# Flog Txt Version 1 # Analyzer Version: 4.6.0 # Analyzer Build Date: Jul 8 2022 06:26:21 # Log Creation Date: 05.08.2022 12:16:58.986 Process: id = "1" image_name = "740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe" page_root = "0x34a95000" os_pid = "0xc04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x7b4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe\" " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 117 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 118 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 119 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 120 start_va = 0x150000 end_va = 0x153fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 121 start_va = 0x160000 end_va = 0x162fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 122 start_va = 0x170000 end_va = 0x171fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 123 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 124 start_va = 0x400000 end_va = 0x9e9fff monitored = 1 entry_point = 0x9d8e6e region_type = mapped_file name = "740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") Region: id = 125 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 126 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 127 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 266 start_va = 0x9f0000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 267 start_va = 0x7ff9ffb40000 end_va = 0x7ff9ffba7fff monitored = 1 entry_point = 0x7ff9ffb44970 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 268 start_va = 0x7ffa15160000 end_va = 0x7ffa1520cfff monitored = 0 entry_point = 0x7ffa151781a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 269 start_va = 0x7ffa13130000 end_va = 0x7ffa13317fff monitored = 0 entry_point = 0x7ffa1315ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 270 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 271 start_va = 0x7ff5ffed0000 end_va = 0x7ff5fffcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5ffed0000" filename = "" Region: id = 272 start_va = 0x9f0000 end_va = 0xaadfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 273 start_va = 0xb10000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 274 start_va = 0xc10000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 275 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 276 start_va = 0x7ffa15090000 end_va = 0x7ffa15136fff monitored = 0 entry_point = 0x7ffa150a58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 277 start_va = 0x7ffa13cc0000 end_va = 0x7ffa13d5cfff monitored = 0 entry_point = 0x7ffa13cc78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 278 start_va = 0xcb0000 end_va = 0xdaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 279 start_va = 0x7ffa14070000 end_va = 0x7ffa140cafff monitored = 0 entry_point = 0x7ffa140838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 280 start_va = 0x7ffa145c0000 end_va = 0x7ffa146dbfff monitored = 0 entry_point = 0x7ffa146002b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 281 start_va = 0xdb0000 end_va = 0xecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 282 start_va = 0x180000 end_va = 0x186fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 283 start_va = 0x7ff9ffaa0000 end_va = 0x7ff9ffb3cfff monitored = 1 entry_point = 0x7ff9ffaa1010 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 284 start_va = 0x190000 end_va = 0x196fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 285 start_va = 0x7ffa14ba0000 end_va = 0x7ffa14bf1fff monitored = 0 entry_point = 0x7ffa14baf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 286 start_va = 0x7ffa14340000 end_va = 0x7ffa145bcfff monitored = 0 entry_point = 0x7ffa14414970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 287 start_va = 0x7ffa13320000 end_va = 0x7ffa13389fff monitored = 0 entry_point = 0x7ffa13356d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 288 start_va = 0x7ffa13ee0000 end_va = 0x7ffa14065fff monitored = 0 entry_point = 0x7ffa13f2ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 289 start_va = 0x7ffa13d80000 end_va = 0x7ffa13ed5fff monitored = 0 entry_point = 0x7ffa13d8a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 290 start_va = 0x1a0000 end_va = 0x1d8fff monitored = 0 entry_point = 0x1a12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 291 start_va = 0xed0000 end_va = 0x1057fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 292 start_va = 0x7ffa141e0000 end_va = 0x7ffa1421afff monitored = 0 entry_point = 0x7ffa141e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 293 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 294 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 295 start_va = 0x1060000 end_va = 0x11e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001060000" filename = "" Region: id = 296 start_va = 0x11f0000 end_va = 0x25effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011f0000" filename = "" Region: id = 297 start_va = 0x25f0000 end_va = 0x2bd2fff monitored = 1 entry_point = 0x2bc8e6e region_type = mapped_file name = "740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") Region: id = 298 start_va = 0x7ffa12e10000 end_va = 0x7ffa12e1efff monitored = 0 entry_point = 0x7ffa12e13210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 299 start_va = 0x7ffa114c0000 end_va = 0x7ffa114c9fff monitored = 0 entry_point = 0x7ffa114c1350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 300 start_va = 0x7ff9fa810000 end_va = 0x7ff9fb1f5fff monitored = 1 entry_point = 0x7ff9fa815b60 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll") Region: id = 301 start_va = 0x7ff9ff590000 end_va = 0x7ff9ff686fff monitored = 0 entry_point = 0x7ff9ff5b4d80 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\System32\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\system32\\msvcr120_clr0400.dll") Region: id = 302 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 303 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 304 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 305 start_va = 0x7ff99b0f0000 end_va = 0x7ff99b0fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b0f0000" filename = "" Region: id = 306 start_va = 0x7ff99b100000 end_va = 0x7ff99b10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b100000" filename = "" Region: id = 307 start_va = 0x7ff99b110000 end_va = 0x7ff99b19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b110000" filename = "" Region: id = 308 start_va = 0x7ff99b1a0000 end_va = 0x7ff99b20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b1a0000" filename = "" Region: id = 309 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 310 start_va = 0xab0000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 311 start_va = 0x25f0000 end_va = 0x272ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 312 start_va = 0x25f0000 end_va = 0x271ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 313 start_va = 0x2720000 end_va = 0x272ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002720000" filename = "" Region: id = 314 start_va = 0xdb0000 end_va = 0xeaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 315 start_va = 0xec0000 end_va = 0xecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 316 start_va = 0xac0000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 317 start_va = 0x2730000 end_va = 0x1a72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 318 start_va = 0x1a730000 end_va = 0x1aa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a730000" filename = "" Region: id = 319 start_va = 0x25f0000 end_va = 0x26fafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 320 start_va = 0x2710000 end_va = 0x271ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 321 start_va = 0x1aaa0000 end_va = 0x1ab9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aaa0000" filename = "" Region: id = 322 start_va = 0x1aba0000 end_va = 0x1aed6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 323 start_va = 0x7ff9f9320000 end_va = 0x7ff9fa807fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\f89061884b75dab0e3967d7221e5290d\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\mscorlib\\f89061884b75dab0e3967d7221e5290d\\mscorlib.ni.dll") Region: id = 324 start_va = 0x7ffa13b70000 end_va = 0x7ffa13cb2fff monitored = 0 entry_point = 0x7ffa13b98210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 325 start_va = 0x1aee0000 end_va = 0x1af9ffff monitored = 0 entry_point = 0x1af00da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 326 start_va = 0x1aee0000 end_va = 0x1afbcfff monitored = 0 entry_point = 0x1af3e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 327 start_va = 0x7ffa11710000 end_va = 0x7ffa117a5fff monitored = 0 entry_point = 0x7ffa11735570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 328 start_va = 0x1aee0000 end_va = 0x1b0bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aee0000" filename = "" Region: id = 329 start_va = 0x7ff5ffe30000 end_va = 0x7ff5ffecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5ffe30000" filename = "" Region: id = 330 start_va = 0x7ff5ffe20000 end_va = 0x7ff5ffe2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5ffe20000" filename = "" Region: id = 331 start_va = 0x7ff99b210000 end_va = 0x7ff99b21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b210000" filename = "" Region: id = 332 start_va = 0x7ff99b220000 end_va = 0x7ff99b25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b220000" filename = "" Region: id = 333 start_va = 0x7ff9ff2c0000 end_va = 0x7ff9ff3cdfff monitored = 1 entry_point = 0x7ff9ff2c1080 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clrjit.dll") Region: id = 334 start_va = 0x7ffa147c0000 end_va = 0x7ffa14880fff monitored = 0 entry_point = 0x7ffa147e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 335 start_va = 0xac0000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 336 start_va = 0x1aee0000 end_va = 0x1af7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aee0000" filename = "" Region: id = 337 start_va = 0x1b0b0000 end_va = 0x1b0bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b0b0000" filename = "" Region: id = 338 start_va = 0x7ff9f86d0000 end_va = 0x7ff9f9313fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\60b77585c8aa9cfd1b30a64092c81041\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system\\60b77585c8aa9cfd1b30a64092c81041\\system.ni.dll") Region: id = 339 start_va = 0xad0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 340 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 341 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 342 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 343 start_va = 0xad0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 344 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 345 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 346 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 347 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 348 start_va = 0xca0000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 349 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 350 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 351 start_va = 0xc40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 352 start_va = 0xc50000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 353 start_va = 0xc60000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 354 start_va = 0xc70000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 355 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 356 start_va = 0xc90000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 357 start_va = 0xeb0000 end_va = 0xebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 358 start_va = 0x2700000 end_va = 0x270ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 359 start_va = 0x1aee0000 end_va = 0x1aeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aee0000" filename = "" Region: id = 360 start_va = 0x1af70000 end_va = 0x1af7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af70000" filename = "" Region: id = 361 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 362 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 363 start_va = 0x1af10000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 364 start_va = 0x1af30000 end_va = 0x1af3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af30000" filename = "" Region: id = 365 start_va = 0x1af40000 end_va = 0x1af4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af40000" filename = "" Region: id = 366 start_va = 0x1af50000 end_va = 0x1af5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af50000" filename = "" Region: id = 367 start_va = 0x7ffa15210000 end_va = 0x7ffa1676efff monitored = 0 entry_point = 0x7ffa153711f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 368 start_va = 0x7ffa13390000 end_va = 0x7ffa133d2fff monitored = 0 entry_point = 0x7ffa133a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 369 start_va = 0x7ffa13520000 end_va = 0x7ffa13b63fff monitored = 0 entry_point = 0x7ffa136e64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 370 start_va = 0x7ffa12e80000 end_va = 0x7ffa12f34fff monitored = 0 entry_point = 0x7ffa12ec22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 371 start_va = 0x7ffa12dc0000 end_va = 0x7ffa12e0afff monitored = 0 entry_point = 0x7ffa12dc35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 372 start_va = 0x7ffa12d90000 end_va = 0x7ffa12da3fff monitored = 0 entry_point = 0x7ffa12d952e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 373 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 374 start_va = 0x7ffa12c20000 end_va = 0x7ffa12c48fff monitored = 0 entry_point = 0x7ffa12c34530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 375 start_va = 0x7ffa12710000 end_va = 0x7ffa12726fff monitored = 0 entry_point = 0x7ffa127179d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 376 start_va = 0x7ffa123a0000 end_va = 0x7ffa123d3fff monitored = 0 entry_point = 0x7ffa123bae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 377 start_va = 0x7ffa12830000 end_va = 0x7ffa1283afff monitored = 0 entry_point = 0x7ffa128319a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 378 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 379 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 380 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 381 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 382 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 383 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 384 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 385 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 386 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 387 start_va = 0x1af80000 end_va = 0x1b07ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af80000" filename = "" Region: id = 388 start_va = 0x1b0c0000 end_va = 0x1b484fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001b0c0000" filename = "" Region: id = 389 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 390 start_va = 0x1b490000 end_va = 0x1b58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b490000" filename = "" Region: id = 391 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 392 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 393 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 394 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 395 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 396 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 397 start_va = 0xc40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 398 start_va = 0xc50000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 399 start_va = 0xc60000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 400 start_va = 0xc70000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 401 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 402 start_va = 0x1b590000 end_va = 0x1b68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b590000" filename = "" Region: id = 403 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 404 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 405 start_va = 0xc90000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 406 start_va = 0xeb0000 end_va = 0xebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 407 start_va = 0x2700000 end_va = 0x270ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 408 start_va = 0x1aee0000 end_va = 0x1aeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aee0000" filename = "" Region: id = 409 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 410 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 411 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 412 start_va = 0x1af20000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af20000" filename = "" Region: id = 413 start_va = 0x1af30000 end_va = 0x1af3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af30000" filename = "" Region: id = 414 start_va = 0x1af40000 end_va = 0x1af5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af40000" filename = "" Region: id = 415 start_va = 0x1af60000 end_va = 0x1af6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af60000" filename = "" Region: id = 416 start_va = 0x1b080000 end_va = 0x1b08ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b080000" filename = "" Region: id = 417 start_va = 0x1b090000 end_va = 0x1b09ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b090000" filename = "" Region: id = 418 start_va = 0x1b0a0000 end_va = 0x1b0affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b0a0000" filename = "" Region: id = 419 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 420 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 421 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 422 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 423 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 424 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 425 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 426 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 427 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 428 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 429 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 430 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 431 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 432 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 433 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 434 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 435 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 436 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 437 start_va = 0xc40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 438 start_va = 0xc50000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 439 start_va = 0x7ff99b260000 end_va = 0x7ff99b26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b260000" filename = "" Region: id = 440 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 441 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 442 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 443 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 444 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 445 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 446 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 447 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 448 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 449 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 450 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 451 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 452 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 453 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 454 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 455 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 456 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 457 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 458 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 459 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 460 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 461 start_va = 0x7ff99b270000 end_va = 0x7ff99b27ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b270000" filename = "" Region: id = 462 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 463 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 464 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 465 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 466 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 467 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 468 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 469 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 470 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 471 start_va = 0xc40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 472 start_va = 0xc50000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 473 start_va = 0xc60000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 474 start_va = 0xc70000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 475 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 476 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 477 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 478 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 479 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 480 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 481 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 482 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 483 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 484 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 485 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 486 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 487 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 488 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 489 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 490 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 491 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 492 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 493 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 494 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 495 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 496 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 497 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 498 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 499 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 500 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 501 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 502 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 503 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 504 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 505 start_va = 0x1b690000 end_va = 0x1be38fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001b690000" filename = "" Region: id = 506 start_va = 0x7ff99b280000 end_va = 0x7ff99b2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b280000" filename = "" Region: id = 507 start_va = 0x7ff99b2d0000 end_va = 0x7ff99b2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b2d0000" filename = "" Region: id = 508 start_va = 0x7ff99b2e0000 end_va = 0x7ff99b2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b2e0000" filename = "" Region: id = 509 start_va = 0x7ff99b2f0000 end_va = 0x7ff99b2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b2f0000" filename = "" Region: id = 510 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 511 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 512 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 513 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 514 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 515 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 516 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 517 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 518 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 519 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 520 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 521 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 522 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 523 start_va = 0xc40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 524 start_va = 0xc50000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 525 start_va = 0xc60000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 526 start_va = 0xc70000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 527 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 528 start_va = 0xc90000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 529 start_va = 0xeb0000 end_va = 0xebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 530 start_va = 0x2700000 end_va = 0x270ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 531 start_va = 0x1aee0000 end_va = 0x1aeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aee0000" filename = "" Region: id = 532 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 533 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 534 start_va = 0x1af10000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 535 start_va = 0x1af30000 end_va = 0x1af3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af30000" filename = "" Region: id = 536 start_va = 0x1af40000 end_va = 0x1af4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af40000" filename = "" Region: id = 537 start_va = 0x1af50000 end_va = 0x1af5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af50000" filename = "" Region: id = 538 start_va = 0xc10000 end_va = 0xc71fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscorrc.dll") Region: id = 539 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 540 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 541 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 542 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 543 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 544 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 545 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 546 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 547 start_va = 0xae0000 end_va = 0xafdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 548 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 549 start_va = 0x1be40000 end_va = 0x1bf3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001be40000" filename = "" Region: id = 550 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 551 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 552 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 553 start_va = 0x1bf40000 end_va = 0x1c03ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001bf40000" filename = "" Region: id = 554 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 555 start_va = 0xc90000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 556 start_va = 0xeb0000 end_va = 0xebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 557 start_va = 0x2700000 end_va = 0x270ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 558 start_va = 0x1aee0000 end_va = 0x1aeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aee0000" filename = "" Region: id = 559 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 560 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 561 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 562 start_va = 0x1af20000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af20000" filename = "" Region: id = 563 start_va = 0x1af30000 end_va = 0x1af3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af30000" filename = "" Region: id = 564 start_va = 0x1af40000 end_va = 0x1af4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af40000" filename = "" Region: id = 565 start_va = 0x1af50000 end_va = 0x1af5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af50000" filename = "" Region: id = 566 start_va = 0x1af60000 end_va = 0x1af6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af60000" filename = "" Region: id = 567 start_va = 0x1b080000 end_va = 0x1b08ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b080000" filename = "" Region: id = 568 start_va = 0x1b090000 end_va = 0x1b09ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b090000" filename = "" Region: id = 569 start_va = 0x1b0a0000 end_va = 0x1b0affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b0a0000" filename = "" Region: id = 570 start_va = 0x1c040000 end_va = 0x1c04ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c040000" filename = "" Region: id = 571 start_va = 0x1c050000 end_va = 0x1c05ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c050000" filename = "" Region: id = 572 start_va = 0x1c060000 end_va = 0x1c06ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c060000" filename = "" Region: id = 573 start_va = 0x1c070000 end_va = 0x1c08ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c070000" filename = "" Region: id = 574 start_va = 0x1c090000 end_va = 0x1c09ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c090000" filename = "" Region: id = 575 start_va = 0x1c0a0000 end_va = 0x1c0affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c0a0000" filename = "" Region: id = 576 start_va = 0x1c0b0000 end_va = 0x1c0bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c0b0000" filename = "" Region: id = 577 start_va = 0x1c0c0000 end_va = 0x1c0cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c0c0000" filename = "" Region: id = 578 start_va = 0x7ff9fb900000 end_va = 0x7ff9fbaeafff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.drawing.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Drawing\\43de4a177616225e9b6262468e1c3b53\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.drawing\\43de4a177616225e9b6262468e1c3b53\\system.drawing.ni.dll") Region: id = 579 start_va = 0x7ff9f77d0000 end_va = 0x7ff9f86c0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.windows.forms.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Windows.Forms\\37004ddc6f466d807c52ca3b7f9f9827\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.windows.forms\\37004ddc6f466d807c52ca3b7f9f9827\\system.windows.forms.ni.dll") Region: id = 580 start_va = 0x7ff99b300000 end_va = 0x7ff99b30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b300000" filename = "" Region: id = 581 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 582 start_va = 0xb00000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 583 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 584 start_va = 0xc90000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 585 start_va = 0xeb0000 end_va = 0xebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 586 start_va = 0x2700000 end_va = 0x270ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 587 start_va = 0x1aee0000 end_va = 0x1aeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aee0000" filename = "" Region: id = 588 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 589 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 590 start_va = 0x7ff9f6e40000 end_va = 0x7ff9f77c1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Core\\d1da4b8a843ec63bb8be25f8202bedc1\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.core\\d1da4b8a843ec63bb8be25f8202bedc1\\system.core.ni.dll") Region: id = 591 start_va = 0x7ff9ff460000 end_va = 0x7ff9ff581fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Configuration\\2fe311002b76e58f2f89f897a32b62a2\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.configuration\\2fe311002b76e58f2f89f897a32b62a2\\system.configuration.ni.dll") Region: id = 592 start_va = 0x7ff9f6590000 end_va = 0x7ff9f6e35fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Xml\\c2f35cb9621b8ca33a05759bbb0683c1\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.xml\\c2f35cb9621b8ca33a05759bbb0683c1\\system.xml.ni.dll") Region: id = 593 start_va = 0x7ffa142d0000 end_va = 0x7ffa142d7fff monitored = 0 entry_point = 0x7ffa142d10b0 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 594 start_va = 0x1c040000 end_va = 0x1c13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c040000" filename = "" Region: id = 595 start_va = 0x1c140000 end_va = 0x1c23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c140000" filename = "" Region: id = 596 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 597 start_va = 0xb00000 end_va = 0xb01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 598 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 599 start_va = 0x1c240000 end_va = 0x1c4affff monitored = 0 entry_point = 0x1c2b0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 600 start_va = 0x7ffa080f0000 end_va = 0x7ffa08363fff monitored = 0 entry_point = 0x7ffa08160400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 601 start_va = 0xc80000 end_va = 0xc80fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 602 start_va = 0xc90000 end_va = 0xc91fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 603 start_va = 0x7ffa10610000 end_va = 0x7ffa10631fff monitored = 0 entry_point = 0x7ffa10611a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 604 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 605 start_va = 0xeb0000 end_va = 0xebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 606 start_va = 0x2700000 end_va = 0x270ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 607 start_va = 0x1aee0000 end_va = 0x1aeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aee0000" filename = "" Region: id = 608 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 609 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 610 start_va = 0x7ffa14a40000 end_va = 0x7ffa14b99fff monitored = 0 entry_point = 0x7ffa14a838e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 611 start_va = 0xc80000 end_va = 0xc80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c80000" filename = "" Region: id = 612 start_va = 0x1c240000 end_va = 0x1c2fbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001c240000" filename = "" Region: id = 613 start_va = 0xc80000 end_va = 0xc83fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c80000" filename = "" Region: id = 614 start_va = 0xeb0000 end_va = 0xeb6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 615 start_va = 0x2700000 end_va = 0x2700fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002700000" filename = "" Region: id = 616 start_va = 0x1aee0000 end_va = 0x1aee4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 617 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 618 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 619 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 620 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 621 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 622 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 623 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 624 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 625 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 626 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 627 start_va = 0x1af20000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af20000" filename = "" Region: id = 628 start_va = 0x1af30000 end_va = 0x1af3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af30000" filename = "" Region: id = 629 start_va = 0x1af40000 end_va = 0x1af4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af40000" filename = "" Region: id = 630 start_va = 0x1af50000 end_va = 0x1af5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af50000" filename = "" Region: id = 631 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 632 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 633 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 634 start_va = 0x1af20000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af20000" filename = "" Region: id = 635 start_va = 0x1af30000 end_va = 0x1af3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af30000" filename = "" Region: id = 636 start_va = 0x1af40000 end_va = 0x1af4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af40000" filename = "" Region: id = 637 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 638 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 639 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 640 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 641 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 642 start_va = 0x1af20000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af20000" filename = "" Region: id = 643 start_va = 0x1af30000 end_va = 0x1af3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af30000" filename = "" Region: id = 644 start_va = 0x1af40000 end_va = 0x1af4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af40000" filename = "" Region: id = 645 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 646 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 647 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 648 start_va = 0x1af20000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af20000" filename = "" Region: id = 649 start_va = 0x1af30000 end_va = 0x1af3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af30000" filename = "" Region: id = 650 start_va = 0x1af40000 end_va = 0x1af4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af40000" filename = "" Region: id = 651 start_va = 0x1af50000 end_va = 0x1af5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af50000" filename = "" Region: id = 652 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 653 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 654 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 655 start_va = 0x1af20000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af20000" filename = "" Region: id = 656 start_va = 0x1af30000 end_va = 0x1af3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af30000" filename = "" Region: id = 657 start_va = 0x1af40000 end_va = 0x1af4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af40000" filename = "" Region: id = 658 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 659 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 660 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 661 start_va = 0x1af20000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af20000" filename = "" Region: id = 662 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 663 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 664 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 665 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 666 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 667 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 668 start_va = 0x1c300000 end_va = 0x1c3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c300000" filename = "" Region: id = 669 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 670 start_va = 0x7ff99b310000 end_va = 0x7ff99b31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b310000" filename = "" Region: id = 671 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 672 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 673 start_va = 0x1af20000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af20000" filename = "" Region: id = 674 start_va = 0x1af30000 end_va = 0x1af3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af30000" filename = "" Region: id = 675 start_va = 0x7ffa12f40000 end_va = 0x7ffa13106fff monitored = 0 entry_point = 0x7ffa12f9db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 676 start_va = 0x7ffa12db0000 end_va = 0x7ffa12dbffff monitored = 0 entry_point = 0x7ffa12db56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 677 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 678 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 679 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 680 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 681 start_va = 0x1af20000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af20000" filename = "" Region: id = 682 start_va = 0x1af30000 end_va = 0x1af3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af30000" filename = "" Region: id = 683 start_va = 0x7ff99b320000 end_va = 0x7ff99b32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b320000" filename = "" Region: id = 684 start_va = 0x1aef0000 end_va = 0x1aefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aef0000" filename = "" Region: id = 685 start_va = 0x1aef0000 end_va = 0x1aef9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 686 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 687 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 688 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 689 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 690 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 691 start_va = 0x7ffa12a10000 end_va = 0x7ffa12a3cfff monitored = 0 entry_point = 0x7ffa12a29d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 692 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 693 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 694 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 695 start_va = 0x1af20000 end_va = 0x1af2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af20000" filename = "" Region: id = 696 start_va = 0x7ffa12280000 end_va = 0x7ffa122b0fff monitored = 0 entry_point = 0x7ffa12287d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 697 start_va = 0x7ffa0b700000 end_va = 0x7ffa0b79bfff monitored = 0 entry_point = 0x7ffa0b7596a0 region_type = mapped_file name = "efswrt.dll" filename = "\\Windows\\System32\\efswrt.dll" (normalized: "c:\\windows\\system32\\efswrt.dll") Region: id = 698 start_va = 0x7ffa0eb30000 end_va = 0x7ffa0ec65fff monitored = 0 entry_point = 0x7ffa0eb5f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 699 start_va = 0x7ffa07530000 end_va = 0x7ffa0757ffff monitored = 0 entry_point = 0x7ffa07532580 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\System32\\edputil.dll" (normalized: "c:\\windows\\system32\\edputil.dll") Region: id = 700 start_va = 0x1c400000 end_va = 0x1c5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c400000" filename = "" Region: id = 701 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 702 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 703 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Region: id = 716 start_va = 0x7ff99b330000 end_va = 0x7ff99b33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff99b330000" filename = "" Region: id = 723 start_va = 0x1c600000 end_va = 0x1c6dcfff monitored = 0 entry_point = 0x1c65e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 733 start_va = 0x1c600000 end_va = 0x1c6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001c600000" filename = "" Region: id = 1316 start_va = 0x1af00000 end_va = 0x1af00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001af00000" filename = "" Region: id = 1317 start_va = 0x1af80000 end_va = 0x1b07ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af80000" filename = "" Region: id = 1318 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 1319 start_va = 0x1af00000 end_va = 0x1af0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af00000" filename = "" Region: id = 1320 start_va = 0x1af10000 end_va = 0x1af1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001af10000" filename = "" Thread: id = 1 os_tid = 0x5f4 [0093.335] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0096.145] RoInitialize () returned 0x1 [0096.145] RoUninitialize () returned 0x0 [0098.049] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x14acf8 | out: phkResult=0x14acf8*=0x0) returned 0x2 [0098.062] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", nBufferLength=0x105, lpBuffer=0x14d730, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", lpFilePart=0x0) returned 0x62 [0098.071] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", nBufferLength=0x105, lpBuffer=0x14d5b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", lpFilePart=0x0) returned 0x62 [0103.329] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x14d3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x45 [0103.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x14d530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x45 [0103.347] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x14d980) returned 1 [0103.348] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x14da60 | out: lpFileInformation=0x14da60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fdfbae, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x982bc0b8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x982bc0b8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0103.