returned 0x700000 [0156.967] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c278 [0156.967] GetProcessHeap () returned 0x700000 [0156.967] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c2d8 [0156.967] GetProcessHeap () returned 0x700000 [0156.967] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x10) returned 0x70cf98 [0156.967] _memicmp (_Buf1=0x70cf98, _Buf2=0xa610ac, _Size=0x7) returned 0 [0156.967] GetProcessHeap () returned 0x700000 [0156.967] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x200) returned 0x70e228 [0156.967] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x70e228, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0156.967] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0156.967] GetProcessHeap () returned 0x700000 [0156.967] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x30) returned 0x7083f8 [0156.967] _vsnwprintf (in: _Buffer=0x70e160, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdf8d4 | out: _Buffer="Type \"TIMEOUT /?\" for usage.") returned 28 [0156.967] GetProcessHeap () returned 0x700000 [0156.970] GetProcessHeap () returned 0x700000 [0156.970] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c568) returned 1 [0156.970] GetProcessHeap () returned 0x700000 [0156.970] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c568) returned 0x776 [0156.971] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c568 | out: hHeap=0x700000) returned 1 [0156.971] SetLastError (dwErrCode=0x0) [0156.971] GetThreadLocale () returned 0x409 [0156.971] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0156.971] lstrlenW (lpString="?") returned 1 [0156.971] GetThreadLocale () returned 0x409 [0156.971] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0156.971] GetThreadLocale () returned 0x409 [0156.971] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0156.971] lstrlenW (lpString="nobreak") returned 7 [0156.971] SetLastError (dwErrCode=0x0) [0156.971] SetLastError (dwErrCode=0x0) [0156.971] lstrlenW (lpString="3") returned 1 [0156.971] SetLastError (dwErrCode=0x490) [0156.971] SetLastError (dwErrCode=0x0) [0156.971] lstrlenW (lpString="3") returned 1 [0156.971] StrChrIW (lpStart="3", wMatch=0x3a) returned 0x0 [0156.972] SetLastError (dwErrCode=0x490) [0156.972] SetLastError (dwErrCode=0x0) [0156.972] GetProcessHeap () returned 0x700000 [0156.972] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x10) returned 0x70ce48 [0156.972] _memicmp (_Buf1=0x70ce48, _Buf2=0xa610ac, _Size=0x7) returned 0 [0156.972] lstrlenW (lpString="3") returned 1 [0156.972] GetProcessHeap () returned 0x700000 [0156.972] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x4) returned 0x707aa0 [0156.972] lstrlenW (lpString="3") returned 1 [0156.972] lstrlenW (lpString=" \x09") returned 2 [0156.972] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0 [0156.972] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0 [0156.972] GetLastError () returned 0x0 [0156.972] lstrlenW (lpString="3") returned 1 [0156.972] lstrlenW (lpString="3") returned 1 [0156.972] SetLastError (dwErrCode=0x0) [0156.972] _errno () returned 0x4b05b0 [0156.972] wcstol (in: _String="3", _EndPtr=0xdfab8, _Radix=10 | out: _EndPtr=0xdfab8*="") returned 3 [0156.972] lstrlenW (lpString="") returned 0 [0156.972] _errno () returned 0x4b05b0 [0156.972] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aea [0156.973] GetStdHandle (nStdHandle=0xfffffff6) returned 0x38 [0156.973] GetFileType (hFile=0x38) returned 0x2 [0156.973] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xdfab0 | out: lpMode=0xdfab0) returned 1 [0156.975] GetStdHandle (nStdHandle=0xfffffff6) returned 0x38 [0156.975] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xdfad0 | out: lpMode=0xdfad0) returned 1 [0156.975] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a1) returned 1 [0156.976] GetNumberOfConsoleInputEvents (in: hConsoleInput=0x38, lpNumberOfEvents=0xdfad4 | out: lpNumberOfEvents=0xdfad4) returned 1 [0156.976] FlushConsoleInputBuffer (hConsoleInput=0x38) returned 1 [0156.976] GetProcessHeap () returned 0x700000 [0156.976] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c1d8 [0156.976] _memicmp (_Buf1=0x70cf98, _Buf2=0xa610ac, _Size=0x7) returned 0 [0156.976] LoadStringW (in: hInstance=0x0, uID=0x98, lpBuffer=0x70e228, cchBufferMax=256 | out: lpBuffer="\nWaiting for %*lu") returned 0x11 [0156.976] lstrlenW (lpString="\nWaiting for %*lu") returned 17 [0156.976] GetProcessHeap () returned 0x700000 [0156.976] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x24) returned 0x7036a8 [0156.976] _vsnwprintf (in: _Buffer=0xdfd24, _BufferCount=0xfd, _Format="\nWaiting for %*lu", _ArgList=0xdfa9c | out: _Buffer="\nWaiting for 3") returned 14 [0156.976] __iob_func () returned 0x76b41208 [0156.977] _fileno (_File=0x76b41228) returned 1 [0156.977] _errno () returned 0x4b05b0 [0156.977] _get_osfhandle (_FileHandle=1) returned 0x3c [0156.977] _errno () returned 0x4b05b0 [0156.977] GetFileType (hFile=0x3c) returned 0x2 [0156.977] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0156.977] GetFileType (hFile=0x3c) returned 0x2 [0156.977] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfa74 | out: lpMode=0xdfa74) returned 0 [0156.977] lstrlenW (lpString="\nWaiting for 3") returned 14 [0156.977] GetConsoleOutputCP () returned 0x1b5 [0156.977] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\nWaiting for 3", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0156.977] GetConsoleOutputCP () returned 0x1b5 [0156.978] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\nWaiting for 3", cchWideChar=14, lpMultiByteStr=0xa66360, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\nWaiting for 3", lpUsedDefaultChar=0x0) returned 14 [0156.978] fprintf (in: _File=0x76b41228, _Format="%s" | out: _File=0x76b41228) returned 14 [0156.978] fflush (in: _File=0x76b41228 | out: _File=0x76b41228) returned 0 [0156.978] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0156.978] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3c, lpConsoleScreenBufferInfo=0xdfae8 | out: lpConsoleScreenBufferInfo=0xdfae8) returned 0 [0156.978] GetProcessHeap () returned 0x700000 [0156.978] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x14) returned 0x70c118 [0156.979] _memicmp (_Buf1=0x70cf98, _Buf2=0xa610ac, _Size=0x7) returned 0 [0156.979] LoadStringW (in: hInstance=0x0, uID=0xa0, lpBuffer=0x70e228, cchBufferMax=256 | out: lpBuffer=" seconds, press a key to continue ...") returned 0x25 [0156.979] lstrlenW (lpString=" seconds, press a key to continue ...") returned 37 [0156.979] GetProcessHeap () returned 0x700000 [0156.979] RtlAllocateHeap (HeapHandle=0x700000, Flags=0xc, Size=0x4c) returned 0x707008 [0156.979] __iob_func () returned 0x76b41208 [0156.979] _fileno (_File=0x76b41228) returned 1 [0156.979] _errno () returned 0x4b05b0 [0156.979] _get_osfhandle (_FileHandle=1) returned 0x3c [0156.979] _errno () returned 0x4b05b0 [0156.979] GetFileType (hFile=0x3c) returned 0x2 [0156.979] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0156.979] GetFileType (hFile=0x3c) returned 0x2 [0156.979] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfa74 | out: lpMode=0xdfa74) returned 0 [0156.979] lstrlenW (lpString=" seconds, press a key to continue ...") returned 37 [0156.979] GetConsoleOutputCP () returned 0x1b5 [0156.979] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" seconds, press a key to continue ...", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0156.980] GetConsoleOutputCP () returned 0x1b5 [0156.980] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" seconds, press a key to continue ...", cchWideChar=37, lpMultiByteStr=0xa66360, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" seconds, press a key to continue ...", lpUsedDefaultChar=0x0) returned 37 [0156.980] fprintf (in: _File=0x76b41228, _Format="%s" | out: _File=0x76b41228) returned 37 [0156.980] fflush (in: _File=0x76b41228 | out: _File=0x76b41228) returned 0 [0156.980] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0156.981] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aea [0156.981] Sleep (dwMilliseconds=0x64) [0157.164] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0157.175] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aea [0157.175] Sleep (dwMilliseconds=0x64) [0157.303] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0157.307] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aea [0157.307] Sleep (dwMilliseconds=0x64) [0157.435] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0157.439] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aea [0157.439] Sleep (dwMilliseconds=0x64) [0157.546] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0157.550] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aeb [0157.550] _vsnwprintf (in: _Buffer=0xdfd24, _BufferCount=0xfd, _Format="%s%*lu", _ArgList=0xdfa98 | out: _Buffer="\x082") returned 2 [0157.551] SetConsoleCursorPosition (hConsoleOutput=0x3c, dwCursorPosition=0x0) returned 0 [0157.551] __iob_func () returned 0x76b41208 [0157.551] _fileno (_File=0x76b41228) returned 1 [0157.551] _errno () returned 0x4b05b0 [0157.551] _get_osfhandle (_FileHandle=1) returned 0x3c [0157.551] _errno () returned 0x4b05b0 [0157.551] GetFileType (hFile=0x3c) returned 0x2 [0157.551] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0157.551] GetFileType (hFile=0x3c) returned 0x2 [0157.551] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfa74 | out: lpMode=0xdfa74) returned 0 [0157.551] lstrlenW (lpString="\x082") returned 2 [0157.551] GetConsoleOutputCP () returned 0x1b5 [0157.558] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x082", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0157.558] GetConsoleOutputCP () returned 0x1b5 [0157.562] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x082", cchWideChar=2, lpMultiByteStr=0xa66360, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x082", lpUsedDefaultChar=0x0) returned 2 [0157.562] fprintf (in: _File=0x76b41228, _Format="%s" | out: _File=0x76b41228) returned 2 [0157.562] fflush (in: _File=0x76b41228 | out: _File=0x76b41228) returned 0 [0157.562] Sleep (dwMilliseconds=0x64) [0157.724] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0157.728] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aeb [0157.728] Sleep (dwMilliseconds=0x64) [0157.878] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0157.882] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aeb [0157.882] Sleep (dwMilliseconds=0x64) [0157.990] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0158.016] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aeb [0158.016] Sleep (dwMilliseconds=0x64) [0158.173] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0158.176] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aeb [0158.176] Sleep (dwMilliseconds=0x64) [0158.356] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0158.361] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aeb [0158.361] Sleep (dwMilliseconds=0x64) [0158.527] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0158.535] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aec [0158.535] _vsnwprintf (in: _Buffer=0xdfd24, _BufferCount=0xfd, _Format="%s%*lu", _ArgList=0xdfa98 | out: _Buffer="\x081") returned 2 [0158.535] SetConsoleCursorPosition (hConsoleOutput=0x3c, dwCursorPosition=0x0) returned 0 [0158.535] __iob_func () returned 0x76b41208 [0158.535] _fileno (_File=0x76b41228) returned 1 [0158.535] _errno () returned 0x4b05b0 [0158.535] _get_osfhandle (_FileHandle=1) returned 0x3c [0158.535] _errno () returned 0x4b05b0 [0158.536] GetFileType (hFile=0x3c) returned 0x2 [0158.536] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0158.536] GetFileType (hFile=0x3c) returned 0x2 [0158.536] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfa74 | out: lpMode=0xdfa74) returned 0 [0158.536] lstrlenW (lpString="\x081") returned 2 [0158.536] GetConsoleOutputCP () returned 0x1b5 [0158.539] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x081", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0158.539] GetConsoleOutputCP () returned 0x1b5 [0158.545] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x081", cchWideChar=2, lpMultiByteStr=0xa66360, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x081", lpUsedDefaultChar=0x0) returned 2 [0158.545] fprintf (in: _File=0x76b41228, _Format="%s" | out: _File=0x76b41228) returned 2 [0158.545] fflush (in: _File=0x76b41228 | out: _File=0x76b41228) returned 0 [0158.545] Sleep (dwMilliseconds=0x64) [0158.685] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0158.692] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aec [0158.692] Sleep (dwMilliseconds=0x64) [0158.828] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0158.831] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aec [0158.831] Sleep (dwMilliseconds=0x64) [0158.943] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0158.947] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aec [0158.947] Sleep (dwMilliseconds=0x64) [0159.143] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0159.153] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aec [0159.153] Sleep (dwMilliseconds=0x64) [0159.271] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0159.304] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aec [0159.304] Sleep (dwMilliseconds=0x64) [0159.446] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1 [0159.451] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed0aed [0159.451] _vsnwprintf (in: _Buffer=0xdfd24, _BufferCount=0xfd, _Format="%s%*lu", _ArgList=0xdfa98 | out: _Buffer="\x080") returned 2 [0159.451] SetConsoleCursorPosition (hConsoleOutput=0x3c, dwCursorPosition=0x0) returned 0 [0159.451] __iob_func () returned 0x76b41208 [0159.451] _fileno (_File=0x76b41228) returned 1 [0159.452] _errno () returned 0x4b05b0 [0159.452] _get_osfhandle (_FileHandle=1) returned 0x3c [0159.452] _errno () returned 0x4b05b0 [0159.452] GetFileType (hFile=0x3c) returned 0x2 [0159.452] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0159.452] GetFileType (hFile=0x3c) returned 0x2 [0159.452] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfa74 | out: lpMode=0xdfa74) returned 0 [0159.452] lstrlenW (lpString="\x080") returned 2 [0159.452] GetConsoleOutputCP () returned 0x1b5 [0159.454] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x080", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0159.454] GetConsoleOutputCP () returned 0x1b5 [0159.456] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x080", cchWideChar=2, lpMultiByteStr=0xa66360, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x080", lpUsedDefaultChar=0x0) returned 2 [0159.456] fprintf (in: _File=0x76b41228, _Format="%s" | out: _File=0x76b41228) returned 2 [0159.457] fflush (in: _File=0x76b41228 | out: _File=0x76b41228) returned 0 [0159.457] Sleep (dwMilliseconds=0x64) [0159.561] __iob_func () returned 0x76b41208 [0159.561] _fileno (_File=0x76b41228) returned 1 [0159.561] _errno () returned 0x4b05b0 [0159.561] _get_osfhandle (_FileHandle=1) returned 0x3c [0159.561] _errno () returned 0x4b05b0 [0159.561] GetFileType (hFile=0x3c) returned 0x2 [0159.561] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0159.562] GetFileType (hFile=0x3c) returned 0x2 [0159.562] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfa74 | out: lpMode=0xdfa74) returned 0 [0159.562] lstrlenW (lpString="\n") returned 1 [0159.562] GetConsoleOutputCP () returned 0x1b5 [0159.569] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1 [0159.569] GetConsoleOutputCP () returned 0x1b5 [0159.638] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0xa66360, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 1 [0159.638] fprintf (in: _File=0x76b41228, _Format="%s" | out: _File=0x76b41228) returned 1 [0159.638] fflush (in: _File=0x76b41228 | out: _File=0x76b41228) returned 0 [0159.638] GetProcessHeap () returned 0x700000 [0159.638] GetProcessHeap () returned 0x700000 [0159.638] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70e160) returned 1 [0159.638] GetProcessHeap () returned 0x700000 [0159.638] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70e160) returned 0xa0 [0159.639] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70e160 | out: hHeap=0x700000) returned 1 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70cff8) returned 1 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70cff8) returned 0x10 [0159.640] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70cff8 | out: hHeap=0x700000) returned 1 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c178) returned 1 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c178) returned 0x14 [0159.640] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c178 | out: hHeap=0x700000) returned 1 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x707aa0) returned 1 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x707aa0) returned 0x4 [0159.640] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x707aa0 | out: hHeap=0x700000) returned 1 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70ce48) returned 1 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70ce48) returned 0x10 [0159.640] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70ce48 | out: hHeap=0x700000) returned 1 [0159.640] GetProcessHeap () returned 0x700000 [0159.640] GetProcessHeap () returned 0x700000 [0159.641] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c198) returned 1 [0159.641] GetProcessHeap () returned 0x700000 [0159.641] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c198) returned 0x14 [0159.641] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c198 | out: hHeap=0x700000) returned 1 [0159.641] GetProcessHeap () returned 0x700000 [0159.641] GetProcessHeap () returned 0x700000 [0159.641] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c358) returned 1 [0159.641] GetProcessHeap () returned 0x700000 [0159.641] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c358) returned 0x208 [0159.641] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c358 | out: hHeap=0x700000) returned 1 [0159.641] GetProcessHeap () returned 0x700000 [0159.641] GetProcessHeap () returned 0x700000 [0159.641] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x707578) returned 1 [0159.641] GetProcessHeap () returned 0x700000 [0159.641] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x707578) returned 0x10 [0159.642] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x707578 | out: hHeap=0x700000) returned 1 [0159.642] GetProcessHeap () returned 0x700000 [0159.642] GetProcessHeap () returned 0x700000 [0159.642] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c218) returned 1 [0159.642] GetProcessHeap () returned 0x700000 [0159.642] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c218) returned 0x14 [0159.642] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c218 | out: hHeap=0x700000) returned 1 [0159.642] GetProcessHeap () returned 0x700000 [0159.642] GetProcessHeap () returned 0x700000 [0159.642] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70e228) returned 1 [0159.642] GetProcessHeap () returned 0x700000 [0159.642] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70e228) returned 0x200 [0159.642] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70e228 | out: hHeap=0x700000) returned 1 [0159.642] GetProcessHeap () returned 0x700000 [0159.642] GetProcessHeap () returned 0x700000 [0159.643] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70cf98) returned 1 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70cf98) returned 0x10 [0159.643] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70cf98 | out: hHeap=0x700000) returned 1 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c2b8) returned 1 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c2b8) returned 0x14 [0159.643] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c2b8 | out: hHeap=0x700000) returned 1 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x706cf0) returned 1 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x706cf0) returned 0x2 [0159.643] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x706cf0 | out: hHeap=0x700000) returned 1 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x708670) returned 1 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x708670) returned 0x14 [0159.643] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x708670 | out: hHeap=0x700000) returned 1 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x7071b8) returned 1 [0159.643] GetProcessHeap () returned 0x700000 [0159.643] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x7071b8) returned 0x14 [0159.644] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x7071b8 | out: hHeap=0x700000) returned 1 [0159.644] GetProcessHeap () returned 0x700000 [0159.644] GetProcessHeap () returned 0x700000 [0159.644] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x7073c8) returned 1 [0159.644] GetProcessHeap () returned 0x700000 [0159.644] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x7073c8) returned 0x14 [0159.644] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x7073c8 | out: hHeap=0x700000) returned 1 [0159.644] GetProcessHeap () returned 0x700000 [0159.644] GetProcessHeap () returned 0x700000 [0159.644] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x7027f8) returned 1 [0159.645] GetProcessHeap () returned 0x700000 [0159.645] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x7027f8) returned 0x14 [0159.645] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x7027f8 | out: hHeap=0x700000) returned 1 [0159.645] GetProcessHeap () returned 0x700000 [0159.645] GetProcessHeap () returned 0x700000 [0159.645] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c078) returned 1 [0159.645] GetProcessHeap () returned 0x700000 [0159.645] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c078) returned 0x14 [0159.645] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c078 | out: hHeap=0x700000) returned 1 [0159.645] GetProcessHeap () returned 0x700000 [0159.645] GetProcessHeap () returned 0x700000 [0159.645] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c278) returned 1 [0159.645] GetProcessHeap () returned 0x700000 [0159.645] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c278) returned 0x14 [0159.646] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c278 | out: hHeap=0x700000) returned 1 [0159.646] GetProcessHeap () returned 0x700000 [0159.646] GetProcessHeap () returned 0x700000 [0159.646] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x7083f8) returned 1 [0159.646] GetProcessHeap () returned 0x700000 [0159.646] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x7083f8) returned 0x30 [0159.646] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x7083f8 | out: hHeap=0x700000) returned 1 [0159.646] GetProcessHeap () returned 0x700000 [0159.646] GetProcessHeap () returned 0x700000 [0159.646] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c2d8) returned 1 [0159.646] GetProcessHeap () returned 0x700000 [0159.646] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c2d8) returned 0x14 [0159.646] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c2d8 | out: hHeap=0x700000) returned 1 [0159.646] GetProcessHeap () returned 0x700000 [0159.647] GetProcessHeap () returned 0x700000 [0159.647] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x7036a8) returned 1 [0159.647] GetProcessHeap () returned 0x700000 [0159.647] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x7036a8) returned 0x24 [0159.647] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x7036a8 | out: hHeap=0x700000) returned 1 [0159.647] GetProcessHeap () returned 0x700000 [0159.647] GetProcessHeap () returned 0x700000 [0159.647] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c1d8) returned 1 [0159.647] GetProcessHeap () returned 0x700000 [0159.647] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c1d8) returned 0x14 [0159.647] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c1d8 | out: hHeap=0x700000) returned 1 [0159.647] GetProcessHeap () returned 0x700000 [0159.647] GetProcessHeap () returned 0x700000 [0159.647] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x707008) returned 1 [0159.648] GetProcessHeap () returned 0x700000 [0159.648] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x707008) returned 0x4c [0159.648] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x707008 | out: hHeap=0x700000) returned 1 [0159.648] GetProcessHeap () returned 0x700000 [0159.648] GetProcessHeap () returned 0x700000 [0159.648] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c118) returned 1 [0159.648] GetProcessHeap () returned 0x700000 [0159.648] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c118) returned 0x14 [0159.648] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c118 | out: hHeap=0x700000) returned 1 [0159.648] GetProcessHeap () returned 0x700000 [0159.648] GetProcessHeap () returned 0x700000 [0159.648] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x7074e8) returned 1 [0159.648] GetProcessHeap () returned 0x700000 [0159.648] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x7074e8) returned 0x10 [0159.648] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x7074e8 | out: hHeap=0x700000) returned 1 [0159.648] GetProcessHeap () returned 0x700000 [0159.648] GetProcessHeap () returned 0x700000 [0159.648] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x703588) returned 1 [0159.648] GetProcessHeap () returned 0x700000 [0159.648] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x703588) returned 0x14 [0159.649] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x703588 | out: hHeap=0x700000) returned 1 [0159.649] GetProcessHeap () returned 0x700000 [0159.649] GetProcessHeap () returned 0x700000 [0159.649] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x706f80) returned 1 [0159.649] GetProcessHeap () returned 0x700000 [0159.649] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x706f80) returned 0x14 [0159.649] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x706f80 | out: hHeap=0x700000) returned 1 [0159.649] GetProcessHeap () returned 0x700000 [0159.649] GetProcessHeap () returned 0x700000 [0159.649] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x706fa0) returned 1 [0159.649] GetProcessHeap () returned 0x700000 [0159.649] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x706fa0) returned 0x14 [0159.649] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x706fa0 | out: hHeap=0x700000) returned 1 [0159.649] GetProcessHeap () returned 0x700000 [0159.649] GetProcessHeap () returned 0x700000 [0159.649] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x706fc0) returned 1 [0159.649] GetProcessHeap () returned 0x700000 [0159.649] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x706fc0) returned 0x14 [0159.649] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x706fc0 | out: hHeap=0x700000) returned 1 [0159.649] GetProcessHeap () returned 0x700000 [0159.649] GetProcessHeap () returned 0x700000 [0159.649] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x707470) returned 1 [0159.649] GetProcessHeap () returned 0x700000 [0159.649] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x707470) returned 0x10 [0159.649] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x707470 | out: hHeap=0x700000) returned 1 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x707a38) returned 1 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x707a38) returned 0x14 [0159.650] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x707a38 | out: hHeap=0x700000) returned 1 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c298) returned 1 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c298) returned 0x14 [0159.650] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c298 | out: hHeap=0x700000) returned 1 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c1f8) returned 1 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c1f8) returned 0x14 [0159.650] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c1f8 | out: hHeap=0x700000) returned 1 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c158) returned 1 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c158) returned 0x14 [0159.650] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c158 | out: hHeap=0x700000) returned 1 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] GetProcessHeap () returned 0x700000 [0159.650] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c0b8) returned 1 [0159.650] GetProcessHeap () returned 0x700000 [0159.651] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c0b8) returned 0x14 [0159.651] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c0b8 | out: hHeap=0x700000) returned 1 [0159.651] GetProcessHeap () returned 0x700000 [0159.651] GetProcessHeap () returned 0x700000 [0159.651] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c0f8) returned 1 [0159.651] GetProcessHeap () returned 0x700000 [0159.651] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c0f8) returned 0x14 [0159.651] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c0f8 | out: hHeap=0x700000) returned 1 [0159.651] GetProcessHeap () returned 0x700000 [0159.651] GetProcessHeap () returned 0x700000 [0159.651] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c0d8) returned 1 [0159.651] GetProcessHeap () returned 0x700000 [0159.651] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c0d8) returned 0x14 [0159.651] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c0d8 | out: hHeap=0x700000) returned 1 [0159.651] GetProcessHeap () returned 0x700000 [0159.651] GetProcessHeap () returned 0x700000 [0159.651] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c338) returned 1 [0159.651] GetProcessHeap () returned 0x700000 [0159.651] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c338) returned 0x14 [0159.651] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c338 | out: hHeap=0x700000) returned 1 [0159.651] GetProcessHeap () returned 0x700000 [0159.651] GetProcessHeap () returned 0x700000 [0159.651] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70c1b8) returned 1 [0159.651] GetProcessHeap () returned 0x700000 [0159.651] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70c1b8) returned 0x14 [0159.651] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70c1b8 | out: hHeap=0x700000) returned 1 [0159.652] GetProcessHeap () returned 0x700000 [0159.652] GetProcessHeap () returned 0x700000 [0159.652] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x707518) returned 1 [0159.652] GetProcessHeap () returned 0x700000 [0159.652] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x707518) returned 0x10 [0159.652] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x707518 | out: hHeap=0x700000) returned 1 [0159.652] GetProcessHeap () returned 0x700000 [0159.652] GetProcessHeap () returned 0x700000 [0159.652] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x70bfb8) returned 1 [0159.652] GetProcessHeap () returned 0x700000 [0159.652] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x70bfb8) returned 0x14 [0159.652] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x70bfb8 | out: hHeap=0x700000) returned 1 [0159.652] GetProcessHeap () returned 0x700000 [0159.652] GetProcessHeap () returned 0x700000 [0159.652] HeapValidate (hHeap=0x700000, dwFlags=0x0, lpMem=0x7074b8) returned 1 [0159.652] GetProcessHeap () returned 0x700000 [0159.652] RtlSizeHeap (HeapHandle=0x700000, Flags=0x0, MemoryPointer=0x7074b8) returned 0x10 [0159.652] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x7074b8 | out: hHeap=0x700000) returned 1 [0159.652] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0159.653] exit (_Code=0) Thread: id = 110 os_tid = 0x1090 Process: id = "9" image_name = "svchost.exe" filename = "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\svchost.exe" page_root = "0x72df8000" os_pid = "0xc40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xcb4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe\" " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1105 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1106 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1107 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1108 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1109 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1110 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1111 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1112 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1113 start_va = 0x400000 end_va = 0x411fff monitored = 1 entry_point = 0x40d0ae region_type = mapped_file name = "svchost.exe" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\svchost.exe") Region: id = 1114 start_va = 0x771d0000 end_va = 0x7734afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1115 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1116 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1117 start_va = 0x7fff0000 end_va = 0x7ffa1676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1118 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1119 start_va = 0x7ffa16931000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffa16931000" filename = "" Region: id = 1121 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1122 start_va = 0x420000 end_va = 0x556fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 1123 start_va = 0x560000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1124 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1125 start_va = 0x640d0000 end_va = 0x6411ffff monitored = 0 entry_point = 0x640e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1126 start_va = 0x64050000 end_va = 0x640c9fff monitored = 0 entry_point = 0x64063290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1127 start_va = 0x76720000 end_va = 0x767fffff monitored = 0 entry_point = 0x76733980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1128 start_va = 0x64120000 end_va = 0x64127fff monitored = 0 entry_point = 0x641217c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1129 start_va = 0x700000 end_va = 0x8b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1130 start_va = 0x8c0000 end_va = 0xabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 1131 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 1132 start_va = 0x71e20000 end_va = 0x71e78fff monitored = 1 entry_point = 0x71e30780 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 1133 start_va = 0x76720000 end_va = 0x767fffff monitored = 0 entry_point = 0x76733980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1134 start_va = 0x76910000 end_va = 0x76a8dfff monitored = 0 entry_point = 0x769c1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1135 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1136 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1137 start_va = 0x420000 end_va = 0x4ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1138 start_va = 0x550000 end_va = 0x556fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1139 start_va = 0x700000 end_va = 0x853fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1140 start_va = 0x8b0000 end_va = 0x8b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 1141 start_va = 0xa00000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 1142 start_va = 0xa00000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 1143 start_va = 0x76600000 end_va = 0x7667afff monitored = 0 entry_point = 0x7661e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1144 start_va = 0x76a90000 end_va = 0x76b4dfff monitored = 0 entry_point = 0x76ac5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1145 start_va = 0x4e0000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 1146 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1147 start_va = 0x850000 end_va = 0x853fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 1148 start_va = 0x76cb0000 end_va = 0x76cf3fff monitored = 0 entry_point = 0x76cc9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1149 start_va = 0x76c00000 end_va = 0x76cacfff monitored = 0 entry_point = 0x76c14f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1150 start_va = 0x73f00000 end_va = 0x73f1dfff monitored = 0 entry_point = 0x73f0b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1151 start_va = 0x73ef0000 end_va = 0x73ef9fff monitored = 0 entry_point = 0x73ef2a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1152 start_va = 0x76840000 end_va = 0x76897fff monitored = 0 entry_point = 0x768825c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1153 start_va = 0xb00000 end_va = 0xc63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 1154 start_va = 0xc70000 end_va = 0xe6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 1155 start_va = 0xd00000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 1156 start_va = 0x71da0000 end_va = 0x71e1cfff monitored = 1 entry_point = 0x71db0db0 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 1157 start_va = 0x76d00000 end_va = 0x76d44fff monitored = 0 entry_point = 0x76d1de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1158 start_va = 0x762b0000 end_va = 0x7646cfff monitored = 0 entry_point = 0x76392a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1159 start_va = 0x74ab0000 end_va = 0x74bfefff monitored = 0 entry_point = 0x74b66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1160 start_va = 0x743d0000 end_va = 0x74516fff monitored = 0 entry_point = 0x743e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1161 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1162 start_va = 0xe00000 end_va = 0xf87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 1163 start_va = 0x741b0000 end_va = 0x741dafff monitored = 0 entry_point = 0x741b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1164 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1165 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1166 start_va = 0xf90000 end_va = 0x1110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 1167 start_va = 0x1120000 end_va = 0x251ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001120000" filename = "" Region: id = 1168 start_va = 0x1d0000 end_va = 0x1dbfff monitored = 1 entry_point = 0x1dd0ae region_type = mapped_file name = "svchost.exe" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\svchost.exe") Region: id = 1169 start_va = 0x76d50000 end_va = 0x76d5bfff monitored = 0 entry_point = 0x76d53930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1170 start_va = 0x72050000 end_va = 0x72057fff monitored = 0 entry_point = 0x720517b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1171 start_va = 0x2520000 end_va = 0x2c00fff monitored = 1 entry_point = 0x254cd70 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 1172 start_va = 0x6ed60000 end_va = 0x6f440fff monitored = 1 entry_point = 0x6ed8cd70 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 1173 start_va = 0x71ca0000 end_va = 0x71d94fff monitored = 0 entry_point = 0x71cf4160 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll") Region: id = 1174 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1175 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1176 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1177 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 1178 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1179 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1180 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1181 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1182 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1183 start_va = 0xb00000 end_va = 0xba3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 1184 start_va = 0xc60000 end_va = 0xc63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 1185 start_va = 0x2520000 end_va = 0x26a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002520000" filename = "" Region: id = 1186 start_va = 0x26b0000 end_va = 0x28affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026b0000" filename = "" Region: id = 1187 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1188 start_va = 0x590000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 1189 start_va = 0x2520000 end_va = 0x261ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002520000" filename = "" Region: id = 1190 start_va = 0x26a0000 end_va = 0x26a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 1191 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1192 start_va = 0x2800000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 1193 start_va = 0xb00000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 1194 start_va = 0xba0000 end_va = 0xba3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 1195 start_va = 0x800000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 1196 start_va = 0x4800000 end_va = 0x48fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 1197 start_va = 0x4900000 end_va = 0x4c36fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1199 start_va = 0x6daa0000 end_va = 0x6ed51fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll") Region: id = 1200 start_va = 0x74dc0000 end_va = 0x74eaafff monitored = 0 entry_point = 0x74dfd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1201 start_va = 0xbb0000 end_va = 0xc40fff monitored = 0 entry_point = 0xbe8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1202 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1203 start_va = 0x71c20000 end_va = 0x71c9ffff monitored = 1 entry_point = 0x71c21180 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 1204 start_va = 0x76680000 end_va = 0x76711fff monitored = 0 entry_point = 0x766b8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1205 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 1206 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1207 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1208 start_va = 0x6d0d0000 end_va = 0x6da9bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\1be7a15b1f33bf22e4f53aaf45518c77\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\1be7a15b1f33bf22e4f53aaf45518c77\\system.ni.dll") Region: id = 1209 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1210 start_va = 0x70010000 end_va = 0x70022fff monitored = 0 entry_point = 0x70019950 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1211 start_va = 0x72860000 end_va = 0x7288efff monitored = 0 entry_point = 0x728795e0 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1212 start_va = 0x70350000 end_va = 0x7036afff monitored = 0 entry_point = 0x70359050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1213 start_va = 0x4d00000 end_va = 0x4dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d00000" filename = "" Region: id = 1214 start_va = 0x6c9a0000 end_va = 0x6d0c0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\eb4cca4f06a15158c3f7e2c56516729b\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\eb4cca4f06a15158c3f7e2c56516729b\\system.core.ni.dll") Region: id = 1215 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1216 start_va = 0x4e00000 end_va = 0x4ee3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e00000" filename = "" Region: id = 1217 start_va = 0x4ef0000 end_va = 0x50effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ef0000" filename = "" Region: id = 1218 start_va = 0x4f00000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 1219 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1220 start_va = 0x73f90000 end_va = 0x74107fff monitored = 0 entry_point = 0x73fe8a90 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1221 start_va = 0x764c0000 end_va = 0x764cdfff monitored = 0 entry_point = 0x764c5410 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1222 start_va = 0x840000 end_va = 0x849fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui") Region: id = 1223 start_va = 0x73f20000 end_va = 0x73f2efff monitored = 0 entry_point = 0x73f22e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1224 start_va = 0x74eb0000 end_va = 0x762aefff monitored = 0 entry_point = 0x7506b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1225 start_va = 0x76800000 end_va = 0x76836fff monitored = 0 entry_point = 0x76803b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1226 start_va = 0x745b0000 end_va = 0x74aa8fff monitored = 0 entry_point = 0x747b7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1227 start_va = 0x74520000 end_va = 0x745acfff monitored = 0 entry_point = 0x74569b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1228 start_va = 0x76470000 end_va = 0x764b3fff monitored = 0 entry_point = 0x76477410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1229 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 1230 start_va = 0x5e430000 end_va = 0x5e4cbfff monitored = 1 entry_point = 0x5e4be9a6 region_type = mapped_file name = "microsoft.visualbasic.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll") Region: id = 1231 start_va = 0xbb0000 end_va = 0xc4bfff monitored = 1 entry_point = 0xc3e9a6 region_type = mapped_file name = "microsoft.visualbasic.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll") Region: id = 1232 start_va = 0x870000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1233 start_va = 0x764d0000 end_va = 0x764d5fff monitored = 0 entry_point = 0x764d1460 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 1234 start_va = 0x870000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1235 start_va = 0x880000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 1236 start_va = 0x71b20000 end_va = 0x71c10fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\fe4b221b4109f0c78f57a792500699b5\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.configuration\\fe4b221b4109f0c78f57a792500699b5\\system.configuration.ni.dll") Region: id = 1237 start_va = 0x6c280000 end_va = 0x6c99dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\4fbda26d781323081b45526da6e87b35\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\4fbda26d781323081b45526da6e87b35\\system.xml.ni.dll") Region: id = 1238 start_va = 0x73f30000 end_va = 0x73f8efff monitored = 0 entry_point = 0x73f34af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1239 start_va = 0x70210000 end_va = 0x7025efff monitored = 0 entry_point = 0x7021d850 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Thread: id = 111 os_tid = 0xb1c [0163.751] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0163.760] RoInitialize () returned 0x1 [0163.760] RoUninitialize () returned 0x0 [0170.593] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x95c5b0) returned 1 [0170.596] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x1 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.597] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.597] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x1 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.598] CoTaskMemFree (pv=0x943248) [0170.598] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.598] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.598] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.598] CoTaskMemFree (pv=0x943248) [0170.598] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.598] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.598] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.598] CoTaskMemFree (pv=0x943248) [0170.598] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.598] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.598] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.598] CoTaskMemFree (pv=0x943248) [0170.598] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.599] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.599] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.599] CoTaskMemFree (pv=0x943248) [0170.599] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.599] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.599] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.599] CoTaskMemFree (pv=0x943248) [0170.599] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.599] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.599] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.599] CoTaskMemFree (pv=0x943248) [0170.599] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.599] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.599] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.599] CoTaskMemFree (pv=0x943248) [0170.599] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.599] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.599] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.599] CoTaskMemFree (pv=0x943248) [0170.599] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.599] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.599] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.599] CoTaskMemFree (pv=0x943248) [0170.599] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemFree (pv=0x943248) [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemFree (pv=0x943248) [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemFree (pv=0x943248) [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemFree (pv=0x943248) [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemFree (pv=0x943248) [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemFree (pv=0x943248) [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.600] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.600] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.601] CoTaskMemFree (pv=0x943248) [0170.601] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.601] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.601] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.601] CoTaskMemFree (pv=0x943248) [0170.601] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.601] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.601] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.601] CoTaskMemFree (pv=0x943248) [0170.601] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1 [0170.601] CoTaskMemAlloc (cb=0x20) returned 0x943248 [0170.601] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x943248, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x943248, pdwDataLen=0x19f3bc) returned 1 [0170.601] CoTaskMemFree (pv=0x943248) [0170.601] CryptGetProvParam (in: hProv=0x95c5b0, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 0 [0170.604] CryptImportKey (in: hProv=0x95c5b0, pbData=0x28d82d8, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x91a9d8) returned 1 [0170.605] CryptContextAddRef (hProv=0x95c5b0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.614] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x19f3e8 | out: pfEnabled=0x19f3e8) returned 0x0 [0170.620] CryptContextAddRef (hProv=0x95c5b0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.620] CryptDuplicateKey (in: hKey=0x91a9d8, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x91a8f8) returned 1 [0170.620] CryptContextAddRef (hProv=0x95c5b0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.621] CryptSetKeyParam (hKey=0x91a8f8, dwParam=0x4, pbData=0x28d8cb8*=0x1, dwFlags=0x0) returned 1 [0170.621] CryptSetKeyParam (hKey=0x91a8f8, dwParam=0x1, pbData=0x28d8c84, dwFlags=0x0) returned 1 [0170.623] CryptDecrypt (in: hKey=0x91a8f8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28d8d98, pdwDataLen=0x19f3f8 | out: pbData=0x28d8d98, pdwDataLen=0x19f3f8) returned 1 [0170.643] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x19de18 | out: phkResult=0x19de18*=0x0) returned 0x2 [0170.645] CryptDecrypt (in: hKey=0x91a8f8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28d8ea8, pdwDataLen=0x19f3f8 | out: pbData=0x28d8ea8, pdwDataLen=0x19f3f8) returned 0 [0170.646] CryptDestroyKey (hKey=0x91a9d8) returned 1 [0170.646] CryptReleaseContext (hProv=0x95c5b0, dwFlags=0x0) returned 1 [0170.646] CryptReleaseContext (hProv=0x95c5b0, dwFlags=0x0) returned 1 [0170.646] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x95c530) returned 1 [0170.647] CryptImportKey (in: hProv=0x95c530, pbData=0x28da778, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x91a968) returned 1 [0170.647] CryptContextAddRef (hProv=0x95c530, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.647] CryptContextAddRef (hProv=0x95c530, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.647] CryptDuplicateKey (in: hKey=0x91a968, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x91a9d8) returned 1 [0170.647] CryptContextAddRef (hProv=0x95c530, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.647] CryptSetKeyParam (hKey=0x91a9d8, dwParam=0x4, pbData=0x28daee0*=0x1, dwFlags=0x0) returned 1 [0170.647] CryptSetKeyParam (hKey=0x91a9d8, dwParam=0x1, pbData=0x28daeac, dwFlags=0x0) returned 1 [0170.647] CryptDecrypt (in: hKey=0x91a9d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28dafc4, pdwDataLen=0x19f3c8 | out: pbData=0x28dafc4, pdwDataLen=0x19f3c8) returned 1 [0170.648] CryptDecrypt (in: hKey=0x91a9d8, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28db00c, pdwDataLen=0x19f3f8 | out: pbData=0x28db00c, pdwDataLen=0x19f3f8) returned 1 [0170.648] CryptDecrypt (in: hKey=0x91a9d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28db03c, pdwDataLen=0x19f3f8 | out: pbData=0x28db03c, pdwDataLen=0x19f3f8) returned 0 [0170.648] CryptDestroyKey (hKey=0x91a968) returned 1 [0170.648] CryptReleaseContext (hProv=0x95c530, dwFlags=0x0) returned 1 [0170.648] CryptReleaseContext (hProv=0x95c530, dwFlags=0x0) returned 1 [0170.648] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x95c630) returned 1 [0170.649] CryptImportKey (in: hProv=0x95c630, pbData=0x28db1c8, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x91a738) returned 1 [0170.649] CryptContextAddRef (hProv=0x95c630, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.649] CryptContextAddRef (hProv=0x95c630, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.649] CryptDuplicateKey (in: hKey=0x91a738, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x91a968) returned 1 [0170.649] CryptContextAddRef (hProv=0x95c630, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.649] CryptSetKeyParam (hKey=0x91a968, dwParam=0x4, pbData=0x28db920*=0x1, dwFlags=0x0) returned 1 [0170.649] CryptSetKeyParam (hKey=0x91a968, dwParam=0x1, pbData=0x28db8ec, dwFlags=0x0) returned 1 [0170.649] CryptDecrypt (in: hKey=0x91a968, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28dba00, pdwDataLen=0x19f3f8 | out: pbData=0x28dba00, pdwDataLen=0x19f3f8) returned 1 [0170.650] CryptDecrypt (in: hKey=0x91a968, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dba30, pdwDataLen=0x19f3f8 | out: pbData=0x28dba30, pdwDataLen=0x19f3f8) returned 0 [0170.650] CryptDestroyKey (hKey=0x91a738) returned 1 [0170.650] CryptReleaseContext (hProv=0x95c630, dwFlags=0x0) returned 1 [0170.650] CryptReleaseContext (hProv=0x95c630, dwFlags=0x0) returned 1 [0170.650] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x95c4b0) returned 1 [0170.650] CryptImportKey (in: hProv=0x95c4b0, pbData=0x28dbb8c, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x91a738) returned 1 [0170.651] CryptContextAddRef (hProv=0x95c4b0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.651] CryptContextAddRef (hProv=0x95c4b0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.651] CryptDuplicateKey (in: hKey=0x91a738, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x91ac78) returned 1 [0170.651] CryptContextAddRef (hProv=0x95c4b0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.651] CryptSetKeyParam (hKey=0x91ac78, dwParam=0x4, pbData=0x28dc2e4*=0x1, dwFlags=0x0) returned 1 [0170.651] CryptSetKeyParam (hKey=0x91ac78, dwParam=0x1, pbData=0x28dc2b0, dwFlags=0x0) returned 1 [0170.652] CryptDecrypt (in: hKey=0x91ac78, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28dc3c4, pdwDataLen=0x19f3f8 | out: pbData=0x28dc3c4, pdwDataLen=0x19f3f8) returned 1 [0170.652] CryptDecrypt (in: hKey=0x91ac78, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dc3f0, pdwDataLen=0x19f3f8 | out: pbData=0x28dc3f0, pdwDataLen=0x19f3f8) returned 0 [0170.652] CryptDestroyKey (hKey=0x91a738) returned 1 [0170.652] CryptReleaseContext (hProv=0x95c4b0, dwFlags=0x0) returned 1 [0170.652] CryptReleaseContext (hProv=0x95c4b0, dwFlags=0x0) returned 1 [0170.652] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x95c030) returned 1 [0170.653] CryptImportKey (in: hProv=0x95c030, pbData=0x28dc554, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x91a738) returned 1 [0170.653] CryptContextAddRef (hProv=0x95c030, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.653] CryptContextAddRef (hProv=0x95c030, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.653] CryptDuplicateKey (in: hKey=0x91a738, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x91ad90) returned 1 [0170.653] CryptContextAddRef (hProv=0x95c030, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.653] CryptSetKeyParam (hKey=0x91ad90, dwParam=0x4, pbData=0x28dccbc*=0x1, dwFlags=0x0) returned 1 [0170.653] CryptSetKeyParam (hKey=0x91ad90, dwParam=0x1, pbData=0x28dcc88, dwFlags=0x0) returned 1 [0170.653] CryptDecrypt (in: hKey=0x91ad90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28dcda0, pdwDataLen=0x19f3c8 | out: pbData=0x28dcda0, pdwDataLen=0x19f3c8) returned 1 [0170.653] CryptDecrypt (in: hKey=0x91ad90, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28dcde8, pdwDataLen=0x19f3f8 | out: pbData=0x28dcde8, pdwDataLen=0x19f3f8) returned 1 [0170.654] CryptDecrypt (in: hKey=0x91ad90, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dce14, pdwDataLen=0x19f3f8 | out: pbData=0x28dce14, pdwDataLen=0x19f3f8) returned 0 [0170.654] CryptDestroyKey (hKey=0x91a738) returned 1 [0170.654] CryptReleaseContext (hProv=0x95c030, dwFlags=0x0) returned 1 [0170.654] CryptReleaseContext (hProv=0x95c030, dwFlags=0x0) returned 1 [0170.654] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x95c330) returned 1 [0170.654] CryptImportKey (in: hProv=0x95c330, pbData=0x28dcf98, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x91a738) returned 1 [0170.654] CryptContextAddRef (hProv=0x95c330, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.655] CryptContextAddRef (hProv=0x95c330, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.655] CryptDuplicateKey (in: hKey=0x91a738, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x91ad20) returned 1 [0170.655] CryptContextAddRef (hProv=0x95c330, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.655] CryptSetKeyParam (hKey=0x91ad20, dwParam=0x4, pbData=0x28dd6f0*=0x1, dwFlags=0x0) returned 1 [0170.655] CryptSetKeyParam (hKey=0x91ad20, dwParam=0x1, pbData=0x28dd6bc, dwFlags=0x0) returned 1 [0170.655] CryptDecrypt (in: hKey=0x91ad20, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28dd7d0, pdwDataLen=0x19f3f8 | out: pbData=0x28dd7d0, pdwDataLen=0x19f3f8) returned 1 [0170.655] CryptDecrypt (in: hKey=0x91ad20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28dd7fc, pdwDataLen=0x19f3f8 | out: pbData=0x28dd7fc, pdwDataLen=0x19f3f8) returned 0 [0170.655] CryptDestroyKey (hKey=0x91a738) returned 1 [0170.655] CryptReleaseContext (hProv=0x95c330, dwFlags=0x0) returned 1 [0170.655] CryptReleaseContext (hProv=0x95c330, dwFlags=0x0) returned 1 [0170.655] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x95c230) returned 1 [0170.656] CryptImportKey (in: hProv=0x95c230, pbData=0x28dd950, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x91a738) returned 1 [0170.656] CryptContextAddRef (hProv=0x95c230, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.657] CryptContextAddRef (hProv=0x95c230, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.657] CryptDuplicateKey (in: hKey=0x91a738, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x91ab98) returned 1 [0170.657] CryptContextAddRef (hProv=0x95c230, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.657] CryptSetKeyParam (hKey=0x91ab98, dwParam=0x4, pbData=0x28de0a8*=0x1, dwFlags=0x0) returned 1 [0170.658] CryptSetKeyParam (hKey=0x91ab98, dwParam=0x1, pbData=0x28de074, dwFlags=0x0) returned 1 [0170.658] CryptDecrypt (in: hKey=0x91ab98, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28de188, pdwDataLen=0x19f3f8 | out: pbData=0x28de188, pdwDataLen=0x19f3f8) returned 1 [0170.658] CryptDecrypt (in: hKey=0x91ab98, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28de1b8, pdwDataLen=0x19f3f8 | out: pbData=0x28de1b8, pdwDataLen=0x19f3f8) returned 0 [0170.658] CryptDestroyKey (hKey=0x91a738) returned 1 [0170.658] CryptReleaseContext (hProv=0x95c230, dwFlags=0x0) returned 1 [0170.658] CryptReleaseContext (hProv=0x95c230, dwFlags=0x0) returned 1 [0170.658] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x95c430) returned 1 [0170.659] CryptImportKey (in: hProv=0x95c430, pbData=0x28de310, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x91a738) returned 1 [0170.659] CryptContextAddRef (hProv=0x95c430, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.660] CryptContextAddRef (hProv=0x95c430, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.660] CryptDuplicateKey (in: hKey=0x91a738, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x91ae00) returned 1 [0170.660] CryptContextAddRef (hProv=0x95c430, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.660] CryptSetKeyParam (hKey=0x91ae00, dwParam=0x4, pbData=0x28dea68*=0x1, dwFlags=0x0) returned 1 [0170.660] CryptSetKeyParam (hKey=0x91ae00, dwParam=0x1, pbData=0x28dea34, dwFlags=0x0) returned 1 [0170.660] CryptDecrypt (in: hKey=0x91ae00, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28deb48, pdwDataLen=0x19f3f8 | out: pbData=0x28deb48, pdwDataLen=0x19f3f8) returned 1 [0170.660] CryptDecrypt (in: hKey=0x91ae00, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28deb78, pdwDataLen=0x19f3f8 | out: pbData=0x28deb78, pdwDataLen=0x19f3f8) returned 0 [0170.660] CryptDestroyKey (hKey=0x91a738) returned 1 [0170.660] CryptReleaseContext (hProv=0x95c430, dwFlags=0x0) returned 1 [0170.660] CryptReleaseContext (hProv=0x95c430, dwFlags=0x0) returned 1 [0170.660] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x95c2b0) returned 1 [0170.661] CryptImportKey (in: hProv=0x95c2b0, pbData=0x28decd0, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x91a738) returned 1 [0170.661] CryptContextAddRef (hProv=0x95c2b0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.661] CryptContextAddRef (hProv=0x95c2b0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.661] CryptDuplicateKey (in: hKey=0x91a738, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x91ab28) returned 1 [0170.661] CryptContextAddRef (hProv=0x95c2b0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.661] CryptSetKeyParam (hKey=0x91ab28, dwParam=0x4, pbData=0x28df428*=0x1, dwFlags=0x0) returned 1 [0170.661] CryptSetKeyParam (hKey=0x91ab28, dwParam=0x1, pbData=0x28df3f4, dwFlags=0x0) returned 1 [0170.661] CryptDecrypt (in: hKey=0x91ab28, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28df508, pdwDataLen=0x19f3f8 | out: pbData=0x28df508, pdwDataLen=0x19f3f8) returned 1 [0170.662] CryptDecrypt (in: hKey=0x91ab28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28df538, pdwDataLen=0x19f3f8 | out: pbData=0x28df538, pdwDataLen=0x19f3f8) returned 0 [0170.662] CryptDestroyKey (hKey=0x91a738) returned 1 [0170.662] CryptReleaseContext (hProv=0x95c2b0, dwFlags=0x0) returned 1 [0170.662] CryptReleaseContext (hProv=0x95c2b0, dwFlags=0x0) returned 1 [0170.675] GetUserNameW (in: lpBuffer=0x19f20c, pcbBuffer=0x19f484 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x19f484) returned 1 [0170.682] GetComputerNameW (in: lpBuffer=0x19f20c, nSize=0x19f484 | out: lpBuffer="XC64ZB", nSize=0x19f484) returned 1 [0170.683] CoTaskMemAlloc (cb=0x20c) returned 0x951c68 [0170.683] GetSystemDirectoryW (in: lpBuffer=0x951c68, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0170.683] CoTaskMemFree (pv=0x951c68) [0170.687] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x19eea4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0170.690] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f440) returned 1 [0170.690] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x19f46c, lpTotalNumberOfBytes=0x19f464, lpTotalNumberOfFreeBytes=0x19f45c | out: lpFreeBytesAvailableToCaller=0x19f46c, lpTotalNumberOfBytes=0x19f464, lpTotalNumberOfFreeBytes=0x19f45c) returned 1 [0170.690] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f43c) returned 1 [0170.716] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x95c730) returned 1 [0170.717] CryptImportKey (in: hProv=0x95c730, pbData=0x28e1604, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x91ac08) returned 1 [0170.717] CryptContextAddRef (hProv=0x95c730, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.718] CryptContextAddRef (hProv=0x95c730, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.718] CryptDuplicateKey (in: hKey=0x91ac08, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x91ac40) returned 1 [0170.718] CryptContextAddRef (hProv=0x95c730, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.718] CryptSetKeyParam (hKey=0x91ac40, dwParam=0x4, pbData=0x28e22bc*=0x1, dwFlags=0x0) returned 1 [0170.718] CryptSetKeyParam (hKey=0x91ac40, dwParam=0x1, pbData=0x28e2288, dwFlags=0x0) returned 1 [0170.718] CryptDecrypt (in: hKey=0x91ac40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28e28c0, pdwDataLen=0x19f3c8 | out: pbData=0x28e28c0, pdwDataLen=0x19f3c8) returned 1 [0170.718] CryptDecrypt (in: hKey=0x91ac40, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28e2b98, pdwDataLen=0x19f3f8 | out: pbData=0x28e2b98, pdwDataLen=0x19f3f8) returned 1 [0170.718] CryptDecrypt (in: hKey=0x91ac40, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28e2bcc, pdwDataLen=0x19f3f8 | out: pbData=0x28e2bcc, pdwDataLen=0x19f3f8) returned 0 [0170.718] CryptDestroyKey (hKey=0x91ac08) returned 1 [0170.719] CryptReleaseContext (hProv=0x95c730, dwFlags=0x0) returned 1 [0170.719] CryptReleaseContext (hProv=0x95c730, dwFlags=0x0) returned 1 [0170.719] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x95c3b0) returned 1 [0170.719] CryptImportKey (in: hProv=0x95c3b0, pbData=0x28e3c28, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x91ac08) returned 1 [0170.719] CryptContextAddRef (hProv=0x95c3b0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.721] CryptContextAddRef (hProv=0x95c3b0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.721] CryptDuplicateKey (in: hKey=0x91ac08, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x91af50) returned 1 [0170.721] CryptContextAddRef (hProv=0x95c3b0, pdwReserved=0x0, dwFlags=0x0) returned 1 [0170.721] CryptSetKeyParam (hKey=0x91af50, dwParam=0x4, pbData=0x28e50e0*=0x1, dwFlags=0x0) returned 1 [0170.721] CryptSetKeyParam (hKey=0x91af50, dwParam=0x1, pbData=0x28e50ac, dwFlags=0x0) returned 1 [0170.721] CryptDecrypt (in: hKey=0x91af50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28e5ee4, pdwDataLen=0x19f3c8 | out: pbData=0x28e5ee4, pdwDataLen=0x19f3c8) returned 1 [0170.721] CryptDecrypt (in: hKey=0x91af50, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x28e65bc, pdwDataLen=0x19f3f8 | out: pbData=0x28e65bc, pdwDataLen=0x19f3f8) returned 1 [0170.721] CryptDecrypt (in: hKey=0x91af50, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x28e65e4, pdwDataLen=0x19f3f8 | out: pbData=0x28e65e4, pdwDataLen=0x19f3f8) returned 0 [0170.721] CryptDestroyKey (hKey=0x91ac08) returned 1 [0170.721] CryptReleaseContext (hProv=0x95c3b0, dwFlags=0x0) returned 1 [0170.722] CryptReleaseContext (hProv=0x95c3b0, dwFlags=0x0) returned 1 [0170.744] CertDuplicateCertificateContext (pCertContext=0x941650) returned 0x941650 [0170.771] LocalAlloc (uFlags=0x0, uBytes=0x2a) returned 0x963040 [0170.773] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x963040, dwGroupId=0x3) returned 0x0 [0171.685] LocalFree (hMem=0x963040) returned 0x0 [0171.686] LocalAlloc (uFlags=0x0, uBytes=0x2a) returned 0x963040 [0171.686] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x963040, dwGroupId=0x0) returned 0x0 [0171.693] LocalFree (hMem=0x963040) returned 0x0 [0171.695] LocalAlloc (uFlags=0x0, uBytes=0x15) returned 0x914bc0 [0171.695] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x914bc0, dwGroupId=0x0) returned 0x73f9d6c0 [0171.699] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x28e8818, cbEncoded=0x20e, dwFlags=0x0, pvStructInfo=0x0, pcbStructInfo=0x19f434 | out: pvStructInfo=0x0, pcbStructInfo=0x19f434) returned 1 [0171.699] LocalAlloc (uFlags=0x0, uBytes=0x214) returned 0x9549c0 [0171.699] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x28e8818, cbEncoded=0x20e, dwFlags=0x0, pvStructInfo=0x9549c0, pcbStructInfo=0x19f434 | out: pvStructInfo=0x9549c0, pcbStructInfo=0x19f434) returned 1 [0171.700] LocalFree (hMem=0x9549c0) returned 0x0 [0171.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x19eda4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0171.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x19ee08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0171.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f2b0) returned 1 [0171.776] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19f32c | out: lpFileInformation=0x19f32c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0171.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f2ac) returned 1 [0171.827] CoTaskMemAlloc (cb=0x2e) returned 0x963b50 [0171.835] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x963b50, dwGroupId=0x1) returned 0x0 [0171.835] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x963b50, dwGroupId=0x0) returned 0x0 [0171.835] CoTaskMemFree (pv=0x963b50) [0171.845] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="AsyncMutex_6SI8OkPnk") returned 0x2ec [0172.050] ExpandEnvironmentStringsW (in: lpSrc="%AppData%", lpDst=0x19f328, nSize=0x64 | out: lpDst="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x26 [0172.050] ExpandEnvironmentStringsW (in: lpSrc="%AppData%", lpDst=0x19f328, nSize=0x64 | out: lpDst="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x26 [0172.051] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", nBufferLength=0x105, lpBuffer=0x19ef24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe", lpFilePart=0x0) returned 0x31 [0172.053] GetCurrentProcessId () returned 0xc40 [0172.058] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x19ecc4 | out: lpLuid=0x19ecc4*(LowPart=0x14, HighPart=0)) returned 1 [0172.060] GetCurrentProcess () returned 0xffffffff [0172.060] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x19ecc0 | out: TokenHandle=0x19ecc0*=0x2fc) returned 1 [0172.060] AdjustTokenPrivileges (in: TokenHandle=0x2fc, DisableAllPrivileges=0, NewState=0x290a36c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0172.061] CloseHandle (hObject=0x2fc) returned 1 [0172.062] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc40) returned 0x2fc [0172.071] EnumProcessModules (in: hProcess=0x2fc, lphModule=0x290a3b0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x290a3b0, lpcbNeeded=0x19f434) returned 1 [0172.073] GetModuleInformation (in: hProcess=0x2fc, hModule=0x400000, lpmodinfo=0x290a4f0, cb=0xc | out: lpmodinfo=0x290a4f0*(lpBaseOfDll=0x400000, SizeOfImage=0x12000, EntryPoint=0x0)) returned 1 [0172.073] CoTaskMemAlloc (cb=0x804) returned 0x96e020 [0172.073] GetModuleBaseNameW (in: hProcess=0x2fc, hModule=0x400000, lpBaseName=0x96e020, nSize=0x800 | out: lpBaseName="svchost.exe") returned 0xb [0172.074] CoTaskMemFree (pv=0x96e020) [0172.074] CoTaskMemAlloc (cb=0x804) returned 0x96e020 [0172.074] GetModuleFileNameExW (in: hProcess=0x2fc, hModule=0x400000, lpFilename=0x96e020, nSize=0x800 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\svchost.exe")) returned 0x31 [0172.075] CoTaskMemFree (pv=0x96e020) [0172.075] CloseHandle (hObject=0x2fc) returned 1 [0172.087] SetThreadExecutionState (esFlags=0x80000003) returned 0x80000000 [0174.221] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe.config", nBufferLength=0x105, lpBuffer=0x19ed60, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe.config", lpFilePart=0x0) returned 0x38 [0176.170] GetCurrentProcess () returned 0xffffffff [0176.170] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f0c0 | out: TokenHandle=0x19f0c0*=0x2fc) returned 1 [0176.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x19eb58, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e [0176.274] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19f0b8 | out: lpFileInformation=0x19f0b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0176.276] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x19eb24, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0176.276] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19f0c0 | out: lpFileInformation=0x19f0c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0176.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x19eac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0176.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19eff8) returned 1 [0176.277] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x304 [0176.278] GetFileType (hFile=0x304) returned 0x1 [0176.278] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19eff4) returned 1 [0176.278] GetFileType (hFile=0x304) returned 0x1 [0177.072] GetFileSize (in: hFile=0x304, lpFileSizeHigh=0x19f0b4 | out: lpFileSizeHigh=0x19f0b4*=0x0) returned 0x8c8f [0177.072] ReadFile (in: hFile=0x304, lpBuffer=0x290fe40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19f070, lpOverlapped=0x0 | out: lpBuffer=0x290fe40*, lpNumberOfBytesRead=0x19f070*=0x1000, lpOverlapped=0x0) returned 1 [0177.519] ReadFile (in: hFile=0x304, lpBuffer=0x290fe40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ef20, lpOverlapped=0x0 | out: lpBuffer=0x290fe40*, lpNumberOfBytesRead=0x19ef20*=0x1000, lpOverlapped=0x0) returned 1 [0177.520] ReadFile (in: hFile=0x304, lpBuffer=0x290fe40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19edd4, lpOverlapped=0x0 | out: lpBuffer=0x290fe40*, lpNumberOfBytesRead=0x19edd4*=0x1000, lpOverlapped=0x0) returned 1 [0177.521] ReadFile (in: hFile=0x304, lpBuffer=0x290fe40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19edd4, lpOverlapped=0x0 | out: lpBuffer=0x290fe40*, lpNumberOfBytesRead=0x19edd4*=0x1000, lpOverlapped=0x0) returned 1 [0177.521] ReadFile (in: hFile=0x304, lpBuffer=0x290fe40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19edd4, lpOverlapped=0x0 | out: lpBuffer=0x290fe40*, lpNumberOfBytesRead=0x19edd4*=0x1000, lpOverlapped=0x0) returned 1 [0177.521] ReadFile (in: hFile=0x304, lpBuffer=0x290fe40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ed0c, lpOverlapped=0x0 | out: lpBuffer=0x290fe40*, lpNumberOfBytesRead=0x19ed0c*=0x1000, lpOverlapped=0x0) returned 1 [0177.524] ReadFile (in: hFile=0x304, lpBuffer=0x290fe40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ee8c, lpOverlapped=0x0 | out: lpBuffer=0x290fe40*, lpNumberOfBytesRead=0x19ee8c*=0x1000, lpOverlapped=0x0) returned 1 [0177.525] ReadFile (in: hFile=0x304, lpBuffer=0x290fe40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ed9c, lpOverlapped=0x0 | out: lpBuffer=0x290fe40*, lpNumberOfBytesRead=0x19ed9c*=0x1000, lpOverlapped=0x0) returned 1 [0177.525] ReadFile (in: hFile=0x304, lpBuffer=0x290fe40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ed9c, lpOverlapped=0x0 | out: lpBuffer=0x290fe40*, lpNumberOfBytesRead=0x19ed9c*=0xc8f, lpOverlapped=0x0) returned 1 [0177.526] ReadFile (in: hFile=0x304, lpBuffer=0x290fe40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ee5c, lpOverlapped=0x0 | out: lpBuffer=0x290fe40*, lpNumberOfBytesRead=0x19ee5c*=0x0, lpOverlapped=0x0) returned 1 [0177.779] CloseHandle (hObject=0x304) returned 1 [0177.781] GetCurrentProcess () returned 0xffffffff [0177.781] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f204 | out: TokenHandle=0x19f204*=0x304) returned 1 [0177.782] GetCurrentProcess () returned 0xffffffff [0177.782] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f204 | out: TokenHandle=0x19f204*=0x308) returned 1 [0177.782] GetCurrentProcess () returned 0xffffffff [0177.782] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f0c0 | out: TokenHandle=0x19f0c0*=0x30c) returned 1 [0177.782] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\svchost.