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x14d940) returned 1 [0103.717] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x14da20 | out: pfEnabled=0x14da20) returned 0x0 [0104.141] VirtualProtect (in: lpAddress=0x4023cc, dwSize=0x2f0, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.142] memcpy (in: _Dst=0x4023cc, _Src=0x27de0c0, _Size=0x2f0 | out: _Dst=0x4023cc) returned 0x4023cc [0104.143] VirtualProtect (in: lpAddress=0x4023cc, dwSize=0x2f0, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.143] VirtualProtect (in: lpAddress=0x4026bc, dwSize=0x360, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.144] memcpy (in: _Dst=0x4026bc, _Src=0x27de3c8, _Size=0x360 | out: _Dst=0x4026bc) returned 0x4026bc [0104.145] VirtualProtect (in: lpAddress=0x4026bc, dwSize=0x360, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.146] VirtualProtect (in: lpAddress=0x402a1c, dwSize=0x28a, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.146] memcpy (in: _Dst=0x402a1c, _Src=0x27de740, _Size=0x28a | out: _Dst=0x402a1c) returned 0x402a1c [0104.147] VirtualProtect (in: lpAddress=0x402a1c, dwSize=0x28a, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.148] VirtualProtect (in: lpAddress=0x402cb8, dwSize=0x53, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.148] memcpy (in: _Dst=0x402cb8, _Src=0x27de9e8, _Size=0x53 | out: _Dst=0x402cb8) returned 0x402cb8 [0104.148] VirtualProtect (in: lpAddress=0x402cb8, dwSize=0x53, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.148] VirtualProtect (in: lpAddress=0x402d0c, dwSize=0x17b, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.149] memcpy (in: _Dst=0x402d0c, _Src=0x27dea58, _Size=0x17b | out: _Dst=0x402d0c) returned 0x402d0c [0104.149] VirtualProtect (in: lpAddress=0x402d0c, dwSize=0x17b, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.150] VirtualProtect (in: lpAddress=0x402e98, dwSize=0x1bc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.150] memcpy (in: _Dst=0x402e98, _Src=0x27debf0, _Size=0x1bc | out: _Dst=0x402e98) returned 0x402e98 [0104.151] VirtualProtect (in: lpAddress=0x402e98, dwSize=0x1bc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.152] VirtualProtect (in: lpAddress=0x403064, dwSize=0x3d3, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.153] memcpy (in: _Dst=0x403064, _Src=0x27dedc8, _Size=0x3d3 | out: _Dst=0x403064) returned 0x403064 [0104.153] VirtualProtect (in: lpAddress=0x403064, dwSize=0x3d3, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.153] VirtualProtect (in: lpAddress=0x40346c, dwSize=0xac, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.153] memcpy (in: _Dst=0x40346c, _Src=0x27df1b8, _Size=0xac | out: _Dst=0x40346c) returned 0x40346c [0104.153] VirtualProtect (in: lpAddress=0x40346c, dwSize=0xac, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.153] VirtualProtect (in: lpAddress=0x403518, dwSize=0x27a, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.154] memcpy (in: _Dst=0x403518, _Src=0x27df280, _Size=0x27a | out: _Dst=0x403518) returned 0x403518 [0104.154] VirtualProtect (in: lpAddress=0x403518, dwSize=0x27a, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.154] VirtualProtect (in: lpAddress=0x4037a4, dwSize=0x117, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.154] memcpy (in: _Dst=0x4037a4, _Src=0x27df518, _Size=0x117 | out: _Dst=0x4037a4) returned 0x4037a4 [0104.154] VirtualProtect (in: lpAddress=0x4037a4, dwSize=0x117, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.155] VirtualProtect (in: lpAddress=0x4038bc, dwSize=0x3c, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.155] memcpy (in: _Dst=0x4038bc, _Src=0x27df648, _Size=0x3c | out: _Dst=0x4038bc) returned 0x4038bc [0104.155] VirtualProtect (in: lpAddress=0x4038bc, dwSize=0x3c, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.155] VirtualProtect (in: lpAddress=0x4038f8, dwSize=0x53, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.156] memcpy (in: _Dst=0x4038f8, _Src=0x27df6a0, _Size=0x53 | out: _Dst=0x4038f8) returned 0x4038f8 [0104.156] VirtualProtect (in: lpAddress=0x4038f8, dwSize=0x53, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.156] VirtualProtect (in: lpAddress=0x40394c, dwSize=0x31, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.156] memcpy (in: _Dst=0x40394c, _Src=0x27df710, _Size=0x31 | out: _Dst=0x40394c) returned 0x40394c [0104.156] VirtualProtect (in: lpAddress=0x40394c, dwSize=0x31, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.157] VirtualProtect (in: lpAddress=0x403980, dwSize=0x31, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.157] memcpy (in: _Dst=0x403980, _Src=0x27df760, _Size=0x31 | out: _Dst=0x403980) returned 0x403980 [0104.157] VirtualProtect (in: lpAddress=0x403980, dwSize=0x31, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.157] VirtualProtect (in: lpAddress=0x4039b4, dwSize=0x40, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.157] memcpy (in: _Dst=0x4039b4, _Src=0x27df7b0, _Size=0x40 | out: _Dst=0x4039b4) returned 0x4039b4 [0104.157] VirtualProtect (in: lpAddress=0x4039b4, dwSize=0x40, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.158] VirtualProtect (in: lpAddress=0x4039f4, dwSize=0x1d, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.158] memcpy (in: _Dst=0x4039f4, _Src=0x27df808, _Size=0x1d | out: _Dst=0x4039f4) returned 0x4039f4 [0104.158] VirtualProtect (in: lpAddress=0x4039f4, dwSize=0x1d, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.158] VirtualProtect (in: lpAddress=0x403a14, dwSize=0x70, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.158] memcpy (in: _Dst=0x403a14, _Src=0x27df840, _Size=0x70 | out: _Dst=0x403a14) returned 0x403a14 [0104.158] VirtualProtect (in: lpAddress=0x403a14, dwSize=0x70, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.159] VirtualProtect (in: lpAddress=0x403a84, dwSize=0x6d, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.159] memcpy (in: _Dst=0x403a84, _Src=0x27df8c8, _Size=0x6d | out: _Dst=0x403a84) returned 0x403a84 [0104.159] VirtualProtect (in: lpAddress=0x403a84, dwSize=0x6d, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.159] VirtualProtect (in: lpAddress=0x403af4, dwSize=0x68, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.159] memcpy (in: _Dst=0x403af4, _Src=0x27df950, _Size=0x68 | out: _Dst=0x403af4) returned 0x403af4 [0104.160] VirtualProtect (in: lpAddress=0x403af4, dwSize=0x68, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.160] VirtualProtect (in: lpAddress=0x403b5c, dwSize=0x9e, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.160] memcpy (in: _Dst=0x403b5c, _Src=0x27df9d0, _Size=0x9e | out: _Dst=0x403b5c) returned 0x403b5c [0104.160] VirtualProtect (in: lpAddress=0x403b5c, dwSize=0x9e, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.160] VirtualProtect (in: lpAddress=0x403bfc, dwSize=0xf9, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.161] memcpy (in: _Dst=0x403bfc, _Src=0x27dfa88, _Size=0xf9 | out: _Dst=0x403bfc) returned 0x403bfc [0104.161] VirtualProtect (in: lpAddress=0x403bfc, dwSize=0xf9, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.161] VirtualProtect (in: lpAddress=0x403cf8, dwSize=0x69, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.161] memcpy (in: _Dst=0x403cf8, _Src=0x27dfba0, _Size=0x69 | out: _Dst=0x403cf8) returned 0x403cf8 [0104.161] VirtualProtect (in: lpAddress=0x403cf8, dwSize=0x69, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.162] VirtualProtect (in: lpAddress=0x403d64, dwSize=0x49, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.162] memcpy (in: _Dst=0x403d64, _Src=0x27dfc28, _Size=0x49 | out: _Dst=0x403d64) returned 0x403d64 [0104.162] VirtualProtect (in: lpAddress=0x403d64, dwSize=0x49, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.162] VirtualProtect (in: lpAddress=0x403db0, dwSize=0x37, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.162] memcpy (in: _Dst=0x403db0, _Src=0x27dfc90, _Size=0x37 | out: _Dst=0x403db0) returned 0x403db0 [0104.162] VirtualProtect (in: lpAddress=0x403db0, dwSize=0x37, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.163] VirtualProtect (in: lpAddress=0x403de8, dwSize=0xcb, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.163] memcpy (in: _Dst=0x403de8, _Src=0x27dfce0, _Size=0xcb | out: _Dst=0x403de8) returned 0x403de8 [0104.163] VirtualProtect (in: lpAddress=0x403de8, dwSize=0xcb, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.163] VirtualProtect (in: lpAddress=0x403eb4, dwSize=0x22, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.163] memcpy (in: _Dst=0x403eb4, _Src=0x27dfdc8, _Size=0x22 | out: _Dst=0x403eb4) returned 0x403eb4 [0104.164] VirtualProtect (in: lpAddress=0x403eb4, dwSize=0x22, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.164] VirtualProtect (in: lpAddress=0x403ed8, dwSize=0x157, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.164] memcpy (in: _Dst=0x403ed8, _Src=0x27dfe08, _Size=0x157 | out: _Dst=0x403ed8) returned 0x403ed8 [0104.164] VirtualProtect (in: lpAddress=0x403ed8, dwSize=0x157, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.165] VirtualProtect (in: lpAddress=0x404030, dwSize=0x1e8, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.165] memcpy (in: _Dst=0x404030, _Src=0x27dff78, _Size=0x1e8 | out: _Dst=0x404030) returned 0x404030 [0104.165] VirtualProtect (in: lpAddress=0x404030, dwSize=0x1e8, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.165] VirtualProtect (in: lpAddress=0x404218, dwSize=0x21, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.165] memcpy (in: _Dst=0x404218, _Src=0x27e0178, _Size=0x21 | out: _Dst=0x404218) returned 0x404218 [0104.165] VirtualProtect (in: lpAddress=0x404218, dwSize=0x21, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.166] VirtualProtect (in: lpAddress=0x40423c, dwSize=0xfa, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.166] memcpy (in: _Dst=0x40423c, _Src=0x27e01b8, _Size=0xfa | out: _Dst=0x40423c) returned 0x40423c [0104.166] VirtualProtect (in: lpAddress=0x40423c, dwSize=0xfa, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.166] VirtualProtect (in: lpAddress=0x404338, dwSize=0x261, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.166] memcpy (in: _Dst=0x404338, _Src=0x27e02d0, _Size=0x261 | out: _Dst=0x404338) returned 0x404338 [0104.166] VirtualProtect (in: lpAddress=0x404338, dwSize=0x261, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.166] VirtualProtect (in: lpAddress=0x40459c, dwSize=0xdd, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.167] memcpy (in: _Dst=0x40459c, _Src=0x27e0550, _Size=0xdd | out: _Dst=0x40459c) returned 0x40459c [0104.167] VirtualProtect (in: lpAddress=0x40459c, dwSize=0xdd, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.170] VirtualProtect (in: lpAddress=0x40467c, dwSize=0x10f, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.170] memcpy (in: _Dst=0x40467c, _Src=0x27e0648, _Size=0x10f | out: _Dst=0x40467c) returned 0x40467c [0104.170] VirtualProtect (in: lpAddress=0x40467c, dwSize=0x10f, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.171] VirtualProtect (in: lpAddress=0x40478c, dwSize=0xf6, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.171] memcpy (in: _Dst=0x40478c, _Src=0x27e0770, _Size=0xf6 | out: _Dst=0x40478c) returned 0x40478c [0104.171] VirtualProtect (in: lpAddress=0x40478c, dwSize=0xf6, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.171] VirtualProtect (in: lpAddress=0x404884, dwSize=0xf0, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.171] memcpy (in: _Dst=0x404884, _Src=0x27e0880, _Size=0xf0 | out: _Dst=0x404884) returned 0x404884 [0104.171] VirtualProtect (in: lpAddress=0x404884, dwSize=0xf0, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.172] VirtualProtect (in: lpAddress=0x404974, dwSize=0x14e, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.172] memcpy (in: _Dst=0x404974, _Src=0x27e0988, _Size=0x14e | out: _Dst=0x404974) returned 0x404974 [0104.172] VirtualProtect (in: lpAddress=0x404974, dwSize=0x14e, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.172] VirtualProtect (in: lpAddress=0x404ac4, dwSize=0x1d6, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.172] memcpy (in: _Dst=0x404ac4, _Src=0x27e0af0, _Size=0x1d6 | out: _Dst=0x404ac4) returned 0x404ac4 [0104.172] VirtualProtect (in: lpAddress=0x404ac4, dwSize=0x1d6, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.172] VirtualProtect (in: lpAddress=0x404c9c, dwSize=0x135, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.173] memcpy (in: _Dst=0x404c9c, _Src=0x27e0ce0, _Size=0x135 | out: _Dst=0x404c9c) returned 0x404c9c [0104.173] VirtualProtect (in: lpAddress=0x404c9c, dwSize=0x135, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.173] VirtualProtect (in: lpAddress=0x404dd4, dwSize=0x28, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.173] memcpy (in: _Dst=0x404dd4, _Src=0x27e0e30, _Size=0x28 | out: _Dst=0x404dd4) returned 0x404dd4 [0104.173] VirtualProtect (in: lpAddress=0x404dd4, dwSize=0x28, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.173] VirtualProtect (in: lpAddress=0x404dfc, dwSize=0xc0, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.174] memcpy (in: _Dst=0x404dfc, _Src=0x27e0e70, _Size=0xc0 | out: _Dst=0x404dfc) returned 0x404dfc [0104.174] VirtualProtect (in: lpAddress=0x404dfc, dwSize=0xc0, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.174] VirtualProtect (in: lpAddress=0x404ebc, dwSize=0x313, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.174] memcpy (in: _Dst=0x404ebc, _Src=0x27e0f48, _Size=0x313 | out: _Dst=0x404ebc) returned 0x404ebc [0104.174] VirtualProtect (in: lpAddress=0x404ebc, dwSize=0x313, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.175] VirtualProtect (in: lpAddress=0x4051d0, dwSize=0x856, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.175] memcpy (in: _Dst=0x4051d0, _Src=0x27e1278, _Size=0x856 | out: _Dst=0x4051d0) returned 0x4051d0 [0104.175] VirtualProtect (in: lpAddress=0x4051d0, dwSize=0x856, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.175] VirtualProtect (in: lpAddress=0x405a28, dwSize=0x180, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.175] memcpy (in: _Dst=0x405a28, _Src=0x27e1ae8, _Size=0x180 | out: _Dst=0x405a28) returned 0x405a28 [0104.176] VirtualProtect (in: lpAddress=0x405a28, dwSize=0x180, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.176] VirtualProtect (in: lpAddress=0x405ba8, dwSize=0x8f, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.176] memcpy (in: _Dst=0x405ba8, _Src=0x27e1c80, _Size=0x8f | out: _Dst=0x405ba8) returned 0x405ba8 [0104.176] VirtualProtect (in: lpAddress=0x405ba8, dwSize=0x8f, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.176] VirtualProtect (in: lpAddress=0x405c38, dwSize=0xdc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.177] memcpy (in: _Dst=0x405c38, _Src=0x27e1d28, _Size=0xdc | out: _Dst=0x405c38) returned 0x405c38 [0104.177] VirtualProtect (in: lpAddress=0x405c38, dwSize=0xdc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.177] VirtualProtect (in: lpAddress=0x405d14, dwSize=0x102, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.177] memcpy (in: _Dst=0x405d14, _Src=0x27e1e20, _Size=0x102 | out: _Dst=0x405d14) returned 0x405d14 [0104.177] VirtualProtect (in: lpAddress=0x405d14, dwSize=0x102, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.177] VirtualProtect (in: lpAddress=0x405e18, dwSize=0x77, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.177] memcpy (in: _Dst=0x405e18, _Src=0x27e1f40, _Size=0x77 | out: _Dst=0x405e18) returned 0x405e18 [0104.178] VirtualProtect (in: lpAddress=0x405e18, dwSize=0x77, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.178] VirtualProtect (in: lpAddress=0x405e90, dwSize=0x1e5, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.179] memcpy (in: _Dst=0x405e90, _Src=0x27e1fd0, _Size=0x1e5 | out: _Dst=0x405e90) returned 0x405e90 [0104.179] VirtualProtect (in: lpAddress=0x405e90, dwSize=0x1e5, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.179] VirtualProtect (in: lpAddress=0x406078, dwSize=0x157, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.179] memcpy (in: _Dst=0x406078, _Src=0x27e21d0, _Size=0x157 | out: _Dst=0x406078) returned 0x406078 [0104.179] VirtualProtect (in: lpAddress=0x406078, dwSize=0x157, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.180] VirtualProtect (in: lpAddress=0x4061d0, dwSize=0xbe, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.180] memcpy (in: _Dst=0x4061d0, _Src=0x27e2340, _Size=0xbe | out: _Dst=0x4061d0) returned 0x4061d0 [0104.180] VirtualProtect (in: lpAddress=0x4061d0, dwSize=0xbe, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.180] VirtualProtect (in: lpAddress=0x406290, dwSize=0x2e, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.180] memcpy (in: _Dst=0x406290, _Src=0x27e2418, _Size=0x2e | out: _Dst=0x406290) returned 0x406290 [0104.180] VirtualProtect (in: lpAddress=0x406290, dwSize=0x2e, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.181] VirtualProtect (in: lpAddress=0x4062c0, dwSize=0x30, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.181] memcpy (in: _Dst=0x4062c0, _Src=0x27e2460, _Size=0x30 | out: _Dst=0x4062c0) returned 0x4062c0 [0104.181] VirtualProtect (in: lpAddress=0x4062c0, dwSize=0x30, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.181] VirtualProtect (in: lpAddress=0x4062f0, dwSize=0x21, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.181] memcpy (in: _Dst=0x4062f0, _Src=0x27e24a8, _Size=0x21 | out: _Dst=0x4062f0) returned 0x4062f0 [0104.181] VirtualProtect (in: lpAddress=0x4062f0, dwSize=0x21, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.182] VirtualProtect (in: lpAddress=0x406314, dwSize=0xf7, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.182] memcpy (in: _Dst=0x406314, _Src=0x27e24e8, _Size=0xf7 | out: _Dst=0x406314) returned 0x406314 [0104.182] VirtualProtect (in: lpAddress=0x406314, dwSize=0xf7, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.182] VirtualProtect (in: lpAddress=0x40640c, dwSize=0xfa, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.182] memcpy (in: _Dst=0x40640c, _Src=0x27e25f8, _Size=0xfa | out: _Dst=0x40640c) returned 0x40640c [0104.182] VirtualProtect (in: lpAddress=0x40640c, dwSize=0xfa, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.184] VirtualProtect (in: lpAddress=0x406508, dwSize=0xea, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.184] memcpy (in: _Dst=0x406508, _Src=0x27e2710, _Size=0xea | out: _Dst=0x406508) returned 0x406508 [0104.184] VirtualProtect (in: lpAddress=0x406508, dwSize=0xea, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.185] VirtualProtect (in: lpAddress=0x4065f4, dwSize=0x10f, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.185] memcpy (in: _Dst=0x4065f4, _Src=0x27e2818, _Size=0x10f | out: _Dst=0x4065f4) returned 0x4065f4 [0104.185] VirtualProtect (in: lpAddress=0x4065f4, dwSize=0x10f, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.185] VirtualProtect (in: lpAddress=0x406704, dwSize=0x42b, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.185] memcpy (in: _Dst=0x406704, _Src=0x27e2940, _Size=0x42b | out: _Dst=0x406704) returned 0x406704 [0104.185] VirtualProtect (in: lpAddress=0x406704, dwSize=0x42b, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.185] VirtualProtect (in: lpAddress=0x406b30, dwSize=0x424, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.186] memcpy (in: _Dst=0x406b30, _Src=0x27e2d88, _Size=0x424 | out: _Dst=0x406b30) returned 0x406b30 [0104.186] VirtualProtect (in: lpAddress=0x406b30, dwSize=0x424, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.186] VirtualProtect (in: lpAddress=0x406f54, dwSize=0x46a, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.186] memcpy (in: _Dst=0x406f54, _Src=0x27e31c8, _Size=0x46a | out: _Dst=0x406f54) returned 0x406f54 [0104.186] VirtualProtect (in: lpAddress=0x406f54, dwSize=0x46a, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.187] VirtualProtect (in: lpAddress=0x4073c0, dwSize=0x38e, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.187] memcpy (in: _Dst=0x4073c0, _Src=0x27e3650, _Size=0x38e | out: _Dst=0x4073c0) returned 0x4073c0 [0104.187] VirtualProtect (in: lpAddress=0x4073c0, dwSize=0x38e, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.187] VirtualProtect (in: lpAddress=0x407750, dwSize=0x431, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.187] memcpy (in: _Dst=0x407750, _Src=0x27e39f8, _Size=0x431 | out: _Dst=0x407750) returned 0x407750 [0104.187] VirtualProtect (in: lpAddress=0x407750, dwSize=0x431, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.188] VirtualProtect (in: lpAddress=0x407b84, dwSize=0x440, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.188] memcpy (in: _Dst=0x407b84, _Src=0x27e3e48, _Size=0x440 | out: _Dst=0x407b84) returned 0x407b84 [0104.188] VirtualProtect (in: lpAddress=0x407b84, dwSize=0x440, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.188] VirtualProtect (in: lpAddress=0x407fc4, dwSize=0x398, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.188] memcpy (in: _Dst=0x407fc4, _Src=0x27e42a0, _Size=0x398 | out: _Dst=0x407fc4) returned 0x407fc4 [0104.189] VirtualProtect (in: lpAddress=0x407fc4, dwSize=0x398, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.189] VirtualProtect (in: lpAddress=0x40835c, dwSize=0x38f, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.189] memcpy (in: _Dst=0x40835c, _Src=0x27e4650, _Size=0x38f | out: _Dst=0x40835c) returned 0x40835c [0104.189] VirtualProtect (in: lpAddress=0x40835c, dwSize=0x38f, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.189] VirtualProtect (in: lpAddress=0x4086ec, dwSize=0x39a, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.190] memcpy (in: _Dst=0x4086ec, _Src=0x27e49f8, _Size=0x39a | out: _Dst=0x4086ec) returned 0x4086ec [0104.190] VirtualProtect (in: lpAddress=0x4086ec, dwSize=0x39a, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.190] VirtualProtect (in: lpAddress=0x408a88, dwSize=0x44e, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.190] memcpy (in: _Dst=0x408a88, _Src=0x27e4db0, _Size=0x44e | out: _Dst=0x408a88) returned 0x408a88 [0104.190] VirtualProtect (in: lpAddress=0x408a88, dwSize=0x44e, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.190] VirtualProtect (in: lpAddress=0x408ed8, dwSize=0x3fe, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.191] memcpy (in: _Dst=0x408ed8, _Src=0x27e5218, _Size=0x3fe | out: _Dst=0x408ed8) returned 0x408ed8 [0104.191] VirtualProtect (in: lpAddress=0x408ed8, dwSize=0x3fe, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.191] VirtualProtect (in: lpAddress=0x4092d8, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.191] memcpy (in: _Dst=0x4092d8, _Src=0x27e5630, _Size=0x400 | out: _Dst=0x4092d8) returned 0x4092d8 [0104.191] VirtualProtect (in: lpAddress=0x4092d8, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.192] VirtualProtect (in: lpAddress=0x4096d8, dwSize=0x3b4, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.192] memcpy (in: _Dst=0x4096d8, _Src=0x27e5a48, _Size=0x3b4 | out: _Dst=0x4096d8) returned 0x4096d8 [0104.192] VirtualProtect (in: lpAddress=0x4096d8, dwSize=0x3b4, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.192] VirtualProtect (in: lpAddress=0x409a8c, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.192] memcpy (in: _Dst=0x409a8c, _Src=0x27e5e18, _Size=0xc | out: _Dst=0x409a8c) returned 0x409a8c [0104.192] VirtualProtect (in: lpAddress=0x409a8c, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.193] VirtualProtect (in: lpAddress=0x409a98, dwSize=0xd, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.193] memcpy (in: _Dst=0x409a98, _Src=0x27e5e40, _Size=0xd | out: _Dst=0x409a98) returned 0x409a98 [0104.193] VirtualProtect (in: lpAddress=0x409a98, dwSize=0xd, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.193] VirtualProtect (in: lpAddress=0x409aa8, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.193] memcpy (in: _Dst=0x409aa8, _Src=0x27e5e68, _Size=0xc | out: _Dst=0x409aa8) returned 0x409aa8 [0104.193] VirtualProtect (in: lpAddress=0x409aa8, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.194] VirtualProtect (in: lpAddress=0x409ab4, dwSize=0xd, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.194] memcpy (in: _Dst=0x409ab4, _Src=0x27e5e90, _Size=0xd | out: _Dst=0x409ab4) returned 0x409ab4 [0104.194] VirtualProtect (in: lpAddress=0x409ab4, dwSize=0xd, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.194] VirtualProtect (in: lpAddress=0x409ac4, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.194] memcpy (in: _Dst=0x409ac4, _Src=0x27e5eb8, _Size=0xc | out: _Dst=0x409ac4) returned 0x409ac4 [0104.194] VirtualProtect (in: lpAddress=0x409ac4, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.195] VirtualProtect (in: lpAddress=0x409ad0, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.195] memcpy (in: _Dst=0x409ad0, _Src=0x27e5ee0, _Size=0xc | out: _Dst=0x409ad0) returned 0x409ad0 [0104.195] VirtualProtect (in: lpAddress=0x409ad0, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.195] VirtualProtect (in: lpAddress=0x409adc, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.195] memcpy (in: _Dst=0x409adc, _Src=0x27e5f08, _Size=0xc | out: _Dst=0x409adc) returned 0x409adc [0104.195] VirtualProtect (in: lpAddress=0x409adc, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.195] VirtualProtect (in: lpAddress=0x409ae8, dwSize=0xf, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.196] memcpy (in: _Dst=0x409ae8, _Src=0x27e5f30, _Size=0xf | out: _Dst=0x409ae8) returned 0x409ae8 [0104.196] VirtualProtect (in: lpAddress=0x409ae8, dwSize=0xf, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.196] VirtualProtect (in: lpAddress=0x409af8, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.196] memcpy (in: _Dst=0x409af8, _Src=0x27e5f58, _Size=0xc | out: _Dst=0x409af8) returned 0x409af8 [0104.196] VirtualProtect (in: lpAddress=0x409af8, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.196] VirtualProtect (in: lpAddress=0x409b04, dwSize=0xd, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.197] memcpy (in: _Dst=0x409b04, _Src=0x27e5f80, _Size=0xd | out: _Dst=0x409b04) returned 0x409b04 [0104.197] VirtualProtect (in: lpAddress=0x409b04, dwSize=0xd, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.197] VirtualProtect (in: lpAddress=0x409b14, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.197] memcpy (in: _Dst=0x409b14, _Src=0x27e5fa8, _Size=0xc | out: _Dst=0x409b14) returned 0x409b14 [0104.197] VirtualProtect (in: lpAddress=0x409b14, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.198] VirtualProtect (in: lpAddress=0x409b20, dwSize=0xe, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.198] memcpy (in: _Dst=0x409b20, _Src=0x27e5fd0, _Size=0xe | out: _Dst=0x409b20) returned 0x409b20 [0104.198] VirtualProtect (in: lpAddress=0x409b20, dwSize=0xe, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.198] VirtualProtect (in: lpAddress=0x409b30, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.198] memcpy (in: _Dst=0x409b30, _Src=0x27e5ff8, _Size=0xc | out: _Dst=0x409b30) returned 0x409b30 [0104.198] VirtualProtect (in: lpAddress=0x409b30, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.199] VirtualProtect (in: lpAddress=0x409b3c, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.199] memcpy (in: _Dst=0x409b3c, _Src=0x27e6020, _Size=0xc | out: _Dst=0x409b3c) returned 0x409b3c [0104.199] VirtualProtect (in: lpAddress=0x409b3c, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.199] VirtualProtect (in: lpAddress=0x409b48, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.199] memcpy (in: _Dst=0x409b48, _Src=0x27e6048, _Size=0xc | out: _Dst=0x409b48) returned 0x409b48 [0104.199] VirtualProtect (in: lpAddress=0x409b48, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.200] VirtualProtect (in: lpAddress=0x409b54, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.200] memcpy (in: _Dst=0x409b54, _Src=0x27e6070, _Size=0xc | out: _Dst=0x409b54) returned 0x409b54 [0104.200] VirtualProtect (in: lpAddress=0x409b54, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.200] VirtualProtect (in: lpAddress=0x409b60, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.200] memcpy (in: _Dst=0x409b60, _Src=0x27e6098, _Size=0xc | out: _Dst=0x409b60) returned 0x409b60 [0104.200] VirtualProtect (in: lpAddress=0x409b60, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.201] VirtualProtect (in: lpAddress=0x409b6c, dwSize=0xd, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.201] memcpy (in: _Dst=0x409b6c, _Src=0x27e60c0, _Size=0xd | out: _Dst=0x409b6c) returned 0x409b6c [0104.201] VirtualProtect (in: lpAddress=0x409b6c, dwSize=0xd, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.201] VirtualProtect (in: lpAddress=0x409b7c, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.201] memcpy (in: _Dst=0x409b7c, _Src=0x27e60e8, _Size=0xc | out: _Dst=0x409b7c) returned 0x409b7c [0104.201] VirtualProtect (in: lpAddress=0x409b7c, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.202] VirtualProtect (in: lpAddress=0x409b88, dwSize=0xe, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.202] memcpy (in: _Dst=0x409b88, _Src=0x27e6110, _Size=0xe | out: _Dst=0x409b88) returned 0x409b88 [0104.202] VirtualProtect (in: lpAddress=0x409b88, dwSize=0xe, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.202] VirtualProtect (in: lpAddress=0x409b98, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.202] memcpy (in: _Dst=0x409b98, _Src=0x27e6138, _Size=0xc | out: _Dst=0x409b98) returned 0x409b98 [0104.202] VirtualProtect (in: lpAddress=0x409b98, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.203] VirtualProtect (in: lpAddress=0x409ba4, dwSize=0xe, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.203] memcpy (in: _Dst=0x409ba4, _Src=0x27e6160, _Size=0xe | out: _Dst=0x409ba4) returned 0x409ba4 [0104.203] VirtualProtect (in: lpAddress=0x409ba4, dwSize=0xe, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.203] VirtualProtect (in: lpAddress=0x409bb4, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.203] memcpy (in: _Dst=0x409bb4, _Src=0x27e6188, _Size=0xc | out: _Dst=0x409bb4) returned 0x409bb4 [0104.203] VirtualProtect (in: lpAddress=0x409bb4, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.204] VirtualProtect (in: lpAddress=0x409bc0, dwSize=0xd, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.204] memcpy (in: _Dst=0x409bc0, _Src=0x27e61b0, _Size=0xd | out: _Dst=0x409bc0) returned 0x409bc0 [0104.204] VirtualProtect (in: lpAddress=0x409bc0, dwSize=0xd, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.204] VirtualProtect (in: lpAddress=0x409bd0, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.204] memcpy (in: _Dst=0x409bd0, _Src=0x27e61d8, _Size=0xc | out: _Dst=0x409bd0) returned 0x409bd0 [0104.204] VirtualProtect (in: lpAddress=0x409bd0, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.205] VirtualProtect (in: lpAddress=0x409bdc, dwSize=0xd, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.205] memcpy (in: _Dst=0x409bdc, _Src=0x27e6200, _Size=0xd | out: _Dst=0x409bdc) returned 0x409bdc [0104.205] VirtualProtect (in: lpAddress=0x409bdc, dwSize=0xd, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.205] VirtualProtect (in: lpAddress=0x409bec, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.206] memcpy (in: _Dst=0x409bec, _Src=0x27e6228, _Size=0xc | out: _Dst=0x409bec) returned 0x409bec [0104.206] VirtualProtect (in: lpAddress=0x409bec, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.206] VirtualProtect (in: lpAddress=0x409bf8, dwSize=0xe, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.206] memcpy (in: _Dst=0x409bf8, _Src=0x27e6250, _Size=0xe | out: _Dst=0x409bf8) returned 0x409bf8 [0104.206] VirtualProtect (in: lpAddress=0x409bf8, dwSize=0xe, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.206] VirtualProtect (in: lpAddress=0x409c08, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.207] memcpy (in: _Dst=0x409c08, _Src=0x27e6278, _Size=0xc | out: _Dst=0x409c08) returned 0x409c08 [0104.207] VirtualProtect (in: lpAddress=0x409c08, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.207] VirtualProtect (in: lpAddress=0x409c14, dwSize=0xd, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.207] memcpy (in: _Dst=0x409c14, _Src=0x27e62a0, _Size=0xd | out: _Dst=0x409c14) returned 0x409c14 [0104.207] VirtualProtect (in: lpAddress=0x409c14, dwSize=0xd, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.207] VirtualProtect (in: lpAddress=0x409c24, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.208] memcpy (in: _Dst=0x409c24, _Src=0x27e62c8, _Size=0xc | out: _Dst=0x409c24) returned 0x409c24 [0104.208] VirtualProtect (in: lpAddress=0x409c24, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.208] VirtualProtect (in: lpAddress=0x409c30, dwSize=0xe, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.208] memcpy (in: _Dst=0x409c30, _Src=0x27e62f0, _Size=0xe | out: _Dst=0x409c30) returned 0x409c30 [0104.208] VirtualProtect (in: lpAddress=0x409c30, dwSize=0xe, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.208] VirtualProtect (in: lpAddress=0x409c40, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.209] memcpy (in: _Dst=0x409c40, _Src=0x27e6318, _Size=0xc | out: _Dst=0x409c40) returned 0x409c40 [0104.209] VirtualProtect (in: lpAddress=0x409c40, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.209] VirtualProtect (in: lpAddress=0x409c4c, dwSize=0xd, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.209] memcpy (in: _Dst=0x409c4c, _Src=0x27e6340, _Size=0xd | out: _Dst=0x409c4c) returned 0x409c4c [0104.209] VirtualProtect (in: lpAddress=0x409c4c, dwSize=0xd, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.210] VirtualProtect (in: lpAddress=0x409c5c, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.210] memcpy (in: _Dst=0x409c5c, _Src=0x27e6368, _Size=0xc | out: _Dst=0x409c5c) returned 0x409c5c [0104.210] VirtualProtect (in: lpAddress=0x409c5c, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.210] VirtualProtect (in: lpAddress=0x409c68, dwSize=0x12, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.210] memcpy (in: _Dst=0x409c68, _Src=0x27e6390, _Size=0x12 | out: _Dst=0x409c68) returned 0x409c68 [0104.210] VirtualProtect (in: lpAddress=0x409c68, dwSize=0x12, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.211] VirtualProtect (in: lpAddress=0x409c7c, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.211] memcpy (in: _Dst=0x409c7c, _Src=0x27e63c0, _Size=0xc | out: _Dst=0x409c7c) returned 0x409c7c [0104.211] VirtualProtect (in: lpAddress=0x409c7c, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.211] VirtualProtect (in: lpAddress=0x409c88, dwSize=0xd, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.211] memcpy (in: _Dst=0x409c88, _Src=0x27e63e8, _Size=0xd | out: _Dst=0x409c88) returned 0x409c88 [0104.211] VirtualProtect (in: lpAddress=0x409c88, dwSize=0xd, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.212] VirtualProtect (in: lpAddress=0x409c98, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.212] memcpy (in: _Dst=0x409c98, _Src=0x27e6410, _Size=0xc | out: _Dst=0x409c98) returned 0x409c98 [0104.212] VirtualProtect (in: lpAddress=0x409c98, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.212] VirtualProtect (in: lpAddress=0x409ca4, dwSize=0xf, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.212] memcpy (in: _Dst=0x409ca4, _Src=0x27e6438, _Size=0xf | out: _Dst=0x409ca4) returned 0x409ca4 [0104.213] VirtualProtect (in: lpAddress=0x409ca4, dwSize=0xf, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.213] VirtualProtect (in: lpAddress=0x409cb4, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.213] memcpy (in: _Dst=0x409cb4, _Src=0x27e6460, _Size=0xc | out: _Dst=0x409cb4) returned 0x409cb4 [0104.213] VirtualProtect (in: lpAddress=0x409cb4, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.213] VirtualProtect (in: lpAddress=0x409cc0, dwSize=0x10, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.214] memcpy (in: _Dst=0x409cc0, _Src=0x27e6488, _Size=0x10 | out: _Dst=0x409cc0) returned 0x409cc0 [0104.214] VirtualProtect (in: lpAddress=0x409cc0, dwSize=0x10, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.214] VirtualProtect (in: lpAddress=0x409cd0, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.214] memcpy (in: _Dst=0x409cd0, _Src=0x27e64b0, _Size=0xc | out: _Dst=0x409cd0) returned 0x409cd0 [0104.214] VirtualProtect (in: lpAddress=0x409cd0, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.217] VirtualProtect (in: lpAddress=0x409cdc, dwSize=0xe, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.217] memcpy (in: _Dst=0x409cdc, _Src=0x27e64d8, _Size=0xe | out: _Dst=0x409cdc) returned 0x409cdc [0104.217] VirtualProtect (in: lpAddress=0x409cdc, dwSize=0xe, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.218] VirtualProtect (in: lpAddress=0x409cec, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.218] memcpy (in: _Dst=0x409cec, _Src=0x27e6500, _Size=0xc | out: _Dst=0x409cec) returned 0x409cec [0104.218] VirtualProtect (in: lpAddress=0x409cec, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.218] VirtualProtect (in: lpAddress=0x409cf8, dwSize=0xd, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.219] memcpy (in: _Dst=0x409cf8, _Src=0x27e6528, _Size=0xd | out: _Dst=0x409cf8) returned 0x409cf8 [0104.219] VirtualProtect (in: lpAddress=0x409cf8, dwSize=0xd, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.219] VirtualProtect (in: lpAddress=0x409d08, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.219] memcpy (in: _Dst=0x409d08, _Src=0x27e6550, _Size=0xc | out: _Dst=0x409d08) returned 0x409d08 [0104.219] VirtualProtect (in: lpAddress=0x409d08, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.219] VirtualProtect (in: lpAddress=0x409d14, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.220] memcpy (in: _Dst=0x409d14, _Src=0x27e6578, _Size=0xc | out: _Dst=0x409d14) returned 0x409d14 [0104.220] VirtualProtect (in: lpAddress=0x409d14, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.220] VirtualProtect (in: lpAddress=0x409d20, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.220] memcpy (in: _Dst=0x409d20, _Src=0x27e65a0, _Size=0xc | out: _Dst=0x409d20) returned 0x409d20 [0104.220] VirtualProtect (in: lpAddress=0x409d20, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.221] VirtualProtect (in: lpAddress=0x409d2c, dwSize=0xf, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.221] memcpy (in: _Dst=0x409d2c, _Src=0x27e65c8, _Size=0xf | out: _Dst=0x409d2c) returned 0x409d2c [0104.221] VirtualProtect (in: lpAddress=0x409d2c, dwSize=0xf, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.221] VirtualProtect (in: lpAddress=0x409d3c, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.221] memcpy (in: _Dst=0x409d3c, _Src=0x27e65f0, _Size=0xc | out: _Dst=0x409d3c) returned 0x409d3c [0104.221] VirtualProtect (in: lpAddress=0x409d3c, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.222] VirtualProtect (in: lpAddress=0x409d48, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.222] memcpy (in: _Dst=0x409d48, _Src=0x27e6618, _Size=0xc | out: _Dst=0x409d48) returned 0x409d48 [0104.222] VirtualProtect (in: lpAddress=0x409d48, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.222] VirtualProtect (in: lpAddress=0x409d54, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.223] memcpy (in: _Dst=0x409d54, _Src=0x27e6640, _Size=0xc | out: _Dst=0x409d54) returned 0x409d54 [0104.223] VirtualProtect (in: lpAddress=0x409d54, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.223] VirtualProtect (in: lpAddress=0x409d60, dwSize=0xe, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.223] memcpy (in: _Dst=0x409d60, _Src=0x27e6668, _Size=0xe | out: _Dst=0x409d60) returned 0x409d60 [0104.223] VirtualProtect (in: lpAddress=0x409d60, dwSize=0xe, flNewProtect=0x2, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x4) returned 1 [0104.223] VirtualProtect (in: lpAddress=0x409d70, dwSize=0xc, flNewProtect=0x4, lpflOldProtect=0x14de00 | out: lpflOldProtect=0x14de00*=0x2) returned 1 [0104.224] memcpy (in: _Dst=0x409d70, _Src=0x27e6690, _Size=0xc | out: _Dst=0x409d70) returned 0x409d70 [0105.147] CreateFileMappingW (hFile=0xffffffffffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3c4600, lpName=0x0) returned 0x2c8 [0105.148] memcpy (in: _Dst=0x1b0c0000, _Src=0x12d02750, _Size=0x3c4600 | out: _Dst=0x1b0c0000) returned 0x1b0c0000 [0105.625] GetEnvironmentVariableW (in: lpName="COR_ENABLE_PROFILING", lpBuffer=0x14dbc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.627] GetEnvironmentVariableW (in: lpName="COR_PROFILER", lpBuffer=0x14dbc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0105.876] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", nBufferLength=0x105, lpBuffer=0x14d6f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", lpFilePart=0x0) returned 0x62 [0105.876] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", nBufferLength=0x105, lpBuffer=0x14d570, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", lpFilePart=0x0) returned 0x62 [0105.893] VirtualProtect (in: lpAddress=0x9d8e5e, dwSize=0xb, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x2) returned 1 [0105.894] VirtualProtect (in: lpAddress=0x9d8e52, dwSize=0xb, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.894] VirtualProtect (in: lpAddress=0x400188, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x2) returned 1 [0105.894] memcpy (in: _Dst=0x400188, _Src=0x27477a8, _Size=0x8 | out: _Dst=0x400188) returned 0x400188 [0105.894] VirtualProtect (in: lpAddress=0x4001b0, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.895] memcpy (in: _Dst=0x4001b0, _Src=0x27477c8, _Size=0x8 | out: _Dst=0x4001b0) returned 0x4001b0 [0105.895] VirtualProtect (in: lpAddress=0x4001d8, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.895] memcpy (in: _Dst=0x4001d8, _Src=0x27477e8, _Size=0x8 | out: _Dst=0x4001d8) returned 0x4001d8 [0105.895] VirtualProtect (in: lpAddress=0x400200, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.895] memcpy (in: _Dst=0x400200, _Src=0x2747808, _Size=0x8 | out: _Dst=0x400200) returned 0x400200 [0105.895] VirtualProtect (in: lpAddress=0x402008, dwSize=0x48, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x2) returned 1 [0105.896] VirtualProtect (in: lpAddress=0x9d4c9c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x2) returned 1 [0105.896] VirtualProtect (in: lpAddress=0x9d4cbc, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.897] VirtualProtect (in: lpAddress=0x9d4cc4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.897] VirtualProtect (in: lpAddress=0x9d4cc8, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.897] VirtualProtect (in: lpAddress=0x9d4cd0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.897] VirtualProtect (in: lpAddress=0x9d4cd4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.898] VirtualProtect (in: lpAddress=0x9d4cd8, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.898] VirtualProtect (in: lpAddress=0x9d4cdc, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.898] VirtualProtect (in: lpAddress=0x9d4ce4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.898] VirtualProtect (in: lpAddress=0x9d4ce8, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.899] VirtualProtect (in: lpAddress=0x9d4cf0, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.899] VirtualProtect (in: lpAddress=0x9d4cf4, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.899] VirtualProtect (in: lpAddress=0x9d4cf8, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.900] VirtualProtect (in: lpAddress=0x9d4d00, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0105.900] VirtualProtect (in: lpAddress=0x9d4d04, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14ddf8 | out: lpflOldProtect=0x14ddf8*=0x40) returned 1 [0111.432] CreateFileMappingW (hFile=0xffffffffffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7a8e00, lpName=0x0) returned 0x2f0 [0111.433] memcpy (in: _Dst=0x1b690000, _Src=0x144130e8, _Size=0x7a8e00 | out: _Dst=0x1b690000) returned 0x1b690000 [0112.560] EtwEventRegister () returned 0x0 [0112.564] EtwEventSetInformation () returned 0x0 [0113.526] VirtualProtect (in: lpAddress=0x1b690810, dwSize=0x278, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.526] memcpy (in: _Dst=0x1b690810, _Src=0x28c4b08, _Size=0x278 | out: _Dst=0x1b690810) returned 0x1b690810 [0113.526] VirtualProtect (in: lpAddress=0x1b690810, dwSize=0x278, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.526] VirtualProtect (in: lpAddress=0x1b690a88, dwSize=0x35e, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.526] memcpy (in: _Dst=0x1b690a88, _Src=0x28c4d98, _Size=0x35e | out: _Dst=0x1b690a88) returned 0x1b690a88 [0113.526] VirtualProtect (in: lpAddress=0x1b690a88, dwSize=0x35e, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.527] VirtualProtect (in: lpAddress=0x1b690de8, dwSize=0x223, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.527] memcpy (in: _Dst=0x1b690de8, _Src=0x28c5110, _Size=0x223 | out: _Dst=0x1b690de8) returned 0x1b690de8 [0113.527] VirtualProtect (in: lpAddress=0x1b690de8, dwSize=0x223, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.527] VirtualProtect (in: lpAddress=0x1b69101c, dwSize=0xb6, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.527] memcpy (in: _Dst=0x1b69101c, _Src=0x28c5350, _Size=0xb6 | out: _Dst=0x1b69101c) returned 0x1b69101c [0113.527] VirtualProtect (in: lpAddress=0x1b69101c, dwSize=0xb6, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.528] VirtualProtect (in: lpAddress=0x1b6910d4, dwSize=0x62, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.528] memcpy (in: _Dst=0x1b6910d4, _Src=0x28c5420, _Size=0x62 | out: _Dst=0x1b6910d4) returned 0x1b6910d4 [0113.528] VirtualProtect (in: lpAddress=0x1b6910d4, dwSize=0x62, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.528] VirtualProtect (in: lpAddress=0x1b691154, dwSize=0x6a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.528] memcpy (in: _Dst=0x1b691154, _Src=0x28c54a0, _Size=0x6a | out: _Dst=0x1b691154) returned 0x1b691154 [0113.528] VirtualProtect (in: lpAddress=0x1b691154, dwSize=0x6a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.528] VirtualProtect (in: lpAddress=0x1b6911dc, dwSize=0x53, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.529] memcpy (in: _Dst=0x1b6911dc, _Src=0x28c5528, _Size=0x53 | out: _Dst=0x1b6911dc) returned 0x1b6911dc [0113.529] VirtualProtect (in: lpAddress=0x1b6911dc, dwSize=0x53, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.529] VirtualProtect (in: lpAddress=0x1b691230, dwSize=0x47, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.529] memcpy (in: _Dst=0x1b691230, _Src=0x28c5598, _Size=0x47 | out: _Dst=0x1b691230) returned 0x1b691230 [0113.529] VirtualProtect (in: lpAddress=0x1b691230, dwSize=0x47, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.529] VirtualProtect (in: lpAddress=0x1b691278, dwSize=0x66, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.529] memcpy (in: _Dst=0x1b691278, _Src=0x28c55f8, _Size=0x66 | out: _Dst=0x1b691278) returned 0x1b691278 [0113.529] VirtualProtect (in: lpAddress=0x1b691278, dwSize=0x66, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.530] VirtualProtect (in: lpAddress=0x1b6912e0, dwSize=0x9f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.530] memcpy (in: _Dst=0x1b6912e0, _Src=0x28c5678, _Size=0x9f | out: _Dst=0x1b6912e0) returned 0x1b6912e0 [0113.530] VirtualProtect (in: lpAddress=0x1b6912e0, dwSize=0x9f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.530] VirtualProtect (in: lpAddress=0x1b691390, dwSize=0x1d0, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.530] memcpy (in: _Dst=0x1b691390, _Src=0x28c5730, _Size=0x1d0 | out: _Dst=0x1b691390) returned 0x1b691390 [0113.530] VirtualProtect (in: lpAddress=0x1b691390, dwSize=0x1d0, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.530] VirtualProtect (in: lpAddress=0x1b69157c, dwSize=0x8f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.531] memcpy (in: _Dst=0x1b69157c, _Src=0x28c5918, _Size=0x8f | out: _Dst=0x1b69157c) returned 0x1b69157c [0113.531] VirtualProtect (in: lpAddress=0x1b69157c, dwSize=0x8f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.531] VirtualProtect (in: lpAddress=0x1b69160c, dwSize=0x122, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.531] memcpy (in: _Dst=0x1b69160c, _Src=0x28c59c0, _Size=0x122 | out: _Dst=0x1b69160c) returned 0x1b69160c [0113.531] VirtualProtect (in: lpAddress=0x1b69160c, dwSize=0x122, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.531] VirtualProtect (in: lpAddress=0x1b691740, dwSize=0xb4, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.532] memcpy (in: _Dst=0x1b691740, _Src=0x28c5b00, _Size=0xb4 | out: _Dst=0x1b691740) returned 0x1b691740 [0113.532] VirtualProtect (in: lpAddress=0x1b691740, dwSize=0xb4, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.532] VirtualProtect (in: lpAddress=0x1b691804, dwSize=0x6c, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.532] memcpy (in: _Dst=0x1b691804, _Src=0x28c5bd0, _Size=0x6c | out: _Dst=0x1b691804) returned 0x1b691804 [0113.532] VirtualProtect (in: lpAddress=0x1b691804, dwSize=0x6c, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.532] VirtualProtect (in: lpAddress=0x1b691870, dwSize=0xd4, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.532] memcpy (in: _Dst=0x1b691870, _Src=0x28c5c58, _Size=0xd4 | out: _Dst=0x1b691870) returned 0x1b691870 [0113.533] VirtualProtect (in: lpAddress=0x1b691870, dwSize=0xd4, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.533] VirtualProtect (in: lpAddress=0x1b691944, dwSize=0x46, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.533] memcpy (in: _Dst=0x1b691944, _Src=0x28c5d48, _Size=0x46 | out: _Dst=0x1b691944) returned 0x1b691944 [0113.533] VirtualProtect (in: lpAddress=0x1b691944, dwSize=0x46, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.533] VirtualProtect (in: lpAddress=0x1b69198c, dwSize=0x2f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.533] memcpy (in: _Dst=0x1b69198c, _Src=0x28c5da8, _Size=0x2f | out: _Dst=0x1b69198c) returned 0x1b69198c [0113.533] VirtualProtect (in: lpAddress=0x1b69198c, dwSize=0x2f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.534] VirtualProtect (in: lpAddress=0x1b6919bc, dwSize=0x23, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.534] memcpy (in: _Dst=0x1b6919bc, _Src=0x28c5df0, _Size=0x23 | out: _Dst=0x1b6919bc) returned 0x1b6919bc [0113.534] VirtualProtect (in: lpAddress=0x1b6919bc, dwSize=0x23, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.534] VirtualProtect (in: lpAddress=0x1b6919e0, dwSize=0x20, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.534] memcpy (in: _Dst=0x1b6919e0, _Src=0x28c5e30, _Size=0x20 | out: _Dst=0x1b6919e0) returned 0x1b6919e0 [0113.534] VirtualProtect (in: lpAddress=0x1b6919e0, dwSize=0x20, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.534] VirtualProtect (in: lpAddress=0x1b691a00, dwSize=0x36, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.535] memcpy (in: _Dst=0x1b691a00, _Src=0x28c5e68, _Size=0x36 | out: _Dst=0x1b691a00) returned 0x1b691a00 [0113.535] VirtualProtect (in: lpAddress=0x1b691a00, dwSize=0x36, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.535] VirtualProtect (in: lpAddress=0x1b691a38, dwSize=0x20, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.535] memcpy (in: _Dst=0x1b691a38, _Src=0x28c5eb8, _Size=0x20 | out: _Dst=0x1b691a38) returned 0x1b691a38 [0113.535] VirtualProtect (in: lpAddress=0x1b691a38, dwSize=0x20, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.536] VirtualProtect (in: lpAddress=0x1b691a58, dwSize=0x36, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.536] memcpy (in: _Dst=0x1b691a58, _Src=0x28c5ef0, _Size=0x36 | out: _Dst=0x1b691a58) returned 0x1b691a58 [0113.536] VirtualProtect (in: lpAddress=0x1b691a58, dwSize=0x36, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.536] VirtualProtect (in: lpAddress=0x1b691a90, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.536] memcpy (in: _Dst=0x1b691a90, _Src=0x28c5f40, _Size=0x1a | out: _Dst=0x1b691a90) returned 0x1b691a90 [0113.536] VirtualProtect (in: lpAddress=0x1b691a90, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.536] VirtualProtect (in: lpAddress=0x1b691aac, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.537] memcpy (in: _Dst=0x1b691aac, _Src=0x28c5f78, _Size=0x1a | out: _Dst=0x1b691aac) returned 0x1b691aac [0113.537] VirtualProtect (in: lpAddress=0x1b691aac, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.537] VirtualProtect (in: lpAddress=0x1b691ac8, dwSize=0x30, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.537] memcpy (in: _Dst=0x1b691ac8, _Src=0x28c5fb0, _Size=0x30 | out: _Dst=0x1b691ac8) returned 0x1b691ac8 [0113.537] VirtualProtect (in: lpAddress=0x1b691ac8, dwSize=0x30, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.537] VirtualProtect (in: lpAddress=0x1b691af8, dwSize=0x7f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.538] memcpy (in: _Dst=0x1b691af8, _Src=0x28c5ff8, _Size=0x7f | out: _Dst=0x1b691af8) returned 0x1b691af8 [0113.538] VirtualProtect (in: lpAddress=0x1b691af8, dwSize=0x7f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.538] VirtualProtect (in: lpAddress=0x1b691b78, dwSize=0x46, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.538] memcpy (in: _Dst=0x1b691b78, _Src=0x28c6090, _Size=0x46 | out: _Dst=0x1b691b78) returned 0x1b691b78 [0113.538] VirtualProtect (in: lpAddress=0x1b691b78, dwSize=0x46, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.538] VirtualProtect (in: lpAddress=0x1b691bc0, dwSize=0x79, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.539] memcpy (in: _Dst=0x1b691bc0, _Src=0x28c60f0, _Size=0x79 | out: _Dst=0x1b691bc0) returned 0x1b691bc0 [0113.539] VirtualProtect (in: lpAddress=0x1b691bc0, dwSize=0x79, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.539] VirtualProtect (in: lpAddress=0x1b691c3c, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.539] memcpy (in: _Dst=0x1b691c3c, _Src=0x28c6188, _Size=0x1a | out: _Dst=0x1b691c3c) returned 0x1b691c3c [0113.539] VirtualProtect (in: lpAddress=0x1b691c3c, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.539] VirtualProtect (in: lpAddress=0x1b691c58, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.540] memcpy (in: _Dst=0x1b691c58, _Src=0x28c61c0, _Size=0x1a | out: _Dst=0x1b691c58) returned 0x1b691c58 [0113.540] VirtualProtect (in: lpAddress=0x1b691c58, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.540] VirtualProtect (in: lpAddress=0x1b691c74, dwSize=0x8e, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.540] memcpy (in: _Dst=0x1b691c74, _Src=0x28c61f8, _Size=0x8e | out: _Dst=0x1b691c74) returned 0x1b691c74 [0113.540] VirtualProtect (in: lpAddress=0x1b691c74, dwSize=0x8e, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.540] VirtualProtect (in: lpAddress=0x1b691d14, dwSize=0xe3, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.541] memcpy (in: _Dst=0x1b691d14, _Src=0x28c62a0, _Size=0xe3 | out: _Dst=0x1b691d14) returned 0x1b691d14 [0113.541] VirtualProtect (in: lpAddress=0x1b691d14, dwSize=0xe3, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.541] VirtualProtect (in: lpAddress=0x1b691e14, dwSize=0x171, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.541] memcpy (in: _Dst=0x1b691e14, _Src=0x28c63a0, _Size=0x171 | out: _Dst=0x1b691e14) returned 0x1b691e14 [0113.541] VirtualProtect (in: lpAddress=0x1b691e14, dwSize=0x171, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.541] VirtualProtect (in: lpAddress=0x1b691f98, dwSize=0x3b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.541] memcpy (in: _Dst=0x1b691f98, _Src=0x28c6530, _Size=0x3b | out: _Dst=0x1b691f98) returned 0x1b691f98 [0113.542] VirtualProtect (in: lpAddress=0x1b691f98, dwSize=0x3b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.542] VirtualProtect (in: lpAddress=0x1b691fd4, dwSize=0x46, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.542] memcpy (in: _Dst=0x1b691fd4, _Src=0x28c6588, _Size=0x46 | out: _Dst=0x1b691fd4) returned 0x1b691fd4 [0113.542] VirtualProtect (in: lpAddress=0x1b691fd4, dwSize=0x46, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.542] VirtualProtect (in: lpAddress=0x1b69201c, dwSize=0x151, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.542] memcpy (in: _Dst=0x1b69201c, _Src=0x28c65e8, _Size=0x151 | out: _Dst=0x1b69201c) returned 0x1b69201c [0113.543] VirtualProtect (in: lpAddress=0x1b69201c, dwSize=0x151, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.543] VirtualProtect (in: lpAddress=0x1b692170, dwSize=0xee, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.543] memcpy (in: _Dst=0x1b692170, _Src=0x28c6758, _Size=0xee | out: _Dst=0x1b692170) returned 0x1b692170 [0113.543] VirtualProtect (in: lpAddress=0x1b692170, dwSize=0xee, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.543] VirtualProtect (in: lpAddress=0x1b692260, dwSize=0x21, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.543] memcpy (in: _Dst=0x1b692260, _Src=0x28c6860, _Size=0x21 | out: _Dst=0x1b692260) returned 0x1b692260 [0113.543] VirtualProtect (in: lpAddress=0x1b692260, dwSize=0x21, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.544] VirtualProtect (in: lpAddress=0x1b692284, dwSize=0x1f5, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.544] memcpy (in: _Dst=0x1b692284, _Src=0x28c68a0, _Size=0x1f5 | out: _Dst=0x1b692284) returned 0x1b692284 [0113.544] VirtualProtect (in: lpAddress=0x1b692284, dwSize=0x1f5, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.544] VirtualProtect (in: lpAddress=0x1b692498, dwSize=0x31, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.544] memcpy (in: _Dst=0x1b692498, _Src=0x28c6ab0, _Size=0x31 | out: _Dst=0x1b692498) returned 0x1b692498 [0113.544] VirtualProtect (in: lpAddress=0x1b692498, dwSize=0x31, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.545] VirtualProtect (in: lpAddress=0x1b6924cc, dwSize=0x3b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.545] memcpy (in: _Dst=0x1b6924cc, _Src=0x28c6b00, _Size=0x3b | out: _Dst=0x1b6924cc) returned 0x1b6924cc [0113.545] VirtualProtect (in: lpAddress=0x1b6924cc, dwSize=0x3b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.545] VirtualProtect (in: lpAddress=0x1b692508, dwSize=0x25, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.545] memcpy (in: _Dst=0x1b692508, _Src=0x28c6b58, _Size=0x25 | out: _Dst=0x1b692508) returned 0x1b692508 [0113.545] VirtualProtect (in: lpAddress=0x1b692508, dwSize=0x25, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.546] VirtualProtect (in: lpAddress=0x1b692530, dwSize=0xad, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.546] memcpy (in: _Dst=0x1b692530, _Src=0x28c6b98, _Size=0xad | out: _Dst=0x1b692530) returned 0x1b692530 [0113.546] VirtualProtect (in: lpAddress=0x1b692530, dwSize=0xad, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.546] VirtualProtect (in: lpAddress=0x1b6925e0, dwSize=0x31, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.546] memcpy (in: _Dst=0x1b6925e0, _Src=0x28c6c60, _Size=0x31 | out: _Dst=0x1b6925e0) returned 0x1b6925e0 [0113.547] VirtualProtect (in: lpAddress=0x1b6925e0, dwSize=0x31, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.547] VirtualProtect (in: lpAddress=0x1b692614, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.547] memcpy (in: _Dst=0x1b692614, _Src=0x28c6cb0, _Size=0x1a | out: _Dst=0x1b692614) returned 0x1b692614 [0113.547] VirtualProtect (in: lpAddress=0x1b692614, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.547] VirtualProtect (in: lpAddress=0x1b692630, dwSize=0x38, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.547] memcpy (in: _Dst=0x1b692630, _Src=0x28c6ce8, _Size=0x38 | out: _Dst=0x1b692630) returned 0x1b692630 [0113.547] VirtualProtect (in: lpAddress=0x1b692630, dwSize=0x38, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.548] VirtualProtect (in: lpAddress=0x1b692668, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.548] memcpy (in: _Dst=0x1b692668, _Src=0x28c6d38, _Size=0x1a | out: _Dst=0x1b692668) returned 0x1b692668 [0113.548] VirtualProtect (in: lpAddress=0x1b692668, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.548] VirtualProtect (in: lpAddress=0x1b692684, dwSize=0x22, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.548] memcpy (in: _Dst=0x1b692684, _Src=0x28c6d70, _Size=0x22 | out: _Dst=0x1b692684) returned 0x1b692684 [0113.548] VirtualProtect (in: lpAddress=0x1b692684, dwSize=0x22, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.549] VirtualProtect (in: lpAddress=0x1b6926a8, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.549] memcpy (in: _Dst=0x1b6926a8, _Src=0x28c6db0, _Size=0x1a | out: _Dst=0x1b6926a8) returned 0x1b6926a8 [0113.549] VirtualProtect (in: lpAddress=0x1b6926a8, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.549] VirtualProtect (in: lpAddress=0x1b6926c4, dwSize=0x32, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.550] memcpy (in: _Dst=0x1b6926c4, _Src=0x28c6de8, _Size=0x32 | out: _Dst=0x1b6926c4) returned 0x1b6926c4 [0113.550] VirtualProtect (in: lpAddress=0x1b6926c4, dwSize=0x32, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.550] VirtualProtect (in: lpAddress=0x1b6926f8, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.550] memcpy (in: _Dst=0x1b6926f8, _Src=0x28c6e38, _Size=0x1a | out: _Dst=0x1b6926f8) returned 0x1b6926f8 [0113.550] VirtualProtect (in: lpAddress=0x1b6926f8, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.551] VirtualProtect (in: lpAddress=0x1b692714, dwSize=0x38, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.551] memcpy (in: _Dst=0x1b692714, _Src=0x28c6e70, _Size=0x38 | out: _Dst=0x1b692714) returned 0x1b692714 [0113.551] VirtualProtect (in: lpAddress=0x1b692714, dwSize=0x38, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.551] VirtualProtect (in: lpAddress=0x1b69274c, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.551] memcpy (in: _Dst=0x1b69274c, _Src=0x28c6ec0, _Size=0x1a | out: _Dst=0x1b69274c) returned 0x1b69274c [0113.551] VirtualProtect (in: lpAddress=0x1b69274c, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.552] VirtualProtect (in: lpAddress=0x1b692768, dwSize=0x32, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.552] memcpy (in: _Dst=0x1b692768, _Src=0x28c6ef8, _Size=0x32 | out: _Dst=0x1b692768) returned 0x1b692768 [0113.552] VirtualProtect (in: lpAddress=0x1b692768, dwSize=0x32, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.552] VirtualProtect (in: lpAddress=0x1b69279c, dwSize=0xcc, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.552] memcpy (in: _Dst=0x1b69279c, _Src=0x28c6f48, _Size=0xcc | out: _Dst=0x1b69279c) returned 0x1b69279c [0113.552] VirtualProtect (in: lpAddress=0x1b69279c, dwSize=0xcc, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.553] VirtualProtect (in: lpAddress=0x1b692868, dwSize=0x194, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.553] memcpy (in: _Dst=0x1b692868, _Src=0x28c7030, _Size=0x194 | out: _Dst=0x1b692868) returned 0x1b692868 [0113.553] VirtualProtect (in: lpAddress=0x1b692868, dwSize=0x194, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.553] VirtualProtect (in: lpAddress=0x1b692a18, dwSize=0xe7, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.553] memcpy (in: _Dst=0x1b692a18, _Src=0x28c71e0, _Size=0xe7 | out: _Dst=0x1b692a18) returned 0x1b692a18 [0113.553] VirtualProtect (in: lpAddress=0x1b692a18, dwSize=0xe7, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.554] VirtualProtect (in: lpAddress=0x1b692b1c, dwSize=0xb8, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.554] memcpy (in: _Dst=0x1b692b1c, _Src=0x28c72e0, _Size=0xb8 | out: _Dst=0x1b692b1c) returned 0x1b692b1c [0113.554] VirtualProtect (in: lpAddress=0x1b692b1c, dwSize=0xb8, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.554] VirtualProtect (in: lpAddress=0x1b692be4, dwSize=0x35, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.554] memcpy (in: _Dst=0x1b692be4, _Src=0x28c73b0, _Size=0x35 | out: _Dst=0x1b692be4) returned 0x1b692be4 [0113.554] VirtualProtect (in: lpAddress=0x1b692be4, dwSize=0x35, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.555] VirtualProtect (in: lpAddress=0x1b692c2c, dwSize=0x249, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.555] memcpy (in: _Dst=0x1b692c2c, _Src=0x28c7400, _Size=0x249 | out: _Dst=0x1b692c2c) returned 0x1b692c2c [0113.555] VirtualProtect (in: lpAddress=0x1b692c2c, dwSize=0x249, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.555] VirtualProtect (in: lpAddress=0x1b692eac, dwSize=0x191, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.555] memcpy (in: _Dst=0x1b692eac, _Src=0x28c7668, _Size=0x191 | out: _Dst=0x1b692eac) returned 0x1b692eac [0113.555] VirtualProtect (in: lpAddress=0x1b692eac, dwSize=0x191, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.556] VirtualProtect (in: lpAddress=0x1b69305c, dwSize=0x1b0, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.556] memcpy (in: _Dst=0x1b69305c, _Src=0x28c7818, _Size=0x1b0 | out: _Dst=0x1b69305c) returned 0x1b69305c [0113.556] VirtualProtect (in: lpAddress=0x1b69305c, dwSize=0x1b0, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.556] VirtualProtect (in: lpAddress=0x1b693228, dwSize=0x1fc, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.556] memcpy (in: _Dst=0x1b693228, _Src=0x28c79e0, _Size=0x1fc | out: _Dst=0x1b693228) returned 0x1b693228 [0113.556] VirtualProtect (in: lpAddress=0x1b693228, dwSize=0x1fc, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.557] VirtualProtect (in: lpAddress=0x1b693440, dwSize=0x16c, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.557] memcpy (in: _Dst=0x1b693440, _Src=0x28c7bf8, _Size=0x16c | out: _Dst=0x1b693440) returned 0x1b693440 [0113.557] VirtualProtect (in: lpAddress=0x1b693440, dwSize=0x16c, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.557] VirtualProtect (in: lpAddress=0x1b6935c8, dwSize=0x1ae, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.557] memcpy (in: _Dst=0x1b6935c8, _Src=0x28c7d80, _Size=0x1ae | out: _Dst=0x1b6935c8) returned 0x1b6935c8 [0113.557] VirtualProtect (in: lpAddress=0x1b6935c8, dwSize=0x1ae, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.558] VirtualProtect (in: lpAddress=0x1b693794, dwSize=0x193, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.558] memcpy (in: _Dst=0x1b693794, _Src=0x28c7f48, _Size=0x193 | out: _Dst=0x1b693794) returned 0x1b693794 [0113.558] VirtualProtect (in: lpAddress=0x1b693794, dwSize=0x193, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.558] VirtualProtect (in: lpAddress=0x1b693944, dwSize=0x90, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.558] memcpy (in: _Dst=0x1b693944, _Src=0x28c80f8, _Size=0x90 | out: _Dst=0x1b693944) returned 0x1b693944 [0113.558] VirtualProtect (in: lpAddress=0x1b693944, dwSize=0x90, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.558] VirtualProtect (in: lpAddress=0x1b6939d4, dwSize=0x3b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.559] memcpy (in: _Dst=0x1b6939d4, _Src=0x28c81a0, _Size=0x3b | out: _Dst=0x1b6939d4) returned 0x1b6939d4 [0113.559] VirtualProtect (in: lpAddress=0x1b6939d4, dwSize=0x3b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.559] VirtualProtect (in: lpAddress=0x1b693a10, dwSize=0x32, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.559] memcpy (in: _Dst=0x1b693a10, _Src=0x28c81f8, _Size=0x32 | out: _Dst=0x1b693a10) returned 0x1b693a10 [0113.559] VirtualProtect (in: lpAddress=0x1b693a10, dwSize=0x32, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.559] VirtualProtect (in: lpAddress=0x1b693a44, dwSize=0x2c, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.560] memcpy (in: _Dst=0x1b693a44, _Src=0x28c8248, _Size=0x2c | out: _Dst=0x1b693a44) returned 0x1b693a44 [0113.560] VirtualProtect (in: lpAddress=0x1b693a44, dwSize=0x2c, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.560] VirtualProtect (in: lpAddress=0x1b693a70, dwSize=0x10e, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.560] memcpy (in: _Dst=0x1b693a70, _Src=0x28c8290, _Size=0x10e | out: _Dst=0x1b693a70) returned 0x1b693a70 [0113.560] VirtualProtect (in: lpAddress=0x1b693a70, dwSize=0x10e, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.560] VirtualProtect (in: lpAddress=0x1b693b9c, dwSize=0xa7, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.560] memcpy (in: _Dst=0x1b693b9c, _Src=0x28c83b8, _Size=0xa7 | out: _Dst=0x1b693b9c) returned 0x1b693b9c [0113.560] VirtualProtect (in: lpAddress=0x1b693b9c, dwSize=0xa7, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.561] VirtualProtect (in: lpAddress=0x1b693c54, dwSize=0xc5, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.561] memcpy (in: _Dst=0x1b693c54, _Src=0x28c8478, _Size=0xc5 | out: _Dst=0x1b693c54) returned 0x1b693c54 [0113.561] VirtualProtect (in: lpAddress=0x1b693c54, dwSize=0xc5, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.561] VirtualProtect (in: lpAddress=0x1b693d1c, dwSize=0xd9, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.561] memcpy (in: _Dst=0x1b693d1c, _Src=0x28c8558, _Size=0xd9 | out: _Dst=0x1b693d1c) returned 0x1b693d1c [0113.561] VirtualProtect (in: lpAddress=0x1b693d1c, dwSize=0xd9, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.562] VirtualProtect (in: lpAddress=0x1b693df8, dwSize=0x45, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.562] memcpy (in: _Dst=0x1b693df8, _Src=0x28c8650, _Size=0x45 | out: _Dst=0x1b693df8) returned 0x1b693df8 [0113.562] VirtualProtect (in: lpAddress=0x1b693df8, dwSize=0x45, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.562] VirtualProtect (in: lpAddress=0x1b693e40, dwSize=0x2a6, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.562] memcpy (in: _Dst=0x1b693e40, _Src=0x28c86b0, _Size=0x2a6 | out: _Dst=0x1b693e40) returned 0x1b693e40 [0113.562] VirtualProtect (in: lpAddress=0x1b693e40, dwSize=0x2a6, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.563] VirtualProtect (in: lpAddress=0x1b69411c, dwSize=0xd4, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.563] memcpy (in: _Dst=0x1b69411c, _Src=0x28c8970, _Size=0xd4 | out: _Dst=0x1b69411c) returned 0x1b69411c [0113.563] VirtualProtect (in: lpAddress=0x1b69411c, dwSize=0xd4, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.563] VirtualProtect (in: lpAddress=0x1b69420c, dwSize=0x1c3, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.563] memcpy (in: _Dst=0x1b69420c, _Src=0x28c8a60, _Size=0x1c3 | out: _Dst=0x1b69420c) returned 0x1b69420c [0113.563] VirtualProtect (in: lpAddress=0x1b69420c, dwSize=0x1c3, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.563] VirtualProtect (in: lpAddress=0x1b6943d0, dwSize=0xcf, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.564] memcpy (in: _Dst=0x1b6943d0, _Src=0x28c8c40, _Size=0xcf | out: _Dst=0x1b6943d0) returned 0x1b6943d0 [0113.564] VirtualProtect (in: lpAddress=0x1b6943d0, dwSize=0xcf, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.564] VirtualProtect (in: lpAddress=0x1b6944a0, dwSize=0x2d5, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.564] memcpy (in: _Dst=0x1b6944a0, _Src=0x28c8d28, _Size=0x2d5 | out: _Dst=0x1b6944a0) returned 0x1b6944a0 [0113.564] VirtualProtect (in: lpAddress=0x1b6944a0, dwSize=0x2d5, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.564] VirtualProtect (in: lpAddress=0x1b694778, dwSize=0x1c, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.565] memcpy (in: _Dst=0x1b694778, _Src=0x28c9018, _Size=0x1c | out: _Dst=0x1b694778) returned 0x1b694778 [0113.565] VirtualProtect (in: lpAddress=0x1b694778, dwSize=0x1c, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.565] VirtualProtect (in: lpAddress=0x1b694794, dwSize=0x125, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.565] memcpy (in: _Dst=0x1b694794, _Src=0x28c9050, _Size=0x125 | out: _Dst=0x1b694794) returned 0x1b694794 [0113.565] VirtualProtect (in: lpAddress=0x1b694794, dwSize=0x125, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.565] VirtualProtect (in: lpAddress=0x1b6948bc, dwSize=0x73, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.565] memcpy (in: _Dst=0x1b6948bc, _Src=0x28c9190, _Size=0x73 | out: _Dst=0x1b6948bc) returned 0x1b6948bc [0113.566] VirtualProtect (in: lpAddress=0x1b6948bc, dwSize=0x73, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.566] VirtualProtect (in: lpAddress=0x1b694930, dwSize=0xb9, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.571] memcpy (in: _Dst=0x1b694930, _Src=0x28c9220, _Size=0xb9 | out: _Dst=0x1b694930) returned 0x1b694930 [0113.572] VirtualProtect (in: lpAddress=0x1b694930, dwSize=0xb9, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.572] VirtualProtect (in: lpAddress=0x1b6949ec, dwSize=0xe4, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.572] memcpy (in: _Dst=0x1b6949ec, _Src=0x28c92f8, _Size=0xe4 | out: _Dst=0x1b6949ec) returned 0x1b6949ec [0113.572] VirtualProtect (in: lpAddress=0x1b6949ec, dwSize=0xe4, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.572] VirtualProtect (in: lpAddress=0x1b694ad0, dwSize=0x1c, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.573] memcpy (in: _Dst=0x1b694ad0, _Src=0x28c93f8, _Size=0x1c | out: _Dst=0x1b694ad0) returned 0x1b694ad0 [0113.573] VirtualProtect (in: lpAddress=0x1b694ad0, dwSize=0x1c, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.573] VirtualProtect (in: lpAddress=0x1b694aec, dwSize=0xcc7, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.573] memcpy (in: _Dst=0x1b694aec, _Src=0x28c9430, _Size=0xcc7 | out: _Dst=0x1b694aec) returned 0x1b694aec [0113.573] VirtualProtect (in: lpAddress=0x1b694aec, dwSize=0xcc7, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.574] VirtualProtect (in: lpAddress=0x1b6957b4, dwSize=0x2d7, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.574] memcpy (in: _Dst=0x1b6957b4, _Src=0x28ca110, _Size=0x2d7 | out: _Dst=0x1b6957b4) returned 0x1b6957b4 [0113.574] VirtualProtect (in: lpAddress=0x1b6957b4, dwSize=0x2d7, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.574] VirtualProtect (in: lpAddress=0x1b695a8c, dwSize=0xa17, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.574] memcpy (in: _Dst=0x1b695a8c, _Src=0x28ca400, _Size=0xa17 | out: _Dst=0x1b695a8c) returned 0x1b695a8c [0113.574] VirtualProtect (in: lpAddress=0x1b695a8c, dwSize=0xa17, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.575] VirtualProtect (in: lpAddress=0x1b6964a4, dwSize=0x27, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.575] memcpy (in: _Dst=0x1b6964a4, _Src=0x28cae30, _Size=0x27 | out: _Dst=0x1b6964a4) returned 0x1b6964a4 [0113.575] VirtualProtect (in: lpAddress=0x1b6964a4, dwSize=0x27, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.575] VirtualProtect (in: lpAddress=0x1b6964cc, dwSize=0x679, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.576] memcpy (in: _Dst=0x1b6964cc, _Src=0x28cae70, _Size=0x679 | out: _Dst=0x1b6964cc) returned 0x1b6964cc [0113.576] VirtualProtect (in: lpAddress=0x1b6964cc, dwSize=0x679, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.576] VirtualProtect (in: lpAddress=0x1b696bc4, dwSize=0x64, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.576] memcpy (in: _Dst=0x1b696bc4, _Src=0x28cb508, _Size=0x64 | out: _Dst=0x1b696bc4) returned 0x1b696bc4 [0113.576] VirtualProtect (in: lpAddress=0x1b696bc4, dwSize=0x64, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.577] VirtualProtect (in: lpAddress=0x1b696c38, dwSize=0x6b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.577] memcpy (in: _Dst=0x1b696c38, _Src=0x28cb588, _Size=0x6b | out: _Dst=0x1b696c38) returned 0x1b696c38 [0113.577] VirtualProtect (in: lpAddress=0x1b696c38, dwSize=0x6b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.577] VirtualProtect (in: lpAddress=0x1b696ca4, dwSize=0x27, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.577] memcpy (in: _Dst=0x1b696ca4, _Src=0x28cb610, _Size=0x27 | out: _Dst=0x1b696ca4) returned 0x1b696ca4 [0113.577] VirtualProtect (in: lpAddress=0x1b696ca4, dwSize=0x27, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.578] VirtualProtect (in: lpAddress=0x1b696ccc, dwSize=0x33b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.578] memcpy (in: _Dst=0x1b696ccc, _Src=0x28cb650, _Size=0x33b | out: _Dst=0x1b696ccc) returned 0x1b696ccc [0113.578] VirtualProtect (in: lpAddress=0x1b696ccc, dwSize=0x33b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.578] VirtualProtect (in: lpAddress=0x1b697054, dwSize=0x68, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.578] memcpy (in: _Dst=0x1b697054, _Src=0x28cb9a8, _Size=0x68 | out: _Dst=0x1b697054) returned 0x1b697054 [0113.579] VirtualProtect (in: lpAddress=0x1b697054, dwSize=0x68, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.579] VirtualProtect (in: lpAddress=0x1b6970bc, dwSize=0x775, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.579] memcpy (in: _Dst=0x1b6970bc, _Src=0x28cba28, _Size=0x775 | out: _Dst=0x1b6970bc) returned 0x1b6970bc [0113.579] VirtualProtect (in: lpAddress=0x1b6970bc, dwSize=0x775, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.579] VirtualProtect (in: lpAddress=0x1b697850, dwSize=0x3b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.580] memcpy (in: _Dst=0x1b697850, _Src=0x28cc1b8, _Size=0x3b | out: _Dst=0x1b697850) returned 0x1b697850 [0113.580] VirtualProtect (in: lpAddress=0x1b697850, dwSize=0x3b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.580] VirtualProtect (in: lpAddress=0x1b69788c, dwSize=0x3f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.580] memcpy (in: _Dst=0x1b69788c, _Src=0x28cc210, _Size=0x3f | out: _Dst=0x1b69788c) returned 0x1b69788c [0113.580] VirtualProtect (in: lpAddress=0x1b69788c, dwSize=0x3f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.580] VirtualProtect (in: lpAddress=0x1b6978cc, dwSize=0x21, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.581] memcpy (in: _Dst=0x1b6978cc, _Src=0x28cc268, _Size=0x21 | out: _Dst=0x1b6978cc) returned 0x1b6978cc [0113.581] VirtualProtect (in: lpAddress=0x1b6978cc, dwSize=0x21, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.581] VirtualProtect (in: lpAddress=0x1b6978f0, dwSize=0x1b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.581] memcpy (in: _Dst=0x1b6978f0, _Src=0x28cc2a8, _Size=0x1b | out: _Dst=0x1b6978f0) returned 0x1b6978f0 [0113.581] VirtualProtect (in: lpAddress=0x1b6978f0, dwSize=0x1b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.581] VirtualProtect (in: lpAddress=0x1b69790c, dwSize=0x27, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.582] memcpy (in: _Dst=0x1b69790c, _Src=0x28cc2e0, _Size=0x27 | out: _Dst=0x1b69790c) returned 0x1b69790c [0113.582] VirtualProtect (in: lpAddress=0x1b69790c, dwSize=0x27, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.582] VirtualProtect (in: lpAddress=0x1b697934, dwSize=0xa4, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.583] memcpy (in: _Dst=0x1b697934, _Src=0x28cc320, _Size=0xa4 | out: _Dst=0x1b697934) returned 0x1b697934 [0113.583] VirtualProtect (in: lpAddress=0x1b697934, dwSize=0xa4, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.583] VirtualProtect (in: lpAddress=0x1b6979e8, dwSize=0x21, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.583] memcpy (in: _Dst=0x1b6979e8, _Src=0x28cc3e0, _Size=0x21 | out: _Dst=0x1b6979e8) returned 0x1b6979e8 [0113.583] VirtualProtect (in: lpAddress=0x1b6979e8, dwSize=0x21, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.583] VirtualProtect (in: lpAddress=0x1b697a0c, dwSize=0x27, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.584] memcpy (in: _Dst=0x1b697a0c, _Src=0x28cc420, _Size=0x27 | out: _Dst=0x1b697a0c) returned 0x1b697a0c [0113.584] VirtualProtect (in: lpAddress=0x1b697a0c, dwSize=0x27, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.584] VirtualProtect (in: lpAddress=0x1b697a34, dwSize=0x78, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.584] memcpy (in: _Dst=0x1b697a34, _Src=0x28cc460, _Size=0x78 | out: _Dst=0x1b697a34) returned 0x1b697a34 [0113.584] VirtualProtect (in: lpAddress=0x1b697a34, dwSize=0x78, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.585] VirtualProtect (in: lpAddress=0x1b697abc, dwSize=0x21, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.585] memcpy (in: _Dst=0x1b697abc, _Src=0x28cc4f0, _Size=0x21 | out: _Dst=0x1b697abc) returned 0x1b697abc [0113.585] VirtualProtect (in: lpAddress=0x1b697abc, dwSize=0x21, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.585] VirtualProtect (in: lpAddress=0x1b697ae0, dwSize=0x234, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.585] memcpy (in: _Dst=0x1b697ae0, _Src=0x28cc530, _Size=0x234 | out: _Dst=0x1b697ae0) returned 0x1b697ae0 [0113.586] VirtualProtect (in: lpAddress=0x1b697ae0, dwSize=0x234, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.586] VirtualProtect (in: lpAddress=0x1b697d30, dwSize=0x3b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.586] memcpy (in: _Dst=0x1b697d30, _Src=0x28cc780, _Size=0x3b | out: _Dst=0x1b697d30) returned 0x1b697d30 [0113.586] VirtualProtect (in: lpAddress=0x1b697d30, dwSize=0x3b, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.586] VirtualProtect (in: lpAddress=0x1b697d6c, dwSize=0x97, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.587] memcpy (in: _Dst=0x1b697d6c, _Src=0x28cc7d8, _Size=0x97 | out: _Dst=0x1b697d6c) returned 0x1b697d6c [0113.587] VirtualProtect (in: lpAddress=0x1b697d6c, dwSize=0x97, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.587] VirtualProtect (in: lpAddress=0x1b697e14, dwSize=0x99, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.587] memcpy (in: _Dst=0x1b697e14, _Src=0x28cc888, _Size=0x99 | out: _Dst=0x1b697e14) returned 0x1b697e14 [0113.587] VirtualProtect (in: lpAddress=0x1b697e14, dwSize=0x99, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.587] VirtualProtect (in: lpAddress=0x1b697eb0, dwSize=0x21c, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.588] memcpy (in: _Dst=0x1b697eb0, _Src=0x28cc940, _Size=0x21c | out: _Dst=0x1b697eb0) returned 0x1b697eb0 [0113.588] VirtualProtect (in: lpAddress=0x1b697eb0, dwSize=0x21c, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.588] VirtualProtect (in: lpAddress=0x1b698118, dwSize=0x27, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.588] memcpy (in: _Dst=0x1b698118, _Src=0x28ccb78, _Size=0x27 | out: _Dst=0x1b698118) returned 0x1b698118 [0113.588] VirtualProtect (in: lpAddress=0x1b698118, dwSize=0x27, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.589] VirtualProtect (in: lpAddress=0x1b698140, dwSize=0xb0, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.589] memcpy (in: _Dst=0x1b698140, _Src=0x28ccbb8, _Size=0xb0 | out: _Dst=0x1b698140) returned 0x1b698140 [0113.589] VirtualProtect (in: lpAddress=0x1b698140, dwSize=0xb0, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.589] VirtualProtect (in: lpAddress=0x1b698200, dwSize=0x37, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.589] memcpy (in: _Dst=0x1b698200, _Src=0x28ccc80, _Size=0x37 | out: _Dst=0x1b698200) returned 0x1b698200 [0113.589] VirtualProtect (in: lpAddress=0x1b698200, dwSize=0x37, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.590] VirtualProtect (in: lpAddress=0x1b698238, dwSize=0x196, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.590] memcpy (in: _Dst=0x1b698238, _Src=0x28cccd0, _Size=0x196 | out: _Dst=0x1b698238) returned 0x1b698238 [0113.590] VirtualProtect (in: lpAddress=0x1b698238, dwSize=0x196, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.590] VirtualProtect (in: lpAddress=0x1b6983d0, dwSize=0x174, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.590] memcpy (in: _Dst=0x1b6983d0, _Src=0x28cce80, _Size=0x174 | out: _Dst=0x1b6983d0) returned 0x1b6983d0 [0113.590] VirtualProtect (in: lpAddress=0x1b6983d0, dwSize=0x174, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.591] VirtualProtect (in: lpAddress=0x1b698578, dwSize=0x42, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.591] memcpy (in: _Dst=0x1b698578, _Src=0x28cd010, _Size=0x42 | out: _Dst=0x1b698578) returned 0x1b698578 [0113.591] VirtualProtect (in: lpAddress=0x1b698578, dwSize=0x42, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.591] VirtualProtect (in: lpAddress=0x1b6985bc, dwSize=0x72, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.591] memcpy (in: _Dst=0x1b6985bc, _Src=0x28cd070, _Size=0x72 | out: _Dst=0x1b6985bc) returned 0x1b6985bc [0113.592] VirtualProtect (in: lpAddress=0x1b6985bc, dwSize=0x72, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.592] VirtualProtect (in: lpAddress=0x1b698630, dwSize=0x2f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.592] memcpy (in: _Dst=0x1b698630, _Src=0x28cd100, _Size=0x2f | out: _Dst=0x1b698630) returned 0x1b698630 [0113.592] VirtualProtect (in: lpAddress=0x1b698630, dwSize=0x2f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.592] VirtualProtect (in: lpAddress=0x1b698660, dwSize=0x27, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.593] memcpy (in: _Dst=0x1b698660, _Src=0x28cd148, _Size=0x27 | out: _Dst=0x1b698660) returned 0x1b698660 [0113.593] VirtualProtect (in: lpAddress=0x1b698660, dwSize=0x27, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.593] VirtualProtect (in: lpAddress=0x1b698688, dwSize=0x620, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.593] memcpy (in: _Dst=0x1b698688, _Src=0x28cd188, _Size=0x620 | out: _Dst=0x1b698688) returned 0x1b698688 [0113.593] VirtualProtect (in: lpAddress=0x1b698688, dwSize=0x620, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.593] VirtualProtect (in: lpAddress=0x1b698d0c, dwSize=0x2f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.594] memcpy (in: _Dst=0x1b698d0c, _Src=0x28cd7c0, _Size=0x2f | out: _Dst=0x1b698d0c) returned 0x1b698d0c [0113.594] VirtualProtect (in: lpAddress=0x1b698d0c, dwSize=0x2f, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.594] VirtualProtect (in: lpAddress=0x1b698d3c, dwSize=0x1a, flNewProtect=0x4, lpflOldProtect=0x14d338 | out: lpflOldProtect=0x14d338*=0x4) returned 1 [0113.594] memcpy (in: _Dst=0x1b698d3c, _Src=0x28cd808, _Size=0x1a | out: _Dst=0x1b698d3c) returned 0x1b698d3c [0115.063] CreateFileMappingW (hFile=0xffffffffffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1e000, lpName=0x0) returned 0x2f0 [0115.064] memcpy (in: _Dst=0xae0000, _Src=0x14233cc8, _Size=0x1e000 | out: _Dst=0xae0000) returned 0xae0000 [0115.120] GetEnvironmentVariableW (in: lpName="COR_ENABLE_PROFILING", lpBuffer=0x14d120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0115.120] GetEnvironmentVariableW (in: lpName="COR_PROFILER", lpBuffer=0x14d120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0115.323] VirtualProtect (in: lpAddress=0x1b690178, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0115.392] memcpy (in: _Dst=0x1b690178, _Src=0x289abc8, _Size=0x8 | out: _Dst=0x1b690178) returned 0x1b690178 [0115.392] VirtualProtect (in: lpAddress=0x1b6901a0, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0115.455] memcpy (in: _Dst=0x1b6901a0, _Src=0x289abe8, _Size=0x8 | out: _Dst=0x1b6901a0) returned 0x1b6901a0 [0115.455] VirtualProtect (in: lpAddress=0x1b6901c8, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0115.533] memcpy (in: _Dst=0x1b6901c8, _Src=0x289ac08, _Size=0x8 | out: _Dst=0x1b6901c8) returned 0x1b6901c8 [0115.533] VirtualProtect (in: lpAddress=0x1b6901f0, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0115.596] memcpy (in: _Dst=0x1b6901f0, _Src=0x289ac28, _Size=0x8 | out: _Dst=0x1b6901f0) returned 0x1b6901f0 [0115.596] VirtualProtect (in: lpAddress=0x1bb115be, dwSize=0xb, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0115.658] VirtualProtect (in: lpAddress=0x1bb115b2, dwSize=0xb, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0115.722] VirtualProtect (in: lpAddress=0x1b690408, dwSize=0x48, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0115.783] VirtualProtect (in: lpAddress=0x1b9c011c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0115.856] VirtualProtect (in: lpAddress=0x1b9c013c, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0115.921] VirtualProtect (in: lpAddress=0x1b9c0144, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0116.011] VirtualProtect (in: lpAddress=0x1b9c0148, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0116.074] VirtualProtect (in: lpAddress=0x1b9c0150, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0116.137] VirtualProtect (in: lpAddress=0x1b9c0154, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0116.198] VirtualProtect (in: lpAddress=0x1b9c0158, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0116.263] VirtualProtect (in: lpAddress=0x1b9c015c, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0116.312] VirtualProtect (in: lpAddress=0x1b9c0164, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0116.400] VirtualProtect (in: lpAddress=0x1b9c0168, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0116.463] VirtualProtect (in: lpAddress=0x1b9c0170, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0116.540] VirtualProtect (in: lpAddress=0x1b9c0174, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0116.602] VirtualProtect (in: lpAddress=0x1b9c0178, dwSize=0x8, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0116.660] VirtualProtect (in: lpAddress=0x1b9c0180, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0116.717] VirtualProtect (in: lpAddress=0x1b9c0184, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x14d358 | out: lpflOldProtect=0x14d358*=0x1) returned 0 [0118.109] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x31c [0118.110] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x320 [0118.135] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x14c808 | out: phkResult=0x14c808*=0x324) returned 0x0 [0118.137] RegQueryValueExW (in: hKey=0x324, lpValueName="InstallationType", lpReserved=0x0, lpType=0x14c858, lpData=0x0, lpcbData=0x14c850*=0x0 | out: lpType=0x14c858*=0x1, lpData=0x0, lpcbData=0x14c850*=0xe) returned 0x0 [0118.138] RegQueryValueExW (in: hKey=0x324, lpValueName="InstallationType", lpReserved=0x0, lpType=0x14c858, lpData=0x289bf58, lpcbData=0x14c850*=0xe | out: lpType=0x14c858*=0x1, lpData="Client", lpcbData=0x14c850*=0xe) returned 0x0 [0118.140] RegCloseKey (hKey=0x324) returned 0x0 [0118.884] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe.config", nBufferLength=0x105, lpBuffer=0x14bf00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe.config", lpFilePart=0x0) returned 0x69 [0119.425] GetCurrentProcess () returned 0xffffffffffffffff [0119.426] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14c158 | out: TokenHandle=0x14c158*=0x324) returned 1 [0119.431] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x14bb70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\", lpFilePart=0x0) returned 0x30 [0119.437] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x14c200 | out: lpFileInformation=0x14c200*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fdfbae, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x982bc0b8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x982bc0b8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0119.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x14bb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x45 [0119.440] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x14c1f8 | out: lpFileInformation=0x14c1f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5fdfbae, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x982bc0b8, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x982bc0b8, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0119.444] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x14bb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x45 [0119.444] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x14c070) returned 1 [0119.444] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x328 [0119.445] GetFileType (hFile=0x328) returned 0x1 [0119.445] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x14bfe0) returned 1 [0119.445] GetFileType (hFile=0x328) returned 0x1 [0119.510] GetFileSize (in: hFile=0x328, lpFileSizeHigh=0x14c148 | out: lpFileSizeHigh=0x14c148*=0x0) returned 0x8c8f [0119.510] ReadFile (in: hFile=0x328, lpBuffer=0x28a14b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14c0b8, lpOverlapped=0x0 | out: lpBuffer=0x28a14b0*, lpNumberOfBytesRead=0x14c0b8*=0x1000, lpOverlapped=0x0) returned 1 [0119.538] ReadFile (in: hFile=0x328, lpBuffer=0x28a14b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14be98, lpOverlapped=0x0 | out: lpBuffer=0x28a14b0*, lpNumberOfBytesRead=0x14be98*=0x1000, lpOverlapped=0x0) returned 1 [0119.577] ReadFile (in: hFile=0x328, lpBuffer=0x28a14b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14bc88, lpOverlapped=0x0 | out: lpBuffer=0x28a14b0*, lpNumberOfBytesRead=0x14bc88*=0x1000, lpOverlapped=0x0) returned 1 [0119.578] ReadFile (in: hFile=0x328, lpBuffer=0x28a14b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14bc88, lpOverlapped=0x0 | out: lpBuffer=0x28a14b0*, lpNumberOfBytesRead=0x14bc88*=0x1000, lpOverlapped=0x0) returned 1 [0119.578] ReadFile (in: hFile=0x328, lpBuffer=0x28a14b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14bc88, lpOverlapped=0x0 | out: lpBuffer=0x28a14b0*, lpNumberOfBytesRead=0x14bc88*=0x1000, lpOverlapped=0x0) returned 1 [0119.579] ReadFile (in: hFile=0x328, lpBuffer=0x28a14b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14bb48, lpOverlapped=0x0 | out: lpBuffer=0x28a14b0*, lpNumberOfBytesRead=0x14bb48*=0x1000, lpOverlapped=0x0) returned 1 [0119.585] ReadFile (in: hFile=0x328, lpBuffer=0x28a14b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14bd88, lpOverlapped=0x0 | out: lpBuffer=0x28a14b0*, lpNumberOfBytesRead=0x14bd88*=0x1000, lpOverlapped=0x0) returned 1 [0119.588] ReadFile (in: hFile=0x328, lpBuffer=0x28a14b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14bc38, lpOverlapped=0x0 | out: lpBuffer=0x28a14b0*, lpNumberOfBytesRead=0x14bc38*=0x1000, lpOverlapped=0x0) returned 1 [0119.588] ReadFile (in: hFile=0x328, lpBuffer=0x28a14b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14bc38, lpOverlapped=0x0 | out: lpBuffer=0x28a14b0*, lpNumberOfBytesRead=0x14bc38*=0xc8f, lpOverlapped=0x0) returned 1 [0119.588] ReadFile (in: hFile=0x328, lpBuffer=0x28a14b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14bd58, lpOverlapped=0x0 | out: lpBuffer=0x28a14b0*, lpNumberOfBytesRead=0x14bd58*=0x0, lpOverlapped=0x0) returned 1 [0119.588] CloseHandle (hObject=0x328) returned 1 [0119.590] GetCurrentProcess () returned 0xffffffffffffffff [0119.590] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14c388 | out: TokenHandle=0x14c388*=0x328) returned 1 [0119.591] GetCurrentProcess () returned 0xffffffffffffffff [0119.591] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14c388 | out: TokenHandle=0x14c388*=0x32c) returned 1 [0119.592] GetCurrentProcess () returned 0xffffffffffffffff [0119.592] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14c158 | out: TokenHandle=0x14c158*=0x330) returned 1 [0119.592] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x14c200 | out: lpFileInformation=0x14c200*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0119.593] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe.config", nBufferLength=0x105, lpBuffer=0x14bb90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe.config", lpFilePart=0x0) returned 0x69 [0119.597] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x14c1f8 | out: lpFileInformation=0x14c1f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0119.598] GetCurrentProcess () returned 0xffffffffffffffff [0119.598] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14c388 | out: TokenHandle=0x14c388*=0x334) returned 1 [0119.599] GetCurrentProcess () returned 0xffffffffffffffff [0119.599] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14c388 | out: TokenHandle=0x14c388*=0x338) returned 1 [0119.629] GetCurrentProcess () returned 0xffffffffffffffff [0119.629] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14c0e8 | out: TokenHandle=0x14c0e8*=0x33c) returned 1 [0119.742] GetCurrentProcess () returned 0xffffffffffffffff [0119.742] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14c0f8 | out: TokenHandle=0x14c0f8*=0x340) returned 1 [0119.786] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e5c8 | out: phkResult=0x14e5c8*=0x344) returned 0x0 [0119.787] RegQueryValueExW (in: hKey=0x344, lpValueName="SchUseStrongCrypto", lpReserved=0x0, lpType=0x14e608, lpData=0x0, lpcbData=0x14e600*=0x0 | out: lpType=0x14e608*=0x4, lpData=0x0, lpcbData=0x14e600*=0x4) returned 0x0 [0119.787] RegQueryValueExW (in: hKey=0x344, lpValueName="SchUseStrongCrypto", lpReserved=0x0, lpType=0x14e608, lpData=0x14e5e8, lpcbData=0x14e600*=0x4 | out: lpType=0x14e608*=0x4, lpData=0x14e5e8*=0x1, lpcbData=0x14e600*=0x4) returned 0x0 [0119.790] RegQueryValueExW (in: hKey=0x344, lpValueName="SchUseStrongCrypto", lpReserved=0x0, lpType=0x14e678, lpData=0x0, lpcbData=0x14e670*=0x0 | out: lpType=0x14e678*=0x4, lpData=0x0, lpcbData=0x14e670*=0x4) returned 0x0 [0119.794] RegCloseKey (hKey=0x344) returned 0x0 [0119.806] GetCurrentProcessId () returned 0xc04 [0119.815] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x14d620 | out: lpLuid=0x14d620*(LowPart=0x14, HighPart=0)) returned 1 [0119.818] GetCurrentProcess () returned 0xffffffffffffffff [0119.819] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x14d618 | out: TokenHandle=0x14d618*=0x34c) returned 1 [0119.819] AdjustTokenPrivileges (in: TokenHandle=0x34c, DisableAllPrivileges=0, NewState=0x28c8440*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0119.819] CloseHandle (hObject=0x34c) returned 1 [0119.822] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc04) returned 0x34c [0119.936] EnumProcessModules (in: hProcess=0x34c, lphModule=0x28c84a8, cb=0x200, lpcbNeeded=0x14e5d0 | out: lphModule=0x28c84a8, lpcbNeeded=0x14e5d0) returned 1 [0119.939] GetModuleInformation (in: hProcess=0x34c, hModule=0x400000, lpmodinfo=0x28c8718, cb=0x18 | out: lpmodinfo=0x28c8718*(lpBaseOfDll=0x400000, SizeOfImage=0x5ea000, EntryPoint=0x0)) returned 1 [0119.940] CoTaskMemAlloc (cb=0x804) returned 0xbe43c0 [0119.941] GetModuleBaseNameW (in: hProcess=0x34c, hModule=0x400000, lpBaseName=0xbe43c0, nSize=0x800 | out: lpBaseName="740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 0x44 [0119.941] CoTaskMemFree (pv=0xbe43c0) [0119.942] CoTaskMemAlloc (cb=0x804) returned 0xbeace0 [0119.943] GetModuleFileNameExW (in: hProcess=0x34c, hModule=0x400000, lpFilename=0xbeace0, nSize=0x800 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe")) returned 0x62 [0119.943] CoTaskMemFree (pv=0xbeace0) [0119.946] CloseHandle (hObject=0x34c) returned 1 [0119.948] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", nBufferLength=0x105, lpBuffer=0x14e110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", lpFilePart=0x0) returned 0x62 [0119.949] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.SecurityProtocol", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e5c8 | out: phkResult=0x14e5c8*=0x0) returned 0x2 [0119.968] GetCurrentProcessId () returned 0xc04 [0119.968] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xc04) returned 0x34c [0119.968] EnumProcessModules (in: hProcess=0x34c, lphModule=0x28cb750, cb=0x200, lpcbNeeded=0x14e5e0 | out: lphModule=0x28cb750, lpcbNeeded=0x14e5e0) returned 1 [0119.969] GetModuleInformation (in: hProcess=0x34c, hModule=0x400000, lpmodinfo=0x28cb9c0, cb=0x18 | out: lpmodinfo=0x28cb9c0*(lpBaseOfDll=0x400000, SizeOfImage=0x5ea000, EntryPoint=0x0)) returned 1 [0119.969] CoTaskMemAlloc (cb=0x804) returned 0xbe5c40 [0119.969] GetModuleBaseNameW (in: hProcess=0x34c, hModule=0x400000, lpBaseName=0xbe5c40, nSize=0x800 | out: lpBaseName="740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 0x44 [0119.970] CoTaskMemFree (pv=0xbe5c40) [0119.970] CoTaskMemAlloc (cb=0x804) returned 0xbe4c20 [0119.970] GetModuleFileNameExW (in: hProcess=0x34c, hModule=0x400000, lpFilename=0xbe4c20, nSize=0x800 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe")) returned 0x62 [0119.970] CoTaskMemFree (pv=0xbe4c20) [0119.970] CloseHandle (hObject=0x34c) returned 1 [0119.970] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", nBufferLength=0x105, lpBuffer=0x14e120, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", lpFilePart=0x0) returned 0x62 [0119.970] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.SchSendAuxRecord", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e5d8 | out: phkResult=0x14e5d8*=0x0) returned 0x2 [0119.971] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e5d8 | out: phkResult=0x14e5d8*=0x34c) returned 0x0 [0119.971] RegQueryValueExW (in: hKey=0x34c, lpValueName="SchSendAuxRecord", lpReserved=0x0, lpType=0x14e618, lpData=0x0, lpcbData=0x14e610*=0x0 | out: lpType=0x14e618*=0x0, lpData=0x0, lpcbData=0x14e610*=0x0) returned 0x2 [0119.971] RegCloseKey (hKey=0x34c) returned 0x0 [0120.070] GetCurrentProcess () returned 0xffffffffffffffff [0120.070] GetCurrentThread () returned 0xfffffffffffffffe [0120.071] GetCurrentProcess () returned 0xffffffffffffffff [0120.073] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x14e740, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x14e740*=0x354) returned 1 [0120.079] GetCurrentThreadId () returned 0x5f4 [0120.117] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", nBufferLength=0x105, lpBuffer=0x14e090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", lpFilePart=0x0) returned 0x77 [0120.137] IsAppThemed () returned 0x1 [0120.142] CoTaskMemAlloc (cb=0xf0) returned 0xbc8460 [0120.142] CreateActCtxA (pActCtx=0x14e660) returned 0xbd6058 [0120.231] CoTaskMemFree (pv=0xbc8460) [0120.247] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLNAME") returned 0xc1e0 [0120.247] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLTYPE") returned 0xc1df [0120.433] GetSystemMetrics (nIndex=75) returned 1 [0120.437] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0 [0121.585] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x7ffa080f0000 [0121.603] AdjustWindowRectEx (in: lpRect=0x14e6f0, dwStyle=0x56cf0000, bMenu=0, dwExStyle=0x50001 | out: lpRect=0x14e6f0) returned 1 [0121.627] GetCurrentActCtx (in: lphActCtx=0x14e400 | out: lphActCtx=0x14e400*=0x0) returned 1 [0121.627] ActivateActCtx (in: hActCtx=0xbd6058, lpCookie=0x14e440 | out: hActCtx=0xbd6058, lpCookie=0x14e440) returned 1 [0121.627] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x7ffa080f0000 [0121.632] GetModuleHandleW (lpModuleName="user32.dll") returned 0x7ffa13d80000 [0121.