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19f0b8 | out: lpFileInformation=0x19f0b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0177.810] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe.config", nBufferLength=0x105, lpBuffer=0x19eb24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe.config", lpFilePart=0x0) returned 0x38 [0177.810] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\svchost.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\svchost.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19f0c0 | out: lpFileInformation=0x19f0c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0177.810] GetCurrentProcess () returned 0xffffffff [0177.811] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f204 | out: TokenHandle=0x19f204*=0x310) returned 1 [0177.811] GetCurrentProcess () returned 0xffffffff [0177.811] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f204 | out: TokenHandle=0x19f204*=0x314) returned 1 [0177.827] GetCurrentProcess () returned 0xffffffff [0177.827] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f064 | out: TokenHandle=0x19f064*=0x318) returned 1 [0177.958] GetCurrentProcess () returned 0xffffffff [0177.958] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f074 | out: TokenHandle=0x19f074*=0x31c) returned 1 [0177.981] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x19f258 | out: lpWSAData=0x19f258) returned 0 [0177.991] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x344 [0178.780] setsockopt (s=0x344, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0178.781] closesocket (s=0x344) returned 0 [0178.781] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x344 [0178.783] setsockopt (s=0x344, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0178.783] closesocket (s=0x344) returned 0 [0178.787] GetCurrentProcess () returned 0xffffffff [0178.787] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f0a0 | out: TokenHandle=0x19f0a0*=0x344) returned 1 [0178.792] GetCurrentProcess () returned 0xffffffff [0178.792] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f0b0 | out: TokenHandle=0x19f0b0*=0x348) returned 1 [0178.870] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x34c [0178.913] setsockopt (s=0x34c, level=65535, optname=4098, optval="", optlen=4) returned 0 [0178.913] setsockopt (s=0x34c, level=65535, optname=4097, optval="", optlen=4) returned 0 [0179.023] WSAConnect (s=0x34c, name=0x292eec0*(sa_family=2, sin_port=0x1e1b, sin_addr="127.0.0.1"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0) Thread: id = 112 os_tid = 0xc08 Thread: id = 113 os_tid = 0xc04 Thread: id = 114 os_tid = 0xb58 [0163.761] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0163.761] RoInitialize () returned 0x1 [0163.761] RoUninitialize () returned 0x0 Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4cbb5000" os_pid = "0x364" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_scheduled_job" parent_id = "6" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b24f" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1341 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1342 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1343 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1344 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1345 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1346 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1347 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1348 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1349 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1350 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1351 start_va = 0x7ff63a3d0000 end_va = 0x7ff63a3dcfff monitored = 0 entry_point = 0x7ff63a3d3980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1352 start_va = 0x7ffa59cf0000 end_va = 0x7ffa59eb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1470 start_va = 0x400000 end_va = 0x566fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1471 start_va = 0x570000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1472 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1473 start_va = 0x7ffa57930000 end_va = 0x7ffa579dcfff monitored = 0 entry_point = 0x7ffa579481a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1474 start_va = 0x7ffa564c0000 end_va = 0x7ffa566a7fff monitored = 0 entry_point = 0x7ffa564eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1475 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1476 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1477 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1478 start_va = 0x7ffa58360000 end_va = 0x7ffa583bafff monitored = 0 entry_point = 0x7ffa583738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1479 start_va = 0x7ffa579e0000 end_va = 0x7ffa57afbfff monitored = 0 entry_point = 0x7ffa57a202b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1480 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1481 start_va = 0x560000 end_va = 0x566fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1482 start_va = 0x7ffa554b0000 end_va = 0x7ffa555a3fff monitored = 0 entry_point = 0x7ffa554ba960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1483 start_va = 0x7ffa570f0000 end_va = 0x7ffa5736cfff monitored = 0 entry_point = 0x7ffa571c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1484 start_va = 0x7ffa59c50000 end_va = 0x7ffa59cecfff monitored = 0 entry_point = 0x7ffa59c578a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1485 start_va = 0x7ffa563a0000 end_va = 0x7ffa56409fff monitored = 0 entry_point = 0x7ffa563d6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1486 start_va = 0x700000 end_va = 0x7f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1487 start_va = 0x800000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 1488 start_va = 0x800000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 1489 start_va = 0x480000 end_va = 0x55cfff monitored = 0 entry_point = 0x4de0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1490 start_va = 0x7ffa56390000 end_va = 0x7ffa5639efff monitored = 0 entry_point = 0x7ffa56393210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1491 start_va = 0x7ffa57d80000 end_va = 0x7ffa57ed5fff monitored = 0 entry_point = 0x7ffa57d8a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1492 start_va = 0x7ffa577a0000 end_va = 0x7ffa57925fff monitored = 0 entry_point = 0x7ffa577effc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1493 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1494 start_va = 0x900000 end_va = 0xa87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 1495 start_va = 0xa90000 end_va = 0xc10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 1496 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1497 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1498 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1499 start_va = 0xc20000 end_va = 0xde6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 1500 start_va = 0xdf0000 end_va = 0xfeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 1501 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 1502 start_va = 0xc20000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 1503 start_va = 0xde0000 end_va = 0xde6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 1504 start_va = 0x7ffa51160000 end_va = 0x7ffa512acfff monitored = 0 entry_point = 0x7ffa511a3da0 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1505 start_va = 0x7ffa54fc0000 end_va = 0x7ffa54fcbfff monitored = 0 entry_point = 0x7ffa54fc2480 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1506 start_va = 0x7ffa51110000 end_va = 0x7ffa51127fff monitored = 0 entry_point = 0x7ffa51115910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1507 start_va = 0x7ffa51100000 end_va = 0x7ffa51109fff monitored = 0 entry_point = 0x7ffa51101660 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1508 start_va = 0x7ffa583c0000 end_va = 0x7ffa58480fff monitored = 0 entry_point = 0x7ffa583e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1509 start_va = 0xf00000 end_va = 0x1042fff monitored = 0 entry_point = 0xf28210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1510 start_va = 0x700000 end_va = 0x7a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1511 start_va = 0x7f0000 end_va = 0x7f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 1512 start_va = 0xf00000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 1513 start_va = 0xf00000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 1514 start_va = 0x1000000 end_va = 0x1336fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1515 start_va = 0x1340000 end_va = 0x143ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 1516 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1517 start_va = 0x7ffa57cc0000 end_va = 0x7ffa57d66fff monitored = 0 entry_point = 0x7ffa57ccb4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1518 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1519 start_va = 0x7ffa50ac0000 end_va = 0x7ffa50b7efff monitored = 0 entry_point = 0x7ffa50ae1c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 1520 start_va = 0x1440000 end_va = 0x153ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 1521 start_va = 0x1540000 end_va = 0x163ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 1522 start_va = 0x7ffa509c0000 end_va = 0x7ffa50abbfff monitored = 0 entry_point = 0x7ffa509f6df0 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 1523 start_va = 0x7ffa50970000 end_va = 0x7ffa509b0fff monitored = 0 entry_point = 0x7ffa50987eb0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1524 start_va = 0x7ffa56180000 end_va = 0x7ffa56198fff monitored = 0 entry_point = 0x7ffa56185e10 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 1525 start_va = 0xc20000 end_va = 0xd96fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 1526 start_va = 0x1640000 end_va = 0x173ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001640000" filename = "" Region: id = 1527 start_va = 0x1740000 end_va = 0x193ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001740000" filename = "" Region: id = 1528 start_va = 0x1800000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 1529 start_va = 0x7ffa555b0000 end_va = 0x7ffa555f8fff monitored = 0 entry_point = 0x7ffa555ba090 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1530 start_va = 0x7ffa56330000 end_va = 0x7ffa5637afff monitored = 0 entry_point = 0x7ffa563335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1531 start_va = 0x7ffa50950000 end_va = 0x7ffa50960fff monitored = 0 entry_point = 0x7ffa50953320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 1532 start_va = 0x7ffa55ff0000 end_va = 0x7ffa5601cfff monitored = 0 entry_point = 0x7ffa56009d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1533 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1534 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1535 start_va = 0x7ffa561a0000 end_va = 0x7ffa561c8fff monitored = 0 entry_point = 0x7ffa561b4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1536 start_va = 0x570000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1537 start_va = 0xc20000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 1538 start_va = 0xd90000 end_va = 0xd96fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 1539 start_va = 0x7ffa508d0000 end_va = 0x7ffa5093dfff monitored = 0 entry_point = 0x7ffa508d7f60 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 1540 start_va = 0x7ffa55800000 end_va = 0x7ffa55830fff monitored = 0 entry_point = 0x7ffa55807d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1541 start_va = 0x1900000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 1542 start_va = 0x1a00000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 1543 start_va = 0x700000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1544 start_va = 0x7a0000 end_va = 0x7a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 1545 start_va = 0x7ffa506a0000 end_va = 0x7ffa506f4fff monitored = 0 entry_point = 0x7ffa506afc00 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1546 start_va = 0x7ffa56310000 end_va = 0x7ffa56323fff monitored = 0 entry_point = 0x7ffa563152e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1547 start_va = 0x1b00000 end_va = 0x1bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 1548 start_va = 0x1740000 end_va = 0x17bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001740000" filename = "" Region: id = 1549 start_va = 0x7ffa50640000 end_va = 0x7ffa5066efff monitored = 0 entry_point = 0x7ffa50648910 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 1550 start_va = 0x7ffa58490000 end_va = 0x7ffa58536fff monitored = 0 entry_point = 0x7ffa584a58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1551 start_va = 0x7ffa50630000 end_va = 0x7ffa5063cfff monitored = 0 entry_point = 0x7ffa50632ca0 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 1552 start_va = 0x1c00000 end_va = 0x1c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 1553 start_va = 0x7ffa57b00000 end_va = 0x7ffa57b6afff monitored = 0 entry_point = 0x7ffa57b190c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1554 start_va = 0x7ffa55be0000 end_va = 0x7ffa55c3bfff monitored = 0 entry_point = 0x7ffa55bf6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1555 start_va = 0x7ffa50480000 end_va = 0x7ffa504c1fff monitored = 0 entry_point = 0x7ffa504827d0 region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 1556 start_va = 0x540000 end_va = 0x541fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 1557 start_va = 0x7ffa50450000 end_va = 0x7ffa50476fff monitored = 0 entry_point = 0x7ffa50453bf0 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 1558 start_va = 0x7ffa57ef0000 end_va = 0x7ffa57f4bfff monitored = 0 entry_point = 0x7ffa57f0b720 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1559 start_va = 0x7ffa55a70000 end_va = 0x7ffa55a8efff monitored = 0 entry_point = 0x7ffa55a75d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1560 start_va = 0x7ffa586f0000 end_va = 0x7ffa59c4efff monitored = 0 entry_point = 0x7ffa588511f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1561 start_va = 0x7ffa55720000 end_va = 0x7ffa5572bfff monitored = 0 entry_point = 0x7ffa557227e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1562 start_va = 0x1c80000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 1563 start_va = 0x7ffa56410000 end_va = 0x7ffa56452fff monitored = 0 entry_point = 0x7ffa56424b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1564 start_va = 0x7ffa56a10000 end_va = 0x7ffa57053fff monitored = 0 entry_point = 0x7ffa56bd64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1565 start_va = 0x7ffa581f0000 end_va = 0x7ffa58241fff monitored = 0 entry_point = 0x7ffa581ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1566 start_va = 0x7ffa56760000 end_va = 0x7ffa56814fff monitored = 0 entry_point = 0x7ffa567a22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1567 start_va = 0x7ffa503c0000 end_va = 0x7ffa503fdfff monitored = 0 entry_point = 0x7ffa503ca050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1568 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1569 start_va = 0x1d00000 end_va = 0x1ddcfff monitored = 0 entry_point = 0x1d5e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1570 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 1571 start_va = 0x7ffa54b00000 end_va = 0x7ffa54b12fff monitored = 0 entry_point = 0x7ffa54b02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1572 start_va = 0x7ffa55e40000 end_va = 0x7ffa55e95fff monitored = 0 entry_point = 0x7ffa55e50bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1573 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 1574 start_va = 0x7ffa503b0000 end_va = 0x7ffa503bafff monitored = 0 entry_point = 0x7ffa503b1770 region_type = mapped_file name = "lfsvc.dll" filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll") Region: id = 1575 start_va = 0x7ffa50510000 end_va = 0x7ffa505a1fff monitored = 0 entry_point = 0x7ffa5055a780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 1576 start_va = 0x7ffa50230000 end_va = 0x7ffa503abfff monitored = 0 entry_point = 0x7ffa50281650 region_type = mapped_file name = "locationframework.dll" filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll") Region: id = 1577 start_va = 0x7ffa56820000 end_va = 0x7ffa569e6fff monitored = 0 entry_point = 0x7ffa5687db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1578 start_va = 0x7ffa54150000 end_va = 0x7ffa5418ffff monitored = 0 entry_point = 0x7ffa54161960 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 1579 start_va = 0x7ffa501c0000 end_va = 0x7ffa50220fff monitored = 0 entry_point = 0x7ffa501c4b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 1580 start_va = 0x7ffa56380000 end_va = 0x7ffa5638ffff monitored = 0 entry_point = 0x7ffa563856e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1581 start_va = 0x7ffa500f0000 end_va = 0x7ffa501b7fff monitored = 0 entry_point = 0x7ffa501313f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1582 start_va = 0x7ffa51030000 end_va = 0x7ffa51065fff monitored = 0 entry_point = 0x7ffa51040070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1583 start_va = 0x1f00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 1584 start_va = 0x7ffa55310000 end_va = 0x7ffa55333fff monitored = 0 entry_point = 0x7ffa55313260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1585 start_va = 0x7ffa50000000 end_va = 0x7ffa500e5fff monitored = 0 entry_point = 0x7ffa5001cf10 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 1586 start_va = 0x7ffa51fe0000 end_va = 0x7ffa52115fff monitored = 0 entry_point = 0x7ffa5200f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1587 start_va = 0x7ffa50940000 end_va = 0x7ffa5094ffff monitored = 0 entry_point = 0x7ffa50942c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 1588 start_va = 0x7ffa4fff0000 end_va = 0x7ffa4fffbfff monitored = 0 entry_point = 0x7ffa4fff14d0 region_type = mapped_file name = "locationframeworkps.dll" filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll") Region: id = 1589 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 1590 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1591 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1594 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 1595 start_va = 0x7ffa4fda0000 end_va = 0x7ffa4fdb5fff monitored = 0 entry_point = 0x7ffa4fda1b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1596 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 1597 start_va = 0x2300000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1598 start_va = 0x7ffa4fd50000 end_va = 0x7ffa4fd90fff monitored = 0 entry_point = 0x7ffa4fd54840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 1599 start_va = 0x7ffa4fcb0000 end_va = 0x7ffa4fcc2fff monitored = 0 entry_point = 0x7ffa4fcb57f0 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1600 start_va = 0x7ffa53be0000 end_va = 0x7ffa53be7fff monitored = 0 entry_point = 0x7ffa53be13e0 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 1601 start_va = 0x7ffa4fc80000 end_va = 0x7ffa4fcadfff monitored = 0 entry_point = 0x7ffa4fc87550 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1602 start_va = 0x7ffa55df0000 end_va = 0x7ffa55e10fff monitored = 0 entry_point = 0x7ffa55e00250 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 1603 start_va = 0x7ffa4fc60000 end_va = 0x7ffa4fc7ffff monitored = 0 entry_point = 0x7ffa4fc639a0 region_type = mapped_file name = "locationwinpalmisc.dll" filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll") Region: id = 1604 start_va = 0x7ffa54d30000 end_va = 0x7ffa54d56fff monitored = 0 entry_point = 0x7ffa54d37940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1605 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 1606 start_va = 0x7ffa4fc20000 end_va = 0x7ffa4fc56fff monitored = 0 entry_point = 0x7ffa4fc26020 region_type = mapped_file name = "gnssadapter.dll" filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll") Region: id = 1607 start_va = 0x7ffa4fbc0000 end_va = 0x7ffa4fc14fff monitored = 0 entry_point = 0x7ffa4fbc3fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 1608 start_va = 0x2400000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 1609 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 1610 start_va = 0x7ffa4fba0000 end_va = 0x7ffa4fbb9fff monitored = 0 entry_point = 0x7ffa4fba2cf0 region_type = mapped_file name = "locationpelegacywinlocation.dll" filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll") Region: id = 1611 start_va = 0x7ffa57b70000 end_va = 0x7ffa57cb2fff monitored = 0 entry_point = 0x7ffa57b98210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1612 start_va = 0x7ffa4fb80000 end_va = 0x7ffa4fb96fff monitored = 0 entry_point = 0x7ffa4fb85630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1613 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 1614 start_va = 0x7ffa4f9b0000 end_va = 0x7ffa4f9c0fff monitored = 0 entry_point = 0x7ffa4f9b7ea0 region_type = mapped_file name = "dcpapi.dll" filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll") Region: id = 1615 start_va = 0x7ffa4f980000 end_va = 0x7ffa4f9a4fff monitored = 0 entry_point = 0x7ffa4f992f20 region_type = mapped_file name = "wificonnapi.dll" filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll") Region: id = 1616 start_va = 0x7ffa4f940000 end_va = 0x7ffa4f978fff monitored = 0 entry_point = 0x7ffa4f949c90 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 1617 start_va = 0x7ffa4f920000 end_va = 0x7ffa4f930fff monitored = 0 entry_point = 0x7ffa4f923e10 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 1618 start_va = 0x7ffa51c50000 end_va = 0x7ffa51fd1fff monitored = 0 entry_point = 0x7ffa51ca1220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 1619 start_va = 0x7ffa4f860000 end_va = 0x7ffa4f910fff monitored = 0 entry_point = 0x7ffa4f8d88b0 region_type = mapped_file name = "cellularapi.dll" filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll") Region: id = 1620 start_va = 0x7ffa4f960000 end_va = 0x7ffa4f971fff monitored = 0 entry_point = 0x7ffa4f969260 region_type = mapped_file name = "rilproxy.dll" filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll") Region: id = 1621 start_va = 0x7ffa4f7b0000 end_va = 0x7ffa4f85dfff monitored = 0 entry_point = 0x7ffa4f7c80c0 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 1622 start_va = 0x2500000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 1623 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 1626 start_va = 0x7ffa54aa0000 end_va = 0x7ffa54abbfff monitored = 0 entry_point = 0x7ffa54aa37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1627 start_va = 0x790000 end_va = 0x79cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 1628 start_va = 0x1e00000 end_va = 0x1e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 1629 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 1630 start_va = 0x7ffa4f330000 end_va = 0x7ffa4f3c9fff monitored = 0 entry_point = 0x7ffa4f34ada0 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 1631 start_va = 0x7ffa4f190000 end_va = 0x7ffa4f24ffff monitored = 0 entry_point = 0x7ffa4f1bfd20 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 1632 start_va = 0x7ffa4f320000 end_va = 0x7ffa4f32bfff monitored = 0 entry_point = 0x7ffa4f322830 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 1633 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1646 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 1647 start_va = 0x1640000 end_va = 0x16bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001640000" filename = "" Region: id = 1648 start_va = 0x7ffa4f110000 end_va = 0x7ffa4f161fff monitored = 0 entry_point = 0x7ffa4f1138e0 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 1649 start_va = 0x7ffa4f0e0000 end_va = 0x7ffa4f10cfff monitored = 0 entry_point = 0x7ffa4f0e2290 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 1650 start_va = 0x7ffa4f0d0000 end_va = 0x7ffa4f0d8fff monitored = 0 entry_point = 0x7ffa4f0d1ed0 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 1651 start_va = 0x7ffa4f5c0000 end_va = 0x7ffa4f5f7fff monitored = 0 entry_point = 0x7ffa4f5d8cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1652 start_va = 0x7ffa4f0c0000 end_va = 0x7ffa4f0cffff monitored = 0 entry_point = 0x7ffa4f0c1700 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 1653 start_va = 0x7ffa57060000 end_va = 0x7ffa570e5fff monitored = 0 entry_point = 0x7ffa5706d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1654 start_va = 0x7ffa55190000 end_va = 0x7ffa551c1fff monitored = 0 entry_point = 0x7ffa551a2340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1655 start_va = 0x7ffa4fdc0000 end_va = 0x7ffa4fe23fff monitored = 0 entry_point = 0x7ffa4fdd5ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1656 start_va = 0x7ffa55300000 end_va = 0x7ffa5530bfff monitored = 0 entry_point = 0x7ffa55302790 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1667 start_va = 0x7ffa55db0000 end_va = 0x7ffa55dbafff monitored = 0 entry_point = 0x7ffa55db19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1668 start_va = 0x7ffa4e920000 end_va = 0x7ffa4e92dfff monitored = 0 entry_point = 0x7ffa4e921460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1762 start_va = 0x7ffa54910000 end_va = 0x7ffa54a95fff monitored = 0 entry_point = 0x7ffa5495d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1765 start_va = 0x7b0000 end_va = 0x7b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1769 start_va = 0xd20000 end_va = 0xd64fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db") Region: id = 1770 start_va = 0x7c0000 end_va = 0x7c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1771 start_va = 0x2800000 end_va = 0x288dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 1772 start_va = 0x7d0000 end_va = 0x7e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 1773 start_va = 0x2890000 end_va = 0x2a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 1774 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 1811 start_va = 0x7ffa54ac0000 end_va = 0x7ffa54af1fff monitored = 0 entry_point = 0x7ffa54acb0c0 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 1812 start_va = 0x7ffa4e2e0000 end_va = 0x7ffa4e37afff monitored = 0 entry_point = 0x7ffa4e2e7220 region_type = mapped_file name = "settingsync.dll" filename = "\\Windows\\System32\\SettingSync.dll" (normalized: "c:\\windows\\system32\\settingsync.dll") Region: id = 1813 start_va = 0xd70000 end_va = 0xd71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 1814 start_va = 0x2a00000 end_va = 0x2adffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1819 start_va = 0x7ffa4e2c0000 end_va = 0x7ffa4e2d0fff monitored = 0 entry_point = 0x7ffa4e2c28d0 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 1820 start_va = 0x2ae0000 end_va = 0x2bdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 1821 start_va = 0x16c0000 end_va = 0x173ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 1822 start_va = 0x7ffa4fcd0000 end_va = 0x7ffa4fd49fff monitored = 0 entry_point = 0x7ffa4fcf7630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1823 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 1824 start_va = 0x7ffa561d0000 end_va = 0x7ffa56268fff monitored = 0 entry_point = 0x7ffa561ff4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1825 start_va = 0xd80000 end_va = 0xd81fff monitored = 0 entry_point = 0xd85630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1826 start_va = 0xda0000 end_va = 0xda4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 1907 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 1921 start_va = 0xd80000 end_va = 0xd81fff monitored = 0 entry_point = 0xd85630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1922 start_va = 0xda0000 end_va = 0xda4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 1926 start_va = 0xda0000 end_va = 0xda4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 1937 start_va = 0x7ffa4dcf0000 end_va = 0x7ffa4dd33fff monitored = 0 entry_point = 0x7ffa4dcfc010 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 1938 start_va = 0x7ffa53bf0000 end_va = 0x7ffa53cadfff monitored = 0 entry_point = 0x7ffa53c32d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 1939 start_va = 0x7ffa50400000 end_va = 0x7ffa50449fff monitored = 0 entry_point = 0x7ffa5040ac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 1940 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 1945 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 1946 start_va = 0x2be0000 end_va = 0x2cdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002be0000" filename = "" Region: id = 1947 start_va = 0x7ffa543b0000 end_va = 0x7ffa54842fff monitored = 0 entry_point = 0x7ffa543bf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1958 start_va = 0x1e80000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 1959 start_va = 0x2ce0000 end_va = 0x2ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 1960 start_va = 0x2ae0000 end_va = 0x2bdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 1961 start_va = 0x7ffa4bbf0000 end_va = 0x7ffa4bc2bfff monitored = 0 entry_point = 0x7ffa4bbf6aa0 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 1969 start_va = 0x7ffa4b930000 end_va = 0x7ffa4b9aefff monitored = 0 entry_point = 0x7ffa4b947110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1970 start_va = 0x7ffa4b8e0000 end_va = 0x7ffa4b92bfff monitored = 0 entry_point = 0x7ffa4b8f5310 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 1971 start_va = 0x7ffa57d70000 end_va = 0x7ffa57d77fff monitored = 0 entry_point = 0x7ffa57d71ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1972 start_va = 0x7ffa4f4a0000 end_va = 0x7ffa4f4aafff monitored = 0 entry_point = 0x7ffa4f4a1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1973 start_va = 0xda0000 end_va = 0xda0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Region: id = 1974 start_va = 0x17c0000 end_va = 0x17f1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll.mui" filename = "\\Windows\\System32\\en-US\\netmsg.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netmsg.dll.mui") Region: id = 1976 start_va = 0x2de0000 end_va = 0x2edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 1978 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1979 start_va = 0x2ee0000 end_va = 0x2fdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ee0000" filename = "" Region: id = 1980 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1981 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1982 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1983 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1984 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1985 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1986 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1987 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1988 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1989 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1990 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1991 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1992 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1993 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1994 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1995 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 1996 start_va = 0x7ffa4af40000 end_va = 0x7ffa4af50fff monitored = 0 entry_point = 0x7ffa4af41d30 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 2177 start_va = 0x7ffa4af30000 end_va = 0x7ffa4af38fff monitored = 0 entry_point = 0x7ffa4af318f0 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 2178 start_va = 0x7ffa4af00000 end_va = 0x7ffa4af1ffff monitored = 0 entry_point = 0x7ffa4af01f50 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 2179 start_va = 0x7ffa4aea0000 end_va = 0x7ffa4aefdfff monitored = 0 entry_point = 0x7ffa4aea5080 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 2180 start_va = 0x7ffa4ada0000 end_va = 0x7ffa4ae92fff monitored = 0 entry_point = 0x7ffa4adc5d80 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2181 start_va = 0x7ffa4f3e0000 end_va = 0x7ffa4f446fff monitored = 0 entry_point = 0x7ffa4f3e63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2182 start_va = 0x7ffa4ea30000 end_va = 0x7ffa4ea43fff monitored = 0 entry_point = 0x7ffa4ea32d50 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 2183 start_va = 0x7ffa4ad70000 end_va = 0x7ffa4ad9dfff monitored = 1 entry_point = 0x7ffa4ad72300 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 2184 start_va = 0x7ffa55960000 end_va = 0x7ffa55969fff monitored = 0 entry_point = 0x7ffa55961830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 2185 start_va = 0x7ffa57370000 end_va = 0x7ffa57798fff monitored = 0 entry_point = 0x7ffa57398740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2186 start_va = 0x2fe0000 end_va = 0x30dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 2187 start_va = 0x7ffa4ad20000 end_va = 0x7ffa4ad60fff monitored = 0 entry_point = 0x7ffa4ad23750 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 2188 start_va = 0x7ffa4acc0000 end_va = 0x7ffa4ad11fff monitored = 0 entry_point = 0x7ffa4acc5770 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 2189 start_va = 0x7ffa4ac10000 end_va = 0x7ffa4acb2fff monitored = 0 entry_point = 0x7ffa4ac12c10 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 2190 start_va = 0x7ffa55ee0000 end_va = 0x7ffa55f06fff monitored = 0 entry_point = 0x7ffa55ef0aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 2191 start_va = 0x7ffa55ea0000 end_va = 0x7ffa55ed9fff monitored = 0 entry_point = 0x7ffa55ea8d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 2196 start_va = 0x7ffa4abe0000 end_va = 0x7ffa4ac04fff monitored = 0 entry_point = 0x7ffa4abe5ca0 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 2197 start_va = 0x7ffa4abc0000 end_va = 0x7ffa4abd7fff monitored = 0 entry_point = 0x7ffa4abc4e10 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 2206 start_va = 0x7ffa4d680000 end_va = 0x7ffa4d688fff monitored = 0 entry_point = 0x7ffa4d6821d0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 2207 start_va = 0x2de0000 end_va = 0x2e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 2208 start_va = 0x7ffa4f920000 end_va = 0x7ffa4f935fff monitored = 0 entry_point = 0x7ffa4f9219f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2209 start_va = 0x2e60000 end_va = 0x2edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 2210 start_va = 0x7ffa4f500000 end_va = 0x7ffa4f519fff monitored = 0 entry_point = 0x7ffa4f502430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2211 start_va = 0x30e0000 end_va = 0x315ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 2212 start_va = 0x7ffa55c90000 end_va = 0x7ffa55ca6fff monitored = 0 entry_point = 0x7ffa55c979d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2213 start_va = 0x7ffa55920000 end_va = 0x7ffa55953fff monitored = 0 entry_point = 0x7ffa5593ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2214 start_va = 0x3160000 end_va = 0x32b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003160000" filename = "" Region: id = 2215 start_va = 0x3160000 end_va = 0x3266fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003160000" filename = "" Region: id = 2216 start_va = 0x32b0000 end_va = 0x32b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032b0000" filename = "" Region: id = 2217 start_va = 0x3160000 end_va = 0x325ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003160000" filename = "" Region: id = 2218 start_va = 0x3260000 end_va = 0x3266fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003260000" filename = "" Region: id = 2219 start_va = 0x32c0000 end_va = 0x333ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032c0000" filename = "" Region: id = 2220 start_va = 0x3340000 end_va = 0x34d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 2221 start_va = 0xda0000 end_va = 0xdacfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2222 start_va = 0x7ffa4ee60000 end_va = 0x7ffa4eed8fff monitored = 0 entry_point = 0x7ffa4ee676a0 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 2223 start_va = 0xdb0000 end_va = 0xdb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 2224 start_va = 0x7ffa4ee40000 end_va = 0x7ffa4ee5efff monitored = 0 entry_point = 0x7ffa4ee437e0 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 2225 start_va = 0x3340000 end_va = 0x33bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 2226 start_va = 0x34d0000 end_va = 0x34d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034d0000" filename = "" Region: id = 2227 start_va = 0x33c0000 end_va = 0x343ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033c0000" filename = "" Region: id = 2228 start_va = 0x3440000 end_va = 0x34bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 2229 start_va = 0x7ffa4ee00000 end_va = 0x7ffa4ee3ffff monitored = 0 entry_point = 0x7ffa4ee16c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2230 start_va = 0x34e0000 end_va = 0x355ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034e0000" filename = "" Region: id = 2231 start_va = 0x7ffa4aa00000 end_va = 0x7ffa4aa46fff monitored = 0 entry_point = 0x7ffa4aa01d10 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 2232 start_va = 0x3560000 end_va = 0x35dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003560000" filename = "" Region: id = 2233 start_va = 0x7ffa4e9c0000 end_va = 0x7ffa4e9fffff monitored = 0 entry_point = 0x7ffa4e9ccbe0 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 2234 start_va = 0x35e0000 end_va = 0x37dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 2235 start_va = 0x3600000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 2236 start_va = 0x7ffa4eb80000 end_va = 0x7ffa4ebc1fff monitored = 0 entry_point = 0x7ffa4eb83670 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 2237 start_va = 0x3700000 end_va = 0x377ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 2238 start_va = 0x7ffa4eb30000 end_va = 0x7ffa4eb75fff monitored = 0 entry_point = 0x7ffa4eb379a0 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 2239 start_va = 0x7ffa56460000 end_va = 0x7ffa564b4fff monitored = 0 entry_point = 0x7ffa56477970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2240 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 2241 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 2243 start_va = 0xdc0000 end_va = 0xddbfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.tlb" filename = "\\Windows\\System32\\activeds.tlb" (normalized: "c:\\windows\\system32\\activeds.tlb") Region: id = 2244 start_va = 0x3780000 end_va = 0x37fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 2265 start_va = 0x7ffa569f0000 end_va = 0x7ffa56a06fff monitored = 0 entry_point = 0x7ffa569f1390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2300 start_va = 0x3800000 end_va = 0x38fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 2303 start_va = 0x7ffa54210000 end_va = 0x7ffa5421bfff monitored = 0 entry_point = 0x7ffa542135c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2305 start_va = 0x7ffa4e220000 end_va = 0x7ffa4e231fff monitored = 0 entry_point = 0x7ffa4e223580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 2306 start_va = 0x7ffa54d80000 end_va = 0x7ffa54e29fff monitored = 0 entry_point = 0x7ffa54da7910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2325 start_va = 0x3900000 end_va = 0x39fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003900000" filename = "" Region: id = 2326 start_va = 0x7ffa4e7d0000 end_va = 0x7ffa4e7d9fff monitored = 0 entry_point = 0x7ffa4e7d14c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 2351 start_va = 0x550000 end_va = 0x551fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 2352 start_va = 0x7ffa4d690000 end_va = 0x7ffa4d6c4fff monitored = 0 entry_point = 0x7ffa4d69a270 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 2353 start_va = 0xdc0000 end_va = 0xddbfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.tlb" filename = "\\Windows\\System32\\activeds.tlb" (normalized: "c:\\windows\\system32\\activeds.tlb") Region: id = 2355 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 2360 start_va = 0x3a00000 end_va = 0x3afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 2361 start_va = 0x3b00000 end_va = 0x3bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 2362 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 2363 start_va = 0x3c00000 end_va = 0x3cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Thread: id = 120 os_tid = 0x368 Thread: id = 121 os_tid = 0x3ac Thread: id = 122 os_tid = 0x3cc Thread: id = 123 os_tid = 0x148 [0301.177] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0301.178] CoCreateInstance (in: rclsid=0x7ffa4ad87f78*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ffa4ad87f88*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x6d4860 | out: ppv=0x6d4860*=0x7ffa57329610) returned 0x0 [0301.178] CoCreateInstance (in: rclsid=0x7ffa4ad87f58*(Data1=0x34e, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ffa4ad87f68*(Data1=0x1da, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x6d4858 | out: ppv=0x6d4858*=0x294f240) returned 0x0 [0301.179] SetEvent (hEvent=0xb0c) returned 1 [0301.183] WaitForSingleObject (hHandle=0xb08, dwMilliseconds=0xffffffff) Thread: id = 124 os_tid = 0x150 Thread: id = 125 os_tid = 0x154 Thread: id = 126 os_tid = 0x160 Thread: id = 127 os_tid = 0x164 Thread: id = 128 os_tid = 0x15c Thread: id = 129 os_tid = 0x178 Thread: id = 130 os_tid = 0x174 Thread: id = 131 os_tid = 0x1c8 Thread: id = 132 os_tid = 0x1b4 Thread: id = 133 os_tid = 0x264 Thread: id = 134 os_tid = 0x8 Thread: id = 135 os_tid = 0x284 Thread: id = 136 os_tid = 0x2ac Thread: id = 137 os_tid = 0x2d0 Thread: id = 138 os_tid = 0x2cc Thread: id = 139 os_tid = 0x2ec Thread: id = 140 os_tid = 0x18c Thread: id = 141 os_tid = 0x408 Thread: id = 142 os_tid = 0x40c Thread: id = 143 os_tid = 0x424 Thread: id = 144 os_tid = 0x4a0 Thread: id = 145 os_tid = 0x4d8 Thread: id = 146 os_tid = 0x4e8 Thread: id = 147 os_tid = 0x488 Thread: id = 170 os_tid = 0x604 Thread: id = 177 os_tid = 0x608 Thread: id = 182 os_tid = 0x640 Thread: id = 188 os_tid = 0x69c Thread: id = 189 os_tid = 0x700 Thread: id = 192 os_tid = 0x6fc Thread: id = 193 os_tid = 0x758 [0301.016] malloc (_Size=0x100) returned 0x83f120 [0301.019] PublishDebugMessage () returned 0x1 [0301.019] GetProcessHeap () returned 0x560000 [0301.019] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x108) returned 0x6d4760 [0301.019] GetProcessHeap () returned 0x560000 [0301.019] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x18) returned 0x294f3c0 [0301.019] GetProcessHeap () returned 0x560000 [0301.019] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x18) returned 0x294f2c0 [0301.019] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xb00 [0301.019] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xb04 [0301.019] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xb08 [0301.020] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xb0c [0301.026] CreateThreadpoolWork (in: pfnwk=0x7ffa4ad71e90, pv=0x6d4760, pcbe=0x2bdf790 | out: pv=0x6d4760) returned 0x291f9c0 [0301.026] TpPostWork () returned 0x3 [0301.026] WaitForSingleObject (hHandle=0xb0c, dwMilliseconds=0xffffffff) returned 0x0 [0301.179] CloseHandle (hObject=0xb0c) returned 1 [0301.179] PublishDebugMessage () returned 0x1 [0301.179] GetProcessHeap () returned 0x560000 [0301.179] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x58) returned 0x2955f50 [0301.179] GetProcessHeap () returned 0x560000 [0301.179] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0xc) returned 0x297e020 [0301.180] memcpy (in: _Dst=0x297e020, _Src=0x297dff0, _Size=0xc | out: _Dst=0x297e020) returned 0x297e020 [0301.180] GetProcessHeap () returned 0x560000 [0301.180] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0xc) returned 0x297e110 [0301.180] memcpy (in: _Dst=0x297e110, _Src=0x297dfc0, _Size=0xc | out: _Dst=0x297e110) returned 0x297e110 [0301.180] PublishDebugMessage () returned 0x1 [0301.180] GetProcessHeap () returned 0x560000 [0301.180] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x198) returned 0x2560ac0 [0301.180] ??0WMISchema@@QEAA@XZ () returned 0x2560ac0 [0301.180] GetProcessHeap () returned 0x560000 [0301.180] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x30) returned 0x2934200 [0301.180] GetProcessHeap () returned 0x560000 [0301.180] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x30) returned 0x2933d50 [0301.180] GetProcessHeap () returned 0x560000 [0301.180] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x18) returned 0x294e9c0 [0301.180] GetProcessHeap () returned 0x560000 [0301.180] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x28) returned 0x2934520 [0301.180] PublishDebugMessage () returned 0x1 [0301.180] GetCurrentThread () returned 0xfffffffffffffffe [0301.180] OpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x2e, OpenAsSelf=1, TokenHandle=0x2560c38 | out: TokenHandle=0x2560c38*=0xb0c) returned 1 [0301.181] GetTokenInformation (in: TokenHandle=0xb0c, TokenInformationClass=0x3, TokenInformation=0x2bdf710, TokenInformationLength=0x10, ReturnLength=0x2bdf750 | out: TokenInformation=0x2bdf710, ReturnLength=0x2bdf750) returned 0 [0301.181] GetLastError () returned 0x7a [0301.181] GetProcessHeap () returned 0x560000 [0301.181] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x148) returned 0x298bd40 [0301.181] GetTokenInformation (in: TokenHandle=0xb0c, TokenInformationClass=0x3, TokenInformation=0x298bd40, TokenInformationLength=0x148, ReturnLength=0x2bdf750 | out: TokenInformation=0x298bd40, ReturnLength=0x2bdf750) returned 1 [0301.181] AdjustTokenPrivileges (in: TokenHandle=0xb0c, DisableAllPrivileges=0, NewState=0x298bd40*(PrivilegesCount=0x1b, Privileges=((Luid.LowPart=0x3, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=3, Attributes=0x5), (Luid.LowPart=0x2, Luid.HighPart=7, Attributes=0x0), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xa), (Luid.LowPart=0x2, Luid.HighPart=11, Attributes=0x0), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=3, Attributes=0xe), (Luid.LowPart=0x3, Luid.HighPart=15, Attributes=0x0), (Luid.LowPart=0x10, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x0, Luid.HighPart=3, Attributes=0x16), (Luid.LowPart=0x2, Luid.HighPart=23, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x0, Luid.HighPart=3, Attributes=0x23), (Luid.LowPart=0x3, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x40280000), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0301.181] GetProcessHeap () returned 0x560000 [0301.181] RtlFreeHeap (HeapHandle=0x560000, Flags=0x0, BaseAddress=0x298bd40) returned 1 [0301.181] ClassCache_New () returned 0x0 [0301.181] ResultToHRESULT () returned 0x0 [0301.182] PublishDebugMessage () returned 0x1 [0301.182] GetProcessHeap () returned 0x560000 [0301.182] RtlAllocateHeap (HeapHandle=0x560000, Flags=0x0, Size=0x18) returned 0x294f600 [0301.182] PublishDebugMessage () returned 0x1 Thread: id = 195 os_tid = 0x790 Thread: id = 196 os_tid = 0x7a8 Thread: id = 215 os_tid = 0x7d4 Thread: id = 217 os_tid = 0x404 Thread: id = 218 os_tid = 0x2d0 Thread: id = 219 os_tid = 0x2fc Thread: id = 220 os_tid = 0x430 Thread: id = 221 os_tid = 0x424 Thread: id = 222 os_tid = 0x42c Thread: id = 223 os_tid = 0x458 Thread: id = 224 os_tid = 0x470 Thread: id = 226 os_tid = 0x464 Thread: id = 227 os_tid = 0x4b0 Thread: id = 230 os_tid = 0x4cc Thread: id = 233 os_tid = 0x5a4 Thread: id = 238 os_tid = 0x5f4 Thread: id = 241 os_tid = 0x3b0 Thread: id = 242 os_tid = 0x3c0 Thread: id = 244 os_tid = 0x754 Process: id = "11" image_name = "taskhostw.exe" filename = "c:\\windows\\system32\\taskhostw.exe" page_root = "0x163d2000" os_pid = "0x4dc" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x364" cmd_line = "taskhostw.exe SYSTEM" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b24f" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1634 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1635 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1636 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1637 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1638 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1639 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1640 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1641 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1642 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1643 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1644 start_va = 0x7ff717150000 end_va = 0x7ff717168fff monitored = 0 entry_point = 0x7ff7171559b0 region_type = mapped_file name = "taskhostw.exe" filename = "\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe") Region: id = 1645 start_va = 0x7ffa59cf0000 end_va = 0x7ffa59eb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1657 start_va = 0x400000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1658 start_va = 0x7ffa57930000 end_va = 0x7ffa579dcfff monitored = 0 entry_point = 0x7ffa579481a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1659 start_va = 0x7ffa564c0000 end_va = 0x7ffa566a7fff monitored = 0 entry_point = 0x7ffa564eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1660 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1661 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1662 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1663 start_va = 0x7ffa59c50000 end_va = 0x7ffa59cecfff monitored = 0 entry_point = 0x7ffa59c578a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1664 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1665 start_va = 0x4d0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1666 start_va = 0x7ffa579e0000 end_va = 0x7ffa57afbfff monitored = 0 entry_point = 0x7ffa57a202b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1785 start_va = 0x7ffa570f0000 end_va = 0x7ffa5736cfff monitored = 0 entry_point = 0x7ffa571c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1786 start_va = 0x7ffa563a0000 end_va = 0x7ffa56409fff monitored = 0 entry_point = 0x7ffa563d6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1787 start_va = 0x7ffa583c0000 end_va = 0x7ffa58480fff monitored = 0 entry_point = 0x7ffa583e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1788 start_va = 0x5d0000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1789 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1790 start_va = 0x660000 end_va = 0x7a2fff monitored = 0 entry_point = 0x688210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1791 start_va = 0x660000 end_va = 0x73cfff monitored = 0 entry_point = 0x6be0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1792 start_va = 0x7ffa56390000 end_va = 0x7ffa5639efff monitored = 0 entry_point = 0x7ffa56393210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1793 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1794 start_va = 0x7ffa57d80000 end_va = 0x7ffa57ed5fff monitored = 0 entry_point = 0x7ffa57d8a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1795 start_va = 0x7ffa577a0000 end_va = 0x7ffa57925fff monitored = 0 entry_point = 0x7ffa577effc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1796 start_va = 0x660000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 1797 start_va = 0x7f0000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1798 start_va = 0x980000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 1808 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskhostw.exe.mui" filename = "\\Windows\\System32\\en-US\\taskhostw.