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x14e130, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcW", lpUsedDefaultChar=0x0) returned 14 [0121.633] GetProcAddress (hModule=0x7ffa13d80000, lpProcName="DefWindowProcW") returned 0x7ffa16814a40 [0121.671] GetStockObject (i=5) returned 0x1900015 [0121.676] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0121.678] CoTaskMemAlloc (cb=0x5a) returned 0xbc5470 [0121.678] RegisterClassW (lpWndClass=0x14e0f0) returned 0xc1db [0121.679] CoTaskMemFree (pv=0xbc5470) [0121.679] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0121.680] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.Window.8.app.0.1ca0192_r8_ad1", lpWindowName=0x0, dwStyle=0x2010000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0xfffffffffffffffd, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x90320 [0121.688] SetWindowLongPtrW (hWnd=0x90320, nIndex=-4, dwNewLong=0x7ffa16814a40) returned 0x1af70cfc [0121.691] GetWindowLongPtrW (hWnd=0x90320, nIndex=-4) returned 0x7ffa16814a40 [0121.693] SetWindowLongPtrW (hWnd=0x90320, nIndex=-4, dwNewLong=0x1af70d4c) returned 0x7ffa16814a40 [0121.693] GetWindowLongPtrW (hWnd=0x90320, nIndex=-4) returned 0x1af70d4c [0121.693] GetWindowLongPtrW (hWnd=0x90320, nIndex=-16) returned 0x6c10000 [0121.697] RegisterClipboardFormatW (lpszFormat="WinFormsMouseEnter") returned 0xc14b [0121.698] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x90320, Msg=0x24, wParam=0x0, lParam=0x14db10) returned 0x0 [0121.699] RegisterClipboardFormatW (lpszFormat="WinFormsUnSubclass") returned 0xc1d9 [0121.699] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x90320, Msg=0x81, wParam=0x0, lParam=0x14da80) returned 0x1 [0121.700] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x90320, Msg=0x83, wParam=0x0, lParam=0x14db30) returned 0x0 [0122.010] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x90320, Msg=0x1, wParam=0x0, lParam=0x14da80) returned 0x0 [0122.010] GetClientRect (in: hWnd=0x90320, lpRect=0x14d510 | out: lpRect=0x14d510) returned 1 [0122.010] GetWindowRect (in: hWnd=0x90320, lpRect=0x14d510 | out: lpRect=0x14d510) returned 1 [0122.015] GetParent (hWnd=0x90320) returned 0x0 [0122.015] DeactivateActCtx (dwFlags=0x0, ulCookie=0x11ca0df600000001) returned 1 [0122.215] RegisterClipboardFormatW (lpszFormat="TaskbarCreated") returned 0xc06e [0122.230] GetCurrentActCtx (in: lphActCtx=0x14e750 | out: lphActCtx=0x14e750*=0x0) returned 1 [0122.230] ActivateActCtx (in: hActCtx=0xbd6058, lpCookie=0x14e790 | out: hActCtx=0xbd6058, lpCookie=0x14e790) returned 1 [0122.232] GetCurrentActCtx (in: lphActCtx=0x14e3e0 | out: lphActCtx=0x14e3e0*=0xbd6058) returned 1 [0122.233] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x7ffa080f0000 [0122.233] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0122.233] CreateWindowExW (dwExStyle=0x50000, lpClassName="WindowsForms10.Window.8.app.0.1ca0192_r8_ad1", lpWindowName=0x0, dwStyle=0x2cf0000, X=-2147483648, Y=-2147483648, nWidth=300, nHeight=300, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x30340 [0122.965] SetWindowLongPtrW (hWnd=0x30340, nIndex=-4, dwNewLong=0x7ffa16814a40) returned 0x1af70cfc [0122.966] GetWindowLongPtrW (hWnd=0x30340, nIndex=-4) returned 0x7ffa16814a40 [0122.966] SetWindowLongPtrW (hWnd=0x30340, nIndex=-4, dwNewLong=0x1af70d9c) returned 0x7ffa16814a40 [0122.966] GetWindowLongPtrW (hWnd=0x30340, nIndex=-4) returned 0x1af70d9c [0122.966] GetWindowLongPtrW (hWnd=0x30340, nIndex=-16) returned 0x6cf0000 [0122.967] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x81, wParam=0x0, lParam=0x14da60) returned 0x1 [0122.975] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x83, wParam=0x0, lParam=0x14db10) returned 0x0 [0122.982] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x1, wParam=0x0, lParam=0x14da60) returned 0x0 [0122.982] GetClientRect (in: hWnd=0x30340, lpRect=0x14d4b0 | out: lpRect=0x14d4b0) returned 1 [0122.982] GetWindowRect (in: hWnd=0x30340, lpRect=0x14d4b0 | out: lpRect=0x14d4b0) returned 1 [0122.991] GetProcessWindowStation () returned 0xb4 [0122.992] GetUserObjectInformationA (in: hObj=0xb4, nIndex=1, pvInfo=0x28d9768, nLength=0xc, lpnLengthNeeded=0x14d240 | out: pvInfo=0x28d9768, lpnLengthNeeded=0x14d240) returned 1 [0122.994] SetConsoleCtrlHandler (HandlerRoutine=0x1af70dec, Add=1) returned 1 [0122.996] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0122.997] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0122.997] GetClassInfoW (in: hInstance=0x400000, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.1ca0192.0", lpWndClass=0x28d9828 | out: lpWndClass=0x28d9828) returned 0 [0122.998] CoTaskMemAlloc (cb=0x58) returned 0xba8680 [0122.998] RegisterClassW (lpWndClass=0x14d050) returned 0xc1da [0122.999] CoTaskMemFree (pv=0xba8680) [0123.000] CreateWindowExW (dwExStyle=0x0, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.1ca0192.0", lpWindowName=".NET-BroadcastEventWindow.4.0.0.0.1ca0192.0", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x50304 [0123.002] NtdllDefWindowProc_W (hWnd=0x50304, Msg=0x81, wParam=0x0, lParam=0x14c970) returned 0x1 [0123.004] NtdllDefWindowProc_W (hWnd=0x50304, Msg=0x83, wParam=0x0, lParam=0x14ca20) returned 0x0 [0123.004] NtdllDefWindowProc_W (hWnd=0x50304, Msg=0x1, wParam=0x0, lParam=0x14c910) returned 0x0 [0123.005] NtdllDefWindowProc_W (hWnd=0x50304, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0123.005] NtdllDefWindowProc_W (hWnd=0x50304, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0123.008] GetStartupInfoW (in: lpStartupInfo=0x28d9d20 | out: lpStartupInfo=0x28d9d20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0123.010] GetParent (hWnd=0x30340) returned 0x0 [0123.010] SetWindowLongPtrW (hWnd=0x30340, nIndex=-8, dwNewLong=0x0) returned 0x0 [0123.010] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x2e0, wParam=0x600060, lParam=0x14e380) returned 0x0 [0123.010] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x46, wParam=0x0, lParam=0x14e370) returned 0x0 [0123.011] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x83, wParam=0x1, lParam=0x14e340) returned 0x0 [0123.013] GetWindowPlacement (in: hWnd=0x30340, lpwndpl=0x14df18 | out: lpwndpl=0x14df18) returned 1 [0123.013] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x47, wParam=0x0, lParam=0x14e370) returned 0x0 [0123.013] GetClientRect (in: hWnd=0x30340, lpRect=0x14ddb0 | out: lpRect=0x14ddb0) returned 1 [0123.013] GetWindowRect (in: hWnd=0x30340, lpRect=0x14ddb0 | out: lpRect=0x14ddb0) returned 1 [0123.024] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x0 [0123.024] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x7f, wParam=0x0, lParam=0x0) returned 0x0 [0123.024] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x7f, wParam=0x1, lParam=0x0) returned 0x0 [0123.037] GetSystemMetrics (nIndex=11) returned 32 [0123.037] GetSystemMetrics (nIndex=12) returned 32 [0123.038] GetDC (hWnd=0x0) returned 0xa0100d0 [0123.042] GetDeviceCaps (hdc=0xa0100d0, index=12) returned 32 [0123.042] GetDeviceCaps (hdc=0xa0100d0, index=14) returned 1 [0123.042] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1 [0123.043] CreateIconFromResourceEx (presbits=0x28dccb0, dwResSize=0x10a8, fIcon=1, dwVer=0x30000, cxDesired=0, cyDesired=0, Flags=0x0) returned 0x1d0365 [0123.046] GetSystemMetrics (nIndex=49) returned 16 [0123.046] GetSystemMetrics (nIndex=50) returned 16 [0123.048] CreateIconFromResourceEx (presbits=0x28dddb8, dwResSize=0x468, fIcon=1, dwVer=0x30000, cxDesired=0, cyDesired=0, Flags=0x0) returned 0x1d0089 [0123.051] SendMessageW (hWnd=0x30340, Msg=0x80, wParam=0x0, lParam=0x1d0089) returned 0x0 [0123.051] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x80, wParam=0x0, lParam=0x1d0089) returned 0x0 [0123.058] SendMessageW (hWnd=0x30340, Msg=0x80, wParam=0x1, lParam=0x1d0365) returned 0x0 [0123.058] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x80, wParam=0x1, lParam=0x1d0365) returned 0x0 [0123.059] GetSystemMenu (hWnd=0x30340, bRevert=0) returned 0xe0139 [0123.079] GetWindowPlacement (in: hWnd=0x30340, lpwndpl=0x14e3e8 | out: lpwndpl=0x14e3e8) returned 1 [0123.080] EnableMenuItem (hMenu=0xe0139, uIDEnableItem=0xf020, uEnable=0x0) returned 0 [0123.080] EnableMenuItem (hMenu=0xe0139, uIDEnableItem=0xf030, uEnable=0x0) returned 0 [0123.080] EnableMenuItem (hMenu=0xe0139, uIDEnableItem=0xf060, uEnable=0x0) returned 0 [0123.080] EnableMenuItem (hMenu=0xe0139, uIDEnableItem=0xf120, uEnable=0x1) returned 0 [0123.080] EnableMenuItem (hMenu=0xe0139, uIDEnableItem=0xf000, uEnable=0x0) returned 0 [0123.080] GetClientRect (in: hWnd=0x30340, lpRect=0x14e4b0 | out: lpRect=0x14e4b0) returned 1 [0123.080] GetClientRect (in: hWnd=0x30340, lpRect=0x14e3e0 | out: lpRect=0x14e3e0) returned 1 [0123.081] GetWindowRect (in: hWnd=0x30340, lpRect=0x14e3e0 | out: lpRect=0x14e3e0) returned 1 [0123.081] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x7ffa080f0000 [0123.081] GetWindowLongPtrW (hWnd=0x30340, nIndex=-16) returned 0x6cf0000 [0123.082] GetWindowTextLengthW (hWnd=0x30340) returned 0 [0123.082] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x0 [0123.082] GetSystemMetrics (nIndex=42) returned 0 [0123.083] GetWindowTextW (in: hWnd=0x30340, lpString=0x14e1f0, nMaxCount=1 | out: lpString="") returned 0 [0123.083] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0xd, wParam=0x1, lParam=0x14e1f0) returned 0x0 [0123.083] GetWindowTextLengthW (hWnd=0x30340) returned 0 [0123.083] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x0 [0123.084] GetSystemMetrics (nIndex=42) returned 0 [0123.084] GetWindowTextW (in: hWnd=0x30340, lpString=0x14e1f0, nMaxCount=1 | out: lpString="") returned 0 [0123.084] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0xd, wParam=0x1, lParam=0x14e1f0) returned 0x0 [0123.084] GetWindowLongPtrW (hWnd=0x30340, nIndex=-16) returned 0x6cf0000 [0123.084] GetWindowLongPtrW (hWnd=0x30340, nIndex=-20) returned 0x50100 [0123.084] SetWindowLongPtrW (hWnd=0x30340, nIndex=-16, dwNewLong=0x2cf0000) returned 0x6cf0000 [0123.084] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x7c, wParam=0xfffffffffffffff0, lParam=0x14e2b0) returned 0x0 [0123.086] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x7d, wParam=0xfffffffffffffff0, lParam=0x14e2b0) returned 0x0 [0123.087] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x1d0089 [0123.088] SetWindowLongPtrW (hWnd=0x30340, nIndex=-20, dwNewLong=0x50000) returned 0x50100 [0123.088] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x7c, wParam=0xffffffffffffffec, lParam=0x14e2b0) returned 0x0 [0123.088] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x7d, wParam=0xffffffffffffffec, lParam=0x14e2b0) returned 0x0 [0123.091] SetWindowPos (hWnd=0x30340, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1 [0123.091] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x46, wParam=0x0, lParam=0x14e310) returned 0x0 [0123.091] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x83, wParam=0x1, lParam=0x14e2e0) returned 0x0 [0123.092] GetWindowPlacement (in: hWnd=0x30340, lpwndpl=0x14deb8 | out: lpwndpl=0x14deb8) returned 1 [0123.092] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x47, wParam=0x0, lParam=0x14e310) returned 0x0 [0123.092] GetClientRect (in: hWnd=0x30340, lpRect=0x14dd50 | out: lpRect=0x14dd50) returned 1 [0123.092] GetWindowRect (in: hWnd=0x30340, lpRect=0x14dd50 | out: lpRect=0x14dd50) returned 1 [0123.094] RedrawWindow (hWnd=0x30340, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0x85) returned 1 [0123.094] GetSystemMenu (hWnd=0x30340, bRevert=0) returned 0xe0139 [0123.094] GetWindowPlacement (in: hWnd=0x30340, lpwndpl=0x14e388 | out: lpwndpl=0x14e388) returned 1 [0123.094] EnableMenuItem (hMenu=0xe0139, uIDEnableItem=0xf020, uEnable=0x0) returned 0 [0123.094] EnableMenuItem (hMenu=0xe0139, uIDEnableItem=0xf030, uEnable=0x0) returned 0 [0123.094] EnableMenuItem (hMenu=0xe0139, uIDEnableItem=0xf060, uEnable=0x0) returned 0 [0123.094] EnableMenuItem (hMenu=0xe0139, uIDEnableItem=0xf120, uEnable=0x1) returned 1 [0123.094] EnableMenuItem (hMenu=0xe0139, uIDEnableItem=0xf000, uEnable=0x0) returned 0 [0123.094] ShowWindow (hWnd=0x30340, nCmdShow=5) returned 0 [0123.094] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0123.139] GetFocus () returned 0x0 [0123.139] ShowWindow (hWnd=0x30340, nCmdShow=0) returned 0 [0123.163] GetCurrentThreadId () returned 0x5f4 [0123.171] EnumThreadWindows (dwThreadId=0x5f4, lpfn=0x1af70ecc, lParam=0x30340) returned 1 [0123.212] GetWindowLongPtrW (hWnd=0x50304, nIndex=-8) returned 0x0 [0123.213] GetWindowLongPtrW (hWnd=0x30340, nIndex=-8) returned 0x0 [0123.213] GetWindowLongPtrW (hWnd=0x8002c, nIndex=-8) returned 0x30340 [0123.275] SetWindowLongPtrW (hWnd=0x8002c, nIndex=-8, dwNewLong=0x0) returned 0x30340 [0123.284] GetFocus () returned 0x0 [0123.284] GetParent (hWnd=0x30340) returned 0x0 [0123.284] GetWindowLongPtrW (hWnd=0x30340, nIndex=-20) returned 0x50100 [0123.284] DestroyWindow (hWnd=0x30340) returned 1 [0123.284] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0123.288] GetWindowTextLengthW (hWnd=0x30340) returned 0 [0123.288] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x0 [0123.288] GetSystemMetrics (nIndex=42) returned 0 [0123.288] GetWindowTextW (in: hWnd=0x30340, lpString=0x14d2b0, nMaxCount=1 | out: lpString="") returned 0 [0123.288] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0xd, wParam=0x1, lParam=0x14d2b0) returned 0x0 [0123.289] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0123.290] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x30340, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0123.303] GetCurrentActCtx (in: lphActCtx=0x14dae0 | out: lphActCtx=0x14dae0*=0xbd6058) returned 1 [0123.304] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x7ffa080f0000 [0123.305] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0123.305] CreateWindowExW (dwExStyle=0x10000, lpClassName="WindowsForms10.Window.8.app.0.1ca0192_r8_ad1", lpWindowName=0x0, dwStyle=0x2cf0000, X=104, Y=104, nWidth=300, nHeight=300, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x60082 [0123.305] SetWindowLongPtrW (hWnd=0x60082, nIndex=-4, dwNewLong=0x7ffa16814a40) returned 0x1af70cfc [0123.306] GetWindowLongPtrW (hWnd=0x60082, nIndex=-4) returned 0x7ffa16814a40 [0123.306] SetWindowLongPtrW (hWnd=0x60082, nIndex=-4, dwNewLong=0x1af70f1c) returned 0x7ffa16814a40 [0123.306] GetWindowLongPtrW (hWnd=0x60082, nIndex=-4) returned 0x1af70f1c [0123.306] GetWindowLongPtrW (hWnd=0x60082, nIndex=-16) returned 0x6cf0000 [0123.308] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x81, wParam=0x0, lParam=0x14d160) returned 0x1 [0123.308] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x83, wParam=0x0, lParam=0x14d210) returned 0x0 [0123.309] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x1, wParam=0x0, lParam=0x14d160) returned 0x0 [0123.309] GetClientRect (in: hWnd=0x60082, lpRect=0x14cbb0 | out: lpRect=0x14cbb0) returned 1 [0123.309] GetWindowRect (in: hWnd=0x60082, lpRect=0x14cbb0 | out: lpRect=0x14cbb0) returned 1 [0123.310] GetStartupInfoW (in: lpStartupInfo=0x28e13c8 | out: lpStartupInfo=0x28e13c8*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0123.311] GetParent (hWnd=0x60082) returned 0x0 [0123.312] GetStockObject (i=5) returned 0x1900015 [0123.312] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0123.313] CoTaskMemAlloc (cb=0x5a) returned 0xbc4d70 [0123.313] RegisterClassW (lpWndClass=0x14d7e0) returned 0xc1d8 [0123.313] CoTaskMemFree (pv=0xbc4d70) [0123.313] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0123.313] CreateWindowExW (dwExStyle=0x80, lpClassName="WindowsForms10.Window.0.app.0.1ca0192_r8_ad1", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x60046 [0123.314] SetWindowLongPtrW (hWnd=0x60046, nIndex=-4, dwNewLong=0x7ffa16814a40) returned 0x1af70f6c [0123.314] GetWindowLongPtrW (hWnd=0x60046, nIndex=-4) returned 0x7ffa16814a40 [0123.314] SetWindowLongPtrW (hWnd=0x60046, nIndex=-4, dwNewLong=0x1af70fbc) returned 0x7ffa16814a40 [0123.315] GetWindowLongPtrW (hWnd=0x60046, nIndex=-4) returned 0x1af70fbc [0123.315] GetWindowLongPtrW (hWnd=0x60046, nIndex=-16) returned 0x4c00000 [0123.316] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x24, wParam=0x0, lParam=0x14d200) returned 0x0 [0123.316] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x81, wParam=0x0, lParam=0x14d170) returned 0x1 [0123.317] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x83, wParam=0x0, lParam=0x14d220) returned 0x0 [0123.318] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x1, wParam=0x0, lParam=0x14d170) returned 0x0 [0123.319] SetWindowLongPtrW (hWnd=0x60082, nIndex=-8, dwNewLong=0x60046) returned 0x0 [0123.320] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x2e0, wParam=0x600060, lParam=0x14da80) returned 0x0 [0123.322] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x46, wParam=0x0, lParam=0x14da70) returned 0x0 [0123.322] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x83, wParam=0x1, lParam=0x14da40) returned 0x0 [0123.324] GetWindowPlacement (in: hWnd=0x60082, lpwndpl=0x14d618 | out: lpwndpl=0x14d618) returned 1 [0123.324] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x47, wParam=0x0, lParam=0x14da70) returned 0x0 [0123.324] GetClientRect (in: hWnd=0x60082, lpRect=0x14d4b0 | out: lpRect=0x14d4b0) returned 1 [0123.324] GetWindowRect (in: hWnd=0x60082, lpRect=0x14d4b0 | out: lpRect=0x14d4b0) returned 1 [0123.325] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x0 [0123.325] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x7f, wParam=0x0, lParam=0x0) returned 0x0 [0123.325] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x7f, wParam=0x1, lParam=0x0) returned 0x0 [0123.326] SendMessageW (hWnd=0x60082, Msg=0x80, wParam=0x0, lParam=0x1d0089) returned 0x0 [0123.326] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x80, wParam=0x0, lParam=0x1d0089) returned 0x0 [0123.327] SendMessageW (hWnd=0x60082, Msg=0x80, wParam=0x1, lParam=0x1d0365) returned 0x0 [0123.327] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x80, wParam=0x1, lParam=0x1d0365) returned 0x0 [0123.327] GetSystemMenu (hWnd=0x60082, bRevert=0) returned 0xf0139 [0123.328] GetWindowPlacement (in: hWnd=0x60082, lpwndpl=0x14dae8 | out: lpwndpl=0x14dae8) returned 1 [0123.328] EnableMenuItem (hMenu=0xf0139, uIDEnableItem=0xf020, uEnable=0x0) returned 0 [0123.328] EnableMenuItem (hMenu=0xf0139, uIDEnableItem=0xf030, uEnable=0x0) returned 0 [0123.328] EnableMenuItem (hMenu=0xf0139, uIDEnableItem=0xf060, uEnable=0x0) returned 0 [0123.328] EnableMenuItem (hMenu=0xf0139, uIDEnableItem=0xf120, uEnable=0x1) returned 0 [0123.328] EnableMenuItem (hMenu=0xf0139, uIDEnableItem=0xf000, uEnable=0x0) returned 0 [0123.328] GetClientRect (in: hWnd=0x60082, lpRect=0x14dbb0 | out: lpRect=0x14dbb0) returned 1 [0123.328] GetClientRect (in: hWnd=0x60082, lpRect=0x14dae0 | out: lpRect=0x14dae0) returned 1 [0123.328] GetWindowRect (in: hWnd=0x60082, lpRect=0x14dae0 | out: lpRect=0x14dae0) returned 1 [0123.328] SetWindowLongPtrW (hWnd=0x60082, nIndex=-8, dwNewLong=0x60046) returned 0x60046 [0123.330] SendMessageW (hWnd=0x60046, Msg=0x80, wParam=0x1, lParam=0x1d0365) returned 0x0 [0123.330] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x80, wParam=0x1, lParam=0x1d0365) returned 0x0 [0123.332] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x7ffa080f0000 [0123.332] GetWindowLongPtrW (hWnd=0x60082, nIndex=-16) returned 0x6cf0000 [0123.332] GetWindowTextLengthW (hWnd=0x60082) returned 0 [0123.332] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x0 [0123.332] GetSystemMetrics (nIndex=42) returned 0 [0123.333] GetWindowTextW (in: hWnd=0x60082, lpString=0x14d8f0, nMaxCount=1 | out: lpString="") returned 0 [0123.333] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0xd, wParam=0x1, lParam=0x14d8f0) returned 0x0 [0123.333] GetWindowTextLengthW (hWnd=0x60082) returned 0 [0123.333] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x0 [0123.333] GetSystemMetrics (nIndex=42) returned 0 [0123.333] GetWindowTextW (in: hWnd=0x60082, lpString=0x14d8f0, nMaxCount=1 | out: lpString="") returned 0 [0123.333] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0xd, wParam=0x1, lParam=0x14d8f0) returned 0x0 [0123.333] GetWindowLongPtrW (hWnd=0x60082, nIndex=-16) returned 0x6cf0000 [0123.333] GetWindowLongPtrW (hWnd=0x60082, nIndex=-20) returned 0x10100 [0123.333] SetWindowLongPtrW (hWnd=0x60082, nIndex=-16, dwNewLong=0x2cf0000) returned 0x6cf0000 [0123.333] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x7c, wParam=0xfffffffffffffff0, lParam=0x14d9b0) returned 0x0 [0123.333] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x7d, wParam=0xfffffffffffffff0, lParam=0x14d9b0) returned 0x0 [0123.334] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x1d0089 [0123.335] SetWindowLongPtrW (hWnd=0x60082, nIndex=-20, dwNewLong=0x10000) returned 0x10100 [0123.335] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x7c, wParam=0xffffffffffffffec, lParam=0x14d9b0) returned 0x0 [0123.335] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x7d, wParam=0xffffffffffffffec, lParam=0x14d9b0) returned 0x0 [0123.336] SetWindowPos (hWnd=0x60082, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1 [0123.336] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x46, wParam=0x0, lParam=0x14da10) returned 0x0 [0123.336] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x83, wParam=0x1, lParam=0x14d9e0) returned 0x0 [0123.337] GetWindowPlacement (in: hWnd=0x60082, lpwndpl=0x14d5b8 | out: lpwndpl=0x14d5b8) returned 1 [0123.338] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x47, wParam=0x0, lParam=0x14da10) returned 0x0 [0123.338] GetClientRect (in: hWnd=0x60082, lpRect=0x14d450 | out: lpRect=0x14d450) returned 1 [0123.338] GetWindowRect (in: hWnd=0x60082, lpRect=0x14d450 | out: lpRect=0x14d450) returned 1 [0123.339] RedrawWindow (hWnd=0x60082, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0x85) returned 1 [0123.339] GetSystemMenu (hWnd=0x60082, bRevert=0) returned 0xf0139 [0123.339] GetWindowPlacement (in: hWnd=0x60082, lpwndpl=0x14da88 | out: lpwndpl=0x14da88) returned 1 [0123.339] EnableMenuItem (hMenu=0xf0139, uIDEnableItem=0xf020, uEnable=0x0) returned 0 [0123.340] EnableMenuItem (hMenu=0xf0139, uIDEnableItem=0xf030, uEnable=0x0) returned 0 [0123.340] EnableMenuItem (hMenu=0xf0139, uIDEnableItem=0xf060, uEnable=0x0) returned 0 [0123.340] EnableMenuItem (hMenu=0xf0139, uIDEnableItem=0xf120, uEnable=0x1) returned 1 [0123.340] EnableMenuItem (hMenu=0xf0139, uIDEnableItem=0xf000, uEnable=0x0) returned 0 [0123.340] SetWindowLongPtrW (hWnd=0x8002c, nIndex=-8, dwNewLong=0x60082) returned 0x50304 [0123.680] CoTaskMemAlloc (cb=0x20c) returned 0xbd5170 [0123.680] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0xbd5170 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0123.682] CoTaskMemFree (pv=0xbd5170) [0123.682] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x14a3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0126.479] CryptAcquireContextW (in: phProv=0x14dc68, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x14dc68*=0xbc9a60) returned 1 [0126.516] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x1 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.517] CoTaskMemAlloc (cb=0x20) returned 0xbe4290 [0126.517] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe4290, pdwDataLen=0x14dc20, dwFlags=0x1 | out: pbData=0xbe4290, pdwDataLen=0x14dc20) returned 1 [0126.518] CoTaskMemFree (pv=0xbe4290) [0126.518] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.518] CoTaskMemAlloc (cb=0x20) returned 0xbe3ff0 [0126.519] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe3ff0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe3ff0, pdwDataLen=0x14dc20) returned 1 [0126.519] CoTaskMemFree (pv=0xbe3ff0) [0126.519] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.519] CoTaskMemAlloc (cb=0x20) returned 0xbe4320 [0126.519] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe4320, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe4320, pdwDataLen=0x14dc20) returned 1 [0126.519] CoTaskMemFree (pv=0xbe4320) [0126.519] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.519] CoTaskMemAlloc (cb=0x20) returned 0xbe3ff0 [0126.519] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe3ff0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe3ff0, pdwDataLen=0x14dc20) returned 1 [0126.519] CoTaskMemFree (pv=0xbe3ff0) [0126.519] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.519] CoTaskMemAlloc (cb=0x20) returned 0xbe4230 [0126.519] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe4230, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe4230, pdwDataLen=0x14dc20) returned 1 [0126.519] CoTaskMemFree (pv=0xbe4230) [0126.519] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.519] CoTaskMemAlloc (cb=0x20) returned 0xbe3d80 [0126.519] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe3d80, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe3d80, pdwDataLen=0x14dc20) returned 1 [0126.520] CoTaskMemFree (pv=0xbe3d80) [0126.520] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.520] CoTaskMemAlloc (cb=0x20) returned 0xbe4380 [0126.520] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe4380, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe4380, pdwDataLen=0x14dc20) returned 1 [0126.520] CoTaskMemFree (pv=0xbe4380) [0126.520] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.520] CoTaskMemAlloc (cb=0x20) returned 0xbe3d20 [0126.520] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe3d20, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe3d20, pdwDataLen=0x14dc20) returned 1 [0126.520] CoTaskMemFree (pv=0xbe3d20) [0126.520] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.520] CoTaskMemAlloc (cb=0x20) returned 0xbe4020 [0126.520] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe4020, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe4020, pdwDataLen=0x14dc20) returned 1 [0126.520] CoTaskMemFree (pv=0xbe4020) [0126.520] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.520] CoTaskMemAlloc (cb=0x20) returned 0xbe3f00 [0126.520] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe3f00, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe3f00, pdwDataLen=0x14dc20) returned 1 [0126.521] CoTaskMemFree (pv=0xbe3f00) [0126.521] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.521] CoTaskMemAlloc (cb=0x20) returned 0xbe3e70 [0126.521] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe3e70, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe3e70, pdwDataLen=0x14dc20) returned 1 [0126.521] CoTaskMemFree (pv=0xbe3e70) [0126.521] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.521] CoTaskMemAlloc (cb=0x20) returned 0xbe41a0 [0126.521] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe41a0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe41a0, pdwDataLen=0x14dc20) returned 1 [0126.521] CoTaskMemFree (pv=0xbe41a0) [0126.521] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.521] CoTaskMemAlloc (cb=0x20) returned 0xbe3d80 [0126.521] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe3d80, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe3d80, pdwDataLen=0x14dc20) returned 1 [0126.521] CoTaskMemFree (pv=0xbe3d80) [0126.521] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.521] CoTaskMemAlloc (cb=0x20) returned 0xbe4380 [0126.521] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe4380, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe4380, pdwDataLen=0x14dc20) returned 1 [0126.522] CoTaskMemFree (pv=0xbe4380) [0126.522] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.522] CoTaskMemAlloc (cb=0x20) returned 0xbe4320 [0126.522] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe4320, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe4320, pdwDataLen=0x14dc20) returned 1 [0126.522] CoTaskMemFree (pv=0xbe4320) [0126.522] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.522] CoTaskMemAlloc (cb=0x20) returned 0xbe3d20 [0126.522] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe3d20, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe3d20, pdwDataLen=0x14dc20) returned 1 [0126.522] CoTaskMemFree (pv=0xbe3d20) [0126.522] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.522] CoTaskMemAlloc (cb=0x20) returned 0xbe3d20 [0126.522] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe3d20, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe3d20, pdwDataLen=0x14dc20) returned 1 [0126.522] CoTaskMemFree (pv=0xbe3d20) [0126.522] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.522] CoTaskMemAlloc (cb=0x20) returned 0xbe4080 [0126.522] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe4080, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe4080, pdwDataLen=0x14dc20) returned 1 [0126.523] CoTaskMemFree (pv=0xbe4080) [0126.523] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.523] CoTaskMemAlloc (cb=0x20) returned 0xbe4260 [0126.523] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe4260, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe4260, pdwDataLen=0x14dc20) returned 1 [0126.523] CoTaskMemFree (pv=0xbe4260) [0126.523] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 1 [0126.523] CoTaskMemAlloc (cb=0x20) returned 0xbe4260 [0126.523] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0xbe4260, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0xbe4260, pdwDataLen=0x14dc20) returned 1 [0126.523] CoTaskMemFree (pv=0xbe4260) [0126.523] CryptGetProvParam (in: hProv=0xbc9a60, dwParam=0x1, pbData=0x0, pdwDataLen=0x14dc20, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x14dc20) returned 0 [0126.692] CryptImportKey (in: hProv=0xbc9a60, pbData=0x27dca98, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x14dc50 | out: phKey=0x14dc50*=0xbc48a0) returned 1 [0126.694] CryptContextAddRef (hProv=0xbc9a60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0126.912] CryptContextAddRef (hProv=0xbc9a60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0126.912] CryptDuplicateKey (in: hKey=0xbc48a0, pdwReserved=0x0, dwFlags=0x0, phKey=0x14dc20 | out: phKey=0x14dc20*=0xbc4980) returned 1 [0126.913] CryptContextAddRef (hProv=0xbc9a60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0126.914] CryptSetKeyParam (hKey=0xbc4980, dwParam=0x4, pbData=0x27e60d8*=0x1, dwFlags=0x0) returned 1 [0126.919] CryptSetKeyParam (hKey=0xbc4980, dwParam=0x1, pbData=0x27e6088, dwFlags=0x0) returned 1 [0126.960] CryptDecrypt (in: hKey=0xbc4980, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27e9be8, pdwDataLen=0x14dc40 | out: pbData=0x27e9be8, pdwDataLen=0x14dc40) returned 1 [0126.972] CryptDecrypt (in: hKey=0xbc4980, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x27e9d30, pdwDataLen=0x14dc30 | out: pbData=0x27e9d30, pdwDataLen=0x14dc30) returned 0 [0126.986] CryptDestroyKey (hKey=0xbc48a0) returned 1 [0126.986] CryptReleaseContext (hProv=0xbc9a60, dwFlags=0x0) returned 1 [0126.986] CryptReleaseContext (hProv=0xbc9a60, dwFlags=0x0) returned 1 [0127.007] CryptAcquireContextW (in: phProv=0x14dc68, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x14dc68*=0xbca060) returned 1 [0127.012] CryptImportKey (in: hProv=0xbca060, pbData=0x27ec4d8, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x14dc50 | out: phKey=0x14dc50*=0xbc5550) returned 1 [0127.012] CryptContextAddRef (hProv=0xbca060, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.013] CryptContextAddRef (hProv=0xbca060, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.013] CryptDuplicateKey (in: hKey=0xbc5550, pdwReserved=0x0, dwFlags=0x0, phKey=0x14dc20 | out: phKey=0x14dc20*=0xbc5320) returned 1 [0127.013] CryptContextAddRef (hProv=0xbca060, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.013] CryptSetKeyParam (hKey=0xbc5320, dwParam=0x4, pbData=0x27ecda0*=0x1, dwFlags=0x0) returned 1 [0127.013] CryptSetKeyParam (hKey=0xbc5320, dwParam=0x1, pbData=0x27ecd50, dwFlags=0x0) returned 1 [0127.014] CryptDecrypt (in: hKey=0xbc5320, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27ecf30, pdwDataLen=0x14dc40 | out: pbData=0x27ecf30, pdwDataLen=0x14dc40) returned 1 [0127.014] CryptDecrypt (in: hKey=0xbc5320, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x27ecf78, pdwDataLen=0x14dc30 | out: pbData=0x27ecf78, pdwDataLen=0x14dc30) returned 0 [0127.014] CryptDestroyKey (hKey=0xbc5550) returned 1 [0127.014] CryptReleaseContext (hProv=0xbca060, dwFlags=0x0) returned 1 [0127.014] CryptReleaseContext (hProv=0xbca060, dwFlags=0x0) returned 1 [0127.014] CryptAcquireContextW (in: phProv=0x14dc68, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x14dc68*=0xbc8660) returned 1 [0127.015] CryptImportKey (in: hProv=0xbc8660, pbData=0x27ed190, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x14dc50 | out: phKey=0x14dc50*=0xbc48a0) returned 1 [0127.015] CryptContextAddRef (hProv=0xbc8660, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.016] CryptContextAddRef (hProv=0xbc8660, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.016] CryptDuplicateKey (in: hKey=0xbc48a0, pdwReserved=0x0, dwFlags=0x0, phKey=0x14dc20 | out: phKey=0x14dc20*=0xbc4a60) returned 1 [0127.016] CryptContextAddRef (hProv=0xbc8660, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.016] CryptSetKeyParam (hKey=0xbc4a60, dwParam=0x4, pbData=0x27eda68*=0x1, dwFlags=0x0) returned 1 [0127.016] CryptSetKeyParam (hKey=0xbc4a60, dwParam=0x1, pbData=0x27eda18, dwFlags=0x0) returned 1 [0127.016] CryptDecrypt (in: hKey=0xbc4a60, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27edbf0, pdwDataLen=0x14dc40 | out: pbData=0x27edbf0, pdwDataLen=0x14dc40) returned 1 [0127.016] CryptDecrypt (in: hKey=0xbc4a60, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27edc50, pdwDataLen=0x14dc40 | out: pbData=0x27edc50, pdwDataLen=0x14dc40) returned 1 [0127.016] CryptDecrypt (in: hKey=0xbc4a60, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x27edc98, pdwDataLen=0x14dc30 | out: pbData=0x27edc98, pdwDataLen=0x14dc30) returned 0 [0127.016] CryptDestroyKey (hKey=0xbc48a0) returned 1 [0127.016] CryptReleaseContext (hProv=0xbc8660, dwFlags=0x0) returned 1 [0127.016] CryptReleaseContext (hProv=0xbc8660, dwFlags=0x0) returned 1 [0127.017] CryptAcquireContextW (in: phProv=0x14dc68, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x14dc68*=0xbc8c60) returned 1 [0127.017] CryptImportKey (in: hProv=0xbc8c60, pbData=0x27eded0, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x14dc50 | out: phKey=0x14dc50*=0xbc48a0) returned 1 [0127.017] CryptContextAddRef (hProv=0xbc8c60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.018] CryptContextAddRef (hProv=0xbc8c60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.018] CryptDuplicateKey (in: hKey=0xbc48a0, pdwReserved=0x0, dwFlags=0x0, phKey=0x14dc20 | out: phKey=0x14dc20*=0xbc4bb0) returned 1 [0127.018] CryptContextAddRef (hProv=0xbc8c60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.018] CryptSetKeyParam (hKey=0xbc4bb0, dwParam=0x4, pbData=0x27ee798*=0x1, dwFlags=0x0) returned 1 [0127.018] CryptSetKeyParam (hKey=0xbc4bb0, dwParam=0x1, pbData=0x27ee748, dwFlags=0x0) returned 1 [0127.018] CryptDecrypt (in: hKey=0xbc4bb0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27ee928, pdwDataLen=0x14dc40 | out: pbData=0x27ee928, pdwDataLen=0x14dc40) returned 1 [0127.018] CryptDecrypt (in: hKey=0xbc4bb0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x27ee970, pdwDataLen=0x14dc30 | out: pbData=0x27ee970, pdwDataLen=0x14dc30) returned 0 [0127.019] CryptDestroyKey (hKey=0xbc48a0) returned 1 [0127.019] CryptReleaseContext (hProv=0xbc8c60, dwFlags=0x0) returned 1 [0127.019] CryptReleaseContext (hProv=0xbc8c60, dwFlags=0x0) returned 1 [0127.019] CryptAcquireContextW (in: phProv=0x14dc68, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x14dc68*=0xbc9f60) returned 1 [0127.019] CryptImportKey (in: hProv=0xbc9f60, pbData=0x27eeb88, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x14dc50 | out: phKey=0x14dc50*=0xbc5240) returned 1 [0127.019] CryptContextAddRef (hProv=0xbc9f60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.020] CryptContextAddRef (hProv=0xbc9f60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.020] CryptDuplicateKey (in: hKey=0xbc5240, pdwReserved=0x0, dwFlags=0x0, phKey=0x14dc20 | out: phKey=0x14dc20*=0xbc48a0) returned 1 [0127.020] CryptContextAddRef (hProv=0xbc9f60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.020] CryptSetKeyParam (hKey=0xbc48a0, dwParam=0x4, pbData=0x27ef460*=0x1, dwFlags=0x0) returned 1 [0127.020] CryptSetKeyParam (hKey=0xbc48a0, dwParam=0x1, pbData=0x27ef410, dwFlags=0x0) returned 1 [0127.020] CryptDecrypt (in: hKey=0xbc48a0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27ef5e8, pdwDataLen=0x14dc40 | out: pbData=0x27ef5e8, pdwDataLen=0x14dc40) returned 1 [0127.021] CryptDecrypt (in: hKey=0xbc48a0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27ef648, pdwDataLen=0x14dc40 | out: pbData=0x27ef648, pdwDataLen=0x14dc40) returned 1 [0127.021] CryptDecrypt (in: hKey=0xbc48a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x27ef690, pdwDataLen=0x14dc30 | out: pbData=0x27ef690, pdwDataLen=0x14dc30) returned 0 [0127.021] CryptDestroyKey (hKey=0xbc5240) returned 1 [0127.021] CryptReleaseContext (hProv=0xbc9f60, dwFlags=0x0) returned 1 [0127.021] CryptReleaseContext (hProv=0xbc9f60, dwFlags=0x0) returned 1 [0127.021] CryptAcquireContextW (in: phProv=0x14dc68, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x14dc68*=0xbc8960) returned 1 [0127.022] CryptImportKey (in: hProv=0xbc8960, pbData=0x27ef8e0, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x14dc50 | out: phKey=0x14dc50*=0xbc5470) returned 1 [0127.022] CryptContextAddRef (hProv=0xbc8960, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.022] CryptContextAddRef (hProv=0xbc8960, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.023] CryptDuplicateKey (in: hKey=0xbc5470, pdwReserved=0x0, dwFlags=0x0, phKey=0x14dc20 | out: phKey=0x14dc20*=0xbc49f0) returned 1 [0127.023] CryptContextAddRef (hProv=0xbc8960, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.023] CryptSetKeyParam (hKey=0xbc49f0, dwParam=0x4, pbData=0x27f0208*=0x1, dwFlags=0x0) returned 1 [0127.023] CryptSetKeyParam (hKey=0xbc49f0, dwParam=0x1, pbData=0x27f01b8, dwFlags=0x0) returned 1 [0127.023] CryptDecrypt (in: hKey=0xbc49f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27f03b0, pdwDataLen=0x14dc40 | out: pbData=0x27f03b0, pdwDataLen=0x14dc40) returned 1 [0127.023] CryptDecrypt (in: hKey=0xbc49f0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27f0420, pdwDataLen=0x14dc40 | out: pbData=0x27f0420, pdwDataLen=0x14dc40) returned 1 [0127.023] CryptDecrypt (in: hKey=0xbc49f0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x27f0468, pdwDataLen=0x14dc30 | out: pbData=0x27f0468, pdwDataLen=0x14dc30) returned 0 [0127.023] CryptDestroyKey (hKey=0xbc5470) returned 1 [0127.023] CryptReleaseContext (hProv=0xbc8960, dwFlags=0x0) returned 1 [0127.023] CryptReleaseContext (hProv=0xbc8960, dwFlags=0x0) returned 1 [0127.024] CryptAcquireContextW (in: phProv=0x14dc68, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x14dc68*=0xbc9760) returned 1 [0127.025] CryptImportKey (in: hProv=0xbc9760, pbData=0x27f06d0, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x14dc50 | out: phKey=0x14dc50*=0xbc4b40) returned 1 [0127.025] CryptContextAddRef (hProv=0xbc9760, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.025] CryptContextAddRef (hProv=0xbc9760, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.025] CryptDuplicateKey (in: hKey=0xbc4b40, pdwReserved=0x0, dwFlags=0x0, phKey=0x14dc20 | out: phKey=0x14dc20*=0xbc4d70) returned 1 [0127.025] CryptContextAddRef (hProv=0xbc9760, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.026] CryptSetKeyParam (hKey=0xbc4d70, dwParam=0x4, pbData=0x27f0f98*=0x1, dwFlags=0x0) returned 1 [0127.026] CryptSetKeyParam (hKey=0xbc4d70, dwParam=0x1, pbData=0x27f0f48, dwFlags=0x0) returned 1 [0127.026] CryptDecrypt (in: hKey=0xbc4d70, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27f1128, pdwDataLen=0x14dc40 | out: pbData=0x27f1128, pdwDataLen=0x14dc40) returned 1 [0127.026] CryptDecrypt (in: hKey=0xbc4d70, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x27f1178, pdwDataLen=0x14dc30 | out: pbData=0x27f1178, pdwDataLen=0x14dc30) returned 0 [0127.026] CryptDestroyKey (hKey=0xbc4b40) returned 1 [0127.026] CryptReleaseContext (hProv=0xbc9760, dwFlags=0x0) returned 1 [0127.026] CryptReleaseContext (hProv=0xbc9760, dwFlags=0x0) returned 1 [0127.026] CryptAcquireContextW (in: phProv=0x14dc68, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x14dc68*=0xbca160) returned 1 [0127.027] CryptImportKey (in: hProv=0xbca160, pbData=0x27f1398, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x14dc50 | out: phKey=0x14dc50*=0xbc4b40) returned 1 [0127.027] CryptContextAddRef (hProv=0xbca160, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.028] CryptContextAddRef (hProv=0xbca160, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.028] CryptDuplicateKey (in: hKey=0xbc4b40, pdwReserved=0x0, dwFlags=0x0, phKey=0x14dc20 | out: phKey=0x14dc20*=0xbc5240) returned 1 [0127.028] CryptContextAddRef (hProv=0xbca160, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.028] CryptSetKeyParam (hKey=0xbc5240, dwParam=0x4, pbData=0x27f1c60*=0x1, dwFlags=0x0) returned 1 [0127.028] CryptSetKeyParam (hKey=0xbc5240, dwParam=0x1, pbData=0x27f1c10, dwFlags=0x0) returned 1 [0127.028] CryptDecrypt (in: hKey=0xbc5240, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27f1df0, pdwDataLen=0x14dc40 | out: pbData=0x27f1df0, pdwDataLen=0x14dc40) returned 1 [0127.028] CryptDecrypt (in: hKey=0xbc5240, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x27f1e38, pdwDataLen=0x14dc30 | out: pbData=0x27f1e38, pdwDataLen=0x14dc30) returned 0 [0127.028] CryptDestroyKey (hKey=0xbc4b40) returned 1 [0127.028] CryptReleaseContext (hProv=0xbca160, dwFlags=0x0) returned 1 [0127.028] CryptReleaseContext (hProv=0xbca160, dwFlags=0x0) returned 1 [0127.029] CryptAcquireContextW (in: phProv=0x14dc68, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x14dc68*=0xbc9b60) returned 1 [0127.029] CryptImportKey (in: hProv=0xbc9b60, pbData=0x27f22e0, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x14dc50 | out: phKey=0x14dc50*=0xbc4b40) returned 1 [0127.029] CryptContextAddRef (hProv=0xbc9b60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.030] CryptContextAddRef (hProv=0xbc9b60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.031] CryptDuplicateKey (in: hKey=0xbc4b40, pdwReserved=0x0, dwFlags=0x0, phKey=0x14dc20 | out: phKey=0x14dc20*=0xbc4de0) returned 1 [0127.031] CryptContextAddRef (hProv=0xbc9b60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.031] CryptSetKeyParam (hKey=0xbc4de0, dwParam=0x4, pbData=0x27f3108*=0x1, dwFlags=0x0) returned 1 [0127.031] CryptSetKeyParam (hKey=0xbc4de0, dwParam=0x1, pbData=0x27f30b8, dwFlags=0x0) returned 1 [0127.031] CryptDecrypt (in: hKey=0xbc4de0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27f37b0, pdwDataLen=0x14dc40 | out: pbData=0x27f37b0, pdwDataLen=0x14dc40) returned 1 [0127.031] CryptDecrypt (in: hKey=0xbc4de0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27f3aa0, pdwDataLen=0x14dc40 | out: pbData=0x27f3aa0, pdwDataLen=0x14dc40) returned 1 [0127.031] CryptDecrypt (in: hKey=0xbc4de0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x27f3af0, pdwDataLen=0x14dc30 | out: pbData=0x27f3af0, pdwDataLen=0x14dc30) returned 0 [0127.032] CryptDestroyKey (hKey=0xbc4b40) returned 1 [0127.032] CryptReleaseContext (hProv=0xbc9b60, dwFlags=0x0) returned 1 [0127.032] CryptReleaseContext (hProv=0xbc9b60, dwFlags=0x0) returned 1 [0127.032] CryptAcquireContextW (in: phProv=0x14dc68, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x14dc68*=0xbc8d60) returned 1 [0127.033] CryptImportKey (in: hProv=0xbc8d60, pbData=0x27f4b90, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x14dc50 | out: phKey=0x14dc50*=0xbc4b40) returned 1 [0127.033] CryptContextAddRef (hProv=0xbc8d60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.034] CryptContextAddRef (hProv=0xbc8d60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.034] CryptDuplicateKey (in: hKey=0xbc4b40, pdwReserved=0x0, dwFlags=0x0, phKey=0x14dc20 | out: phKey=0x14dc20*=0xbc5470) returned 1 [0127.034] CryptContextAddRef (hProv=0xbc8d60, pdwReserved=0x0, dwFlags=0x0) returned 1 [0127.034] CryptSetKeyParam (hKey=0xbc5470, dwParam=0x4, pbData=0x27f61b8*=0x1, dwFlags=0x0) returned 1 [0127.035] CryptSetKeyParam (hKey=0xbc5470, dwParam=0x1, pbData=0x27f6168, dwFlags=0x0) returned 1 [0127.035] CryptDecrypt (in: hKey=0xbc5470, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27f7060, pdwDataLen=0x14dc40 | out: pbData=0x27f7060, pdwDataLen=0x14dc40) returned 1 [0127.035] CryptDecrypt (in: hKey=0xbc5470, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x27f7750, pdwDataLen=0x14dc40 | out: pbData=0x27f7750, pdwDataLen=0x14dc40) returned 1 [0127.035] CryptDecrypt (in: hKey=0xbc5470, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x27f7790, pdwDataLen=0x14dc30 | out: pbData=0x27f7790, pdwDataLen=0x14dc30) returned 0 [0127.035] CryptDestroyKey (hKey=0xbc4b40) returned 1 [0127.035] CryptReleaseContext (hProv=0xbc8d60, dwFlags=0x0) returned 1 [0127.035] CryptReleaseContext (hProv=0xbc8d60, dwFlags=0x0) returned 1 [0127.131] CertDuplicateCertificateContext (pCertContext=0xbcb8d0) returned 0xbcb8d0 [0127.161] CoTaskMemAlloc (cb=0x20c) returned 0xbd35d0 [0127.161] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0xbd35d0 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0 [0127.161] CoTaskMemFree (pv=0xbd35d0) [0127.161] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x14d6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpFilePart=0x0) returned 0x25 [0127.338] LocalAlloc (uFlags=0x0, uBytes=0x2a) returned 0x1c3af730 [0127.338] memcpy (in: _Dst=0x1c3af730, _Src=0x27fe860, _Size=0x2a | out: _Dst=0x1c3af730) returned 0x1c3af730 [0127.355] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x1c3af730, dwGroupId=0x3) returned 0x0 [0127.376] LocalFree (hMem=0x1c3af730) returned 0x0 [0127.376] LocalAlloc (uFlags=0x0, uBytes=0x2a) returned 0xbf4460 [0127.376] memcpy (in: _Dst=0xbf4460, _Src=0x27fe998, _Size=0x2a | out: _Dst=0xbf4460) returned 0xbf4460 [0127.376] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0xbf4460, dwGroupId=0x0) returned 0x0 [0127.388] LocalFree (hMem=0xbf4460) returned 0x0 [0127.415] LocalAlloc (uFlags=0x0, uBytes=0x15) returned 0xbd7c70 [0127.416] memcpy (in: _Dst=0xbd7c70, _Src=0x28004b0, _Size=0x15 | out: _Dst=0xbd7c70) returned 0xbd7c70 [0127.416] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0xbd7c70, dwGroupId=0x0) returned 0x7ffa13048220 [0127.426] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x27fedf0, cbEncoded=0x20e, dwFlags=0x0, pvStructInfo=0x0, pcbStructInfo=0x14dce4 | out: pvStructInfo=0x0, pcbStructInfo=0x14dce4) returned 1 [0127.426] LocalAlloc (uFlags=0x0, uBytes=0x214) returned 0xbd35d0 [0127.427] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x27fedf0, cbEncoded=0x20e, dwFlags=0x0, pvStructInfo=0xbd35d0, pcbStructInfo=0x14dce4 | out: pvStructInfo=0xbd35d0, pcbStructInfo=0x14dce4) returned 1 [0127.428] LocalFree (hMem=0xbd35d0) returned 0x0 [0127.580] CoTaskMemAlloc (cb=0x2e) returned 0xbf3fe0 [0127.590] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0xbf3fe0, dwGroupId=0x1) returned 0x0 [0127.590] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0xbf3fe0, dwGroupId=0x0) returned 0x0 [0127.590] CoTaskMemFree (pv=0xbf3fe0) [0127.694] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Local\\a65c20d9-cf82-4bb4-8f7e-e90aff87b9b5") returned 0x330 [0127.726] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", nBufferLength=0x105, lpBuffer=0x14d730, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", lpFilePart=0x0) returned 0x62 [0127.753] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe:Zone.Identifier" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe:zone.identifier")) returned 0 [0127.817] GetUserNameW (in: lpBuffer=0x14da70, pcbBuffer=0x14dd98 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x14dd98) returned 1 [0127.842] GetCurrentProcess () returned 0xffffffffffffffff [0127.842] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14dc38 | out: TokenHandle=0x14dc38*=0x338) returned 1 [0127.962] GetTokenInformation (in: TokenHandle=0x338, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x14dc98 | out: TokenInformation=0x0, ReturnLength=0x14dc98) returned 0 [0127.963] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x1c3ae5f0 [0127.963] GetTokenInformation (in: TokenHandle=0x338, TokenInformationClass=0x8, TokenInformation=0x1c3ae5f0, TokenInformationLength=0x4, ReturnLength=0x14dc98 | out: TokenInformation=0x1c3ae5f0, ReturnLength=0x14dc98) returned 1 [0127.970] LocalFree (hMem=0x1c3ae5f0) returned 0x0 [0127.971] DuplicateTokenEx (in: hExistingToken=0x338, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x14dcf8 | out: phNewToken=0x14dcf8*=0x328) returned 1 [0127.971] CheckTokenMembership (in: TokenHandle=0x328, SidToCheck=0x280fc68*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x14dd00 | out: IsMember=0x14dd00) returned 1 [0127.972] CloseHandle (hObject=0x328) returned 1 [0127.972] CloseHandle (hObject=0x338) returned 1 [0127.987] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", nBufferLength=0x105, lpBuffer=0x14d700, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", lpFilePart=0x0) returned 0x62 [0128.126] CloseHandle (hObject=0x330) returned 1 [0128.267] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\Windows", nBufferLength=0x105, lpBuffer=0x14d860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\Windows", lpFilePart=0x0) returned 0x1b [0128.267] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x14dcb0) returned 1 [0128.267] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\Windows" (normalized: "c:\\windows\\system32\\windows"), fInfoLevelId=0x0, lpFileInformation=0x14dd90 | out: lpFileInformation=0x14dd90*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.268] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x14dc70) returned 1 [0128.