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskhostw.exe.mui") Region: id = 1809 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1810 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1887 start_va = 0x7ffa58360000 end_va = 0x7ffa583bafff monitored = 0 entry_point = 0x7ffa583738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1951 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1952 start_va = 0x5d0000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1953 start_va = 0x650000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 1954 start_va = 0xa40000 end_va = 0xabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 1955 start_va = 0x7ffa57cc0000 end_va = 0x7ffa57d66fff monitored = 0 entry_point = 0x7ffa57ccb4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1956 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 1957 start_va = 0x7ffa4cce0000 end_va = 0x7ffa4ccf0fff monitored = 0 entry_point = 0x7ffa4cce6710 region_type = mapped_file name = "tpmtasks.dll" filename = "\\Windows\\System32\\TpmTasks.dll" (normalized: "c:\\windows\\system32\\tpmtasks.dll") Region: id = 1962 start_va = 0x7ffa58490000 end_va = 0x7ffa58536fff monitored = 0 entry_point = 0x7ffa584a58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1963 start_va = 0x7ffa4bb60000 end_va = 0x7ffa4bbcdfff monitored = 0 entry_point = 0x7ffa4bbae6c0 region_type = mapped_file name = "tpmcoreprovisioning.dll" filename = "\\Windows\\System32\\TpmCoreProvisioning.dll" (normalized: "c:\\windows\\system32\\tpmcoreprovisioning.dll") Region: id = 2198 start_va = 0x7ffa56820000 end_va = 0x7ffa569e6fff monitored = 0 entry_point = 0x7ffa5687db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2199 start_va = 0x7ffa56380000 end_va = 0x7ffa5638ffff monitored = 0 entry_point = 0x7ffa563856e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2200 start_va = 0x7ffa55ee0000 end_va = 0x7ffa55f06fff monitored = 0 entry_point = 0x7ffa55ef0aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 2201 start_va = 0x7ffa500f0000 end_va = 0x7ffa501b7fff monitored = 0 entry_point = 0x7ffa501313f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 2202 start_va = 0x7ffa503c0000 end_va = 0x7ffa503fdfff monitored = 0 entry_point = 0x7ffa503ca050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 2203 start_va = 0x7ffa55720000 end_va = 0x7ffa5572bfff monitored = 0 entry_point = 0x7ffa557227e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2204 start_va = 0x7ffa561a0000 end_va = 0x7ffa561c8fff monitored = 0 entry_point = 0x7ffa561b4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2205 start_va = 0x7ffa55ea0000 end_va = 0x7ffa55ed9fff monitored = 0 entry_point = 0x7ffa55ea8d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 2253 start_va = 0xac0000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 2256 start_va = 0x7ffa54c60000 end_va = 0x7ffa54c6efff monitored = 0 entry_point = 0x7ffa54c62c50 region_type = mapped_file name = "dimsjob.dll" filename = "\\Windows\\System32\\dimsjob.dll" (normalized: "c:\\windows\\system32\\dimsjob.dll") Region: id = 2309 start_va = 0xb40000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 2338 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 2339 start_va = 0xbc0000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 2340 start_va = 0x7ffa4aa00000 end_va = 0x7ffa4aa46fff monitored = 0 entry_point = 0x7ffa4aa01d10 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 2341 start_va = 0x7ffa4e9c0000 end_va = 0x7ffa4e9fffff monitored = 0 entry_point = 0x7ffa4e9ccbe0 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 2342 start_va = 0x7ffa57ef0000 end_va = 0x7ffa57f4bfff monitored = 0 entry_point = 0x7ffa57f0b720 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2343 start_va = 0x7ffa55760000 end_va = 0x7ffa5576cfff monitored = 0 entry_point = 0x7ffa55761fe0 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 2347 start_va = 0x7ffa4ee00000 end_va = 0x7ffa4ee3ffff monitored = 0 entry_point = 0x7ffa4ee16c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2348 start_va = 0xc40000 end_va = 0xd1cfff monitored = 0 entry_point = 0xc9e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2358 start_va = 0xc40000 end_va = 0xcbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Thread: id = 148 os_tid = 0x4e0 Thread: id = 165 os_tid = 0x558 Thread: id = 190 os_tid = 0x6a4 Thread: id = 191 os_tid = 0x6a0 Thread: id = 229 os_tid = 0x460 Thread: id = 239 os_tid = 0x184 Thread: id = 240 os_tid = 0x5b0 Process: id = "12" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4f21f000" os_pid = "0x128" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "10" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AJRouter" [0xa], "NT SERVICE\\bthserv" [0xa], "NT SERVICE\\CDPSvc" [0xa], "NT SERVICE\\EventSystem" [0xa], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\LicenseManager" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\PhoneSvc" [0xa], "NT SERVICE\\RemoteRegistry" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\tzautoupdate" [0xe], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT SERVICE\\workfolderssvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d560" [0xc000000f], "LOCAL" [0x7] Region: id = 1669 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1670 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1671 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1672 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1673 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1674 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1675 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1676 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1677 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1678 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1679 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1680 start_va = 0x1f0000 end_va = 0x1f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1681 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1682 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1683 start_va = 0x500000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1684 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 1685 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 1686 start_va = 0x5a0000 end_va = 0x5a1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netprofmsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\netprofmsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofmsvc.dll.mui") Region: id = 1687 start_va = 0x5f0000 end_va = 0x5f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1688 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1689 start_va = 0x700000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 1690 start_va = 0x890000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 1691 start_va = 0xa20000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 1692 start_va = 0xae0000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 1693 start_va = 0xbf0000 end_va = 0xbf6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 1694 start_va = 0xc00000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 1695 start_va = 0xd20000 end_va = 0xd68fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat") Region: id = 1696 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 1697 start_va = 0xf00000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 1698 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 1699 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 1700 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 1701 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 1702 start_va = 0x1400000 end_va = 0x23fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat") Region: id = 1703 start_va = 0x2400000 end_va = 0x2736fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1704 start_va = 0x2740000 end_va = 0x2803fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "segoeuisl.ttf" filename = "\\Windows\\Fonts\\segoeuisl.ttf" (normalized: "c:\\windows\\fonts\\segoeuisl.ttf") Region: id = 1705 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 1706 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 1707 start_va = 0x2cb0000 end_va = 0x2daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cb0000" filename = "" Region: id = 1708 start_va = 0x2e00000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 1709 start_va = 0x3540000 end_va = 0x3d3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-s-1-5-18.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-18.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-18.dat") Region: id = 1710 start_va = 0x3d40000 end_va = 0x3e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d40000" filename = "" Region: id = 1711 start_va = 0x3e40000 end_va = 0x3f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e40000" filename = "" Region: id = 1712 start_va = 0x3f40000 end_va = 0x403ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f40000" filename = "" Region: id = 1713 start_va = 0x4040000 end_va = 0x413ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004040000" filename = "" Region: id = 1714 start_va = 0x4140000 end_va = 0x423ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004140000" filename = "" Region: id = 1715 start_va = 0x4240000 end_va = 0x433ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004240000" filename = "" Region: id = 1716 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1717 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1718 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1719 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1720 start_va = 0x7ff63a3d0000 end_va = 0x7ff63a3dcfff monitored = 0 entry_point = 0x7ff63a3d3980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1721 start_va = 0x7ffa4e920000 end_va = 0x7ffa4e92dfff monitored = 0 entry_point = 0x7ffa4e921460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1722 start_va = 0x7ffa4efd0000 end_va = 0x7ffa4f05afff monitored = 0 entry_point = 0x7ffa4efed2a0 region_type = mapped_file name = "netprofmsvc.dll" filename = "\\Windows\\System32\\netprofmsvc.dll" (normalized: "c:\\windows\\system32\\netprofmsvc.dll") Region: id = 1723 start_va = 0x7ffa4f950000 end_va = 0x7ffa4f95cfff monitored = 0 entry_point = 0x7ffa4f952650 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 1724 start_va = 0x7ffa4fcd0000 end_va = 0x7ffa4fd49fff monitored = 0 entry_point = 0x7ffa4fcf7630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1725 start_va = 0x7ffa4fff0000 end_va = 0x7ffa4fffbfff monitored = 0 entry_point = 0x7ffa4fff14d0 region_type = mapped_file name = "locationframeworkps.dll" filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll") Region: id = 1726 start_va = 0x7ffa50400000 end_va = 0x7ffa50449fff monitored = 0 entry_point = 0x7ffa5040ac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 1727 start_va = 0x7ffa504d0000 end_va = 0x7ffa50502fff monitored = 0 entry_point = 0x7ffa504dd5a0 region_type = mapped_file name = "biwinrt.dll" filename = "\\Windows\\System32\\biwinrt.dll" (normalized: "c:\\windows\\system32\\biwinrt.dll") Region: id = 1728 start_va = 0x7ffa50510000 end_va = 0x7ffa505a1fff monitored = 0 entry_point = 0x7ffa5055a780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 1729 start_va = 0x7ffa505b0000 end_va = 0x7ffa50628fff monitored = 0 entry_point = 0x7ffa505c7800 region_type = mapped_file name = "geolocation.dll" filename = "\\Windows\\System32\\Geolocation.dll" (normalized: "c:\\windows\\system32\\geolocation.dll") Region: id = 1730 start_va = 0x7ffa50670000 end_va = 0x7ffa50698fff monitored = 0 entry_point = 0x7ffa506824d0 region_type = mapped_file name = "fontprovider.dll" filename = "\\Windows\\System32\\FontProvider.dll" (normalized: "c:\\windows\\system32\\fontprovider.dll") Region: id = 1731 start_va = 0x7ffa50700000 end_va = 0x7ffa508a1fff monitored = 0 entry_point = 0x7ffa5074c2d0 region_type = mapped_file name = "fntcache.dll" filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll") Region: id = 1732 start_va = 0x7ffa508b0000 end_va = 0x7ffa508c9fff monitored = 0 entry_point = 0x7ffa508bb670 region_type = mapped_file name = "tzautoupdate.dll" filename = "\\Windows\\System32\\tzautoupdate.dll" (normalized: "c:\\windows\\system32\\tzautoupdate.dll") Region: id = 1733 start_va = 0x7ffa51030000 end_va = 0x7ffa51065fff monitored = 0 entry_point = 0x7ffa51040070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1734 start_va = 0x7ffa51110000 end_va = 0x7ffa51127fff monitored = 0 entry_point = 0x7ffa51115910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1735 start_va = 0x7ffa54e30000 end_va = 0x7ffa54f2ffff monitored = 0 entry_point = 0x7ffa54e70f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 1736 start_va = 0x7ffa554b0000 end_va = 0x7ffa555a3fff monitored = 0 entry_point = 0x7ffa554ba960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1737 start_va = 0x7ffa55a70000 end_va = 0x7ffa55a8efff monitored = 0 entry_point = 0x7ffa55a75d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1738 start_va = 0x7ffa561a0000 end_va = 0x7ffa561c8fff monitored = 0 entry_point = 0x7ffa561b4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1739 start_va = 0x7ffa56310000 end_va = 0x7ffa56323fff monitored = 0 entry_point = 0x7ffa563152e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1740 start_va = 0x7ffa56390000 end_va = 0x7ffa5639efff monitored = 0 entry_point = 0x7ffa56393210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1741 start_va = 0x7ffa563a0000 end_va = 0x7ffa56409fff monitored = 0 entry_point = 0x7ffa563d6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1742 start_va = 0x7ffa564c0000 end_va = 0x7ffa566a7fff monitored = 0 entry_point = 0x7ffa564eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1743 start_va = 0x7ffa56760000 end_va = 0x7ffa56814fff monitored = 0 entry_point = 0x7ffa567a22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1744 start_va = 0x7ffa570f0000 end_va = 0x7ffa5736cfff monitored = 0 entry_point = 0x7ffa571c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1745 start_va = 0x7ffa577a0000 end_va = 0x7ffa57925fff monitored = 0 entry_point = 0x7ffa577effc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1746 start_va = 0x7ffa57930000 end_va = 0x7ffa579dcfff monitored = 0 entry_point = 0x7ffa579481a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1747 start_va = 0x7ffa579e0000 end_va = 0x7ffa57afbfff monitored = 0 entry_point = 0x7ffa57a202b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1748 start_va = 0x7ffa57b70000 end_va = 0x7ffa57cb2fff monitored = 0 entry_point = 0x7ffa57b98210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1749 start_va = 0x7ffa57cc0000 end_va = 0x7ffa57d66fff monitored = 0 entry_point = 0x7ffa57ccb4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1750 start_va = 0x7ffa57d70000 end_va = 0x7ffa57d77fff monitored = 0 entry_point = 0x7ffa57d71ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1751 start_va = 0x7ffa57d80000 end_va = 0x7ffa57ed5fff monitored = 0 entry_point = 0x7ffa57d8a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1752 start_va = 0x7ffa58360000 end_va = 0x7ffa583bafff monitored = 0 entry_point = 0x7ffa583738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1753 start_va = 0x7ffa583c0000 end_va = 0x7ffa58480fff monitored = 0 entry_point = 0x7ffa583e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1754 start_va = 0x7ffa58490000 end_va = 0x7ffa58536fff monitored = 0 entry_point = 0x7ffa584a58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1755 start_va = 0x7ffa59c50000 end_va = 0x7ffa59cecfff monitored = 0 entry_point = 0x7ffa59c578a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1756 start_va = 0x7ffa59cf0000 end_va = 0x7ffa59eb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1759 start_va = 0x5b0000 end_va = 0x5ddfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 1760 start_va = 0x4340000 end_va = 0x443ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 1761 start_va = 0x7ffa500f0000 end_va = 0x7ffa501b7fff monitored = 0 entry_point = 0x7ffa501313f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1763 start_va = 0x7ffa57b00000 end_va = 0x7ffa57b6afff monitored = 0 entry_point = 0x7ffa57b190c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1764 start_va = 0x2740000 end_va = 0x2813fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "segoeuil.ttf" filename = "\\Windows\\Fonts\\segoeuil.ttf" (normalized: "c:\\windows\\fonts\\segoeuil.ttf") Region: id = 1766 start_va = 0x2f00000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 1767 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 1768 start_va = 0x7ffa55be0000 end_va = 0x7ffa55c3bfff monitored = 0 entry_point = 0x7ffa55bf6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1775 start_va = 0x2820000 end_va = 0x28e3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "segoeuisl.ttf" filename = "\\Windows\\Fonts\\segoeuisl.ttf" (normalized: "c:\\windows\\fonts\\segoeuisl.ttf") Region: id = 1776 start_va = 0x7ffa4f5c0000 end_va = 0x7ffa4f5f7fff monitored = 0 entry_point = 0x7ffa4f5d8cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1777 start_va = 0x7ffa4f4a0000 end_va = 0x7ffa4f4aafff monitored = 0 entry_point = 0x7ffa4f4a1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1778 start_va = 0x7ffa56330000 end_va = 0x7ffa5637afff monitored = 0 entry_point = 0x7ffa563335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1779 start_va = 0x4440000 end_va = 0x453ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 1780 start_va = 0x7ffa4f920000 end_va = 0x7ffa4f935fff monitored = 0 entry_point = 0x7ffa4f9219f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1781 start_va = 0x7ffa4f500000 end_va = 0x7ffa4f519fff monitored = 0 entry_point = 0x7ffa4f502430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1782 start_va = 0x7ffa54d80000 end_va = 0x7ffa54e29fff monitored = 0 entry_point = 0x7ffa54da7910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1783 start_va = 0x4540000 end_va = 0x463ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 1784 start_va = 0x7ffa4e7d0000 end_va = 0x7ffa4e7d9fff monitored = 0 entry_point = 0x7ffa4e7d14c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1799 start_va = 0x2a00000 end_va = 0x2adffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1800 start_va = 0x7ffa4e7a0000 end_va = 0x7ffa4e7b3fff monitored = 0 entry_point = 0x7ffa4e7a1a50 region_type = mapped_file name = "wlanradiomanager.dll" filename = "\\Windows\\System32\\WlanRadioManager.dll" (normalized: "c:\\windows\\system32\\wlanradiomanager.dll") Region: id = 1801 start_va = 0x7ffa501c0000 end_va = 0x7ffa50220fff monitored = 0 entry_point = 0x7ffa501c4b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 1802 start_va = 0x7ffa4e780000 end_va = 0x7ffa4e798fff monitored = 0 entry_point = 0x7ffa4e782180 region_type = mapped_file name = "bthradiomedia.dll" filename = "\\Windows\\System32\\BthRadioMedia.dll" (normalized: "c:\\windows\\system32\\bthradiomedia.dll") Region: id = 1803 start_va = 0x7ffa56410000 end_va = 0x7ffa56452fff monitored = 0 entry_point = 0x7ffa56424b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1804 start_va = 0x7ffa54d30000 end_va = 0x7ffa54d56fff monitored = 0 entry_point = 0x7ffa54d37940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1805 start_va = 0x7ffa4e690000 end_va = 0x7ffa4e6adfff monitored = 0 entry_point = 0x7ffa4e691690 region_type = mapped_file name = "bluetoothapis.dll" filename = "\\Windows\\System32\\BluetoothApis.dll" (normalized: "c:\\windows\\system32\\bluetoothapis.dll") Region: id = 1806 start_va = 0x4640000 end_va = 0x473ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004640000" filename = "" Region: id = 1807 start_va = 0x7ffa55310000 end_va = 0x7ffa55333fff monitored = 0 entry_point = 0x7ffa55313260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1975 start_va = 0x4740000 end_va = 0x483ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004740000" filename = "" Region: id = 1977 start_va = 0x7ffa4bbd0000 end_va = 0x7ffa4bbecfff monitored = 0 entry_point = 0x7ffa4bbd6190 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 2192 start_va = 0x4840000 end_va = 0x493ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004840000" filename = "" Region: id = 2193 start_va = 0xb60000 end_va = 0xb71fff monitored = 0 entry_point = 0xb87630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 2194 start_va = 0x7ffa561d0000 end_va = 0x7ffa56268fff monitored = 0 entry_point = 0x7ffa561ff4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 2195 start_va = 0x5e0000 end_va = 0x5e4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 2245 start_va = 0x4940000 end_va = 0x4a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004940000" filename = "" Region: id = 2264 start_va = 0x7ffa54b60000 end_va = 0x7ffa54b77fff monitored = 0 entry_point = 0x7ffa54b64a20 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 2301 start_va = 0xb80000 end_va = 0xb81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 2327 start_va = 0x3000000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2328 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Thread: id = 149 os_tid = 0x578 Thread: id = 150 os_tid = 0x574 Thread: id = 151 os_tid = 0x570 Thread: id = 152 os_tid = 0x56c Thread: id = 153 os_tid = 0x568 Thread: id = 154 os_tid = 0x560 Thread: id = 155 os_tid = 0x534 Thread: id = 156 os_tid = 0x420 Thread: id = 157 os_tid = 0x268 Thread: id = 158 os_tid = 0x260 Thread: id = 159 os_tid = 0x210 Thread: id = 160 os_tid = 0x170 Thread: id = 161 os_tid = 0x1b0 Thread: id = 162 os_tid = 0x180 Thread: id = 163 os_tid = 0x14c Thread: id = 164 os_tid = 0x12c Thread: id = 166 os_tid = 0x58c Thread: id = 167 os_tid = 0x59c Thread: id = 168 os_tid = 0x5a8 Thread: id = 169 os_tid = 0x5c0 Thread: id = 194 os_tid = 0x784 Thread: id = 216 os_tid = 0x7fc Thread: id = 231 os_tid = 0x60 Process: id = "13" image_name = "sihost.exe" filename = "c:\\windows\\system32\\sihost.exe" page_root = "0x1219a000" os_pid = "0x60c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x364" cmd_line = "sihost.