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\Windows", nBufferLength=0x105, lpBuffer=0x14d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\Windows", lpFilePart=0x0) returned 0x1b [0128.281] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x14dbf0) returned 1 [0128.281] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\Windows" (normalized: "c:\\windows\\system32\\windows"), fInfoLevelId=0x0, lpFileInformation=0x14dcd0 | out: lpFileInformation=0x14dcd0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.282] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x14dbb0) returned 1 [0128.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x14dbf0) returned 1 [0128.283] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\Windows" (normalized: "c:\\windows\\system32\\windows"), fInfoLevelId=0x0, lpFileInformation=0x14dcd0 | out: lpFileInformation=0x14dcd0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.283] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x14dbb0) returned 1 [0128.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x14dbf0) returned 1 [0128.284] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x14dcd0 | out: lpFileInformation=0x14dcd0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x57fecc6a, ftLastAccessTime.dwHighDateTime=0x1d8a73b, ftLastWriteTime.dwLowDateTime=0x57fecc6a, ftLastWriteTime.dwHighDateTime=0x1d8a73b, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0128.284] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x14dbb0) returned 1 [0128.297] CreateDirectoryW (lpPathName="C:\\Windows\\system32\\Windows" (normalized: "c:\\windows\\system32\\windows"), lpSecurityAttributes=0x0) returned 1 [0128.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\Windows\\RuntimeBroker.exe", nBufferLength=0x105, lpBuffer=0x14d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\Windows\\RuntimeBroker.exe", lpFilePart=0x0) returned 0x2d [0128.307] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x14dcc0) returned 1 [0128.307] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\Windows\\RuntimeBroker.exe" (normalized: "c:\\windows\\system32\\windows\\runtimebroker.exe"), fInfoLevelId=0x0, lpFileInformation=0x14dda0 | out: lpFileInformation=0x14dda0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0128.307] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x14dc80) returned 1 [0128.307] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", nBufferLength=0x105, lpBuffer=0x14d6d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", lpFilePart=0x0) returned 0x62 [0128.321] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", nBufferLength=0x105, lpBuffer=0x14d820, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", lpFilePart=0x0) returned 0x62 [0128.321] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\Windows\\RuntimeBroker.exe", nBufferLength=0x105, lpBuffer=0x14d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\Windows\\RuntimeBroker.exe", lpFilePart=0x0) returned 0x2d [0128.328] CopyFileW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe"), lpNewFileName="C:\\Windows\\system32\\Windows\\RuntimeBroker.exe" (normalized: "c:\\windows\\system32\\windows\\runtimebroker.exe"), bFailIfExists=0) returned 1 [0130.819] GetUserNameW (in: lpBuffer=0x14da00, pcbBuffer=0x14dd28 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x14dd28) returned 1 [0130.820] GetCurrentProcess () returned 0xffffffffffffffff [0130.820] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x14dbc8 | out: TokenHandle=0x14dbc8*=0x330) returned 1 [0130.820] GetTokenInformation (in: TokenHandle=0x330, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x14dc28 | out: TokenInformation=0x0, ReturnLength=0x14dc28) returned 0 [0130.820] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x1c3ae8b0 [0130.820] GetTokenInformation (in: TokenHandle=0x330, TokenInformationClass=0x8, TokenInformation=0x1c3ae8b0, TokenInformationLength=0x4, ReturnLength=0x14dc28 | out: TokenInformation=0x1c3ae8b0, ReturnLength=0x14dc28) returned 1 [0130.820] LocalFree (hMem=0x1c3ae8b0) returned 0x0 [0130.820] DuplicateTokenEx (in: hExistingToken=0x330, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x14dc88 | out: phNewToken=0x14dc88*=0x338) returned 1 [0130.821] CheckTokenMembership (in: TokenHandle=0x338, SidToCheck=0x28140a8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x14dc90 | out: IsMember=0x14dc90) returned 1 [0130.821] CloseHandle (hObject=0x338) returned 1 [0130.821] CloseHandle (hObject=0x330) returned 1 [0130.821] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", nBufferLength=0x105, lpBuffer=0x14d690, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", lpFilePart=0x0) returned 0x62 [0131.009] CoTaskMemAlloc (cb=0x20e) returned 0xbd3a10 [0131.009] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0xbd3a10 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d [0131.009] CoTaskMemFree (pv=0xbd3a10) [0131.010] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"schtasks\" /create /tn \"Google Update\" /sc ONLOGON /tr \"C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe\" /rl HIGHEST /f", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x14d870*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2822510 | out: lpCommandLine="\"schtasks\" /create /tn \"Google Update\" /sc ONLOGON /tr \"C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe\" /rl HIGHEST /f", lpProcessInformation=0x2822510*(hProcess=0x338, hThread=0x330, dwProcessId=0x678, dwThreadId=0xc88)) returned 1 [0131.309] CloseHandle (hObject=0x330) returned 1 [0131.340] GetCurrentProcess () returned 0xffffffffffffffff [0131.340] GetCurrentProcess () returned 0xffffffffffffffff [0131.340] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x338, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x14dc40, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x14dc40*=0x330) returned 1 [0131.343] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x3e8, cHandles=0x1, pHandles=0x14daf0*=0x330, lpdwindex=0x14d8c4 | out: lpdwindex=0x14d8c4) returned 0x80010115 [0132.879] CloseHandle (hObject=0x330) returned 1 [0132.908] GetExitCodeProcess (in: hProcess=0x338, lpExitCode=0x14dce8 | out: lpExitCode=0x14dce8*=0x103) returned 1 [0132.908] GetCurrentProcess () returned 0xffffffffffffffff [0132.908] GetCurrentProcess () returned 0xffffffffffffffff [0132.908] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x338, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x14dbd0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x14dbd0*=0x330) returned 1 [0132.908] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x14da80*=0x330, lpdwindex=0x14d854 | out: lpdwindex=0x14d854) returned 0x80010115 [0132.908] CloseHandle (hObject=0x330) returned 1 [0133.035] GetWindowThreadProcessId (in: hWnd=0x60082, lpdwProcessId=0x14dde0 | out: lpdwProcessId=0x14dde0) returned 0x5f4 [0133.035] GetCurrentThreadId () returned 0x5f4 [0133.036] RegisterClipboardFormatW (lpszFormat="WindowsForms12_ThreadCallbackMessage") returned 0xc1e1 [0133.075] PostMessageW (hWnd=0x60082, Msg=0xc1e1, wParam=0x0, lParam=0x0) returned 1 [0133.081] GetWindowTextLengthW (hWnd=0x60082) returned 0 [0133.081] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0xe, wParam=0x0, lParam=0x0) returned 0x0 [0133.081] GetSystemMetrics (nIndex=42) returned 0 [0133.081] GetWindowTextW (in: hWnd=0x60082, lpString=0x14e300, nMaxCount=1 | out: lpString="") returned 0 [0133.081] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0xd, wParam=0x1, lParam=0x14e300) returned 0x0 [0133.087] OleInitialize (pvReserved=0x0) returned 0x0 [0133.088] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x14e708 | out: lplpMessageFilter=0x14e708*=0x0) returned 0x0 [0133.090] PeekMessageW (in: lpMsg=0x14e6a0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14e6a0) returned 1 [0133.090] IsWindowUnicode (hWnd=0x60082) returned 1 [0133.091] GetMessageW (in: lpMsg=0x14e6a0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x14e6a0) returned 1 [0133.093] TranslateMessage (lpMsg=0x14e6a0) returned 0 [0133.094] DispatchMessageW (lpMsg=0x14e6a0) returned 0x0 [0133.094] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x31f, wParam=0x1, lParam=0x0) returned 0x0 [0133.094] PeekMessageW (in: lpMsg=0x14e6a0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14e6a0) returned 1 [0133.094] IsWindowUnicode (hWnd=0x60046) returned 1 [0133.094] GetMessageW (in: lpMsg=0x14e6a0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x14e6a0) returned 1 [0133.094] TranslateMessage (lpMsg=0x14e6a0) returned 0 [0133.094] DispatchMessageW (lpMsg=0x14e6a0) returned 0x0 [0133.094] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x31f, wParam=0x1, lParam=0x0) returned 0x0 [0133.094] PeekMessageW (in: lpMsg=0x14e6a0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14e6a0) returned 1 [0133.095] IsWindowUnicode (hWnd=0x60082) returned 1 [0133.095] GetMessageW (in: lpMsg=0x14e6a0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x14e6a0) returned 1 [0133.095] TranslateMessage (lpMsg=0x14e6a0) returned 0 [0133.095] DispatchMessageW (lpMsg=0x14e6a0) returned 0x0 [0133.097] PeekMessageW (in: lpMsg=0x14e6a0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14e6a0) returned 0 [0133.097] PeekMessageW (in: lpMsg=0x14e6a0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x14e6a0) returned 0 [0133.097] WaitMessage () returned 1 [0157.088] PeekMessageW (lpMsg=0x14e6a0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0) [0157.089] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x3b, wParam=0x50e, lParam=0x0) returned 0x1 [0157.089] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x11, wParam=0x0, lParam=0x0) returned 0x1 [0158.800] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x1c, wParam=0x1, lParam=0xe24) returned 0x0 [0158.800] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x1c, wParam=0x1, lParam=0xe24) returned 0x0 [0158.800] NtdllDefWindowProc_W (hWnd=0x50304, Msg=0x1c, wParam=0x1, lParam=0xe24) returned 0x0 [0158.800] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x86, wParam=0x0, lParam=0x0) returned 0x1 [0158.804] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x6, wParam=0x1, lParam=0x0) returned 0x0 [0158.951] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x281, wParam=0x1, lParam=0xc000000f) returned 0x0 [0158.958] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x282, wParam=0x2, lParam=0x0) returned 0x0 [0158.959] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x7, wParam=0x0, lParam=0x0) returned 0x0 [0158.959] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x86, wParam=0x0, lParam=0x0) returned 0x1 [0158.960] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x6, wParam=0x0, lParam=0x0) returned 0x0 [0158.960] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x1c, wParam=0x0, lParam=0xf40) returned 0x0 [0158.960] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x1c, wParam=0x0, lParam=0xf40) returned 0x0 [0158.960] NtdllDefWindowProc_W (hWnd=0x50304, Msg=0x1c, wParam=0x0, lParam=0xf40) returned 0x0 [0158.960] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x8, wParam=0x0, lParam=0x0) returned 0x0 [0158.961] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x281, wParam=0x0, lParam=0xc000000f) returned 0x0 [0158.961] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x282, wParam=0x1, lParam=0x0) returned 0x0 [0158.961] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x3b, wParam=0x50c, lParam=0x0) [0158.962] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x16, wParam=0x1, lParam=0x0) returned 0x0 [0159.971] DestroyCursor (hCursor=0x1d0089) returned 1 [0159.976] GetWindowLongPtrW (hWnd=0x60082, nIndex=-20) returned 0x10100 [0159.976] DestroyWindow (hWnd=0x60082) [0159.976] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0159.980] PostThreadMessageW (idThread=0x5f4, Msg=0x12, wParam=0x0, lParam=0x0) returned 1 [0159.984] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0159.985] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60082, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0159.986] DestroyWindow (hWnd=0x60046) [0159.986] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0159.986] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0159.987] CallWindowProcW (lpPrevWndFunc=0x7ffa16814a40, hWnd=0x60046, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 Thread: id = 2 os_tid = 0x1094 Thread: id = 3 os_tid = 0xc10 Thread: id = 4 os_tid = 0x9f8 [0096.147] CoGetContextToken (in: pToken=0x1ab9fa80 | out: pToken=0x1ab9fa80) returned 0x800401f0 [0096.147] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0096.147] RoInitialize () returned 0x1 [0096.147] RoUninitialize () returned 0x0 [0124.384] CloseHandle (hObject=0x328) returned 1 [0124.384] CloseHandle (hObject=0x338) returned 1 [0124.385] CloseHandle (hObject=0x340) returned 1 [0124.385] CloseHandle (hObject=0x334) returned 1 [0124.385] CloseHandle (hObject=0x324) returned 1 [0124.385] CloseHandle (hObject=0x330) returned 1 [0124.386] CloseHandle (hObject=0x33c) returned 1 [0124.386] CloseHandle (hObject=0x32c) returned 1 Thread: id = 5 os_tid = 0xc6c [0132.923] CoGetContextToken (in: pToken=0x1b07fba0 | out: pToken=0x1b07fba0) returned 0x0 [0132.923] CObjectContext::QueryInterface () returned 0x0 [0132.923] CObjectContext::GetCurrentThreadType () returned 0x0 [0132.923] Release () returned 0x0 Thread: id = 6 os_tid = 0xc78 [0105.642] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0105.642] RoInitialize () returned 0x1 [0105.642] RoUninitialize () returned 0x0 Thread: id = 7 os_tid = 0xc74 [0105.800] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0105.800] RoInitialize () returned 0x1 [0105.800] RoUninitialize () returned 0x0 Thread: id = 8 os_tid = 0x1010 [0115.129] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0115.129] RoInitialize () returned 0x1 [0115.130] RoUninitialize () returned 0x0 Thread: id = 9 os_tid = 0xc7c [0115.272] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0115.272] RoInitialize () returned 0x1 [0115.272] RoUninitialize () returned 0x0 Thread: id = 10 os_tid = 0xc80 Thread: id = 11 os_tid = 0x1160 Thread: id = 14 os_tid = 0xcb4 Process: id = "2" image_name = "schtasks.exe" filename = "c:\\windows\\system32\\schtasks.exe" page_root = "0x3aac4000" os_pid = "0x678" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xc04" cmd_line = "\"schtasks\" /create /tn \"Google Update\" /sc ONLOGON /tr \"C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe\" /rl HIGHEST /f" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 704 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 705 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 706 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 707 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 708 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 709 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 710 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 711 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 712 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 713 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 714 start_va = 0x7ff664df0000 end_va = 0x7ff664e2cfff monitored = 1 entry_point = 0x7ff664e14550 region_type = mapped_file name = "schtasks.exe" filename = "\\Windows\\System32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe") Region: id = 715 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 717 start_va = 0x100000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 718 start_va = 0x7ffa15160000 end_va = 0x7ffa1520cfff monitored = 0 entry_point = 0x7ffa151781a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 719 start_va = 0x7ffa13130000 end_va = 0x7ffa13317fff monitored = 0 entry_point = 0x7ffa1315ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 720 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 721 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 722 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 784 start_va = 0x7ffa13cc0000 end_va = 0x7ffa13d5cfff monitored = 0 entry_point = 0x7ffa13cc78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 785 start_va = 0x4c0000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 786 start_va = 0x7ffa147c0000 end_va = 0x7ffa14880fff monitored = 0 entry_point = 0x7ffa147e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 787 start_va = 0x7ffa14340000 end_va = 0x7ffa145bcfff monitored = 0 entry_point = 0x7ffa14414970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 788 start_va = 0x7ffa145c0000 end_va = 0x7ffa146dbfff monitored = 0 entry_point = 0x7ffa146002b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 789 start_va = 0x7ffa13320000 end_va = 0x7ffa13389fff monitored = 0 entry_point = 0x7ffa13356d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 790 start_va = 0x540000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 791 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 792 start_va = 0x660000 end_va = 0x7a2fff monitored = 0 entry_point = 0x688210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 793 start_va = 0x540000 end_va = 0x546fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 794 start_va = 0x650000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 795 start_va = 0x550000 end_va = 0x562fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "schtasks.exe.mui" filename = "\\Windows\\System32\\en-US\\schtasks.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\schtasks.exe.mui") Region: id = 796 start_va = 0x660000 end_va = 0x996fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 797 start_va = 0x570000 end_va = 0x64cfff monitored = 0 entry_point = 0x5ce0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 798 start_va = 0x7ffa12e10000 end_va = 0x7ffa12e1efff monitored = 0 entry_point = 0x7ffa12e13210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 799 start_va = 0x7ffa14070000 end_va = 0x7ffa140cafff monitored = 0 entry_point = 0x7ffa140838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 800 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 801 start_va = 0x7ffa14220000 end_va = 0x7ffa142c6fff monitored = 0 entry_point = 0x7ffa1422b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 802 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 803 start_va = 0x7ffa0fe10000 end_va = 0x7ffa0fecefff monitored = 0 entry_point = 0x7ffa0fe31c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 804 start_va = 0x7ffa12a10000 end_va = 0x7ffa12a3cfff monitored = 0 entry_point = 0x7ffa12a29d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 805 start_va = 0x7ffa0f430000 end_va = 0x7ffa0f465fff monitored = 0 entry_point = 0x7ffa0f440070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Thread: id = 12 os_tid = 0xc88 [0133.295] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff664df0000 [0133.295] __set_app_type (_Type=0x1) [0133.295] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff664e148d0) returned 0x0 [0133.295] __wgetmainargs (in: _Argc=0x7ff664e27ff8, _Argv=0x7ff664e28000, _Env=0x7ff664e28008, _DoWildCard=0, _StartInfo=0x7ff664e28014 | out: _Argc=0x7ff664e27ff8, _Argv=0x7ff664e28000, _Env=0x7ff664e28008) returned 0 [0133.296] _onexit (_Func=0x7ff664e17ec0) returned 0x7ff664e17ec0 [0133.296] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0133.296] CsrIdentifyAlertableThread () returned 0x0 [0133.297] GetProcessHeap () returned 0x100000 [0133.297] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x104a90 [0133.297] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.297] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018 [0133.297] VerSetConditionMask (ConditionMask=0x8000000000000018, TypeMask=0x1, Condition=0x3) returned 0x800000000000001b [0133.297] VerSetConditionMask (ConditionMask=0x800000000000001b, TypeMask=0x20, Condition=0x3) returned 0x800000000001801b [0133.297] RtlVerifyVersionInfo (VersionInfo=0xcf750, TypeMask=0x3, ConditionMask=0x800000000001801b) returned 0x0 [0133.297] GetProcessHeap () returned 0x100000 [0133.297] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x104ab0 [0133.297] lstrlenW (lpString="") returned 0 [0133.298] GetProcessHeap () returned 0x100000 [0133.298] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x2) returned 0x104ad0 [0133.298] GetProcessHeap () returned 0x100000 [0133.298] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x104440 [0133.298] GetProcessHeap () returned 0x100000 [0133.298] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x104470 [0133.298] GetProcessHeap () returned 0x100000 [0133.298] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x104490 [0133.298] GetProcessHeap () returned 0x100000 [0133.298] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x1044c0 [0133.298] GetProcessHeap () returned 0x100000 [0133.298] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x104030 [0133.299] GetProcessHeap () returned 0x100000 [0133.299] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x109200 [0133.299] GetProcessHeap () returned 0x100000 [0133.299] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x104060 [0133.299] GetProcessHeap () returned 0x100000 [0133.299] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x108f90 [0133.299] GetProcessHeap () returned 0x100000 [0133.299] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x108ed0 [0133.299] GetProcessHeap () returned 0x100000 [0133.299] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x109080 [0133.299] GetProcessHeap () returned 0x100000 [0133.299] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x109230 [0133.299] GetProcessHeap () returned 0x100000 [0133.299] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x104080 [0133.299] GetProcessHeap () returned 0x100000 [0133.299] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x1090e0 [0133.299] GetProcessHeap () returned 0x100000 [0133.299] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x109140 [0133.299] GetProcessHeap () returned 0x100000 [0133.299] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x108f30 [0133.299] GetProcessHeap () returned 0x100000 [0133.300] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x108f00 [0133.300] SetThreadUILanguage (LangId=0x0) returned 0x409 [0133.306] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.306] GetProcessHeap () returned 0x100000 [0133.306] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x109170 [0133.306] GetProcessHeap () returned 0x100000 [0133.306] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x108fc0 [0133.306] GetProcessHeap () returned 0x100000 [0133.306] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x108f60 [0133.306] GetProcessHeap () returned 0x100000 [0133.306] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x109020 [0133.306] GetProcessHeap () returned 0x100000 [0133.306] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x1091d0 [0133.306] GetProcessHeap () returned 0x100000 [0133.306] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x104830 [0133.306] _memicmp (_Buf1=0x104830, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.306] GetProcessHeap () returned 0x100000 [0133.306] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x208) returned 0x109b70 [0133.306] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x109b70, nSize=0x104 | out: lpFilename="C:\\Windows\\SYSTEM32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")) returned 0x20 [0133.306] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SYSTEM32\\schtasks.exe", lpdwHandle=0xcf8a8 | out: lpdwHandle=0xcf8a8) returned 0x76c [0133.324] GetProcessHeap () returned 0x100000 [0133.324] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x776) returned 0x10a860 [0133.324] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SYSTEM32\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x10a860 | out: lpData=0x10a860) returned 1 [0133.324] VerQueryValueW (in: pBlock=0x10a860, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xcf840, puLen=0xcf8a0 | out: lplpBuffer=0xcf840*=0x10ac10, puLen=0xcf8a0) returned 1 [0133.329] _memicmp (_Buf1=0x104830, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.329] _vsnwprintf (in: _Buffer=0x109b70, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xcf818 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0133.330] VerQueryValueW (in: pBlock=0x10a860, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xcf830, puLen=0xcf898 | out: lplpBuffer=0xcf830*=0x10aa40, puLen=0xcf898) returned 1 [0133.330] lstrlenW (lpString="schtasks.exe") returned 12 [0133.330] lstrlenW (lpString="schtasks.exe") returned 12 [0133.330] lstrlenW (lpString=".EXE") returned 4 [0133.330] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0133.331] lstrlenW (lpString="schtasks.exe") returned 12 [0133.331] lstrlenW (lpString=".EXE") returned 4 [0133.331] _memicmp (_Buf1=0x104830, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.331] lstrlenW (lpString="schtasks") returned 8 [0133.331] GetProcessHeap () returned 0x100000 [0133.331] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x1090b0 [0133.331] GetProcessHeap () returned 0x100000 [0133.331] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x109050 [0133.331] GetProcessHeap () returned 0x100000 [0133.332] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b6a0 [0133.332] GetProcessHeap () returned 0x100000 [0133.332] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b550 [0133.332] GetProcessHeap () returned 0x100000 [0133.332] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x104850 [0133.332] _memicmp (_Buf1=0x104850, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.332] GetProcessHeap () returned 0x100000 [0133.332] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0xa0) returned 0x1038d0 [0133.332] GetProcessHeap () returned 0x100000 [0133.332] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b7f0 [0133.332] GetProcessHeap () returned 0x100000 [0133.332] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b8e0 [0133.332] GetProcessHeap () returned 0x100000 [0133.332] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b5e0 [0133.332] GetProcessHeap () returned 0x100000 [0133.332] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x104870 [0133.332] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.332] GetProcessHeap () returned 0x100000 [0133.332] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x200) returned 0x10bb30 [0133.332] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0133.333] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0133.333] GetProcessHeap () returned 0x100000 [0133.333] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x30) returned 0x103980 [0133.333] _vsnwprintf (in: _Buffer=0x1038d0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xcf818 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29 [0133.333] GetProcessHeap () returned 0x100000 [0133.333] GetProcessHeap () returned 0x100000 [0133.333] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10a860) returned 1 [0133.333] GetProcessHeap () returned 0x100000 [0133.334] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10a860) returned 0x776 [0133.334] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10a860) returned 1 [0133.334] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.334] GetThreadLocale () returned 0x409 [0133.334] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.334] lstrlenW (lpString="?") returned 1 [0133.334] GetThreadLocale () returned 0x409 [0133.334] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.335] lstrlenW (lpString="create") returned 6 [0133.335] GetThreadLocale () returned 0x409 [0133.335] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.335] lstrlenW (lpString="delete") returned 6 [0133.335] GetThreadLocale () returned 0x409 [0133.335] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.335] lstrlenW (lpString="query") returned 5 [0133.335] GetThreadLocale () returned 0x409 [0133.335] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.335] lstrlenW (lpString="change") returned 6 [0133.335] GetThreadLocale () returned 0x409 [0133.335] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.335] lstrlenW (lpString="run") returned 3 [0133.335] GetThreadLocale () returned 0x409 [0133.335] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.335] lstrlenW (lpString="end") returned 3 [0133.335] GetThreadLocale () returned 0x409 [0133.335] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.335] lstrlenW (lpString="showsid") returned 7 [0133.335] GetThreadLocale () returned 0x409 [0133.335] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.335] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.335] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.336] lstrlenW (lpString="/create") returned 7 [0133.336] lstrlenW (lpString="-/") returned 2 [0133.336] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0133.336] lstrlenW (lpString="?") returned 1 [0133.336] lstrlenW (lpString="?") returned 1 [0133.336] GetProcessHeap () returned 0x100000 [0133.336] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x103f50 [0133.336] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.336] GetProcessHeap () returned 0x100000 [0133.336] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0xa) returned 0x103f70 [0133.336] lstrlenW (lpString="create") returned 6 [0133.336] GetProcessHeap () returned 0x100000 [0133.336] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x103f90 [0133.336] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.336] GetProcessHeap () returned 0x100000 [0133.336] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x14) returned 0x103fb0 [0133.336] _vsnwprintf (in: _Buffer=0x103f70, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|?|") returned 3 [0133.336] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|create|") returned 8 [0133.336] lstrlenW (lpString="|?|") returned 3 [0133.336] lstrlenW (lpString="|create|") returned 8 [0133.336] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.336] lstrlenW (lpString="create") returned 6 [0133.336] lstrlenW (lpString="create") returned 6 [0133.336] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.336] GetProcessHeap () returned 0x100000 [0133.336] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x103f70) returned 1 [0133.336] GetProcessHeap () returned 0x100000 [0133.336] RtlReAllocateHeap (Heap=0x100000, Flags=0xc, Ptr=0x103f70, Size=0x14) returned 0x1042c0 [0133.336] lstrlenW (lpString="create") returned 6 [0133.337] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.337] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|create|") returned 8 [0133.337] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|create|") returned 8 [0133.337] lstrlenW (lpString="|create|") returned 8 [0133.337] lstrlenW (lpString="|create|") returned 8 [0133.337] StrStrIW (lpFirst="|create|", lpSrch="|create|") returned="|create|" [0133.337] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.337] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.337] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.337] lstrlenW (lpString="/tn") returned 3 [0133.337] lstrlenW (lpString="-/") returned 2 [0133.337] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0133.337] lstrlenW (lpString="?") returned 1 [0133.337] lstrlenW (lpString="?") returned 1 [0133.337] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.337] lstrlenW (lpString="tn") returned 2 [0133.337] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.337] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|?|") returned 3 [0133.337] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tn|") returned 4 [0133.337] lstrlenW (lpString="|?|") returned 3 [0133.337] lstrlenW (lpString="|tn|") returned 4 [0133.337] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.337] lstrlenW (lpString="create") returned 6 [0133.337] lstrlenW (lpString="create") returned 6 [0133.337] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.337] lstrlenW (lpString="tn") returned 2 [0133.337] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.338] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|create|") returned 8 [0133.338] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tn|") returned 4 [0133.338] lstrlenW (lpString="|create|") returned 8 [0133.338] lstrlenW (lpString="|tn|") returned 4 [0133.338] StrStrIW (lpFirst="|create|", lpSrch="|tn|") returned 0x0 [0133.338] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.338] lstrlenW (lpString="delete") returned 6 [0133.338] lstrlenW (lpString="delete") returned 6 [0133.338] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.338] lstrlenW (lpString="tn") returned 2 [0133.338] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.338] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|delete|") returned 8 [0133.338] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tn|") returned 4 [0133.338] lstrlenW (lpString="|delete|") returned 8 [0133.338] lstrlenW (lpString="|tn|") returned 4 [0133.338] StrStrIW (lpFirst="|delete|", lpSrch="|tn|") returned 0x0 [0133.338] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.338] lstrlenW (lpString="query") returned 5 [0133.338] lstrlenW (lpString="query") returned 5 [0133.338] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.338] lstrlenW (lpString="tn") returned 2 [0133.338] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.338] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|query|") returned 7 [0133.338] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tn|") returned 4 [0133.338] lstrlenW (lpString="|query|") returned 7 [0133.338] lstrlenW (lpString="|tn|") returned 4 [0133.338] StrStrIW (lpFirst="|query|", lpSrch="|tn|") returned 0x0 [0133.338] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.339] lstrlenW (lpString="change") returned 6 [0133.339] lstrlenW (lpString="change") returned 6 [0133.339] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.339] lstrlenW (lpString="tn") returned 2 [0133.339] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.339] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|change|") returned 8 [0133.339] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tn|") returned 4 [0133.339] lstrlenW (lpString="|change|") returned 8 [0133.339] lstrlenW (lpString="|tn|") returned 4 [0133.339] StrStrIW (lpFirst="|change|", lpSrch="|tn|") returned 0x0 [0133.339] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.339] lstrlenW (lpString="run") returned 3 [0133.339] lstrlenW (lpString="run") returned 3 [0133.339] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.339] lstrlenW (lpString="tn") returned 2 [0133.339] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.339] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|run|") returned 5 [0133.339] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tn|") returned 4 [0133.339] lstrlenW (lpString="|run|") returned 5 [0133.339] lstrlenW (lpString="|tn|") returned 4 [0133.339] StrStrIW (lpFirst="|run|", lpSrch="|tn|") returned 0x0 [0133.339] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.339] lstrlenW (lpString="end") returned 3 [0133.339] lstrlenW (lpString="end") returned 3 [0133.339] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.339] lstrlenW (lpString="tn") returned 2 [0133.339] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.339] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|end|") returned 5 [0133.339] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tn|") returned 4 [0133.340] lstrlenW (lpString="|end|") returned 5 [0133.340] lstrlenW (lpString="|tn|") returned 4 [0133.340] StrStrIW (lpFirst="|end|", lpSrch="|tn|") returned 0x0 [0133.340] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.340] lstrlenW (lpString="showsid") returned 7 [0133.340] lstrlenW (lpString="showsid") returned 7 [0133.340] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.340] GetProcessHeap () returned 0x100000 [0133.340] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x1042c0) returned 1 [0133.340] GetProcessHeap () returned 0x100000 [0133.340] RtlReAllocateHeap (Heap=0x100000, Flags=0xc, Ptr=0x1042c0, Size=0x16) returned 0x1042c0 [0133.340] lstrlenW (lpString="tn") returned 2 [0133.340] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.340] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|showsid|") returned 9 [0133.340] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tn|") returned 4 [0133.340] lstrlenW (lpString="|showsid|") returned 9 [0133.340] lstrlenW (lpString="|tn|") returned 4 [0133.340] StrStrIW (lpFirst="|showsid|", lpSrch="|tn|") returned 0x0 [0133.340] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.340] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.340] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.340] lstrlenW (lpString="/tn") returned 3 [0133.340] StrChrIW (lpStart="/tn", wMatch=0x3a) returned 0x0 [0133.340] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.340] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.340] lstrlenW (lpString="/tn") returned 3 [0133.340] GetProcessHeap () returned 0x100000 [0133.340] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x8) returned 0x103f70 [0133.340] GetProcessHeap () returned 0x100000 [0133.340] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b880 [0133.340] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.340] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.340] lstrlenW (lpString="Google Update") returned 13 [0133.341] lstrlenW (lpString="-/") returned 2 [0133.341] StrChrIW (lpStart="-/", wMatch=0x47) returned 0x0 [0133.341] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.341] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.341] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.341] lstrlenW (lpString="Google Update") returned 13 [0133.341] StrChrIW (lpStart="Google Update", wMatch=0x3a) returned 0x0 [0133.341] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.341] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.341] lstrlenW (lpString="Google Update") returned 13 [0133.341] GetProcessHeap () returned 0x100000 [0133.341] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x1c) returned 0x10b580 [0133.341] GetProcessHeap () returned 0x100000 [0133.341] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b610 [0133.341] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.341] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.341] lstrlenW (lpString="/sc") returned 3 [0133.341] lstrlenW (lpString="-/") returned 2 [0133.341] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0133.341] lstrlenW (lpString="?") returned 1 [0133.341] lstrlenW (lpString="?") returned 1 [0133.341] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.341] lstrlenW (lpString="sc") returned 2 [0133.341] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.341] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|?|") returned 3 [0133.341] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|sc|") returned 4 [0133.341] lstrlenW (lpString="|?|") returned 3 [0133.341] lstrlenW (lpString="|sc|") returned 4 [0133.341] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.341] lstrlenW (lpString="create") returned 6 [0133.341] lstrlenW (lpString="create") returned 6 [0133.341] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.341] lstrlenW (lpString="sc") returned 2 [0133.341] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.342] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|create|") returned 8 [0133.342] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|sc|") returned 4 [0133.342] lstrlenW (lpString="|create|") returned 8 [0133.342] lstrlenW (lpString="|sc|") returned 4 [0133.342] StrStrIW (lpFirst="|create|", lpSrch="|sc|") returned 0x0 [0133.342] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.342] lstrlenW (lpString="delete") returned 6 [0133.342] lstrlenW (lpString="delete") returned 6 [0133.342] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.342] lstrlenW (lpString="sc") returned 2 [0133.342] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.342] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|delete|") returned 8 [0133.342] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|sc|") returned 4 [0133.342] lstrlenW (lpString="|delete|") returned 8 [0133.342] lstrlenW (lpString="|sc|") returned 4 [0133.342] StrStrIW (lpFirst="|delete|", lpSrch="|sc|") returned 0x0 [0133.342] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.342] lstrlenW (lpString="query") returned 5 [0133.342] lstrlenW (lpString="query") returned 5 [0133.342] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.342] lstrlenW (lpString="sc") returned 2 [0133.342] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.342] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|query|") returned 7 [0133.342] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|sc|") returned 4 [0133.342] lstrlenW (lpString="|query|") returned 7 [0133.342] lstrlenW (lpString="|sc|") returned 4 [0133.342] StrStrIW (lpFirst="|query|", lpSrch="|sc|") returned 0x0 [0133.342] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.343] lstrlenW (lpString="change") returned 6 [0133.343] lstrlenW (lpString="change") returned 6 [0133.343] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.343] lstrlenW (lpString="sc") returned 2 [0133.343] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.343] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|change|") returned 8 [0133.343] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|sc|") returned 4 [0133.343] lstrlenW (lpString="|change|") returned 8 [0133.343] lstrlenW (lpString="|sc|") returned 4 [0133.343] StrStrIW (lpFirst="|change|", lpSrch="|sc|") returned 0x0 [0133.343] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.343] lstrlenW (lpString="run") returned 3 [0133.343] lstrlenW (lpString="run") returned 3 [0133.343] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.343] lstrlenW (lpString="sc") returned 2 [0133.343] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.343] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|run|") returned 5 [0133.343] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|sc|") returned 4 [0133.343] lstrlenW (lpString="|run|") returned 5 [0133.343] lstrlenW (lpString="|sc|") returned 4 [0133.343] StrStrIW (lpFirst="|run|", lpSrch="|sc|") returned 0x0 [0133.343] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.343] lstrlenW (lpString="end") returned 3 [0133.343] lstrlenW (lpString="end") returned 3 [0133.343] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.343] lstrlenW (lpString="sc") returned 2 [0133.343] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.343] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|end|") returned 5 [0133.344] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|sc|") returned 4 [0133.344] lstrlenW (lpString="|end|") returned 5 [0133.344] lstrlenW (lpString="|sc|") returned 4 [0133.344] StrStrIW (lpFirst="|end|", lpSrch="|sc|") returned 0x0 [0133.344] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.344] lstrlenW (lpString="showsid") returned 7 [0133.344] lstrlenW (lpString="showsid") returned 7 [0133.344] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.344] lstrlenW (lpString="sc") returned 2 [0133.344] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.344] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|showsid|") returned 9 [0133.344] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|sc|") returned 4 [0133.344] lstrlenW (lpString="|showsid|") returned 9 [0133.344] lstrlenW (lpString="|sc|") returned 4 [0133.344] StrStrIW (lpFirst="|showsid|", lpSrch="|sc|") returned 0x0 [0133.344] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.344] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.344] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.344] lstrlenW (lpString="/sc") returned 3 [0133.344] StrChrIW (lpStart="/sc", wMatch=0x3a) returned 0x0 [0133.344] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.344] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.344] lstrlenW (lpString="/sc") returned 3 [0133.344] GetProcessHeap () returned 0x100000 [0133.344] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x8) returned 0x1042f0 [0133.344] GetProcessHeap () returned 0x100000 [0133.344] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b460 [0133.344] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.344] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.344] lstrlenW (lpString="ONLOGON") returned 7 [0133.344] lstrlenW (lpString="-/") returned 2 [0133.345] StrChrIW (lpStart="-/", wMatch=0x4f) returned 0x0 [0133.345] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.345] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.345] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.345] lstrlenW (lpString="ONLOGON") returned 7 [0133.345] StrChrIW (lpStart="ONLOGON", wMatch=0x3a) returned 0x0 [0133.345] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.345] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.345] lstrlenW (lpString="ONLOGON") returned 7 [0133.345] GetProcessHeap () returned 0x100000 [0133.345] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x10) returned 0x104310 [0133.345] GetProcessHeap () returned 0x100000 [0133.345] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b820 [0133.345] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.345] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.345] lstrlenW (lpString="/tr") returned 3 [0133.345] lstrlenW (lpString="-/") returned 2 [0133.345] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0133.345] lstrlenW (lpString="?") returned 1 [0133.345] lstrlenW (lpString="?") returned 1 [0133.345] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.345] lstrlenW (lpString="tr") returned 2 [0133.345] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.345] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|?