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00012274" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1827 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1828 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1829 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1830 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1831 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1832 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1833 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1834 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1835 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1836 start_va = 0x7ff7b4940000 end_va = 0x7ff7b4955fff monitored = 0 entry_point = 0x7ff7b4945190 region_type = mapped_file name = "sihost.exe" filename = "\\Windows\\System32\\sihost.exe" (normalized: "c:\\windows\\system32\\sihost.exe") Region: id = 1837 start_va = 0x7ffa59cf0000 end_va = 0x7ffa59eb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1838 start_va = 0x400000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1839 start_va = 0x7ffa57930000 end_va = 0x7ffa579dcfff monitored = 0 entry_point = 0x7ffa579481a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1840 start_va = 0x7ffa564c0000 end_va = 0x7ffa566a7fff monitored = 0 entry_point = 0x7ffa564eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1841 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1842 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1843 start_va = 0xf0000 end_va = 0x1adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1844 start_va = 0x7ffa59c50000 end_va = 0x7ffa59cecfff monitored = 0 entry_point = 0x7ffa59c578a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1845 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1846 start_va = 0x4b0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 1847 start_va = 0x7ffa570f0000 end_va = 0x7ffa5736cfff monitored = 0 entry_point = 0x7ffa571c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1848 start_va = 0x7ffa579e0000 end_va = 0x7ffa57afbfff monitored = 0 entry_point = 0x7ffa57a202b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1849 start_va = 0x7ffa563a0000 end_va = 0x7ffa56409fff monitored = 0 entry_point = 0x7ffa563d6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1850 start_va = 0x7ffa58360000 end_va = 0x7ffa583bafff monitored = 0 entry_point = 0x7ffa583738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1851 start_va = 0x7ffa58490000 end_va = 0x7ffa58536fff monitored = 0 entry_point = 0x7ffa584a58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1852 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1853 start_va = 0x7ffa55800000 end_va = 0x7ffa55830fff monitored = 0 entry_point = 0x7ffa55807d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1854 start_va = 0x7ffa53bf0000 end_va = 0x7ffa53cadfff monitored = 0 entry_point = 0x7ffa53c32d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 1855 start_va = 0x5b0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1856 start_va = 0x7ffa4df90000 end_va = 0x7ffa4e217fff monitored = 0 entry_point = 0x7ffa4dfef670 region_type = mapped_file name = "coreuicomponents.dll" filename = "\\Windows\\System32\\CoreUIComponents.dll" (normalized: "c:\\windows\\system32\\coreuicomponents.dll") Region: id = 1866 start_va = 0x7ffa56390000 end_va = 0x7ffa5639efff monitored = 0 entry_point = 0x7ffa56393210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1867 start_va = 0x7ffa57d80000 end_va = 0x7ffa57ed5fff monitored = 0 entry_point = 0x7ffa57d8a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1868 start_va = 0x7ffa577a0000 end_va = 0x7ffa57925fff monitored = 0 entry_point = 0x7ffa577effc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1869 start_va = 0x7ffa56760000 end_va = 0x7ffa56814fff monitored = 0 entry_point = 0x7ffa567a22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1870 start_va = 0x7ffa51fe0000 end_va = 0x7ffa52115fff monitored = 0 entry_point = 0x7ffa5200f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1871 start_va = 0x630000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 1872 start_va = 0x1b0000 end_va = 0x1b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1873 start_va = 0x1c0000 end_va = 0x1f8fff monitored = 0 entry_point = 0x1c12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1874 start_va = 0x630000 end_va = 0x7b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 1875 start_va = 0x7d0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1876 start_va = 0x7ffa58110000 end_va = 0x7ffa5814afff monitored = 0 entry_point = 0x7ffa581112f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1877 start_va = 0x7e0000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1878 start_va = 0x970000 end_va = 0x1d6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 1879 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1880 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1881 start_va = 0x1d70000 end_va = 0x1e4cfff monitored = 0 entry_point = 0x1dce0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1882 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1883 start_va = 0x7ffa57cc0000 end_va = 0x7ffa57d66fff monitored = 0 entry_point = 0x7ffa57ccb4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1884 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1885 start_va = 0x7ffa4df70000 end_va = 0x7ffa4df8dfff monitored = 0 entry_point = 0x7ffa4df75340 region_type = mapped_file name = "desktopshellext.dll" filename = "\\Windows\\System32\\DesktopShellExt.dll" (normalized: "c:\\windows\\system32\\desktopshellext.dll") Region: id = 1886 start_va = 0x7ffa4df50000 end_va = 0x7ffa4df61fff monitored = 0 entry_point = 0x7ffa4df55110 region_type = mapped_file name = "windows.shell.servicehostbuilder.dll" filename = "\\Windows\\System32\\Windows.Shell.ServiceHostBuilder.dll" (normalized: "c:\\windows\\system32\\windows.shell.servicehostbuilder.dll") Region: id = 1888 start_va = 0x1d70000 end_va = 0x1e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 1889 start_va = 0x1e70000 end_va = 0x1f4cfff monitored = 0 entry_point = 0x1ece0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1890 start_va = 0x1e70000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 1891 start_va = 0x1ef0000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 1892 start_va = 0x1f70000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 1893 start_va = 0x7ffa543b0000 end_va = 0x7ffa54842fff monitored = 0 entry_point = 0x7ffa543bf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1894 start_va = 0x7ffa4de70000 end_va = 0x7ffa4df49fff monitored = 0 entry_point = 0x7ffa4dec03b0 region_type = mapped_file name = "modernexecserver.dll" filename = "\\Windows\\System32\\modernexecserver.dll" (normalized: "c:\\windows\\system32\\modernexecserver.dll") Region: id = 1895 start_va = 0x7ffa583c0000 end_va = 0x7ffa58480fff monitored = 0 entry_point = 0x7ffa583e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1896 start_va = 0x7ffa56330000 end_va = 0x7ffa5637afff monitored = 0 entry_point = 0x7ffa563335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1897 start_va = 0x7ffa55090000 end_va = 0x7ffa550b9fff monitored = 0 entry_point = 0x7ffa55098b90 region_type = mapped_file name = "rmclient.dll" filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll") Region: id = 1898 start_va = 0x7ffa4de20000 end_va = 0x7ffa4de6afff monitored = 0 entry_point = 0x7ffa4de37b70 region_type = mapped_file name = "veeventdispatcher.dll" filename = "\\Windows\\System32\\VEEventDispatcher.dll" (normalized: "c:\\windows\\system32\\veeventdispatcher.dll") Region: id = 1899 start_va = 0x7ffa54e30000 end_va = 0x7ffa54f2ffff monitored = 0 entry_point = 0x7ffa54e70f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 1900 start_va = 0x7ffa561a0000 end_va = 0x7ffa561c8fff monitored = 0 entry_point = 0x7ffa561b4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1901 start_va = 0x7ffa50510000 end_va = 0x7ffa505a1fff monitored = 0 entry_point = 0x7ffa5055a780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 1902 start_va = 0x1ff0000 end_va = 0x2132fff monitored = 0 entry_point = 0x2018210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1903 start_va = 0x1ff0000 end_va = 0x20cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1904 start_va = 0x20d0000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 1905 start_va = 0x7ffa54c90000 end_va = 0x7ffa54d25fff monitored = 0 entry_point = 0x7ffa54cb5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1906 start_va = 0x2150000 end_va = 0x22bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 1908 start_va = 0x7ffa4ddd0000 end_va = 0x7ffa4de00fff monitored = 0 entry_point = 0x7ffa4ddd3400 region_type = mapped_file name = "clipboardserver.dll" filename = "\\Windows\\System32\\ClipboardServer.dll" (normalized: "c:\\windows\\system32\\clipboardserver.dll") Region: id = 1909 start_va = 0x7ffa4dd70000 end_va = 0x7ffa4ddccfff monitored = 0 entry_point = 0x7ffa4dd80080 region_type = mapped_file name = "activationmanager.dll" filename = "\\Windows\\System32\\ActivationManager.dll" (normalized: "c:\\windows\\system32\\activationmanager.dll") Region: id = 1910 start_va = 0x7ffa4dd40000 end_va = 0x7ffa4dd62fff monitored = 0 entry_point = 0x7ffa4dd43020 region_type = mapped_file name = "appointmentactivation.dll" filename = "\\Windows\\System32\\AppointmentActivation.dll" (normalized: "c:\\windows\\system32\\appointmentactivation.dll") Region: id = 1911 start_va = 0x2150000 end_va = 0x21cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 1912 start_va = 0x22b0000 end_va = 0x22bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022b0000" filename = "" Region: id = 1913 start_va = 0x7ffa57b70000 end_va = 0x7ffa57cb2fff monitored = 0 entry_point = 0x7ffa57b98210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1914 start_va = 0x7ffa4fd50000 end_va = 0x7ffa4fd90fff monitored = 0 entry_point = 0x7ffa4fd54840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 1915 start_va = 0x21d0000 end_va = 0x224ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 1916 start_va = 0x7ffa50940000 end_va = 0x7ffa5094ffff monitored = 0 entry_point = 0x7ffa50942c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 1917 start_va = 0x22c0000 end_va = 0x23bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022c0000" filename = "" Region: id = 1918 start_va = 0x23c0000 end_va = 0x2bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 1919 start_va = 0x2bc0000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 1920 start_va = 0x2c40000 end_va = 0x2cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 1923 start_va = 0x2cc0000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 1924 start_va = 0x7ffa4dcf0000 end_va = 0x7ffa4dd33fff monitored = 0 entry_point = 0x7ffa4dcfc010 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 1925 start_va = 0x7ffa4dce0000 end_va = 0x7ffa4dcedfff monitored = 0 entry_point = 0x7ffa4dce2690 region_type = mapped_file name = "notificationplatformcomponent.dll" filename = "\\Windows\\System32\\notificationplatformcomponent.dll" (normalized: "c:\\windows\\system32\\notificationplatformcomponent.dll") Region: id = 1927 start_va = 0x7ffa4dc40000 end_va = 0x7ffa4dcd6fff monitored = 0 entry_point = 0x7ffa4dc54fd0 region_type = mapped_file name = "appcontracts.dll" filename = "\\Windows\\System32\\AppContracts.dll" (normalized: "c:\\windows\\system32\\appcontracts.dll") Region: id = 1928 start_va = 0x7ffa4db90000 end_va = 0x7ffa4dc31fff monitored = 0 entry_point = 0x7ffa4db92b20 region_type = mapped_file name = "sharehost.dll" filename = "\\Windows\\System32\\ShareHost.dll" (normalized: "c:\\windows\\system32\\sharehost.dll") Region: id = 1929 start_va = 0x7ffa581f0000 end_va = 0x7ffa58241fff monitored = 0 entry_point = 0x7ffa581ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1930 start_va = 0x7ffa56a10000 end_va = 0x7ffa57053fff monitored = 0 entry_point = 0x7ffa56bd64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1931 start_va = 0x7ffa56410000 end_va = 0x7ffa56452fff monitored = 0 entry_point = 0x7ffa56424b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1932 start_va = 0x7ffa56310000 end_va = 0x7ffa56323fff monitored = 0 entry_point = 0x7ffa563152e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1933 start_va = 0x7ffa4db80000 end_va = 0x7ffa4db88fff monitored = 0 entry_point = 0x7ffa4db81480 region_type = mapped_file name = "wpportinglibrary.dll" filename = "\\Windows\\System32\\WpPortingLibrary.dll" (normalized: "c:\\windows\\system32\\wpportinglibrary.dll") Region: id = 1934 start_va = 0x7ffa4d920000 end_va = 0x7ffa4db7cfff monitored = 0 entry_point = 0x7ffa4d9a8610 region_type = mapped_file name = "twinui.appcore.dll" filename = "\\Windows\\System32\\twinui.appcore.dll" (normalized: "c:\\windows\\system32\\twinui.appcore.dll") Region: id = 1935 start_va = 0x2d40000 end_va = 0x2dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 1936 start_va = 0x7ffa4d880000 end_va = 0x7ffa4d894fff monitored = 0 entry_point = 0x7ffa4d881ab0 region_type = mapped_file name = "execmodelproxy.dll" filename = "\\Windows\\System32\\execmodelproxy.dll" (normalized: "c:\\windows\\system32\\execmodelproxy.dll") Region: id = 1944 start_va = 0x2dc0000 end_va = 0x2e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 1997 start_va = 0x2e40000 end_va = 0x2ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Thread: id = 171 os_tid = 0x610 Thread: id = 172 os_tid = 0x614 Thread: id = 173 os_tid = 0x61c Thread: id = 174 os_tid = 0x620 Thread: id = 175 os_tid = 0x624 Thread: id = 176 os_tid = 0x628 Thread: id = 178 os_tid = 0x630 Thread: id = 179 os_tid = 0x634 Thread: id = 180 os_tid = 0x638 Thread: id = 181 os_tid = 0x63c Thread: id = 183 os_tid = 0x644 Thread: id = 184 os_tid = 0x648 Thread: id = 185 os_tid = 0x65c Thread: id = 186 os_tid = 0x67c Thread: id = 187 os_tid = 0x688 Process: id = "14" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x11720000" os_pid = "0x690" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "13" os_parent_pid = "0x674" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00012274" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1998 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1999 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2000 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2001 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2002 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2003 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2004 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2005 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2006 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2007 start_va = 0x1d0000 end_va = 0x1d7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "explorer.exe.mui" filename = "\\Windows\\en-US\\explorer.exe.mui" (normalized: "c:\\windows\\en-us\\explorer.exe.mui") Region: id = 2008 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 2009 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2010 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2011 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2012 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 2013 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 2014 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 2015 start_va = 0x440000 end_va = 0x443fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 2016 start_va = 0x450000 end_va = 0x466fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db") Region: id = 2017 start_va = 0x470000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 2018 start_va = 0x570000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 2019 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 2020 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 2021 start_va = 0x790000 end_va = 0x791fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 2022 start_va = 0x7a0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 2023 start_va = 0x7b0000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 2024 start_va = 0x940000 end_va = 0x1d3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 2025 start_va = 0x1d40000 end_va = 0x1d57fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000015.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.ver0x0000000000000015.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000015.db") Region: id = 2026 start_va = 0x1d60000 end_va = 0x1d61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d60000" filename = "" Region: id = 2027 start_va = 0x1d70000 end_va = 0x1d9dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d70000" filename = "" Region: id = 2028 start_va = 0x1da0000 end_va = 0x1da1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001da0000" filename = "" Region: id = 2029 start_va = 0x1db0000 end_va = 0x1db1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001db0000" filename = "" Region: id = 2030 start_va = 0x1dc0000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 2031 start_va = 0x1e40000 end_va = 0x1ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 2032 start_va = 0x1ec0000 end_va = 0x1ec1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 2033 start_va = 0x1ed0000 end_va = 0x1ed4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll.mui" filename = "\\Windows\\System32\\en-US\\oleaccrc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\oleaccrc.dll.mui") Region: id = 2034 start_va = 0x1ee0000 end_va = 0x1ee3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ee0000" filename = "" Region: id = 2035 start_va = 0x1ef0000 end_va = 0x1ef6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 2036 start_va = 0x1f00000 end_va = 0x1f01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f00000" filename = "" Region: id = 2037 start_va = 0x1f10000 end_va = 0x1f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 2038 start_va = 0x1f20000 end_va = 0x2256fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2039 start_va = 0x2260000 end_va = 0x22dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 2040 start_va = 0x22e0000 end_va = 0x235ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022e0000" filename = "" Region: id = 2041 start_va = 0x2360000 end_va = 0x23c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shell32.dll.mui" filename = "\\Windows\\System32\\en-US\\shell32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\shell32.dll.mui") Region: id = 2042 start_va = 0x23d0000 end_va = 0x24affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2043 start_va = 0x24b0000 end_va = 0x252ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024b0000" filename = "" Region: id = 2044 start_va = 0x2530000 end_va = 0x25affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002530000" filename = "" Region: id = 2045 start_va = 0x25b0000 end_va = 0x262ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2046 start_va = 0x2630000 end_va = 0x26ebfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002630000" filename = "" Region: id = 2047 start_va = 0x26f0000 end_va = 0x27effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 2048 start_va = 0x27f0000 end_va = 0x382ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 2049 start_va = 0x3830000 end_va = 0x3830fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003830000" filename = "" Region: id = 2050 start_va = 0x3840000 end_va = 0x3840fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003840000" filename = "" Region: id = 2051 start_va = 0x3850000 end_va = 0x3850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003850000" filename = "" Region: id = 2052 start_va = 0x3860000 end_va = 0x3861fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003860000" filename = "" Region: id = 2053 start_va = 0x3870000 end_va = 0x38effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 2054 start_va = 0x38f0000 end_va = 0x38f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000038f0000" filename = "" Region: id = 2055 start_va = 0x3900000 end_va = 0x3900fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003900000" filename = "" Region: id = 2056 start_va = 0x3910000 end_va = 0x3910fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003910000" filename = "" Region: id = 2057 start_va = 0x3920000 end_va = 0x3920fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003920000" filename = "" Region: id = 2058 start_va = 0x3930000 end_va = 0x3a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003930000" filename = "" Region: id = 2059 start_va = 0x3a30000 end_va = 0x3a30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a30000" filename = "" Region: id = 2060 start_va = 0x3a40000 end_va = 0x3a4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a40000" filename = "" Region: id = 2061 start_va = 0x3a50000 end_va = 0x3a5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a50000" filename = "" Region: id = 2062 start_va = 0x3a60000 end_va = 0x3a6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a60000" filename = "" Region: id = 2063 start_va = 0x3a70000 end_va = 0x3a70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a70000" filename = "" Region: id = 2064 start_va = 0x3a80000 end_va = 0x3a80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a80000" filename = "" Region: id = 2065 start_va = 0x3a90000 end_va = 0x3a90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a90000" filename = "" Region: id = 2066 start_va = 0x3aa0000 end_va = 0x3aa3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 2067 start_va = 0x3ab0000 end_va = 0x3ab0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ab0000" filename = "" Region: id = 2068 start_va = 0x3ac0000 end_va = 0x3ac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003ac0000" filename = "" Region: id = 2069 start_va = 0x3ad0000 end_va = 0x3ad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ad0000" filename = "" Region: id = 2070 start_va = 0x3ae0000 end_va = 0x3ae1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003ae0000" filename = "" Region: id = 2071 start_va = 0x3af0000 end_va = 0x3b28fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003af0000" filename = "" Region: id = 2072 start_va = 0x3b30000 end_va = 0x3b30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b30000" filename = "" Region: id = 2073 start_va = 0x3b40000 end_va = 0x3b40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b40000" filename = "" Region: id = 2074 start_va = 0x3b50000 end_va = 0x3b51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b50000" filename = "" Region: id = 2075 start_va = 0x3b60000 end_va = 0x3b83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b60000" filename = "" Region: id = 2076 start_va = 0x3b90000 end_va = 0x3bb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b90000" filename = "" Region: id = 2077 start_va = 0x3bc0000 end_va = 0x3bc1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003bc0000" filename = "" Region: id = 2078 start_va = 0x3bd0000 end_va = 0x3c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003bd0000" filename = "" Region: id = 2079 start_va = 0x3c50000 end_va = 0x3c53fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2080 start_va = 0x3c60000 end_va = 0x3ca4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db") Region: id = 2081 start_va = 0x3cb0000 end_va = 0x3cb3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2082 start_va = 0x3cc0000 end_va = 0x3d4dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 2083 start_va = 0x3d50000 end_va = 0x3d60fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 2084 start_va = 0x3d70000 end_va = 0x3d71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d70000" filename = "" Region: id = 2085 start_va = 0x3d80000 end_va = 0x3d83fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2086 start_va = 0x3d90000 end_va = 0x3d91fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d90000" filename = "" Region: id = 2087 start_va = 0x3da0000 end_va = 0x3db8fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000016.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.ver0x0000000000000016.