|") returned 3 [0133.345] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tr|") returned 4 [0133.345] lstrlenW (lpString="|?|") returned 3 [0133.345] lstrlenW (lpString="|tr|") returned 4 [0133.345] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.345] lstrlenW (lpString="create") returned 6 [0133.345] lstrlenW (lpString="create") returned 6 [0133.346] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.346] lstrlenW (lpString="tr") returned 2 [0133.346] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.346] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|create|") returned 8 [0133.346] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tr|") returned 4 [0133.346] lstrlenW (lpString="|create|") returned 8 [0133.346] lstrlenW (lpString="|tr|") returned 4 [0133.346] StrStrIW (lpFirst="|create|", lpSrch="|tr|") returned 0x0 [0133.346] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.346] lstrlenW (lpString="delete") returned 6 [0133.346] lstrlenW (lpString="delete") returned 6 [0133.346] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.346] lstrlenW (lpString="tr") returned 2 [0133.346] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.346] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|delete|") returned 8 [0133.346] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tr|") returned 4 [0133.346] lstrlenW (lpString="|delete|") returned 8 [0133.346] lstrlenW (lpString="|tr|") returned 4 [0133.346] StrStrIW (lpFirst="|delete|", lpSrch="|tr|") returned 0x0 [0133.346] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.346] lstrlenW (lpString="query") returned 5 [0133.346] lstrlenW (lpString="query") returned 5 [0133.346] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.346] lstrlenW (lpString="tr") returned 2 [0133.346] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.346] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|query|") returned 7 [0133.346] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tr|") returned 4 [0133.346] lstrlenW (lpString="|query|") returned 7 [0133.347] lstrlenW (lpString="|tr|") returned 4 [0133.347] StrStrIW (lpFirst="|query|", lpSrch="|tr|") returned 0x0 [0133.347] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.347] lstrlenW (lpString="change") returned 6 [0133.347] lstrlenW (lpString="change") returned 6 [0133.347] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.347] lstrlenW (lpString="tr") returned 2 [0133.347] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.347] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|change|") returned 8 [0133.347] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tr|") returned 4 [0133.347] lstrlenW (lpString="|change|") returned 8 [0133.347] lstrlenW (lpString="|tr|") returned 4 [0133.347] StrStrIW (lpFirst="|change|", lpSrch="|tr|") returned 0x0 [0133.347] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.347] lstrlenW (lpString="run") returned 3 [0133.347] lstrlenW (lpString="run") returned 3 [0133.347] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.347] lstrlenW (lpString="tr") returned 2 [0133.347] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.347] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|run|") returned 5 [0133.347] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tr|") returned 4 [0133.347] lstrlenW (lpString="|run|") returned 5 [0133.347] lstrlenW (lpString="|tr|") returned 4 [0133.347] StrStrIW (lpFirst="|run|", lpSrch="|tr|") returned 0x0 [0133.347] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.347] lstrlenW (lpString="end") returned 3 [0133.347] lstrlenW (lpString="end") returned 3 [0133.347] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.347] lstrlenW (lpString="tr") returned 2 [0133.347] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.348] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|end|") returned 5 [0133.348] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tr|") returned 4 [0133.348] lstrlenW (lpString="|end|") returned 5 [0133.348] lstrlenW (lpString="|tr|") returned 4 [0133.348] StrStrIW (lpFirst="|end|", lpSrch="|tr|") returned 0x0 [0133.348] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.348] lstrlenW (lpString="showsid") returned 7 [0133.348] lstrlenW (lpString="showsid") returned 7 [0133.348] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.348] lstrlenW (lpString="tr") returned 2 [0133.348] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.348] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|showsid|") returned 9 [0133.348] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|tr|") returned 4 [0133.348] lstrlenW (lpString="|showsid|") returned 9 [0133.348] lstrlenW (lpString="|tr|") returned 4 [0133.348] StrStrIW (lpFirst="|showsid|", lpSrch="|tr|") returned 0x0 [0133.348] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.348] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.348] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.348] lstrlenW (lpString="/tr") returned 3 [0133.348] StrChrIW (lpStart="/tr", wMatch=0x3a) returned 0x0 [0133.348] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.348] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.348] lstrlenW (lpString="/tr") returned 3 [0133.348] GetProcessHeap () returned 0x100000 [0133.348] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x8) returned 0x104330 [0133.348] GetProcessHeap () returned 0x100000 [0133.348] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b760 [0133.348] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.348] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.348] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0133.349] lstrlenW (lpString="-/") returned 2 [0133.349] StrChrIW (lpStart="-/", wMatch=0x43) returned 0x0 [0133.349] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.349] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.349] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.349] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0133.349] StrChrIW (lpStart="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe" [0133.349] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0133.349] GetProcessHeap () returned 0x100000 [0133.349] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x104350 [0133.349] _memicmp (_Buf1=0x104350, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.349] GetProcessHeap () returned 0x100000 [0133.349] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0xc) returned 0x104370 [0133.349] GetProcessHeap () returned 0x100000 [0133.349] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x10a9b0 [0133.349] _memicmp (_Buf1=0x10a9b0, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.349] GetProcessHeap () returned 0x100000 [0133.349] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0xca) returned 0x103ba0 [0133.349] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.349] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.349] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.349] lstrlenW (lpString="C") returned 1 [0133.349] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.349] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.349] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0133.349] GetProcessHeap () returned 0x100000 [0133.349] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0xc6) returned 0x10c1a0 [0133.350] GetProcessHeap () returned 0x100000 [0133.350] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b910 [0133.350] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.350] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.350] lstrlenW (lpString="/rl") returned 3 [0133.350] lstrlenW (lpString="-/") returned 2 [0133.350] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0133.350] lstrlenW (lpString="?") returned 1 [0133.350] lstrlenW (lpString="?") returned 1 [0133.350] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.350] lstrlenW (lpString="rl") returned 2 [0133.350] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.350] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|?|") returned 3 [0133.350] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|rl|") returned 4 [0133.350] lstrlenW (lpString="|?|") returned 3 [0133.350] lstrlenW (lpString="|rl|") returned 4 [0133.350] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.350] lstrlenW (lpString="create") returned 6 [0133.350] lstrlenW (lpString="create") returned 6 [0133.350] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.350] lstrlenW (lpString="rl") returned 2 [0133.350] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.351] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|create|") returned 8 [0133.351] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|rl|") returned 4 [0133.351] lstrlenW (lpString="|create|") returned 8 [0133.351] lstrlenW (lpString="|rl|") returned 4 [0133.351] StrStrIW (lpFirst="|create|", lpSrch="|rl|") returned 0x0 [0133.351] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.351] lstrlenW (lpString="delete") returned 6 [0133.351] lstrlenW (lpString="delete") returned 6 [0133.351] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.351] lstrlenW (lpString="rl") returned 2 [0133.351] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.351] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|delete|") returned 8 [0133.351] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|rl|") returned 4 [0133.351] lstrlenW (lpString="|delete|") returned 8 [0133.351] lstrlenW (lpString="|rl|") returned 4 [0133.351] StrStrIW (lpFirst="|delete|", lpSrch="|rl|") returned 0x0 [0133.351] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.351] lstrlenW (lpString="query") returned 5 [0133.351] lstrlenW (lpString="query") returned 5 [0133.351] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.351] lstrlenW (lpString="rl") returned 2 [0133.351] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.351] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|query|") returned 7 [0133.351] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|rl|") returned 4 [0133.351] lstrlenW (lpString="|query|") returned 7 [0133.351] lstrlenW (lpString="|rl|") returned 4 [0133.351] StrStrIW (lpFirst="|query|", lpSrch="|rl|") returned 0x0 [0133.351] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.351] lstrlenW (lpString="change") returned 6 [0133.351] lstrlenW (lpString="change") returned 6 [0133.352] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.352] lstrlenW (lpString="rl") returned 2 [0133.352] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.352] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|change|") returned 8 [0133.352] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|rl|") returned 4 [0133.352] lstrlenW (lpString="|change|") returned 8 [0133.352] lstrlenW (lpString="|rl|") returned 4 [0133.352] StrStrIW (lpFirst="|change|", lpSrch="|rl|") returned 0x0 [0133.352] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.352] lstrlenW (lpString="run") returned 3 [0133.352] lstrlenW (lpString="run") returned 3 [0133.352] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.352] lstrlenW (lpString="rl") returned 2 [0133.352] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.352] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|run|") returned 5 [0133.352] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|rl|") returned 4 [0133.352] lstrlenW (lpString="|run|") returned 5 [0133.352] lstrlenW (lpString="|rl|") returned 4 [0133.352] StrStrIW (lpFirst="|run|", lpSrch="|rl|") returned 0x0 [0133.352] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.352] lstrlenW (lpString="end") returned 3 [0133.352] lstrlenW (lpString="end") returned 3 [0133.352] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.352] lstrlenW (lpString="rl") returned 2 [0133.352] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.352] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|end|") returned 5 [0133.352] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|rl|") returned 4 [0133.353] lstrlenW (lpString="|end|") returned 5 [0133.353] lstrlenW (lpString="|rl|") returned 4 [0133.353] StrStrIW (lpFirst="|end|", lpSrch="|rl|") returned 0x0 [0133.353] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.353] lstrlenW (lpString="showsid") returned 7 [0133.353] lstrlenW (lpString="showsid") returned 7 [0133.353] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.353] lstrlenW (lpString="rl") returned 2 [0133.353] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.353] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|showsid|") returned 9 [0133.353] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|rl|") returned 4 [0133.353] lstrlenW (lpString="|showsid|") returned 9 [0133.353] lstrlenW (lpString="|rl|") returned 4 [0133.353] StrStrIW (lpFirst="|showsid|", lpSrch="|rl|") returned 0x0 [0133.353] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.353] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.353] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.353] lstrlenW (lpString="/rl") returned 3 [0133.353] StrChrIW (lpStart="/rl", wMatch=0x3a) returned 0x0 [0133.353] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.353] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.353] lstrlenW (lpString="/rl") returned 3 [0133.353] GetProcessHeap () returned 0x100000 [0133.353] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x8) returned 0x104390 [0133.353] GetProcessHeap () returned 0x100000 [0133.353] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10ba90 [0133.353] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.353] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.353] lstrlenW (lpString="HIGHEST") returned 7 [0133.354] lstrlenW (lpString="-/") returned 2 [0133.354] StrChrIW (lpStart="-/", wMatch=0x48) returned 0x0 [0133.354] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.354] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.354] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.354] lstrlenW (lpString="HIGHEST") returned 7 [0133.354] StrChrIW (lpStart="HIGHEST", wMatch=0x3a) returned 0x0 [0133.354] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.354] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.354] lstrlenW (lpString="HIGHEST") returned 7 [0133.354] GetProcessHeap () returned 0x100000 [0133.354] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x10) returned 0x10ab90 [0133.354] GetProcessHeap () returned 0x100000 [0133.354] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b940 [0133.354] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.354] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.354] lstrlenW (lpString="/f") returned 2 [0133.354] lstrlenW (lpString="-/") returned 2 [0133.354] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0133.354] lstrlenW (lpString="?") returned 1 [0133.354] lstrlenW (lpString="?") returned 1 [0133.354] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.354] lstrlenW (lpString="f") returned 1 [0133.354] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.354] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|?|") returned 3 [0133.354] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|f|") returned 3 [0133.354] lstrlenW (lpString="|?|") returned 3 [0133.354] lstrlenW (lpString="|f|") returned 3 [0133.355] StrStrIW (lpFirst="|?|", lpSrch="|f|") returned 0x0 [0133.355] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.355] lstrlenW (lpString="create") returned 6 [0133.355] lstrlenW (lpString="create") returned 6 [0133.355] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.355] lstrlenW (lpString="f") returned 1 [0133.355] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.355] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|create|") returned 8 [0133.355] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|f|") returned 3 [0133.355] lstrlenW (lpString="|create|") returned 8 [0133.355] lstrlenW (lpString="|f|") returned 3 [0133.355] StrStrIW (lpFirst="|create|", lpSrch="|f|") returned 0x0 [0133.355] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.355] lstrlenW (lpString="delete") returned 6 [0133.355] lstrlenW (lpString="delete") returned 6 [0133.355] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.355] lstrlenW (lpString="f") returned 1 [0133.355] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.355] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|delete|") returned 8 [0133.355] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|f|") returned 3 [0133.355] lstrlenW (lpString="|delete|") returned 8 [0133.355] lstrlenW (lpString="|f|") returned 3 [0133.355] StrStrIW (lpFirst="|delete|", lpSrch="|f|") returned 0x0 [0133.355] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.355] lstrlenW (lpString="query") returned 5 [0133.355] lstrlenW (lpString="query") returned 5 [0133.355] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.356] lstrlenW (lpString="f") returned 1 [0133.356] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.356] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|query|") returned 7 [0133.356] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|f|") returned 3 [0133.356] lstrlenW (lpString="|query|") returned 7 [0133.356] lstrlenW (lpString="|f|") returned 3 [0133.356] StrStrIW (lpFirst="|query|", lpSrch="|f|") returned 0x0 [0133.356] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.356] lstrlenW (lpString="change") returned 6 [0133.356] lstrlenW (lpString="change") returned 6 [0133.356] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.356] lstrlenW (lpString="f") returned 1 [0133.356] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.356] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|change|") returned 8 [0133.356] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|f|") returned 3 [0133.356] lstrlenW (lpString="|change|") returned 8 [0133.356] lstrlenW (lpString="|f|") returned 3 [0133.356] StrStrIW (lpFirst="|change|", lpSrch="|f|") returned 0x0 [0133.356] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.356] lstrlenW (lpString="run") returned 3 [0133.356] lstrlenW (lpString="run") returned 3 [0133.356] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.356] lstrlenW (lpString="f") returned 1 [0133.356] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.356] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|run|") returned 5 [0133.356] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|f|") returned 3 [0133.356] lstrlenW (lpString="|run|") returned 5 [0133.356] lstrlenW (lpString="|f|") returned 3 [0133.357] StrStrIW (lpFirst="|run|", lpSrch="|f|") returned 0x0 [0133.357] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.357] lstrlenW (lpString="end") returned 3 [0133.357] lstrlenW (lpString="end") returned 3 [0133.357] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.357] lstrlenW (lpString="f") returned 1 [0133.357] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.357] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|end|") returned 5 [0133.357] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|f|") returned 3 [0133.357] lstrlenW (lpString="|end|") returned 5 [0133.357] lstrlenW (lpString="|f|") returned 3 [0133.357] StrStrIW (lpFirst="|end|", lpSrch="|f|") returned 0x0 [0133.357] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.357] lstrlenW (lpString="showsid") returned 7 [0133.357] lstrlenW (lpString="showsid") returned 7 [0133.357] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.357] lstrlenW (lpString="f") returned 1 [0133.357] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.357] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|showsid|") returned 9 [0133.357] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcf828 | out: _Buffer="|f|") returned 3 [0133.357] lstrlenW (lpString="|showsid|") returned 9 [0133.357] lstrlenW (lpString="|f|") returned 3 [0133.357] StrStrIW (lpFirst="|showsid|", lpSrch="|f|") returned 0x0 [0133.357] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.357] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.357] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.357] lstrlenW (lpString="/f") returned 2 [0133.357] StrChrIW (lpStart="/f", wMatch=0x3a) returned 0x0 [0133.357] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.357] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.357] lstrlenW (lpString="/f") returned 2 [0133.358] GetProcessHeap () returned 0x100000 [0133.358] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x6) returned 0x1043b0 [0133.358] GetProcessHeap () returned 0x100000 [0133.358] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b5b0 [0133.358] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.358] GetProcessHeap () returned 0x100000 [0133.358] GetProcessHeap () returned 0x100000 [0133.358] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x103f70) returned 1 [0133.358] GetProcessHeap () returned 0x100000 [0133.358] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x103f70) returned 0x8 [0133.358] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x103f70) returned 1 [0133.358] GetProcessHeap () returned 0x100000 [0133.358] GetProcessHeap () returned 0x100000 [0133.358] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b880) returned 1 [0133.358] GetProcessHeap () returned 0x100000 [0133.358] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b880) returned 0x20 [0133.359] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b880) returned 1 [0133.359] GetProcessHeap () returned 0x100000 [0133.359] GetProcessHeap () returned 0x100000 [0133.359] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b580) returned 1 [0133.359] GetProcessHeap () returned 0x100000 [0133.359] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b580) returned 0x1c [0133.359] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b580) returned 1 [0133.359] GetProcessHeap () returned 0x100000 [0133.359] GetProcessHeap () returned 0x100000 [0133.359] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b610) returned 1 [0133.359] GetProcessHeap () returned 0x100000 [0133.359] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b610) returned 0x20 [0133.359] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b610) returned 1 [0133.359] GetProcessHeap () returned 0x100000 [0133.359] GetProcessHeap () returned 0x100000 [0133.359] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x1042f0) returned 1 [0133.359] GetProcessHeap () returned 0x100000 [0133.359] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x1042f0) returned 0x8 [0133.359] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x1042f0) returned 1 [0133.359] GetProcessHeap () returned 0x100000 [0133.360] GetProcessHeap () returned 0x100000 [0133.360] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b460) returned 1 [0133.360] GetProcessHeap () returned 0x100000 [0133.360] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b460) returned 0x20 [0133.360] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b460) returned 1 [0133.360] GetProcessHeap () returned 0x100000 [0133.360] GetProcessHeap () returned 0x100000 [0133.360] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104310) returned 1 [0133.360] GetProcessHeap () returned 0x100000 [0133.360] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104310) returned 0x10 [0133.360] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104310) returned 1 [0133.360] GetProcessHeap () returned 0x100000 [0133.360] GetProcessHeap () returned 0x100000 [0133.360] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b820) returned 1 [0133.360] GetProcessHeap () returned 0x100000 [0133.360] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b820) returned 0x20 [0133.361] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b820) returned 1 [0133.361] GetProcessHeap () returned 0x100000 [0133.361] GetProcessHeap () returned 0x100000 [0133.361] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104330) returned 1 [0133.361] GetProcessHeap () returned 0x100000 [0133.361] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104330) returned 0x8 [0133.361] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104330) returned 1 [0133.361] GetProcessHeap () returned 0x100000 [0133.361] GetProcessHeap () returned 0x100000 [0133.361] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b760) returned 1 [0133.361] GetProcessHeap () returned 0x100000 [0133.361] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b760) returned 0x20 [0133.362] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b760) returned 1 [0133.362] GetProcessHeap () returned 0x100000 [0133.362] GetProcessHeap () returned 0x100000 [0133.362] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10c1a0) returned 1 [0133.362] GetProcessHeap () returned 0x100000 [0133.362] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10c1a0) returned 0xc6 [0133.362] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10c1a0) returned 1 [0133.362] GetProcessHeap () returned 0x100000 [0133.362] GetProcessHeap () returned 0x100000 [0133.362] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b910) returned 1 [0133.362] GetProcessHeap () returned 0x100000 [0133.362] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b910) returned 0x20 [0133.363] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b910) returned 1 [0133.363] GetProcessHeap () returned 0x100000 [0133.363] GetProcessHeap () returned 0x100000 [0133.363] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104390) returned 1 [0133.363] GetProcessHeap () returned 0x100000 [0133.363] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104390) returned 0x8 [0133.363] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104390) returned 1 [0133.363] GetProcessHeap () returned 0x100000 [0133.363] GetProcessHeap () returned 0x100000 [0133.363] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10ba90) returned 1 [0133.363] GetProcessHeap () returned 0x100000 [0133.363] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10ba90) returned 0x20 [0133.363] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10ba90) returned 1 [0133.363] GetProcessHeap () returned 0x100000 [0133.363] GetProcessHeap () returned 0x100000 [0133.363] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10ab90) returned 1 [0133.363] GetProcessHeap () returned 0x100000 [0133.363] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10ab90) returned 0x10 [0133.364] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10ab90) returned 1 [0133.364] GetProcessHeap () returned 0x100000 [0133.364] GetProcessHeap () returned 0x100000 [0133.364] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b940) returned 1 [0133.364] GetProcessHeap () returned 0x100000 [0133.364] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b940) returned 0x20 [0133.364] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b940) returned 1 [0133.364] GetProcessHeap () returned 0x100000 [0133.364] GetProcessHeap () returned 0x100000 [0133.364] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x1043b0) returned 1 [0133.364] GetProcessHeap () returned 0x100000 [0133.364] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x1043b0) returned 0x6 [0133.368] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x1043b0) returned 1 [0133.368] GetProcessHeap () returned 0x100000 [0133.368] GetProcessHeap () returned 0x100000 [0133.368] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b5b0) returned 1 [0133.368] GetProcessHeap () returned 0x100000 [0133.368] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b5b0) returned 0x20 [0133.368] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b5b0) returned 1 [0133.368] GetProcessHeap () returned 0x100000 [0133.368] GetProcessHeap () returned 0x100000 [0133.368] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104a90) returned 1 [0133.368] GetProcessHeap () returned 0x100000 [0133.368] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104a90) returned 0x18 [0133.368] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104a90) returned 1 [0133.369] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.369] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018 [0133.369] VerSetConditionMask (ConditionMask=0x8000000000000018, TypeMask=0x1, Condition=0x3) returned 0x800000000000001b [0133.369] VerSetConditionMask (ConditionMask=0x800000000000001b, TypeMask=0x20, Condition=0x3) returned 0x800000000001801b [0133.369] RtlVerifyVersionInfo (VersionInfo=0xcc7c0, TypeMask=0x3, ConditionMask=0x800000000001801b) returned 0x0 [0133.369] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.369] lstrlenW (lpString="create") returned 6 [0133.369] StrChrIW (lpStart="create", wMatch=0x7c) returned 0x0 [0133.369] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.369] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.369] lstrlenW (lpString="create") returned 6 [0133.369] GetProcessHeap () returned 0x100000 [0133.369] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b790 [0133.369] GetProcessHeap () returned 0x100000 [0133.369] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x10ab10 [0133.369] _memicmp (_Buf1=0x10ab10, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.369] GetProcessHeap () returned 0x100000 [0133.369] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x16) returned 0x10a990 [0133.369] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.369] _memicmp (_Buf1=0x104830, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.369] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x109b70, nSize=0x104 | out: lpFilename="C:\\Windows\\SYSTEM32\\schtasks.exe" (normalized: "c:\\windows\\system32\\schtasks.exe")) returned 0x20 [0133.369] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SYSTEM32\\schtasks.exe", lpdwHandle=0xcc918 | out: lpdwHandle=0xcc918) returned 0x76c [0133.370] GetProcessHeap () returned 0x100000 [0133.370] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x776) returned 0x10cd50 [0133.370] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SYSTEM32\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x10cd50 | out: lpData=0x10cd50) returned 1 [0133.370] VerQueryValueW (in: pBlock=0x10cd50, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xcc8b0, puLen=0xcc910 | out: lplpBuffer=0xcc8b0*=0x10d100, puLen=0xcc910) returned 1 [0133.370] _memicmp (_Buf1=0x104830, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.370] _vsnwprintf (in: _Buffer=0x109b70, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xcc888 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0133.370] VerQueryValueW (in: pBlock=0x10cd50, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xcc8a0, puLen=0xcc908 | out: lplpBuffer=0xcc8a0*=0x10cf30, puLen=0xcc908) returned 1 [0133.370] lstrlenW (lpString="schtasks.exe") returned 12 [0133.370] lstrlenW (lpString="schtasks.exe") returned 12 [0133.370] lstrlenW (lpString=".EXE") returned 4 [0133.370] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0133.370] lstrlenW (lpString="schtasks.exe") returned 12 [0133.370] lstrlenW (lpString=".EXE") returned 4 [0133.370] lstrlenW (lpString="schtasks") returned 8 [0133.370] lstrlenW (lpString="/create") returned 7 [0133.370] _memicmp (_Buf1=0x104830, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.370] _vsnwprintf (in: _Buffer=0x109b70, _BufferCount=0x19, _Format="%s %s", _ArgList=0xcc888 | out: _Buffer="schtasks /create") returned 16 [0133.370] _memicmp (_Buf1=0x104850, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.370] GetProcessHeap () returned 0x100000 [0133.370] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b370 [0133.370] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.370] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0133.371] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0133.371] GetProcessHeap () returned 0x100000 [0133.371] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x30) returned 0x104390 [0133.371] _vsnwprintf (in: _Buffer=0x1038d0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xcc888 | out: _Buffer="Type \"SCHTASKS /CREATE /?\" for usage.") returned 37 [0133.371] GetProcessHeap () returned 0x100000 [0133.371] GetProcessHeap () returned 0x100000 [0133.371] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10cd50) returned 1 [0133.371] GetProcessHeap () returned 0x100000 [0133.371] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10cd50) returned 0x776 [0133.371] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10cd50) returned 1 [0133.371] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.371] GetThreadLocale () returned 0x409 [0133.371] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.371] lstrlenW (lpString="create") returned 6 [0133.371] GetThreadLocale () returned 0x409 [0133.371] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.371] lstrlenW (lpString="?") returned 1 [0133.371] GetThreadLocale () returned 0x409 [0133.371] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.371] lstrlenW (lpString="s") returned 1 [0133.371] GetThreadLocale () returned 0x409 [0133.371] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.371] lstrlenW (lpString="u") returned 1 [0133.372] GetThreadLocale () returned 0x409 [0133.372] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.372] lstrlenW (lpString="p") returned 1 [0133.372] GetThreadLocale () returned 0x409 [0133.372] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.372] lstrlenW (lpString="ru") returned 2 [0133.372] GetThreadLocale () returned 0x409 [0133.372] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.372] lstrlenW (lpString="rp") returned 2 [0133.372] GetThreadLocale () returned 0x409 [0133.372] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.372] lstrlenW (lpString="sc") returned 2 [0133.372] GetThreadLocale () returned 0x409 [0133.372] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.372] lstrlenW (lpString="mo") returned 2 [0133.372] GetThreadLocale () returned 0x409 [0133.372] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.372] lstrlenW (lpString="d") returned 1 [0133.372] GetThreadLocale () returned 0x409 [0133.372] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.372] lstrlenW (lpString="m") returned 1 [0133.372] GetThreadLocale () returned 0x409 [0133.372] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.372] lstrlenW (lpString="i") returned 1 [0133.372] GetThreadLocale () returned 0x409 [0133.372] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.372] lstrlenW (lpString="tn") returned 2 [0133.372] GetThreadLocale () returned 0x409 [0133.372] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.372] lstrlenW (lpString="tr") returned 2 [0133.372] GetThreadLocale () returned 0x409 [0133.372] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.372] lstrlenW (lpString="st") returned 2 [0133.372] GetThreadLocale () returned 0x409 [0133.372] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.373] lstrlenW (lpString="sd") returned 2 [0133.373] GetThreadLocale () returned 0x409 [0133.373] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.373] lstrlenW (lpString="ed") returned 2 [0133.373] GetThreadLocale () returned 0x409 [0133.373] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.373] lstrlenW (lpString="it") returned 2 [0133.373] GetThreadLocale () returned 0x409 [0133.373] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.373] lstrlenW (lpString="et") returned 2 [0133.373] GetThreadLocale () returned 0x409 [0133.373] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.373] lstrlenW (lpString="k") returned 1 [0133.373] GetThreadLocale () returned 0x409 [0133.373] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.373] lstrlenW (lpString="du") returned 2 [0133.373] GetThreadLocale () returned 0x409 [0133.373] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.373] lstrlenW (lpString="ri") returned 2 [0133.373] GetThreadLocale () returned 0x409 [0133.373] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.373] lstrlenW (lpString="z") returned 1 [0133.373] GetThreadLocale () returned 0x409 [0133.373] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.373] lstrlenW (lpString="f") returned 1 [0133.373] GetThreadLocale () returned 0x409 [0133.373] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.373] lstrlenW (lpString="v1") returned 2 [0133.373] GetThreadLocale () returned 0x409 [0133.373] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.373] lstrlenW (lpString="xml") returned 3 [0133.373] GetThreadLocale () returned 0x409 [0133.373] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.373] lstrlenW (lpString="ec") returned 2 [0133.374] GetThreadLocale () returned 0x409 [0133.374] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.374] lstrlenW (lpString="rl") returned 2 [0133.374] GetThreadLocale () returned 0x409 [0133.374] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.374] lstrlenW (lpString="delay") returned 5 [0133.374] GetThreadLocale () returned 0x409 [0133.374] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.374] lstrlenW (lpString="np") returned 2 [0133.374] GetThreadLocale () returned 0x409 [0133.374] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0133.374] lstrlenW (lpString="hresult") returned 7 [0133.374] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.374] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.374] lstrlenW (lpString="/create") returned 7 [0133.374] lstrlenW (lpString="-/") returned 2 [0133.374] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0133.374] lstrlenW (lpString="create") returned 6 [0133.374] lstrlenW (lpString="create") returned 6 [0133.374] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.374] lstrlenW (lpString="create") returned 6 [0133.374] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.374] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|create|") returned 8 [0133.374] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|create|") returned 8 [0133.374] lstrlenW (lpString="|create|") returned 8 [0133.374] lstrlenW (lpString="|create|") returned 8 [0133.374] StrStrIW (lpFirst="|create|", lpSrch="|create|") returned="|create|" [0133.374] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.374] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.374] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.375] lstrlenW (lpString="/tn") returned 3 [0133.375] lstrlenW (lpString="-/") returned 2 [0133.375] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0133.375] lstrlenW (lpString="create") returned 6 [0133.375] lstrlenW (lpString="create") returned 6 [0133.375] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.375] lstrlenW (lpString="tn") returned 2 [0133.375] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.375] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|create|") returned 8 [0133.375] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.375] lstrlenW (lpString="|create|") returned 8 [0133.375] lstrlenW (lpString="|tn|") returned 4 [0133.375] StrStrIW (lpFirst="|create|", lpSrch="|tn|") returned 0x0 [0133.375] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.375] lstrlenW (lpString="?") returned 1 [0133.375] lstrlenW (lpString="?") returned 1 [0133.375] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.375] lstrlenW (lpString="tn") returned 2 [0133.375] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.375] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|?|") returned 3 [0133.375] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.375] lstrlenW (lpString="|?|") returned 3 [0133.375] lstrlenW (lpString="|tn|") returned 4 [0133.375] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.375] lstrlenW (lpString="s") returned 1 [0133.375] lstrlenW (lpString="s") returned 1 [0133.375] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.375] lstrlenW (lpString="tn") returned 2 [0133.375] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.375] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|s|") returned 3 [0133.376] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.376] lstrlenW (lpString="|s|") returned 3 [0133.376] lstrlenW (lpString="|tn|") returned 4 [0133.376] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.376] lstrlenW (lpString="u") returned 1 [0133.376] lstrlenW (lpString="u") returned 1 [0133.376] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.376] lstrlenW (lpString="tn") returned 2 [0133.376] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.376] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|u|") returned 3 [0133.376] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.376] lstrlenW (lpString="|u|") returned 3 [0133.376] lstrlenW (lpString="|tn|") returned 4 [0133.376] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.376] lstrlenW (lpString="p") returned 1 [0133.376] lstrlenW (lpString="p") returned 1 [0133.376] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.376] lstrlenW (lpString="tn") returned 2 [0133.376] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.376] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|p|") returned 3 [0133.376] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.376] lstrlenW (lpString="|p|") returned 3 [0133.376] lstrlenW (lpString="|tn|") returned 4 [0133.376] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.376] lstrlenW (lpString="ru") returned 2 [0133.376] lstrlenW (lpString="ru") returned 2 [0133.376] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.376] lstrlenW (lpString="tn") returned 2 [0133.376] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.376] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|ru|") returned 4 [0133.377] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.377] lstrlenW (lpString="|ru|") returned 4 [0133.377] lstrlenW (lpString="|tn|") returned 4 [0133.377] StrStrIW (lpFirst="|ru|", lpSrch="|tn|") returned 0x0 [0133.377] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.377] lstrlenW (lpString="rp") returned 2 [0133.377] lstrlenW (lpString="rp") returned 2 [0133.377] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.377] lstrlenW (lpString="tn") returned 2 [0133.377] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.377] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rp|") returned 4 [0133.377] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.377] lstrlenW (lpString="|rp|") returned 4 [0133.377] lstrlenW (lpString="|tn|") returned 4 [0133.377] StrStrIW (lpFirst="|rp|", lpSrch="|tn|") returned 0x0 [0133.377] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.377] lstrlenW (lpString="sc") returned 2 [0133.377] lstrlenW (lpString="sc") returned 2 [0133.377] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.377] lstrlenW (lpString="tn") returned 2 [0133.377] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.377] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.377] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.377] lstrlenW (lpString="|sc|") returned 4 [0133.377] lstrlenW (lpString="|tn|") returned 4 [0133.377] StrStrIW (lpFirst="|sc|", lpSrch="|tn|") returned 0x0 [0133.377] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.377] lstrlenW (lpString="mo") returned 2 [0133.377] lstrlenW (lpString="mo") returned 2 [0133.378] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.378] lstrlenW (lpString="tn") returned 2 [0133.378] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.378] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|mo|") returned 4 [0133.378] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.378] lstrlenW (lpString="|mo|") returned 4 [0133.378] lstrlenW (lpString="|tn|") returned 4 [0133.378] StrStrIW (lpFirst="|mo|", lpSrch="|tn|") returned 0x0 [0133.378] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.378] lstrlenW (lpString="d") returned 1 [0133.378] lstrlenW (lpString="d") returned 1 [0133.378] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.378] lstrlenW (lpString="tn") returned 2 [0133.378] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.378] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|d|") returned 3 [0133.378] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.378] lstrlenW (lpString="|d|") returned 3 [0133.378] lstrlenW (lpString="|tn|") returned 4 [0133.378] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.378] lstrlenW (lpString="m") returned 1 [0133.378] lstrlenW (lpString="m") returned 1 [0133.378] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.378] lstrlenW (lpString="tn") returned 2 [0133.378] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.378] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|m|") returned 3 [0133.378] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.378] lstrlenW (lpString="|m|") returned 3 [0133.378] lstrlenW (lpString="|tn|") returned 4 [0133.378] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.378] lstrlenW (lpString="i") returned 1 [0133.379] lstrlenW (lpString="i") returned 1 [0133.379] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.379] lstrlenW (lpString="tn") returned 2 [0133.379] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.379] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|i|") returned 3 [0133.379] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.379] lstrlenW (lpString="|i|") returned 3 [0133.379] lstrlenW (lpString="|tn|") returned 4 [0133.379] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.379] lstrlenW (lpString="tn") returned 2 [0133.379] lstrlenW (lpString="tn") returned 2 [0133.379] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.379] lstrlenW (lpString="tn") returned 2 [0133.379] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.379] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.379] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.379] lstrlenW (lpString="|tn|") returned 4 [0133.379] lstrlenW (lpString="|tn|") returned 4 [0133.379] StrStrIW (lpFirst="|tn|", lpSrch="|tn|") returned="|tn|" [0133.379] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.379] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.379] lstrlenW (lpString="Google Update") returned 13 [0133.379] lstrlenW (lpString="-/") returned 2 [0133.379] StrChrIW (lpStart="-/", wMatch=0x47) returned 0x0 [0133.379] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.379] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.379] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.379] lstrlenW (lpString="Google Update") returned 13 [0133.379] StrChrIW (lpStart="Google Update", wMatch=0x3a) returned 0x0 [0133.379] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.379] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.380] lstrlenW (lpString="Google Update") returned 13 [0133.380] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.380] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.380] lstrlenW (lpString="/sc") returned 3 [0133.380] lstrlenW (lpString="-/") returned 2 [0133.380] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0133.380] lstrlenW (lpString="create") returned 6 [0133.380] lstrlenW (lpString="create") returned 6 [0133.380] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.380] lstrlenW (lpString="sc") returned 2 [0133.380] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.380] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|create|") returned 8 [0133.380] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.380] lstrlenW (lpString="|create|") returned 8 [0133.380] lstrlenW (lpString="|sc|") returned 4 [0133.380] StrStrIW (lpFirst="|create|", lpSrch="|sc|") returned 0x0 [0133.380] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.380] lstrlenW (lpString="?") returned 1 [0133.380] lstrlenW (lpString="?") returned 1 [0133.380] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.380] lstrlenW (lpString="sc") returned 2 [0133.380] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.381] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|?|") returned 3 [0133.381] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.381] lstrlenW (lpString="|?