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000016.db") Region: id = 2088 start_va = 0x3df0000 end_va = 0x3e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003df0000" filename = "" Region: id = 2089 start_va = 0x3e70000 end_va = 0x3eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e70000" filename = "" Region: id = 2090 start_va = 0x3ef0000 end_va = 0x3ef0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ef0000" filename = "" Region: id = 2091 start_va = 0x3f00000 end_va = 0x3f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 2092 start_va = 0x3f80000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f80000" filename = "" Region: id = 2093 start_va = 0x4000000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 2094 start_va = 0x4100000 end_va = 0x417ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 2095 start_va = 0x4180000 end_va = 0x4b7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004180000" filename = "" Region: id = 2096 start_va = 0x4b80000 end_va = 0x4bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b80000" filename = "" Region: id = 2097 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2098 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2099 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2100 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2101 start_va = 0x7ff7f4b70000 end_va = 0x7ff7f4fb7fff monitored = 0 entry_point = 0x7ff7f4c0e090 region_type = mapped_file name = "explorer.exe" filename = "\\Windows\\explorer.exe" (normalized: "c:\\windows\\explorer.exe") Region: id = 2102 start_va = 0x7ffa4b130000 end_va = 0x7ffa4b469fff monitored = 0 entry_point = 0x7ffa4b138520 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 2103 start_va = 0x7ffa4b470000 end_va = 0x7ffa4b479fff monitored = 0 entry_point = 0x7ffa4b471350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2104 start_va = 0x7ffa4b480000 end_va = 0x7ffa4b489fff monitored = 0 entry_point = 0x7ffa4b482e50 region_type = mapped_file name = "msiltcfg.dll" filename = "\\Windows\\System32\\msiltcfg.dll" (normalized: "c:\\windows\\system32\\msiltcfg.dll") Region: id = 2105 start_va = 0x7ffa4b490000 end_va = 0x7ffa4b638fff monitored = 0 entry_point = 0x7ffa4b4e4060 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\gdiplus.dll") Region: id = 2106 start_va = 0x7ffa4b640000 end_va = 0x7ffa4b8dffff monitored = 0 entry_point = 0x7ffa4b6451e0 region_type = mapped_file name = "gameux.dll" filename = "\\Windows\\System32\\gameux.dll" (normalized: "c:\\windows\\system32\\gameux.dll") Region: id = 2107 start_va = 0x7ffa4bc80000 end_va = 0x7ffa4bc8bfff monitored = 0 entry_point = 0x7ffa4bc818b0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 2108 start_va = 0x7ffa4bc90000 end_va = 0x7ffa4bcdcfff monitored = 0 entry_point = 0x7ffa4bc9d180 region_type = mapped_file name = "windows.immersiveshell.serviceprovider.dll" filename = "\\Windows\\System32\\windows.immersiveshell.serviceprovider.dll" (normalized: "c:\\windows\\system32\\windows.immersiveshell.serviceprovider.dll") Region: id = 2109 start_va = 0x7ffa4bce0000 end_va = 0x7ffa4c7eafff monitored = 0 entry_point = 0x7ffa4be2a540 region_type = mapped_file name = "twinui.dll" filename = "\\Windows\\System32\\twinui.dll" (normalized: "c:\\windows\\system32\\twinui.dll") Region: id = 2110 start_va = 0x7ffa4c7f0000 end_va = 0x7ffa4c83ffff monitored = 0 entry_point = 0x7ffa4c7f2580 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\System32\\edputil.dll" (normalized: "c:\\windows\\system32\\edputil.dll") Region: id = 2111 start_va = 0x7ffa4c840000 end_va = 0x7ffa4ccdffff monitored = 0 entry_point = 0x7ffa4c8d8740 region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll") Region: id = 2112 start_va = 0x7ffa4cd00000 end_va = 0x7ffa4cd49fff monitored = 0 entry_point = 0x7ffa4cd05800 region_type = mapped_file name = "dataexchange.dll" filename = "\\Windows\\System32\\DataExchange.dll" (normalized: "c:\\windows\\system32\\dataexchange.dll") Region: id = 2113 start_va = 0x7ffa4ce40000 end_va = 0x7ffa4cea9fff monitored = 0 entry_point = 0x7ffa4ce55e90 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 2114 start_va = 0x7ffa4d170000 end_va = 0x7ffa4d1d4fff monitored = 0 entry_point = 0x7ffa4d174c50 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 2115 start_va = 0x7ffa4d1e0000 end_va = 0x7ffa4d453fff monitored = 0 entry_point = 0x7ffa4d250400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 2116 start_va = 0x7ffa4d460000 end_va = 0x7ffa4d52dfff monitored = 0 entry_point = 0x7ffa4d4914c0 region_type = mapped_file name = "tokenbroker.dll" filename = "\\Windows\\System32\\TokenBroker.dll" (normalized: "c:\\windows\\system32\\tokenbroker.dll") Region: id = 2117 start_va = 0x7ffa4d530000 end_va = 0x7ffa4d628fff monitored = 0 entry_point = 0x7ffa4d578000 region_type = mapped_file name = "settingsynccore.dll" filename = "\\Windows\\System32\\SettingSyncCore.dll" (normalized: "c:\\windows\\system32\\settingsynccore.dll") Region: id = 2118 start_va = 0x7ffa4d630000 end_va = 0x7ffa4d644fff monitored = 0 entry_point = 0x7ffa4d632c90 region_type = mapped_file name = "settingsyncpolicy.dll" filename = "\\Windows\\System32\\SettingSyncPolicy.dll" (normalized: "c:\\windows\\system32\\settingsyncpolicy.dll") Region: id = 2119 start_va = 0x7ffa4d6d0000 end_va = 0x7ffa4d780fff monitored = 0 entry_point = 0x7ffa4d6e08f0 region_type = mapped_file name = "twinapi.dll" filename = "\\Windows\\System32\\twinapi.dll" (normalized: "c:\\windows\\system32\\twinapi.dll") Region: id = 2120 start_va = 0x7ffa4ea00000 end_va = 0x7ffa4ea27fff monitored = 0 entry_point = 0x7ffa4ea08c10 region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Region: id = 2121 start_va = 0x7ffa4faa0000 end_va = 0x7ffa4fb0ffff monitored = 0 entry_point = 0x7ffa4fac2960 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2122 start_va = 0x7ffa4fbc0000 end_va = 0x7ffa4fc14fff monitored = 0 entry_point = 0x7ffa4fbc3fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 2123 start_va = 0x7ffa50510000 end_va = 0x7ffa505a1fff monitored = 0 entry_point = 0x7ffa5055a780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 2124 start_va = 0x7ffa51a90000 end_va = 0x7ffa51c4cfff monitored = 0 entry_point = 0x7ffa51abaf90 region_type = mapped_file name = "windows.ui.immersive.dll" filename = "\\Windows\\System32\\Windows.UI.Immersive.dll" (normalized: "c:\\windows\\system32\\windows.ui.immersive.dll") Region: id = 2125 start_va = 0x7ffa51fe0000 end_va = 0x7ffa52115fff monitored = 0 entry_point = 0x7ffa5200f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 2126 start_va = 0x7ffa53210000 end_va = 0x7ffa5331dfff monitored = 0 entry_point = 0x7ffa5325eaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 2127 start_va = 0x7ffa53670000 end_va = 0x7ffa53820fff monitored = 0 entry_point = 0x7ffa537061a0 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 2128 start_va = 0x7ffa53830000 end_va = 0x7ffa538d1fff monitored = 0 entry_point = 0x7ffa53850a40 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 2129 start_va = 0x7ffa538e0000 end_va = 0x7ffa53b87fff monitored = 0 entry_point = 0x7ffa53973250 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 2130 start_va = 0x7ffa53b90000 end_va = 0x7ffa53bb1fff monitored = 0 entry_point = 0x7ffa53b91a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2131 start_va = 0x7ffa53cb0000 end_va = 0x7ffa53d92fff monitored = 0 entry_point = 0x7ffa53ce7da0 region_type = mapped_file name = "dcomp.dll" filename = "\\Windows\\System32\\dcomp.dll" (normalized: "c:\\windows\\system32\\dcomp.dll") Region: id = 2132 start_va = 0x7ffa540a0000 end_va = 0x7ffa54118fff monitored = 0 entry_point = 0x7ffa540bfb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 2133 start_va = 0x7ffa543b0000 end_va = 0x7ffa54842fff monitored = 0 entry_point = 0x7ffa543bf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 2134 start_va = 0x7ffa54850000 end_va = 0x7ffa548b6fff monitored = 0 entry_point = 0x7ffa5486e710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 2135 start_va = 0x7ffa54910000 end_va = 0x7ffa54a95fff monitored = 0 entry_point = 0x7ffa5495d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2136 start_va = 0x7ffa54aa0000 end_va = 0x7ffa54abbfff monitored = 0 entry_point = 0x7ffa54aa37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 2137 start_va = 0x7ffa54b00000 end_va = 0x7ffa54b12fff monitored = 0 entry_point = 0x7ffa54b02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2138 start_va = 0x7ffa54b20000 end_va = 0x7ffa54b44fff monitored = 0 entry_point = 0x7ffa54b22300 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 2139 start_va = 0x7ffa54b80000 end_va = 0x7ffa54ba4fff monitored = 0 entry_point = 0x7ffa54b95220 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 2140 start_va = 0x7ffa54c90000 end_va = 0x7ffa54d25fff monitored = 0 entry_point = 0x7ffa54cb5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2141 start_va = 0x7ffa54d30000 end_va = 0x7ffa54d56fff monitored = 0 entry_point = 0x7ffa54d37940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2142 start_va = 0x7ffa54e30000 end_va = 0x7ffa54f2ffff monitored = 0 entry_point = 0x7ffa54e70f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 2143 start_va = 0x7ffa55800000 end_va = 0x7ffa55830fff monitored = 0 entry_point = 0x7ffa55807d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2144 start_va = 0x7ffa55a70000 end_va = 0x7ffa55a8efff monitored = 0 entry_point = 0x7ffa55a75d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2145 start_va = 0x7ffa55c90000 end_va = 0x7ffa55ca6fff monitored = 0 entry_point = 0x7ffa55c979d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2146 start_va = 0x7ffa55e40000 end_va = 0x7ffa55e95fff monitored = 0 entry_point = 0x7ffa55e50bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2147 start_va = 0x7ffa55ff0000 end_va = 0x7ffa5601cfff monitored = 0 entry_point = 0x7ffa56009d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2148 start_va = 0x7ffa561a0000 end_va = 0x7ffa561c8fff monitored = 0 entry_point = 0x7ffa561b4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2149 start_va = 0x7ffa56310000 end_va = 0x7ffa56323fff monitored = 0 entry_point = 0x7ffa563152e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2150 start_va = 0x7ffa56330000 end_va = 0x7ffa5637afff monitored = 0 entry_point = 0x7ffa563335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2151 start_va = 0x7ffa56380000 end_va = 0x7ffa5638ffff monitored = 0 entry_point = 0x7ffa563856e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2152 start_va = 0x7ffa56390000 end_va = 0x7ffa5639efff monitored = 0 entry_point = 0x7ffa56393210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2153 start_va = 0x7ffa563a0000 end_va = 0x7ffa56409fff monitored = 0 entry_point = 0x7ffa563d6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2154 start_va = 0x7ffa56410000 end_va = 0x7ffa56452fff monitored = 0 entry_point = 0x7ffa56424b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2155 start_va = 0x7ffa56460000 end_va = 0x7ffa564b4fff monitored = 0 entry_point = 0x7ffa56477970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2156 start_va = 0x7ffa564c0000 end_va = 0x7ffa566a7fff monitored = 0 entry_point = 0x7ffa564eba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2157 start_va = 0x7ffa56760000 end_va = 0x7ffa56814fff monitored = 0 entry_point = 0x7ffa567a22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2158 start_va = 0x7ffa56820000 end_va = 0x7ffa569e6fff monitored = 0 entry_point = 0x7ffa5687db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2159 start_va = 0x7ffa56a10000 end_va = 0x7ffa57053fff monitored = 0 entry_point = 0x7ffa56bd64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2160 start_va = 0x7ffa570f0000 end_va = 0x7ffa5736cfff monitored = 0 entry_point = 0x7ffa571c4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2161 start_va = 0x7ffa577a0000 end_va = 0x7ffa57925fff monitored = 0 entry_point = 0x7ffa577effc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2162 start_va = 0x7ffa57930000 end_va = 0x7ffa579dcfff monitored = 0 entry_point = 0x7ffa579481a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2163 start_va = 0x7ffa579e0000 end_va = 0x7ffa57afbfff monitored = 0 entry_point = 0x7ffa57a202b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2164 start_va = 0x7ffa57b70000 end_va = 0x7ffa57cb2fff monitored = 0 entry_point = 0x7ffa57b98210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2165 start_va = 0x7ffa57cc0000 end_va = 0x7ffa57d66fff monitored = 0 entry_point = 0x7ffa57ccb4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2166 start_va = 0x7ffa57d80000 end_va = 0x7ffa57ed5fff monitored = 0 entry_point = 0x7ffa57d8a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2167 start_va = 0x7ffa57fb0000 end_va = 0x7ffa58109fff monitored = 0 entry_point = 0x7ffa57ff38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2168 start_va = 0x7ffa58110000 end_va = 0x7ffa5814afff monitored = 0 entry_point = 0x7ffa581112f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2169 start_va = 0x7ffa58150000 end_va = 0x7ffa581befff monitored = 0 entry_point = 0x7ffa58175f70 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 2170 start_va = 0x7ffa581f0000 end_va = 0x7ffa58241fff monitored = 0 entry_point = 0x7ffa581ff530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2171 start_va = 0x7ffa58360000 end_va = 0x7ffa583bafff monitored = 0 entry_point = 0x7ffa583738b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2172 start_va = 0x7ffa583c0000 end_va = 0x7ffa58480fff monitored = 0 entry_point = 0x7ffa583e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2173 start_va = 0x7ffa58490000 end_va = 0x7ffa58536fff monitored = 0 entry_point = 0x7ffa584a58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2174 start_va = 0x7ffa586f0000 end_va = 0x7ffa59c4efff monitored = 0 entry_point = 0x7ffa588511f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2175 start_va = 0x7ffa59c50000 end_va = 0x7ffa59cecfff monitored = 0 entry_point = 0x7ffa59c578a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2176 start_va = 0x7ffa59cf0000 end_va = 0x7ffa59eb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2242 start_va = 0x4c00000 end_va = 0x4c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c00000" filename = "" Region: id = 2246 start_va = 0x4c80000 end_va = 0x4cc9fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "transcodedwallpaper" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\themes\\transcodedwallpaper") Region: id = 2247 start_va = 0x4c80000 end_va = 0x5171fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c80000" filename = "" Region: id = 2248 start_va = 0x5180000 end_va = 0x51c2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cachedimage_1440_900_pos4.jpg" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1440_900_POS4.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\themes\\cachedfiles\\cachedimage_1440_900_pos4.jpg") Region: id = 2249 start_va = 0x7ffa4d920000 end_va = 0x7ffa4db7cfff monitored = 0 entry_point = 0x7ffa4d9a8610 region_type = mapped_file name = "twinui.appcore.dll" filename = "\\Windows\\System32\\twinui.appcore.dll" (normalized: "c:\\windows\\system32\\twinui.appcore.dll") Region: id = 2250 start_va = 0x7ffa53bf0000 end_va = 0x7ffa53cadfff monitored = 0 entry_point = 0x7ffa53c32d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 2251 start_va = 0x7ffa4df90000 end_va = 0x7ffa4e217fff monitored = 0 entry_point = 0x7ffa4dfef670 region_type = mapped_file name = "coreuicomponents.dll" filename = "\\Windows\\System32\\CoreUIComponents.dll" (normalized: "c:\\windows\\system32\\coreuicomponents.dll") Region: id = 2252 start_va = 0x7ffa54220000 end_va = 0x7ffa5433ffff monitored = 0 entry_point = 0x7ffa54258310 region_type = mapped_file name = "applicationframe.dll" filename = "\\Windows\\System32\\ApplicationFrame.dll" (normalized: "c:\\windows\\system32\\applicationframe.dll") Region: id = 2254 start_va = 0x5180000 end_va = 0x51c9fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "transcodedwallpaper" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\themes\\transcodedwallpaper") Region: id = 2255 start_va = 0x7ffa512d0000 end_va = 0x7ffa51814fff monitored = 0 entry_point = 0x7ffa5146a450 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 2257 start_va = 0x5180000 end_va = 0x51fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005180000" filename = "" Region: id = 2258 start_va = 0x7ffa54bf0000 end_va = 0x7ffa54c5cfff monitored = 0 entry_point = 0x7ffa54bfd750 region_type = mapped_file name = "photometadatahandler.dll" filename = "\\Windows\\System32\\PhotoMetadataHandler.dll" (normalized: "c:\\windows\\system32\\photometadatahandler.dll") Region: id = 2259 start_va = 0x5200000 end_va = 0x56f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005200000" filename = "" Region: id = 2260 start_va = 0x5700000 end_va = 0x5efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005700000" filename = "" Region: id = 2261 start_va = 0x5f00000 end_va = 0x63f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f00000" filename = "" Region: id = 2262 start_va = 0x7ffa53540000 end_va = 0x7ffa5361afff monitored = 0 entry_point = 0x7ffa535528b0 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 2263 start_va = 0x7ffa54bc0000 end_va = 0x7ffa54be5fff monitored = 0 entry_point = 0x7ffa54bc1cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2266 start_va = 0x3b60000 end_va = 0x3b67fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.storage.dll.mui" filename = "\\Windows\\System32\\en-US\\windows.storage.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\windows.storage.dll.mui") Region: id = 2267 start_va = 0x7ffa4e220000 end_va = 0x7ffa4e231fff monitored = 0 entry_point = 0x7ffa4e223580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 2268 start_va = 0x7ffa55720000 end_va = 0x7ffa5572bfff monitored = 0 entry_point = 0x7ffa557227e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2269 start_va = 0x3b70000 end_va = 0x3b93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b70000" filename = "" Region: id = 2270 start_va = 0x3ba0000 end_va = 0x3ba8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ba0000" filename = "" Region: id = 2271 start_va = 0x3bb0000 end_va = 0x3bb8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003bb0000" filename = "" Region: id = 2272 start_va = 0x3dc0000 end_va = 0x3de3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003dc0000" filename = "" Region: id = 2273 start_va = 0x5200000 end_va = 0x52fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005200000" filename = "" Region: id = 2274 start_va = 0x5300000 end_va = 0x5301fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005300000" filename = "" Region: id = 2275 start_va = 0x7ffa548c0000 end_va = 0x7ffa5490cfff monitored = 0 entry_point = 0x7ffa548d7de0 region_type = mapped_file name = "thumbcache.dll" filename = "\\Windows\\System32\\thumbcache.dll" (normalized: "c:\\windows\\system32\\thumbcache.dll") Region: id = 2276 start_va = 0x5310000 end_va = 0x5311fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005310000" filename = "" Region: id = 2277 start_va = 0x5320000 end_va = 0x5321fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 2278 start_va = 0x5330000 end_va = 0x5330fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2279 start_va = 0x5320000 end_va = 0x5320fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 2280 start_va = 0x6400000 end_va = 0x901ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 2281 start_va = 0x5320000 end_va = 0x5321fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 2282 start_va = 0x5330000 end_va = 0x5330fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2283 start_va = 0x3dc0000 end_va = 0x3dc1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 2284 start_va = 0x5320000 end_va = 0x5367fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005320000" filename = "" Region: id = 2285 start_va = 0x3dd0000 end_va = 0x3dd0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2286 start_va = 0x3dc0000 end_va = 0x3dc0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 2287 start_va = 0x6400000 end_va = 0x901ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 2288 start_va = 0x3dc0000 end_va = 0x3dc1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 2289 start_va = 0x3dd0000 end_va = 0x3dd0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2290 start_va = 0x3dd0000 end_va = 0x3dd0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2291 start_va = 0x3dc0000 end_va = 0x3dc0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 2292 start_va = 0x6400000 end_va = 0x901ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 2293 start_va = 0x3dc0000 end_va = 0x3dc1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 2294 start_va = 0x3dd0000 end_va = 0x3dd0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2295 start_va = 0x3dc0000 end_va = 0x3dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003dc0000" filename = "" Region: id = 2296 start_va = 0x3dd0000 end_va = 0x3dd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003dd0000" filename = "" Region: id = 2297 start_va = 0x5370000 end_va = 0x53b7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005370000" filename = "" Region: id = 2298 start_va = 0x53c0000 end_va = 0x55bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000053c0000" filename = "" Region: id = 2299 start_va = 0x55c0000 end_va = 0x563ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000055c0000" filename = "" Region: id = 2302 start_va = 0x7ffa54bb0000 end_va = 0x7ffa54bbcfff monitored = 0 entry_point = 0x7ffa54bb1ea0 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 2304 start_va = 0x3de0000 end_va = 0x3deffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003de0000" filename = "" Region: id = 2307 start_va = 0x3de0000 end_va = 0x3de1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 2308 start_va = 0x5640000 end_va = 0x5640fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2310 start_va = 0x7ffa51c50000 end_va = 0x7ffa51fd1fff monitored = 0 entry_point = 0x7ffa51ca1220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 2311 start_va = 0x5650000 end_va = 0x56cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005650000" filename = "" Region: id = 2312 start_va = 0x56d0000 end_va = 0x56d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 2313 start_va = 0x6400000 end_va = 0x901ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 2314 start_va = 0x6400000 end_va = 0x6cf2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll" filename = "\\Windows\\System32\\wmploc.DLL" (normalized: "c:\\windows\\system32\\wmploc.dll") Region: id = 2315 start_va = 0x6d00000 end_va = 0x6d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006d00000" filename = "" Region: id = 2316 start_va = 0x6d80000 end_va = 0x6dd7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll.mui" filename = "\\Windows\\System32\\en-US\\wmploc.DLL.mui" (normalized: "c:\\windows\\system32\\en-us\\wmploc.dll.mui") Region: id = 2317 start_va = 0x6400000 end_va = 0x6cf2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll" filename = "\\Windows\\System32\\wmploc.DLL" (normalized: "c:\\windows\\system32\\wmploc.dll") Region: id = 2318 start_va = 0x6d80000 end_va = 0x6dd7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll.mui" filename = "\\Windows\\System32\\en-US\\wmploc.DLL.mui" (normalized: "c:\\windows\\system32\\en-us\\wmploc.dll.mui") Region: id = 2319 start_va = 0x7ffa53160000 end_va = 0x7ffa53208fff monitored = 0 entry_point = 0x7ffa53189010 region_type = mapped_file name = "windows.ui.dll" filename = "\\Windows\\System32\\Windows.UI.dll" (normalized: "c:\\windows\\system32\\windows.ui.dll") Region: id = 2320 start_va = 0x6400000 end_va = 0x651ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006400000" filename = "" Region: id = 2321 start_va = 0x6d80000 end_va = 0x6dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006d80000" filename = "" Region: id = 2322 start_va = 0x6e00000 end_va = 0x6e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006e00000" filename = "" Region: id = 2323 start_va = 0x56d0000 end_va = 0x56d1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 2324 start_va = 0x6400000 end_va = 0x64fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 2329 start_va = 0x7ffa53320000 end_va = 0x7ffa53533fff monitored = 0 entry_point = 0x7ffa53321000 region_type = mapped_file name = "grooveex.dll" filename = "\\PROGRA~1\\MICROS~1\\Office16\\GROOVEEX.DLL" (normalized: "c:\\program files\\micros~1\\office16\\grooveex.dll") Region: id = 2330 start_va = 0x55c0000 end_va = 0x55c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000055c0000" filename = "" Region: id = 2331 start_va = 0x7ffa52e40000 end_va = 0x7ffa52e58fff monitored = 0 entry_point = 0x7ffa52e4ee50 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Windows\\System32\\vcruntime140.dll" (normalized: "c:\\windows\\system32\\vcruntime140.dll") Region: id = 2332 start_va = 0x7ffa52da0000 end_va = 0x7ffa52e30fff monitored = 0 entry_point = 0x7ffa52df2430 region_type = mapped_file name = "msvcp140.dll" filename = "\\Windows\\System32\\msvcp140.dll" (normalized: "c:\\windows\\system32\\msvcp140.dll") Region: id = 2333 start_va = 0x7ffa554b0000 end_va = 0x7ffa555a3fff monitored = 0 entry_point = 0x7ffa554ba960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 2334 start_va = 0x7ffa54190000 end_va = 0x7ffa5419bfff monitored = 0 entry_point = 0x7ffa54194150 region_type = mapped_file name = "vcruntime140_1.dll" filename = "\\Windows\\System32\\vcruntime140_1.dll" (normalized: "c:\\windows\\system32\\vcruntime140_1.dll") Region: id = 2335 start_va = 0x55d0000 end_va = 0x55d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000055d0000" filename = "" Region: id = 2336 start_va = 0x6500000 end_va = 0x66b8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 2337 start_va = 0x180000000 end_va = 0x18087dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "grooveintlresource.dll" filename = "\\PROGRA~1\\MICROS~1\\Office16\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files\\micros~1\\office16\\1033\\grooveintlresource.dll") Region: id = 2344 start_va = 0x7ffa52d60000 end_va = 0x7ffa52d96fff monitored = 0 entry_point = 0x7ffa52d620a0 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 2345 start_va = 0x7ffa57370000 end_va = 0x7ffa57798fff monitored = 0 entry_point = 0x7ffa57398740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2346 start_va = 0x7ffa52c90000 end_va = 0x7ffa52d55fff monitored = 0 entry_point = 0x7ffa52c93ac0 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll") Region: id = 2349 start_va = 0x55e0000 end_va = 0x55e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000055e0000" filename = "" Region: id = 2350 start_va = 0x7ffa4fda0000 end_va = 0x7ffa4fdb5fff monitored = 0 entry_point = 0x7ffa4fda1b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2354 start_va = 0x66c0000 end_va = 0x6bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066c0000" filename = "" Region: id = 2356 start_va = 0x7ffa52c00000 end_va = 0x7ffa52c76fff monitored = 0 entry_point = 0x7ffa52c02af0 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 2357 start_va = 0x7ffa57b00000 end_va = 0x7ffa57b6afff monitored = 0 entry_point = 0x7ffa57b190c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2359 start_va = 0x7ffa4fd50000 end_va = 0x7ffa4fd90fff monitored = 0 entry_point = 0x7ffa4fd54840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 2364 start_va = 0x6e80000 end_va = 0x6efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006e80000" filename = "" Region: id = 2365 start_va = 0x6f00000 end_va = 0x6f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f00000" filename = "" Region: id = 2366 start_va = 0x7ffa52b20000 end_va = 0x7ffa52bf9fff monitored = 0 entry_point = 0x7ffa52b53c00 region_type = mapped_file name = "wpncore.dll" filename = "\\Windows\\System32\\wpncore.dll" (normalized: "c:\\windows\\system32\\wpncore.dll") Thread: id = 197 os_tid = 0x780 Thread: id = 198 os_tid = 0x77c Thread: id = 199 os_tid = 0x74c Thread: id = 200 os_tid = 0x740 Thread: id = 201 os_tid = 0x720 Thread: id = 202 os_tid = 0x71c Thread: id = 203 os_tid = 0x714 Thread: id = 204 os_tid = 0x710 Thread: id = 205 os_tid = 0x6e4 Thread: id = 206 os_tid = 0x6e8 Thread: id = 207 os_tid = 0x6e0 Thread: id = 208 os_tid = 0x6dc Thread: id = 209 os_tid = 0x6c4 Thread: id = 210 os_tid = 0x6c0 Thread: id = 211 os_tid = 0x6bc Thread: id = 212 os_tid = 0x6ac Thread: id = 213 os_tid = 0x698 Thread: id = 214 os_tid = 0x694 Thread: id = 225 os_tid = 0x474 Thread: id = 228 os_tid = 0x550 Thread: id = 232 os_tid = 0x1cc Thread: id = 234 os_tid = 0x230 Thread: id = 235 os_tid = 0x5cc Thread: id = 236 os_tid = 0x5d0 Thread: id = 237 os_tid = 0x2a8 Thread: id = 243 os_tid = 0x668 Thread: id = 245 os_tid = 0x2f8