|") returned 3 [0133.381] lstrlenW (lpString="|sc|") returned 4 [0133.381] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.381] lstrlenW (lpString="s") returned 1 [0133.381] lstrlenW (lpString="s") returned 1 [0133.381] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.381] lstrlenW (lpString="sc") returned 2 [0133.381] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.381] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|s|") returned 3 [0133.381] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.381] lstrlenW (lpString="|s|") returned 3 [0133.381] lstrlenW (lpString="|sc|") returned 4 [0133.381] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.381] lstrlenW (lpString="u") returned 1 [0133.381] lstrlenW (lpString="u") returned 1 [0133.381] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.381] lstrlenW (lpString="sc") returned 2 [0133.381] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.381] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|u|") returned 3 [0133.381] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.381] lstrlenW (lpString="|u|") returned 3 [0133.381] lstrlenW (lpString="|sc|") returned 4 [0133.381] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.381] lstrlenW (lpString="p") returned 1 [0133.381] lstrlenW (lpString="p") returned 1 [0133.382] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.382] lstrlenW (lpString="sc") returned 2 [0133.382] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.382] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|p|") returned 3 [0133.382] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.382] lstrlenW (lpString="|p|") returned 3 [0133.382] lstrlenW (lpString="|sc|") returned 4 [0133.382] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.382] lstrlenW (lpString="ru") returned 2 [0133.382] lstrlenW (lpString="ru") returned 2 [0133.382] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.382] lstrlenW (lpString="sc") returned 2 [0133.382] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.382] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|ru|") returned 4 [0133.382] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.382] lstrlenW (lpString="|ru|") returned 4 [0133.382] lstrlenW (lpString="|sc|") returned 4 [0133.382] StrStrIW (lpFirst="|ru|", lpSrch="|sc|") returned 0x0 [0133.382] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.382] lstrlenW (lpString="rp") returned 2 [0133.382] lstrlenW (lpString="rp") returned 2 [0133.382] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.382] lstrlenW (lpString="sc") returned 2 [0133.382] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.382] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rp|") returned 4 [0133.382] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.382] lstrlenW (lpString="|rp|") returned 4 [0133.382] lstrlenW (lpString="|sc|") returned 4 [0133.383] StrStrIW (lpFirst="|rp|", lpSrch="|sc|") returned 0x0 [0133.383] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.383] lstrlenW (lpString="sc") returned 2 [0133.383] lstrlenW (lpString="sc") returned 2 [0133.383] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.383] lstrlenW (lpString="sc") returned 2 [0133.383] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.383] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.383] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.383] lstrlenW (lpString="|sc|") returned 4 [0133.383] lstrlenW (lpString="|sc|") returned 4 [0133.383] StrStrIW (lpFirst="|sc|", lpSrch="|sc|") returned="|sc|" [0133.383] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.383] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.383] lstrlenW (lpString="ONLOGON") returned 7 [0133.383] lstrlenW (lpString="-/") returned 2 [0133.383] StrChrIW (lpStart="-/", wMatch=0x4f) returned 0x0 [0133.383] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.383] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.383] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.383] lstrlenW (lpString="ONLOGON") returned 7 [0133.383] StrChrIW (lpStart="ONLOGON", wMatch=0x3a) returned 0x0 [0133.383] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.383] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.383] GetProcessHeap () returned 0x100000 [0133.383] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x18) returned 0x10a9d0 [0133.383] _memicmp (_Buf1=0x10a9d0, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.383] lstrlenW (lpString="ONLOGON") returned 7 [0133.383] GetProcessHeap () returned 0x100000 [0133.383] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x10) returned 0x10a8f0 [0133.383] lstrlenW (lpString="ONLOGON") returned 7 [0133.383] lstrlenW (lpString=" \x09") returned 2 [0133.384] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0133.384] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0133.384] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0133.384] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0133.384] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0133.384] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0133.384] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0133.384] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0133.384] GetLastError () returned 0x0 [0133.384] lstrlenW (lpString="ONLOGON") returned 7 [0133.384] lstrlenW (lpString="ONLOGON") returned 7 [0133.384] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.384] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.384] lstrlenW (lpString="/tr") returned 3 [0133.384] lstrlenW (lpString="-/") returned 2 [0133.384] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0133.384] lstrlenW (lpString="create") returned 6 [0133.384] lstrlenW (lpString="create") returned 6 [0133.384] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.384] lstrlenW (lpString="tr") returned 2 [0133.384] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.384] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|create|") returned 8 [0133.384] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.384] lstrlenW (lpString="|create|") returned 8 [0133.384] lstrlenW (lpString="|tr|") returned 4 [0133.384] StrStrIW (lpFirst="|create|", lpSrch="|tr|") returned 0x0 [0133.384] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.384] lstrlenW (lpString="?") returned 1 [0133.384] lstrlenW (lpString="?") returned 1 [0133.385] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.385] lstrlenW (lpString="tr") returned 2 [0133.385] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.385] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|?|") returned 3 [0133.385] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.385] lstrlenW (lpString="|?|") returned 3 [0133.385] lstrlenW (lpString="|tr|") returned 4 [0133.385] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.385] lstrlenW (lpString="s") returned 1 [0133.385] lstrlenW (lpString="s") returned 1 [0133.385] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.385] lstrlenW (lpString="tr") returned 2 [0133.385] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.385] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|s|") returned 3 [0133.385] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.385] lstrlenW (lpString="|s|") returned 3 [0133.385] lstrlenW (lpString="|tr|") returned 4 [0133.385] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.385] lstrlenW (lpString="u") returned 1 [0133.385] lstrlenW (lpString="u") returned 1 [0133.385] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.385] lstrlenW (lpString="tr") returned 2 [0133.385] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.385] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|u|") returned 3 [0133.385] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.385] lstrlenW (lpString="|u|") returned 3 [0133.385] lstrlenW (lpString="|tr|") returned 4 [0133.385] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.386] lstrlenW (lpString="p") returned 1 [0133.386] lstrlenW (lpString="p") returned 1 [0133.386] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.386] lstrlenW (lpString="tr") returned 2 [0133.386] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.386] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|p|") returned 3 [0133.386] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.386] lstrlenW (lpString="|p|") returned 3 [0133.386] lstrlenW (lpString="|tr|") returned 4 [0133.386] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.386] lstrlenW (lpString="ru") returned 2 [0133.386] lstrlenW (lpString="ru") returned 2 [0133.386] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.386] lstrlenW (lpString="tr") returned 2 [0133.386] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.386] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|ru|") returned 4 [0133.386] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.386] lstrlenW (lpString="|ru|") returned 4 [0133.386] lstrlenW (lpString="|tr|") returned 4 [0133.386] StrStrIW (lpFirst="|ru|", lpSrch="|tr|") returned 0x0 [0133.386] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.386] lstrlenW (lpString="rp") returned 2 [0133.386] lstrlenW (lpString="rp") returned 2 [0133.386] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.387] lstrlenW (lpString="tr") returned 2 [0133.387] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.387] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rp|") returned 4 [0133.387] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.387] lstrlenW (lpString="|rp|") returned 4 [0133.387] lstrlenW (lpString="|tr|") returned 4 [0133.387] StrStrIW (lpFirst="|rp|", lpSrch="|tr|") returned 0x0 [0133.387] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.387] lstrlenW (lpString="sc") returned 2 [0133.387] lstrlenW (lpString="sc") returned 2 [0133.387] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.387] lstrlenW (lpString="tr") returned 2 [0133.387] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.387] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.387] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.387] lstrlenW (lpString="|sc|") returned 4 [0133.387] lstrlenW (lpString="|tr|") returned 4 [0133.387] StrStrIW (lpFirst="|sc|", lpSrch="|tr|") returned 0x0 [0133.387] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.387] lstrlenW (lpString="mo") returned 2 [0133.387] lstrlenW (lpString="mo") returned 2 [0133.387] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.387] lstrlenW (lpString="tr") returned 2 [0133.387] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.387] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|mo|") returned 4 [0133.387] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.388] lstrlenW (lpString="|mo|") returned 4 [0133.388] lstrlenW (lpString="|tr|") returned 4 [0133.388] StrStrIW (lpFirst="|mo|", lpSrch="|tr|") returned 0x0 [0133.388] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.388] lstrlenW (lpString="d") returned 1 [0133.388] lstrlenW (lpString="d") returned 1 [0133.388] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.388] lstrlenW (lpString="tr") returned 2 [0133.388] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.388] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|d|") returned 3 [0133.388] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.388] lstrlenW (lpString="|d|") returned 3 [0133.388] lstrlenW (lpString="|tr|") returned 4 [0133.388] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.388] lstrlenW (lpString="m") returned 1 [0133.388] lstrlenW (lpString="m") returned 1 [0133.388] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.388] lstrlenW (lpString="tr") returned 2 [0133.388] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.388] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|m|") returned 3 [0133.388] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.388] lstrlenW (lpString="|m|") returned 3 [0133.388] lstrlenW (lpString="|tr|") returned 4 [0133.388] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.388] lstrlenW (lpString="i") returned 1 [0133.388] lstrlenW (lpString="i") returned 1 [0133.388] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.389] lstrlenW (lpString="tr") returned 2 [0133.389] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.389] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|i|") returned 3 [0133.389] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.389] lstrlenW (lpString="|i|") returned 3 [0133.389] lstrlenW (lpString="|tr|") returned 4 [0133.389] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.389] lstrlenW (lpString="tn") returned 2 [0133.389] lstrlenW (lpString="tn") returned 2 [0133.389] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.389] lstrlenW (lpString="tr") returned 2 [0133.389] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.389] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.389] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.389] lstrlenW (lpString="|tn|") returned 4 [0133.389] lstrlenW (lpString="|tr|") returned 4 [0133.389] StrStrIW (lpFirst="|tn|", lpSrch="|tr|") returned 0x0 [0133.389] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.389] lstrlenW (lpString="tr") returned 2 [0133.389] lstrlenW (lpString="tr") returned 2 [0133.389] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.389] lstrlenW (lpString="tr") returned 2 [0133.389] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.389] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.389] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.390] lstrlenW (lpString="|tr|") returned 4 [0133.390] lstrlenW (lpString="|tr|") returned 4 [0133.390] StrStrIW (lpFirst="|tr|", lpSrch="|tr|") returned="|tr|" [0133.390] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.390] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.390] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0133.390] lstrlenW (lpString="-/") returned 2 [0133.390] StrChrIW (lpStart="-/", wMatch=0x43) returned 0x0 [0133.390] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.390] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.390] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.390] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0133.390] StrChrIW (lpStart="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe" [0133.390] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0133.390] _memicmp (_Buf1=0x104350, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.390] _memicmp (_Buf1=0x10a9b0, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.390] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.390] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.390] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.390] lstrlenW (lpString="C") returned 1 [0133.390] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.390] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.390] _memicmp (_Buf1=0x10a9d0, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.390] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0133.390] GetProcessHeap () returned 0x100000 [0133.390] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10a8f0) returned 1 [0133.390] GetProcessHeap () returned 0x100000 [0133.390] RtlReAllocateHeap (Heap=0x100000, Flags=0xc, Ptr=0x10a8f0, Size=0xc6) returned 0x10c000 [0133.390] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0133.390] lstrlenW (lpString=" \x09") returned 2 [0133.390] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x3a) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x4a) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x30) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x76) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x7a) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x58) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x6b) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0133.391] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x37) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x34) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x30) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x36) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x34) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x38) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x38) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x38) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x34) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x36) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x30) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x35) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0133.392] StrChrW (lpStart=" \x09", wMatch=0x32) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x35) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x38) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x36) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x35) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x36) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x30) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x36) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x35) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x34) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x32) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x36) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x35) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x34) returned 0x0 [0133.393] StrChrW (lpStart=" \x09", wMatch=0x30) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x62) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x37) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x62) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x34) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x62) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x38) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x30) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x32) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x34) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0133.394] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0133.394] GetLastError () returned 0x0 [0133.394] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0133.394] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0133.394] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.394] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.394] lstrlenW (lpString="/rl") returned 3 [0133.394] lstrlenW (lpString="-/") returned 2 [0133.394] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0133.394] lstrlenW (lpString="create") returned 6 [0133.394] lstrlenW (lpString="create") returned 6 [0133.394] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.395] lstrlenW (lpString="rl") returned 2 [0133.395] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.395] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|create|") returned 8 [0133.395] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.395] lstrlenW (lpString="|create|") returned 8 [0133.395] lstrlenW (lpString="|rl|") returned 4 [0133.395] StrStrIW (lpFirst="|create|", lpSrch="|rl|") returned 0x0 [0133.395] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.395] lstrlenW (lpString="?") returned 1 [0133.395] lstrlenW (lpString="?") returned 1 [0133.395] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.395] lstrlenW (lpString="rl") returned 2 [0133.395] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.395] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|?|") returned 3 [0133.395] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.395] lstrlenW (lpString="|?|") returned 3 [0133.395] lstrlenW (lpString="|rl|") returned 4 [0133.396] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.396] lstrlenW (lpString="s") returned 1 [0133.396] lstrlenW (lpString="s") returned 1 [0133.396] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.396] lstrlenW (lpString="rl") returned 2 [0133.396] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.396] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|s|") returned 3 [0133.396] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.396] lstrlenW (lpString="|s|") returned 3 [0133.396] lstrlenW (lpString="|rl|") returned 4 [0133.396] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.396] lstrlenW (lpString="u") returned 1 [0133.397] lstrlenW (lpString="u") returned 1 [0133.397] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.397] lstrlenW (lpString="rl") returned 2 [0133.397] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.397] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|u|") returned 3 [0133.397] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.397] lstrlenW (lpString="|u|") returned 3 [0133.397] lstrlenW (lpString="|rl|") returned 4 [0133.397] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.397] lstrlenW (lpString="p") returned 1 [0133.397] lstrlenW (lpString="p") returned 1 [0133.397] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.397] lstrlenW (lpString="rl") returned 2 [0133.397] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.397] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|p|") returned 3 [0133.397] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.397] lstrlenW (lpString="|p|") returned 3 [0133.397] lstrlenW (lpString="|rl|") returned 4 [0133.397] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.397] lstrlenW (lpString="ru") returned 2 [0133.397] lstrlenW (lpString="ru") returned 2 [0133.397] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.397] lstrlenW (lpString="rl") returned 2 [0133.397] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.398] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|ru|") returned 4 [0133.398] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.398] lstrlenW (lpString="|ru|") returned 4 [0133.398] lstrlenW (lpString="|rl|") returned 4 [0133.398] StrStrIW (lpFirst="|ru|", lpSrch="|rl|") returned 0x0 [0133.398] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.398] lstrlenW (lpString="rp") returned 2 [0133.398] lstrlenW (lpString="rp") returned 2 [0133.398] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.398] lstrlenW (lpString="rl") returned 2 [0133.398] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.398] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rp|") returned 4 [0133.398] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.398] lstrlenW (lpString="|rp|") returned 4 [0133.398] lstrlenW (lpString="|rl|") returned 4 [0133.398] StrStrIW (lpFirst="|rp|", lpSrch="|rl|") returned 0x0 [0133.398] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.398] lstrlenW (lpString="sc") returned 2 [0133.398] lstrlenW (lpString="sc") returned 2 [0133.398] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.398] lstrlenW (lpString="rl") returned 2 [0133.398] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.399] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.399] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.399] lstrlenW (lpString="|sc|") returned 4 [0133.399] lstrlenW (lpString="|rl|") returned 4 [0133.399] StrStrIW (lpFirst="|sc|", lpSrch="|rl|") returned 0x0 [0133.399] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.399] lstrlenW (lpString="mo") returned 2 [0133.399] lstrlenW (lpString="mo") returned 2 [0133.399] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.399] lstrlenW (lpString="rl") returned 2 [0133.399] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.399] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|mo|") returned 4 [0133.399] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.399] lstrlenW (lpString="|mo|") returned 4 [0133.399] lstrlenW (lpString="|rl|") returned 4 [0133.399] StrStrIW (lpFirst="|mo|", lpSrch="|rl|") returned 0x0 [0133.399] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.399] lstrlenW (lpString="d") returned 1 [0133.399] lstrlenW (lpString="d") returned 1 [0133.399] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.399] lstrlenW (lpString="rl") returned 2 [0133.400] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.400] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|d|") returned 3 [0133.400] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.400] lstrlenW (lpString="|d|") returned 3 [0133.400] lstrlenW (lpString="|rl|") returned 4 [0133.400] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.400] lstrlenW (lpString="m") returned 1 [0133.400] lstrlenW (lpString="m") returned 1 [0133.400] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.400] lstrlenW (lpString="rl") returned 2 [0133.400] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.400] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|m|") returned 3 [0133.400] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.400] lstrlenW (lpString="|m|") returned 3 [0133.400] lstrlenW (lpString="|rl|") returned 4 [0133.400] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.400] lstrlenW (lpString="i") returned 1 [0133.400] lstrlenW (lpString="i") returned 1 [0133.400] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.400] lstrlenW (lpString="rl") returned 2 [0133.400] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.400] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|i|") returned 3 [0133.401] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.401] lstrlenW (lpString="|i|") returned 3 [0133.401] lstrlenW (lpString="|rl|") returned 4 [0133.401] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.401] lstrlenW (lpString="tn") returned 2 [0133.401] lstrlenW (lpString="tn") returned 2 [0133.401] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.401] lstrlenW (lpString="rl") returned 2 [0133.401] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.401] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.401] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.401] lstrlenW (lpString="|tn|") returned 4 [0133.401] lstrlenW (lpString="|rl|") returned 4 [0133.401] StrStrIW (lpFirst="|tn|", lpSrch="|rl|") returned 0x0 [0133.401] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.401] lstrlenW (lpString="tr") returned 2 [0133.401] lstrlenW (lpString="tr") returned 2 [0133.401] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.401] lstrlenW (lpString="rl") returned 2 [0133.401] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.401] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.401] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.401] lstrlenW (lpString="|tr|") returned 4 [0133.401] lstrlenW (lpString="|rl|") returned 4 [0133.401] StrStrIW (lpFirst="|tr|", lpSrch="|rl|") returned 0x0 [0133.402] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.402] lstrlenW (lpString="st") returned 2 [0133.402] lstrlenW (lpString="st") returned 2 [0133.402] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.402] lstrlenW (lpString="rl") returned 2 [0133.402] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.402] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|st|") returned 4 [0133.402] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.402] lstrlenW (lpString="|st|") returned 4 [0133.402] lstrlenW (lpString="|rl|") returned 4 [0133.402] StrStrIW (lpFirst="|st|", lpSrch="|rl|") returned 0x0 [0133.402] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.402] lstrlenW (lpString="sd") returned 2 [0133.402] lstrlenW (lpString="sd") returned 2 [0133.402] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.402] lstrlenW (lpString="rl") returned 2 [0133.402] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.402] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sd|") returned 4 [0133.402] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.402] lstrlenW (lpString="|sd|") returned 4 [0133.402] lstrlenW (lpString="|rl|") returned 4 [0133.402] StrStrIW (lpFirst="|sd|", lpSrch="|rl|") returned 0x0 [0133.402] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.402] lstrlenW (lpString="ed") returned 2 [0133.402] lstrlenW (lpString="ed") returned 2 [0133.403] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.403] lstrlenW (lpString="rl") returned 2 [0133.403] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.403] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|ed|") returned 4 [0133.403] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.403] lstrlenW (lpString="|ed|") returned 4 [0133.403] lstrlenW (lpString="|rl|") returned 4 [0133.403] StrStrIW (lpFirst="|ed|", lpSrch="|rl|") returned 0x0 [0133.403] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.403] lstrlenW (lpString="it") returned 2 [0133.403] lstrlenW (lpString="it") returned 2 [0133.403] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.403] lstrlenW (lpString="rl") returned 2 [0133.403] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.403] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|it|") returned 4 [0133.403] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.403] lstrlenW (lpString="|it|") returned 4 [0133.403] lstrlenW (lpString="|rl|") returned 4 [0133.403] StrStrIW (lpFirst="|it|", lpSrch="|rl|") returned 0x0 [0133.403] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.403] lstrlenW (lpString="et") returned 2 [0133.403] lstrlenW (lpString="et") returned 2 [0133.403] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.404] lstrlenW (lpString="rl") returned 2 [0133.404] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.404] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|et|") returned 4 [0133.404] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.404] lstrlenW (lpString="|et|") returned 4 [0133.404] lstrlenW (lpString="|rl|") returned 4 [0133.404] StrStrIW (lpFirst="|et|", lpSrch="|rl|") returned 0x0 [0133.404] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.404] lstrlenW (lpString="k") returned 1 [0133.404] lstrlenW (lpString="k") returned 1 [0133.404] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.404] lstrlenW (lpString="rl") returned 2 [0133.404] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.404] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|k|") returned 3 [0133.404] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.404] lstrlenW (lpString="|k|") returned 3 [0133.404] lstrlenW (lpString="|rl|") returned 4 [0133.404] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.404] lstrlenW (lpString="du") returned 2 [0133.404] lstrlenW (lpString="du") returned 2 [0133.404] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.404] lstrlenW (lpString="rl") returned 2 [0133.405] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.405] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|du|") returned 4 [0133.405] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.405] lstrlenW (lpString="|du|") returned 4 [0133.405] lstrlenW (lpString="|rl|") returned 4 [0133.405] StrStrIW (lpFirst="|du|", lpSrch="|rl|") returned 0x0 [0133.405] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.405] lstrlenW (lpString="ri") returned 2 [0133.405] lstrlenW (lpString="ri") returned 2 [0133.405] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.405] lstrlenW (lpString="rl") returned 2 [0133.405] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.405] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|ri|") returned 4 [0133.405] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.405] lstrlenW (lpString="|ri|") returned 4 [0133.405] lstrlenW (lpString="|rl|") returned 4 [0133.405] StrStrIW (lpFirst="|ri|", lpSrch="|rl|") returned 0x0 [0133.405] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.405] lstrlenW (lpString="z") returned 1 [0133.405] lstrlenW (lpString="z") returned 1 [0133.405] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.405] lstrlenW (lpString="rl") returned 2 [0133.405] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.405] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|z|") returned 3 [0133.405] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.406] lstrlenW (lpString="|z|") returned 3 [0133.406] lstrlenW (lpString="|rl|") returned 4 [0133.406] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.406] lstrlenW (lpString="f") returned 1 [0133.406] lstrlenW (lpString="f") returned 1 [0133.406] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.406] lstrlenW (lpString="rl") returned 2 [0133.406] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.406] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.406] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.406] lstrlenW (lpString="|f|") returned 3 [0133.406] lstrlenW (lpString="|rl|") returned 4 [0133.406] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.406] lstrlenW (lpString="v1") returned 2 [0133.406] lstrlenW (lpString="v1") returned 2 [0133.406] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.406] lstrlenW (lpString="rl") returned 2 [0133.406] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.406] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|v1|") returned 4 [0133.406] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.406] lstrlenW (lpString="|v1|") returned 4 [0133.406] lstrlenW (lpString="|rl|") returned 4 [0133.406] StrStrIW (lpFirst="|v1|", lpSrch="|rl|") returned 0x0 [0133.406] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.407] lstrlenW (lpString="xml") returned 3 [0133.407] lstrlenW (lpString="xml") returned 3 [0133.407] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.407] lstrlenW (lpString="rl") returned 2 [0133.407] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.407] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|xml|") returned 5 [0133.407] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.407] lstrlenW (lpString="|xml|") returned 5 [0133.407] lstrlenW (lpString="|rl|") returned 4 [0133.407] StrStrIW (lpFirst="|xml|", lpSrch="|rl|") returned 0x0 [0133.407] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.407] lstrlenW (lpString="ec") returned 2 [0133.407] lstrlenW (lpString="ec") returned 2 [0133.407] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.407] lstrlenW (lpString="rl") returned 2 [0133.407] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.407] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|ec|") returned 4 [0133.407] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.407] lstrlenW (lpString="|ec|") returned 4 [0133.407] lstrlenW (lpString="|rl|") returned 4 [0133.407] StrStrIW (lpFirst="|ec|", lpSrch="|rl|") returned 0x0 [0133.407] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.407] lstrlenW (lpString="rl") returned 2 [0133.407] lstrlenW (lpString="rl") returned 2 [0133.408] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.408] lstrlenW (lpString="rl") returned 2 [0133.408] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.408] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.408] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rl|") returned 4 [0133.408] lstrlenW (lpString="|rl|") returned 4 [0133.408] lstrlenW (lpString="|rl|") returned 4 [0133.408] StrStrIW (lpFirst="|rl|", lpSrch="|rl|") returned="|rl|" [0133.408] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.408] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.408] lstrlenW (lpString="HIGHEST") returned 7 [0133.408] lstrlenW (lpString="-/") returned 2 [0133.408] StrChrIW (lpStart="-/", wMatch=0x48) returned 0x0 [0133.408] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.408] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.408] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.408] lstrlenW (lpString="HIGHEST") returned 7 [0133.408] StrChrIW (lpStart="HIGHEST", wMatch=0x3a) returned 0x0 [0133.408] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.408] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.408] _memicmp (_Buf1=0x10a9d0, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.408] lstrlenW (lpString="HIGHEST") returned 7 [0133.408] lstrlenW (lpString="HIGHEST") returned 7 [0133.408] lstrlenW (lpString=" \x09") returned 2 [0133.408] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0133.408] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0133.408] StrChrW (lpStart=" \x09", wMatch=0x49) returned 0x0 [0133.408] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0133.409] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0133.409] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0133.409] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0133.409] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0133.409] GetLastError () returned 0x0 [0133.409] lstrlenW (lpString="HIGHEST") returned 7 [0133.409] lstrlenW (lpString="HIGHEST") returned 7 [0133.409] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.409] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.409] lstrlenW (lpString="/f") returned 2 [0133.409] lstrlenW (lpString="-/") returned 2 [0133.409] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0133.409] lstrlenW (lpString="create") returned 6 [0133.409] lstrlenW (lpString="create") returned 6 [0133.409] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.409] lstrlenW (lpString="f") returned 1 [0133.409] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.409] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|create|") returned 8 [0133.409] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.409] lstrlenW (lpString="|create|") returned 8 [0133.409] lstrlenW (lpString="|f|") returned 3 [0133.409] StrStrIW (lpFirst="|create|", lpSrch="|f|") returned 0x0 [0133.409] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.409] lstrlenW (lpString="?") returned 1 [0133.410] lstrlenW (lpString="?") returned 1 [0133.410] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.410] lstrlenW (lpString="f") returned 1 [0133.410] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.410] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|?|") returned 3 [0133.410] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.410] lstrlenW (lpString="|?|") returned 3 [0133.410] lstrlenW (lpString="|f|") returned 3 [0133.410] StrStrIW (lpFirst="|?|", lpSrch="|f|") returned 0x0 [0133.410] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.410] lstrlenW (lpString="s") returned 1 [0133.410] lstrlenW (lpString="s") returned 1 [0133.410] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.410] lstrlenW (lpString="f") returned 1 [0133.410] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.410] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|s|") returned 3 [0133.410] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.410] lstrlenW (lpString="|s|") returned 3 [0133.410] lstrlenW (lpString="|f|") returned 3 [0133.410] StrStrIW (lpFirst="|s|", lpSrch="|f|") returned 0x0 [0133.410] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.410] lstrlenW (lpString="u") returned 1 [0133.410] lstrlenW (lpString="u") returned 1 [0133.410] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.410] lstrlenW (lpString="f") returned 1 [0133.410] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.410] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|u|") returned 3 [0133.410] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.410] lstrlenW (lpString="|u|") returned 3 [0133.411] lstrlenW (lpString="|f|") returned 3 [0133.411] StrStrIW (lpFirst="|u|", lpSrch="|f|") returned 0x0 [0133.411] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.411] lstrlenW (lpString="p") returned 1 [0133.411] lstrlenW (lpString="p") returned 1 [0133.411] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.411] lstrlenW (lpString="f") returned 1 [0133.411] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.411] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|p|") returned 3 [0133.411] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.411] lstrlenW (lpString="|p|") returned 3 [0133.411] lstrlenW (lpString="|f|") returned 3 [0133.411] StrStrIW (lpFirst="|p|", lpSrch="|f|") returned 0x0 [0133.411] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.411] lstrlenW (lpString="ru") returned 2 [0133.412] lstrlenW (lpString="ru") returned 2 [0133.412] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.413] lstrlenW (lpString="f") returned 1 [0133.413] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.413] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|ru|") returned 4 [0133.413] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.413] lstrlenW (lpString="|ru|") returned 4 [0133.413] lstrlenW (lpString="|f|") returned 3 [0133.413] StrStrIW (lpFirst="|ru|", lpSrch="|f|") returned 0x0 [0133.413] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.413] lstrlenW (lpString="rp") returned 2 [0133.413] lstrlenW (lpString="rp") returned 2 [0133.413] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.413] lstrlenW (lpString="f") returned 1 [0133.413] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.413] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|rp|") returned 4 [0133.413] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.413] lstrlenW (lpString="|rp|") returned 4 [0133.413] lstrlenW (lpString="|f|") returned 3 [0133.413] StrStrIW (lpFirst="|rp|", lpSrch="|f|") returned 0x0 [0133.413] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.413] lstrlenW (lpString="sc") returned 2 [0133.413] lstrlenW (lpString="sc") returned 2 [0133.413] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.413] lstrlenW (lpString="f") returned 1 [0133.413] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.413] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sc|") returned 4 [0133.413] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.414] lstrlenW (lpString="|sc|") returned 4 [0133.414] lstrlenW (lpString="|f|") returned 3 [0133.414] StrStrIW (lpFirst="|sc|", lpSrch="|f|") returned 0x0 [0133.414] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.414] lstrlenW (lpString="mo") returned 2 [0133.414] lstrlenW (lpString="mo") returned 2 [0133.414] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.414] lstrlenW (lpString="f") returned 1 [0133.414] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.414] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|mo|") returned 4 [0133.414] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.414] lstrlenW (lpString="|mo|") returned 4 [0133.414] lstrlenW (lpString="|f|") returned 3 [0133.414] StrStrIW (lpFirst="|mo|", lpSrch="|f|") returned 0x0 [0133.414] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.414] lstrlenW (lpString="d") returned 1 [0133.414] lstrlenW (lpString="d") returned 1 [0133.414] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.414] lstrlenW (lpString="f") returned 1 [0133.414] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.414] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|d|") returned 3 [0133.414] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.414] lstrlenW (lpString="|d|") returned 3 [0133.414] lstrlenW (lpString="|f|") returned 3 [0133.414] StrStrIW (lpFirst="|d|", lpSrch="|f|") returned 0x0 [0133.414] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.414] lstrlenW (lpString="m") returned 1 [0133.414] lstrlenW (lpString="m") returned 1 [0133.415] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.415] lstrlenW (lpString="f") returned 1 [0133.415] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.415] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|m|") returned 3 [0133.415] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.415] lstrlenW (lpString="|m|") returned 3 [0133.415] lstrlenW (lpString="|f|") returned 3 [0133.415] StrStrIW (lpFirst="|m|", lpSrch="|f|") returned 0x0 [0133.415] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.415] lstrlenW (lpString="i") returned 1 [0133.415] lstrlenW (lpString="i") returned 1 [0133.415] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.415] lstrlenW (lpString="f") returned 1 [0133.415] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.415] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|i|") returned 3 [0133.415] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.415] lstrlenW (lpString="|i|") returned 3 [0133.415] lstrlenW (lpString="|f|") returned 3 [0133.415] StrStrIW (lpFirst="|i|", lpSrch="|f|") returned 0x0 [0133.415] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.415] lstrlenW (lpString="tn") returned 2 [0133.415] lstrlenW (lpString="tn") returned 2 [0133.415] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.415] lstrlenW (lpString="f") returned 1 [0133.415] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.415] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tn|") returned 4 [0133.415] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.416] lstrlenW (lpString="|tn|") returned 4 [0133.416] lstrlenW (lpString="|f|") returned 3 [0133.416] StrStrIW (lpFirst="|tn|", lpSrch="|f|") returned 0x0 [0133.416] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.416] lstrlenW (lpString="tr") returned 2 [0133.416] lstrlenW (lpString="tr") returned 2 [0133.416] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.416] lstrlenW (lpString="f") returned 1 [0133.416] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.416] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|tr|") returned 4 [0133.416] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.416] lstrlenW (lpString="|tr|") returned 4 [0133.416] lstrlenW (lpString="|f|") returned 3 [0133.416] StrStrIW (lpFirst="|tr|", lpSrch="|f|") returned 0x0 [0133.416] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.416] lstrlenW (lpString="st") returned 2 [0133.416] lstrlenW (lpString="st") returned 2 [0133.416] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.416] lstrlenW (lpString="f") returned 1 [0133.416] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.416] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|st|") returned 4 [0133.416] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.416] lstrlenW (lpString="|st|") returned 4 [0133.416] lstrlenW (lpString="|f|") returned 3 [0133.416] StrStrIW (lpFirst="|st|", lpSrch="|f|") returned 0x0 [0133.416] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.416] lstrlenW (lpString="sd") returned 2 [0133.416] lstrlenW (lpString="sd") returned 2 [0133.416] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.417] lstrlenW (lpString="f") returned 1 [0133.417] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.417] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|sd|") returned 4 [0133.417] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.417] lstrlenW (lpString="|sd|") returned 4 [0133.417] lstrlenW (lpString="|f|") returned 3 [0133.417] StrStrIW (lpFirst="|sd|", lpSrch="|f|") returned 0x0 [0133.417] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.417] lstrlenW (lpString="ed") returned 2 [0133.417] lstrlenW (lpString="ed") returned 2 [0133.417] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.417] lstrlenW (lpString="f") returned 1 [0133.417] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.417] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|ed|") returned 4 [0133.417] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.417] lstrlenW (lpString="|ed|") returned 4 [0133.417] lstrlenW (lpString="|f|") returned 3 [0133.417] StrStrIW (lpFirst="|ed|", lpSrch="|f|") returned 0x0 [0133.417] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.417] lstrlenW (lpString="it") returned 2 [0133.417] lstrlenW (lpString="it") returned 2 [0133.417] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.417] lstrlenW (lpString="f") returned 1 [0133.417] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.417] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|it|") returned 4 [0133.417] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.418] lstrlenW (lpString="|it|") returned 4 [0133.418] lstrlenW (lpString="|f|") returned 3 [0133.418] StrStrIW (lpFirst="|it|", lpSrch="|f|") returned 0x0 [0133.418] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.418] lstrlenW (lpString="et") returned 2 [0133.418] lstrlenW (lpString="et") returned 2 [0133.418] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.418] lstrlenW (lpString="f") returned 1 [0133.418] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.418] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|et|") returned 4 [0133.418] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.418] lstrlenW (lpString="|et|") returned 4 [0133.418] lstrlenW (lpString="|f|") returned 3 [0133.418] StrStrIW (lpFirst="|et|", lpSrch="|f|") returned 0x0 [0133.418] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.418] lstrlenW (lpString="k") returned 1 [0133.418] lstrlenW (lpString="k") returned 1 [0133.418] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.418] lstrlenW (lpString="f") returned 1 [0133.418] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.418] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|k|") returned 3 [0133.418] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.418] lstrlenW (lpString="|k|") returned 3 [0133.419] lstrlenW (lpString="|f|") returned 3 [0133.419] StrStrIW (lpFirst="|k|", lpSrch="|f|") returned 0x0 [0133.419] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.419] lstrlenW (lpString="du") returned 2 [0133.419] lstrlenW (lpString="du") returned 2 [0133.419] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.419] lstrlenW (lpString="f") returned 1 [0133.419] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.419] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|du|") returned 4 [0133.419] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.419] lstrlenW (lpString="|du|") returned 4 [0133.419] lstrlenW (lpString="|f|") returned 3 [0133.419] StrStrIW (lpFirst="|du|", lpSrch="|f|") returned 0x0 [0133.419] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.419] lstrlenW (lpString="ri") returned 2 [0133.419] lstrlenW (lpString="ri") returned 2 [0133.419] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.419] lstrlenW (lpString="f") returned 1 [0133.419] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.419] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|ri|") returned 4 [0133.419] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.419] lstrlenW (lpString="|ri|") returned 4 [0133.419] lstrlenW (lpString="|f|") returned 3 [0133.419] StrStrIW (lpFirst="|ri|", lpSrch="|f|") returned 0x0 [0133.419] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.419] lstrlenW (lpString="z") returned 1 [0133.419] lstrlenW (lpString="z") returned 1 [0133.419] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.419] lstrlenW (lpString="f") returned 1 [0133.420] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.420] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|z|") returned 3 [0133.420] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.420] lstrlenW (lpString="|z|") returned 3 [0133.420] lstrlenW (lpString="|f|") returned 3 [0133.420] StrStrIW (lpFirst="|z|", lpSrch="|f|") returned 0x0 [0133.420] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.420] lstrlenW (lpString="f") returned 1 [0133.420] lstrlenW (lpString="f") returned 1 [0133.420] _memicmp (_Buf1=0x103f50, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.420] lstrlenW (lpString="f") returned 1 [0133.420] _memicmp (_Buf1=0x103f90, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.420] _vsnwprintf (in: _Buffer=0x1042c0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.420] _vsnwprintf (in: _Buffer=0x103fb0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xcc898 | out: _Buffer="|f|") returned 3 [0133.420] lstrlenW (lpString="|f|") returned 3 [0133.420] lstrlenW (lpString="|f|") returned 3 [0133.420] StrStrIW (lpFirst="|f|", lpSrch="|f|") returned="|f|" [0133.420] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.420] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.420] GetProcessHeap () returned 0x100000 [0133.420] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b700 [0133.420] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.420] LoadStringW (in: hInstance=0x0, uID=0x20d, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="LIMITED") returned 0x7 [0133.420] lstrlenW (lpString="LIMITED") returned 7 [0133.420] GetProcessHeap () returned 0x100000 [0133.420] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x10) returned 0x10a930 [0133.420] GetThreadLocale () returned 0x409 [0133.420] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="HIGHEST", cchCount1=-1, lpString2="LIMITED", cchCount2=-1) returned 1 [0133.420] GetProcessHeap () returned 0x100000 [0133.421] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b820 [0133.421] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.421] LoadStringW (in: hInstance=0x0, uID=0x20e, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="HIGHEST") returned 0x7 [0133.421] lstrlenW (lpString="HIGHEST") returned 7 [0133.421] GetProcessHeap () returned 0x100000 [0133.421] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x10) returned 0x10a9f0 [0133.421] GetThreadLocale () returned 0x409 [0133.421] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="HIGHEST", cchCount1=-1, lpString2="HIGHEST", cchCount2=-1) returned 2 [0133.421] GetProcessHeap () returned 0x100000 [0133.421] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b850 [0133.421] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.421] LoadStringW (in: hInstance=0x0, uID=0x1ae, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="MINUTE") returned 0x6 [0133.421] lstrlenW (lpString="MINUTE") returned 6 [0133.421] GetProcessHeap () returned 0x100000 [0133.421] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0xe) returned 0x10aaf0 [0133.421] GetThreadLocale () returned 0x409 [0133.421] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONLOGON", cchCount1=-1, lpString2="MINUTE", cchCount2=-1) returned 3 [0133.421] GetProcessHeap () returned 0x100000 [0133.421] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b520 [0133.421] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.421] LoadStringW (in: hInstance=0x0, uID=0x1af, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="HOURLY") returned 0x6 [0133.421] lstrlenW (lpString="HOURLY") returned 6 [0133.421] GetProcessHeap () returned 0x100000 [0133.421] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0xe) returned 0x10aab0 [0133.421] GetThreadLocale () returned 0x409 [0133.421] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONLOGON", cchCount1=-1, lpString2="HOURLY", cchCount2=-1) returned 3 [0133.421] GetProcessHeap () returned 0x100000 [0133.421] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b730 [0133.421] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.422] LoadStringW (in: hInstance=0x0, uID=0x1b0, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="DAILY") returned 0x5 [0133.422] lstrlenW (lpString="DAILY") returned 5 [0133.422] GetProcessHeap () returned 0x100000 [0133.422] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0xc) returned 0x10aa50 [0133.422] GetThreadLocale () returned 0x409 [0133.422] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONLOGON", cchCount1=-1, lpString2="DAILY", cchCount2=-1) returned 3 [0133.422] GetProcessHeap () returned 0x100000 [0133.422] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b9d0 [0133.422] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.422] LoadStringW (in: hInstance=0x0, uID=0x1b1, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="WEEKLY") returned 0x6 [0133.422] lstrlenW (lpString="WEEKLY") returned 6 [0133.422] GetProcessHeap () returned 0x100000 [0133.422] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0xe) returned 0x10a950 [0133.422] GetThreadLocale () returned 0x409 [0133.422] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONLOGON", cchCount1=-1, lpString2="WEEKLY", cchCount2=-1) returned 1 [0133.422] GetProcessHeap () returned 0x100000 [0133.422] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x20) returned 0x10b3a0 [0133.422] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.422] LoadStringW (in: hInstance=0x0, uID=0x1b2, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="MONTHLY") returned 0x7 [0133.422] lstrlenW (lpString="MONTHLY") returned 7 [0133.422] GetProcessHeap () returned 0x100000 [0133.422] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x10) returned 0x10a8b0 [0133.422] GetThreadLocale () returned 0x409 [0133.422] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONLOGON", cchCount1=-1, lpString2="MONTHLY", cchCount2=-1) returned 3 [0133.422] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.422] LoadStringW (in: hInstance=0x0, uID=0x1b3, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="ONCE") returned 0x4 [0133.422] lstrlenW (lpString="ONCE") returned 4 [0133.423] GetProcessHeap () returned 0x100000 [0133.423] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0xa) returned 0x10ab70 [0133.423] GetThreadLocale () returned 0x409 [0133.423] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONLOGON", cchCount1=-1, lpString2="ONCE", cchCount2=-1) returned 3 [0133.423] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.423] LoadStringW (in: hInstance=0x0, uID=0x1b4, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="ONSTART") returned 0x7 [0133.423] lstrlenW (lpString="ONSTART") returned 7 [0133.423] GetThreadLocale () returned 0x409 [0133.423] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONLOGON", cchCount1=-1, lpString2="ONSTART", cchCount2=-1) returned 1 [0133.423] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.423] LoadStringW (in: hInstance=0x0, uID=0x1b5, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="ONLOGON") returned 0x7 [0133.423] lstrlenW (lpString="ONLOGON") returned 7 [0133.423] GetThreadLocale () returned 0x409 [0133.423] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONLOGON", cchCount1=-1, lpString2="ONLOGON", cchCount2=-1) returned 2 [0133.423] RtlRestoreLastWin32Error () returned 0x3f7000 [0133.423] GetProcessHeap () returned 0x100000 [0133.423] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x1fc) returned 0x10ac70 [0133.423] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.423] LoadStringW (in: hInstance=0x0, uID=0x1d7, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="First") returned 0x5 [0133.423] lstrlenW (lpString="First") returned 5 [0133.424] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.424] LoadStringW (in: hInstance=0x0, uID=0x1d8, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="Second") returned 0x6 [0133.424] lstrlenW (lpString="Second") returned 6 [0133.424] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.424] LoadStringW (in: hInstance=0x0, uID=0x1d9, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="Third") returned 0x5 [0133.424] lstrlenW (lpString="Third") returned 5 [0133.424] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.424] LoadStringW (in: hInstance=0x0, uID=0x1da, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="Fourth") returned 0x6 [0133.424] lstrlenW (lpString="Fourth") returned 6 [0133.424] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.424] LoadStringW (in: hInstance=0x0, uID=0x1db, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="Last") returned 0x4 [0133.424] lstrlenW (lpString="Last") returned 4 [0133.424] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.424] LoadStringW (in: hInstance=0x0, uID=0x1d7, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="First") returned 0x5 [0133.424] lstrlenW (lpString="First") returned 5 [0133.424] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.424] LoadStringW (in: hInstance=0x0, uID=0x1d8, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="Second") returned 0x6 [0133.424] lstrlenW (lpString="Second") returned 6 [0133.424] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.424] LoadStringW (in: hInstance=0x0, uID=0x1d9, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="Third") returned 0x5 [0133.424] lstrlenW (lpString="Third") returned 5 [0133.424] GetProcessHeap () returned 0x100000 [0133.424] GetProcessHeap () returned 0x100000 [0133.424] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10ab70) returned 1 [0133.424] GetProcessHeap () returned 0x100000 [0133.424] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10ab70) returned 0xa [0133.425] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10ab70) returned 1 [0133.425] GetProcessHeap () returned 0x100000 [0133.425] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0xc) returned 0x10aa10 [0133.425] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.425] LoadStringW (in: hInstance=0x0, uID=0x1da, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="Fourth") returned 0x6 [0133.425] lstrlenW (lpString="Fourth") returned 6 [0133.425] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.425] LoadStringW (in: hInstance=0x0, uID=0x1db, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="Last") returned 0x4 [0133.425] lstrlenW (lpString="Last") returned 4 [0133.426] GetLocaleInfoW (in: Locale=0x400, LCType=0x21, lpLCData=0xcc6f0, cchData=128 | out: lpLCData="0") returned 2 [0133.426] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.426] LoadStringW (in: hInstance=0x0, uID=0x19c, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="mm/dd/yyyy") returned 0xa [0133.426] lstrlenW (lpString="mm/dd/yyyy") returned 10 [0133.426] GetProcessHeap () returned 0x100000 [0133.426] GetProcessHeap () returned 0x100000 [0133.426] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10a930) returned 1 [0133.426] GetProcessHeap () returned 0x100000 [0133.426] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10a930) returned 0x10 [0133.426] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10a930) returned 1 [0133.426] GetProcessHeap () returned 0x100000 [0133.426] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x16) returned 0x10a970 [0133.426] GetLocaleInfoW (in: Locale=0x400, LCType=0x21, lpLCData=0xcc710, cchData=128 | out: lpLCData="0") returned 2 [0133.426] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0133.426] LoadStringW (in: hInstance=0x0, uID=0x19c, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="mm/dd/yyyy") returned 0xa [0133.426] lstrlenW (lpString="mm/dd/yyyy") returned 10 [0133.426] GetProcessHeap () returned 0x100000 [0133.426] GetProcessHeap () returned 0x100000 [0133.426] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10a9f0) returned 1 [0133.426] GetProcessHeap () returned 0x100000 [0133.426] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10a9f0) returned 0x10 [0133.426] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10a9f0) returned 1 [0133.426] GetProcessHeap () returned 0x100000 [0133.426] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x16) returned 0x10abd0 [0133.427] GetLocalTime (in: lpSystemTime=0xcc948 | out: lpSystemTime=0xcc948*(wYear=0x7e6, wMonth=0x8, wDayOfWeek=0x5, wDay=0x5, wHour=0xe, wMinute=0x13, wSecond=0xb, wMilliseconds=0x2c9)) [0133.427] GetLocalTime (in: lpSystemTime=0xcd338 | out: lpSystemTime=0xcd338*(wYear=0x7e6, wMonth=0x8, wDayOfWeek=0x5, wDay=0x5, wHour=0xe, wMinute=0x13, wSecond=0xb, wMilliseconds=0x2c9)) [0133.427] lstrlenW (lpString="") returned 0 [0133.427] lstrlenW (lpString="") returned 0 [0133.427] lstrlenW (lpString="") returned 0 [0133.427] lstrlenW (lpString="") returned 0 [0133.427] lstrlenW (lpString="") returned 0 [0133.427] lstrlenW (lpString="") returned 0 [0133.427] lstrlenW (lpString="") returned 0 [0133.428] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0133.437] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0133.467] CoCreateInstance (in: rclsid=0x7ff664e19e68*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x7ff664e19e78*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0xcd090 | out: ppv=0xcd090*=0x655830) returned 0x0 [0134.191] TaskScheduler:ITaskService:Connect (This=0x655830, serverName=0xcd180*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0xcd150*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), domain=0xcd130*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0xcd110*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0 [0134.334] TaskScheduler:ITaskService:GetFolder (in: This=0x655830, Path=0x0, ppFolder=0xcd270 | out: ppFolder=0xcd270*=0x656f20) returned 0x0 [0134.336] TaskScheduler:ITaskService:NewTask (in: This=0x655830, flags=0x0, ppDefinition=0xcd248 | out: ppDefinition=0xcd248*=0x655980) returned 0x0 [0134.337] ITaskDefinition:get_Actions (in: This=0x655980, ppActions=0xcd190 | out: ppActions=0xcd190*=0x655a10) returned 0x0 [0134.338] IActionCollection:Create (in: This=0x655a10, Type=0, ppAction=0xcd1d0 | out: ppAction=0xcd1d0*=0x655e20) returned 0x0 [0134.339] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0134.339] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0134.339] lstrlenW (lpString=" ") returned 1 [0134.339] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x3a) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x55) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x72) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x52) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x44) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x68) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x4a) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x4e) returned 0x0 [0134.339] StrChrW (lpStart=" ", wMatch=0x46) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x76) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x7a) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x58) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x44) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x6b) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x6f) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x70) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x37) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x34) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x36) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x33) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x34) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x63) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0134.340] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x33) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x31) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x38) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x63) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x38) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x66) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x38) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x34) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x63) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x33) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x36) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x66) returned 0x0 [0134.341] StrChrW (lpStart=" ", wMatch=0x35) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x32) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x35) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x33) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x66) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x66) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x38) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x33) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x36) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x63) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x35) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x36) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x36) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x35) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x34) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x32) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x63) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x36) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x35) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x31) returned 0x0 [0134.342] StrChrW (lpStart=" ", wMatch=0x34) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x62) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x31) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x37) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x62) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x34) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x62) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x38) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x32) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x34) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x2e) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0 [0134.343] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0134.343] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe") returned 98 [0134.343] StrChrIW (lpStart="C:\\Users\\RDhJ0CNFevzX\\Desktop\\740634ecedd318ac8f84c360f5d253ff836c5e60da6542c65a140b17b4ba8024.exe", wMatch=0x20) returned 0x0 [0134.343] RtlRestoreLastWin32Error () returned 0x3f7000 [0134.344] IUnknown:Release (This=0x655e20) returned 0x1 [0134.344] IUnknown:Release (This=0x655a10) returned 0x1 [0134.344] ITaskDefinition:get_Triggers (in: This=0x655980, ppTriggers=0xccd40 | out: ppTriggers=0xccd40*=0x655cd0) returned 0x0 [0134.344] ITriggerCollection:Create (in: This=0x655cd0, Type=9, ppTrigger=0xccd28 | out: ppTrigger=0xccd28*=0x655e90) returned 0x0 [0134.345] IUnknown:QueryInterface (in: This=0x655e90, riid=0x7ff664e18a30*(Data1=0x72dade38, Data2=0xfae4, Data3=0x4b3e, Data4=([0]=0xba, [1]=0xf4, [2]=0x5d, [3]=0x0, [4]=0x9a, [5]=0xf0, [6]=0x2b, [7]=0x1c)), ppvObject=0xccd20 | out: ppvObject=0xccd20*=0x655e90) returned 0x0 [0134.345] IUnknown:Release (This=0x655e90) returned 0x2 [0134.346] _vsnwprintf (in: _Buffer=0xccc70, _BufferCount=0x1f, _Format="%04u-%02u-%02dT%02u:%02u:00", _ArgList=0xccc48 | out: _Buffer="2022-08-05T14:19:00") returned 19 [0134.346] ITrigger:put_StartBoundary (This=0x655e90, StartBoundary="2022-08-05T14:19:00") returned 0x0 [0134.346] lstrlenW (lpString="") returned 0 [0134.346] lstrlenW (lpString="") returned 0 [0134.346] lstrlenW (lpString="") returned 0 [0134.346] lstrlenW (lpString="") returned 0 [0134.347] IUnknown:Release (This=0x655e90) returned 0x1 [0134.347] IUnknown:Release (This=0x655cd0) returned 0x1 [0134.347] ITaskDefinition:get_Settings (in: This=0x655980, ppSettings=0xcd1d0 | out: ppSettings=0xcd1d0*=0x655b50) returned 0x0 [0134.347] lstrlenW (lpString="") returned 0 [0134.347] IUnknown:Release (This=0x655b50) returned 0x3 [0134.347] GetLocalTime (in: lpSystemTime=0xcd088 | out: lpSystemTime=0xcd088*(wYear=0x7e6, wMonth=0x8, wDayOfWeek=0x5, wDay=0x5, wHour=0xe, wMinute=0x13, wSecond=0xc, wMilliseconds=0x26b)) [0134.347] ResolveDelayLoadedAPI () returned 0x7ffa12a13fa0 [0134.348] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0xcd0a0, nSize=0xcd078 | out: lpNameBuffer="XC64ZB\\RDhJ0CNFevzX", nSize=0xcd078) returned 0x1 [0134.348] ITaskDefinition:get_RegistrationInfo (in: This=0x655980, ppRegistrationInfo=0xcd070 | out: ppRegistrationInfo=0xcd070*=0x655a90) returned 0x0 [0134.349] IRegistrationInfo:put_Author (This=0x655a90, Author="XC64ZB\\RDhJ0CNFevzX") returned 0x0 [0134.349] _vsnwprintf (in: _Buffer=0xcd0a0, _BufferCount=0x7f, _Format="%d-%02d-%02dT%02d:%02d:%02d", _ArgList=0xcd038 | out: _Buffer="2022-08-05T14:19:12") returned 19 [0134.349] IRegistrationInfo:put_Date (This=0x655a90, Date="2022-08-05T14:19:12") returned 0x0 [0134.349] IUnknown:Release (This=0x655a90) returned 0x1 [0134.350] malloc (_Size=0x18) returned 0x655fb0 [0134.350] free (_Block=0x655fb0) [0134.350] lstrlenW (lpString="") returned 0 [0134.350] ITaskDefinition:get_Principal (in: This=0x655980, ppPrincipal=0xcd238 | out: ppPrincipal=0xcd238*=0x655d40) returned 0x0 [0134.350] IPrincipal:put_RunLevel (This=0x655d40, RunLevel=1) returned 0x0 [0134.350] IUnknown:Release (This=0x655d40) returned 0x1 [0134.351] malloc (_Size=0x18) returned 0x655fb0 [0134.351] ITaskFolder:RegisterTaskDefinition (in: This=0x656f20, Path="Google Update", pDefinition=0x655980, flags=6, UserId=0xcd2e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0xcd2c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), LogonType=3, sddl=0xcd300*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), ppTask=0xcd2a0 | out: ppTask=0xcd2a0*=0x656fd0) returned 0x0 [0135.639] free (_Block=0x655fb0) [0135.639] _memicmp (_Buf1=0x104870, _Buf2=0x7ff664e19eb0, _Size=0x7) returned 0 [0135.640] LoadStringW (in: hInstance=0x0, uID=0x12e, lpBuffer=0x10bb30, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 0x40 [0135.640] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 64 [0135.640] GetProcessHeap () returned 0x100000 [0135.640] GetProcessHeap () returned 0x100000 [0135.640] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10aaf0) returned 1 [0135.640] GetProcessHeap () returned 0x100000 [0135.640] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10aaf0) returned 0xe [0135.640] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10aaf0) returned 1 [0135.640] GetProcessHeap () returned 0x100000 [0135.640] RtlAllocateHeap (HeapHandle=0x100000, Flags=0xc, Size=0x82) returned 0x11f160 [0135.640] _vsnwprintf (in: _Buffer=0xcd950, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" has successfully been created.\n", _ArgList=0xcd1e8 | out: _Buffer="SUCCESS: The scheduled task \"Google Update\" has successfully been created.\n") returned 75 [0135.640] __iob_func () returned 0x7ffa13d4e210 [0135.640] _fileno (_File=0x7ffa13d4e240) returned 1 [0135.640] _errno () returned 0x650840 [0135.640] _get_osfhandle (_FileHandle=1) returned 0x24 [0135.641] _errno () returned 0x650840 [0135.641] GetFileType (hFile=0x24) returned 0x2 [0135.641] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0135.641] GetFileType (hFile=0x24) returned 0x2 [0135.641] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0xcd160 | out: lpMode=0xcd160) returned 1 [0135.745] __iob_func () returned 0x7ffa13d4e210 [0135.745] GetStdHandle (nStdHandle=0xfffffff5) returned 0x24 [0135.745] lstrlenW (lpString="SUCCESS: The scheduled task \"Google Update\" has successfully been created.\n") returned 75 [0135.745] WriteConsoleW (in: hConsoleOutput=0x24, lpBuffer=0xcd950*, nNumberOfCharsToWrite=0x4b, lpNumberOfCharsWritten=0xcd1d0, lpReserved=0x0 | out: lpBuffer=0xcd950*, lpNumberOfCharsWritten=0xcd1d0*=0x4b) returned 1 [0135.797] IUnknown:Release (This=0x656fd0) returned 0x0 [0135.797] TaskScheduler:IUnknown:Release (This=0x655980) returned 0x0 [0135.797] TaskScheduler:IUnknown:Release (This=0x656f20) returned 0x0 [0135.797] TaskScheduler:IUnknown:Release (This=0x655830) returned 0x0 [0135.797] lstrlenW (lpString="") returned 0 [0135.797] GetProcessHeap () returned 0x100000 [0135.797] GetProcessHeap () returned 0x100000 [0135.797] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10ac70) returned 1 [0135.797] GetProcessHeap () returned 0x100000 [0135.797] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10ac70) returned 0x1fc [0135.798] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10ac70) returned 1 [0135.798] GetProcessHeap () returned 0x100000 [0135.798] GetProcessHeap () returned 0x100000 [0135.798] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10a990) returned 1 [0135.798] GetProcessHeap () returned 0x100000 [0135.798] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10a990) returned 0x16 [0135.798] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10a990) returned 1 [0135.798] GetProcessHeap () returned 0x100000 [0135.798] GetProcessHeap () returned 0x100000 [0135.798] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10ab10) returned 1 [0135.798] GetProcessHeap () returned 0x100000 [0135.798] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10ab10) returned 0x18 [0135.799] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10ab10) returned 1 [0135.799] GetProcessHeap () returned 0x100000 [0135.799] GetProcessHeap () returned 0x100000 [0135.799] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b790) returned 1 [0135.799] GetProcessHeap () returned 0x100000 [0135.799] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b790) returned 0x20 [0135.799] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b790) returned 1 [0135.799] GetProcessHeap () returned 0x100000 [0135.799] GetProcessHeap () returned 0x100000 [0135.799] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x1038d0) returned 1 [0135.799] GetProcessHeap () returned 0x100000 [0135.799] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x1038d0) returned 0xa0 [0135.799] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x1038d0) returned 1 [0135.800] GetProcessHeap () returned 0x100000 [0135.800] GetProcessHeap () returned 0x100000 [0135.800] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104850) returned 1 [0135.800] GetProcessHeap () returned 0x100000 [0135.800] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104850) returned 0x18 [0135.800] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104850) returned 1 [0135.800] GetProcessHeap () returned 0x100000 [0135.800] GetProcessHeap () returned 0x100000 [0135.800] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b550) returned 1 [0135.800] GetProcessHeap () returned 0x100000 [0135.800] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b550) returned 0x20 [0135.800] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b550) returned 1 [0135.800] GetProcessHeap () returned 0x100000 [0135.800] GetProcessHeap () returned 0x100000 [0135.800] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10c000) returned 1 [0135.800] GetProcessHeap () returned 0x100000 [0135.800] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10c000) returned 0xc6 [0135.801] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10c000) returned 1 [0135.801] GetProcessHeap () returned 0x100000 [0135.801] GetProcessHeap () returned 0x100000 [0135.801] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10a9d0) returned 1 [0135.801] GetProcessHeap () returned 0x100000 [0135.801] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10a9d0) returned 0x18 [0135.801] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10a9d0) returned 1 [0135.801] GetProcessHeap () returned 0x100000 [0135.801] GetProcessHeap () returned 0x100000 [0135.801] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b6a0) returned 1 [0135.801] GetProcessHeap () returned 0x100000 [0135.801] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b6a0) returned 0x20 [0135.801] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b6a0) returned 1 [0135.801] GetProcessHeap () returned 0x100000 [0135.802] GetProcessHeap () returned 0x100000 [0135.802] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x103ba0) returned 1 [0135.802] GetProcessHeap () returned 0x100000 [0135.802] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x103ba0) returned 0xca [0135.802] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x103ba0) returned 1 [0135.802] GetProcessHeap () returned 0x100000 [0135.802] GetProcessHeap () returned 0x100000 [0135.802] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10a9b0) returned 1 [0135.802] GetProcessHeap () returned 0x100000 [0135.802] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10a9b0) returned 0x18 [0135.802] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10a9b0) returned 1 [0135.802] GetProcessHeap () returned 0x100000 [0135.802] GetProcessHeap () returned 0x100000 [0135.803] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x109050) returned 1 [0135.803] GetProcessHeap () returned 0x100000 [0135.803] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x109050) returned 0x20 [0135.803] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x109050) returned 1 [0135.803] GetProcessHeap () returned 0x100000 [0135.803] GetProcessHeap () returned 0x100000 [0135.803] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104370) returned 1 [0135.803] GetProcessHeap () returned 0x100000 [0135.803] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104370) returned 0xc [0135.803] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104370) returned 1 [0135.803] GetProcessHeap () returned 0x100000 [0135.803] GetProcessHeap () returned 0x100000 [0135.803] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104350) returned 1 [0135.803] GetProcessHeap () returned 0x100000 [0135.803] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104350) returned 0x18 [0135.803] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104350) returned 1 [0135.803] GetProcessHeap () returned 0x100000 [0135.803] GetProcessHeap () returned 0x100000 [0135.803] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x1090b0) returned 1 [0135.804] GetProcessHeap () returned 0x100000 [0135.804] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x1090b0) returned 0x20 [0135.804] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x1090b0) returned 1 [0135.804] GetProcessHeap () returned 0x100000 [0135.804] GetProcessHeap () returned 0x100000 [0135.804] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x109b70) returned 1 [0135.804] GetProcessHeap () returned 0x100000 [0135.804] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x109b70) returned 0x208 [0135.805] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x109b70) returned 1 [0135.805] GetProcessHeap () returned 0x100000 [0135.805] GetProcessHeap () returned 0x100000 [0135.805] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104830) returned 1 [0135.805] GetProcessHeap () returned 0x100000 [0135.805] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104830) returned 0x18 [0135.805] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104830) returned 1 [0135.805] GetProcessHeap () returned 0x100000 [0135.806] GetProcessHeap () returned 0x100000 [0135.806] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x1091d0) returned 1 [0135.806] GetProcessHeap () returned 0x100000 [0135.806] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x1091d0) returned 0x20 [0135.806] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x1091d0) returned 1 [0135.806] GetProcessHeap () returned 0x100000 [0135.806] GetProcessHeap () returned 0x100000 [0135.806] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10bb30) returned 1 [0135.806] GetProcessHeap () returned 0x100000 [0135.806] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10bb30) returned 0x200 [0135.807] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10bb30) returned 1 [0135.807] GetProcessHeap () returned 0x100000 [0135.807] GetProcessHeap () returned 0x100000 [0135.807] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104870) returned 1 [0135.807] GetProcessHeap () returned 0x100000 [0135.807] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104870) returned 0x18 [0135.807] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104870) returned 1 [0135.807] GetProcessHeap () returned 0x100000 [0135.807] GetProcessHeap () returned 0x100000 [0135.807] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x108fc0) returned 1 [0135.807] GetProcessHeap () returned 0x100000 [0135.807] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x108fc0) returned 0x20 [0135.808] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x108fc0) returned 1 [0135.808] GetProcessHeap () returned 0x100000 [0135.808] GetProcessHeap () returned 0x100000 [0135.808] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x103fb0) returned 1 [0135.808] GetProcessHeap () returned 0x100000 [0135.808] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x103fb0) returned 0x14 [0135.808] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x103fb0) returned 1 [0135.808] GetProcessHeap () returned 0x100000 [0135.808] GetProcessHeap () returned 0x100000 [0135.808] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x103f90) returned 1 [0135.808] GetProcessHeap () returned 0x100000 [0135.808] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x103f90) returned 0x18 [0135.808] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x103f90) returned 1 [0135.809] GetProcessHeap () returned 0x100000 [0135.809] GetProcessHeap () returned 0x100000 [0135.809] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x109140) returned 1 [0135.809] GetProcessHeap () returned 0x100000 [0135.809] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x109140) returned 0x20 [0135.809] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x109140) returned 1 [0135.809] GetProcessHeap () returned 0x100000 [0135.809] GetProcessHeap () returned 0x100000 [0135.809] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x1042c0) returned 1 [0135.809] GetProcessHeap () returned 0x100000 [0135.809] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x1042c0) returned 0x16 [0135.810] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x1042c0) returned 1 [0135.810] GetProcessHeap () returned 0x100000 [0135.810] GetProcessHeap () returned 0x100000 [0135.810] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x103f50) returned 1 [0135.810] GetProcessHeap () returned 0x100000 [0135.810] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x103f50) returned 0x18 [0135.810] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x103f50) returned 1 [0135.810] GetProcessHeap () returned 0x100000 [0135.810] GetProcessHeap () returned 0x100000 [0135.810] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x1090e0) returned 1 [0135.810] GetProcessHeap () returned 0x100000 [0135.810] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x1090e0) returned 0x20 [0135.810] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x1090e0) returned 1 [0135.811] GetProcessHeap () returned 0x100000 [0135.811] GetProcessHeap () returned 0x100000 [0135.811] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104ad0) returned 1 [0135.811] GetProcessHeap () returned 0x100000 [0135.811] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104ad0) returned 0x2 [0135.811] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104ad0) returned 1 [0135.811] GetProcessHeap () returned 0x100000 [0135.811] GetProcessHeap () returned 0x100000 [0135.811] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104440) returned 1 [0135.811] GetProcessHeap () returned 0x100000 [0135.811] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104440) returned 0x20 [0135.812] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104440) returned 1 [0135.812] GetProcessHeap () returned 0x100000 [0135.812] GetProcessHeap () returned 0x100000 [0135.812] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104490) returned 1 [0135.812] GetProcessHeap () returned 0x100000 [0135.812] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104490) returned 0x20 [0135.812] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104490) returned 1 [0135.812] GetProcessHeap () returned 0x100000 [0135.812] GetProcessHeap () returned 0x100000 [0135.812] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x1044c0) returned 1 [0135.812] GetProcessHeap () returned 0x100000 [0135.812] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x1044c0) returned 0x20 [0135.814] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x1044c0) returned 1 [0135.814] GetProcessHeap () returned 0x100000 [0135.814] GetProcessHeap () returned 0x100000 [0135.814] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104030) returned 1 [0135.814] GetProcessHeap () returned 0x100000 [0135.814] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104030) returned 0x20 [0135.815] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104030) returned 1 [0135.815] GetProcessHeap () returned 0x100000 [0135.815] GetProcessHeap () returned 0x100000 [0135.815] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b7f0) returned 1 [0135.815] GetProcessHeap () returned 0x100000 [0135.815] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b7f0) returned 0x20 [0135.815] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b7f0) returned 1 [0135.815] GetProcessHeap () returned 0x100000 [0135.815] GetProcessHeap () returned 0x100000 [0135.815] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10aa10) returned 1 [0135.815] GetProcessHeap () returned 0x100000 [0135.815] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10aa10) returned 0xc [0135.815] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10aa10) returned 1 [0135.815] GetProcessHeap () returned 0x100000 [0135.815] GetProcessHeap () returned 0x100000 [0135.816] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b8e0) returned 1 [0135.816] GetProcessHeap () returned 0x100000 [0135.816] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b8e0) returned 0x20 [0135.816] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b8e0) returned 1 [0135.816] GetProcessHeap () returned 0x100000 [0135.816] GetProcessHeap () returned 0x100000 [0135.816] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x103980) returned 1 [0135.816] GetProcessHeap () returned 0x100000 [0135.816] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x103980) returned 0x30 [0135.816] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x103980) returned 1 [0135.816] GetProcessHeap () returned 0x100000 [0135.816] GetProcessHeap () returned 0x100000 [0135.816] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b5e0) returned 1 [0135.816] GetProcessHeap () returned 0x100000 [0135.816] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b5e0) returned 0x20 [0135.816] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b5e0) returned 1 [0135.817] GetProcessHeap () returned 0x100000 [0135.817] GetProcessHeap () returned 0x100000 [0135.817] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104390) returned 1 [0135.817] GetProcessHeap () returned 0x100000 [0135.817] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104390) returned 0x30 [0135.817] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104390) returned 1 [0135.817] GetProcessHeap () returned 0x100000 [0135.817] GetProcessHeap () returned 0x100000 [0135.817] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b370) returned 1 [0135.817] GetProcessHeap () returned 0x100000 [0135.817] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b370) returned 0x20 [0135.817] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b370) returned 1 [0135.818] GetProcessHeap () returned 0x100000 [0135.818] GetProcessHeap () returned 0x100000 [0135.818] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10a970) returned 1 [0135.818] GetProcessHeap () returned 0x100000 [0135.818] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10a970) returned 0x16 [0135.818] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10a970) returned 1 [0135.818] GetProcessHeap () returned 0x100000 [0135.818] GetProcessHeap () returned 0x100000 [0135.818] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b700) returned 1 [0135.818] GetProcessHeap () returned 0x100000 [0135.818] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b700) returned 0x20 [0135.818] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b700) returned 1 [0135.818] GetProcessHeap () returned 0x100000 [0135.818] GetProcessHeap () returned 0x100000 [0135.818] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10abd0) returned 1 [0135.819] GetProcessHeap () returned 0x100000 [0135.819] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10abd0) returned 0x16 [0135.819] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10abd0) returned 1 [0135.819] GetProcessHeap () returned 0x100000 [0135.819] GetProcessHeap () returned 0x100000 [0135.819] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b820) returned 1 [0135.819] GetProcessHeap () returned 0x100000 [0135.819] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b820) returned 0x20 [0135.819] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b820) returned 1 [0135.819] GetProcessHeap () returned 0x100000 [0135.819] GetProcessHeap () returned 0x100000 [0135.819] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x11f160) returned 1 [0135.819] GetProcessHeap () returned 0x100000 [0135.819] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x11f160) returned 0x82 [0135.819] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x11f160) returned 1 [0135.819] GetProcessHeap () returned 0x100000 [0135.819] GetProcessHeap () returned 0x100000 [0135.819] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b850) returned 1 [0135.820] GetProcessHeap () returned 0x100000 [0135.820] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b850) returned 0x20 [0135.820] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b850) returned 1 [0135.820] GetProcessHeap () returned 0x100000 [0135.820] GetProcessHeap () returned 0x100000 [0135.820] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10aab0) returned 1 [0135.820] GetProcessHeap () returned 0x100000 [0135.820] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10aab0) returned 0xe [0135.820] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10aab0) returned 1 [0135.820] GetProcessHeap () returned 0x100000 [0135.820] GetProcessHeap () returned 0x100000 [0135.820] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b520) returned 1 [0135.820] GetProcessHeap () returned 0x100000 [0135.820] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b520) returned 0x20 [0135.820] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b520) returned 1 [0135.820] GetProcessHeap () returned 0x100000 [0135.820] GetProcessHeap () returned 0x100000 [0135.820] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10aa50) returned 1 [0135.821] GetProcessHeap () returned 0x100000 [0135.821] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10aa50) returned 0xc [0135.821] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10aa50) returned 1 [0135.821] GetProcessHeap () returned 0x100000 [0135.821] GetProcessHeap () returned 0x100000 [0135.821] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b730) returned 1 [0135.821] GetProcessHeap () returned 0x100000 [0135.821] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b730) returned 0x20 [0135.821] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b730) returned 1 [0135.821] GetProcessHeap () returned 0x100000 [0135.821] GetProcessHeap () returned 0x100000 [0135.821] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10a950) returned 1 [0135.821] GetProcessHeap () returned 0x100000 [0135.821] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10a950) returned 0xe [0135.821] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10a950) returned 1 [0135.821] GetProcessHeap () returned 0x100000 [0135.821] GetProcessHeap () returned 0x100000 [0135.821] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b9d0) returned 1 [0135.821] GetProcessHeap () returned 0x100000 [0135.821] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b9d0) returned 0x20 [0135.822] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b9d0) returned 1 [0135.822] GetProcessHeap () returned 0x100000 [0135.822] GetProcessHeap () returned 0x100000 [0135.822] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10a8b0) returned 1 [0135.822] GetProcessHeap () returned 0x100000 [0135.822] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10a8b0) returned 0x10 [0135.822] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10a8b0) returned 1 [0135.822] GetProcessHeap () returned 0x100000 [0135.822] GetProcessHeap () returned 0x100000 [0135.822] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x10b3a0) returned 1 [0135.822] GetProcessHeap () returned 0x100000 [0135.822] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x10b3a0) returned 0x20 [0135.822] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x10b3a0) returned 1 [0135.822] GetProcessHeap () returned 0x100000 [0135.822] GetProcessHeap () returned 0x100000 [0135.823] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104470) returned 1 [0135.823] GetProcessHeap () returned 0x100000 [0135.823] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104470) returned 0x18 [0135.823] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104470) returned 1 [0135.823] GetProcessHeap () returned 0x100000 [0135.823] GetProcessHeap () returned 0x100000 [0135.823] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x109200) returned 1 [0135.823] GetProcessHeap () returned 0x100000 [0135.823] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x109200) returned 0x20 [0135.823] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x109200) returned 1 [0135.823] GetProcessHeap () returned 0x100000 [0135.823] GetProcessHeap () returned 0x100000 [0135.823] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x108f90) returned 1 [0135.823] GetProcessHeap () returned 0x100000 [0135.823] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x108f90) returned 0x20 [0135.824] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x108f90) returned 1 [0135.824] GetProcessHeap () returned 0x100000 [0135.824] GetProcessHeap () returned 0x100000 [0135.824] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x108ed0) returned 1 [0135.824] GetProcessHeap () returned 0x100000 [0135.824] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x108ed0) returned 0x20 [0135.824] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x108ed0) returned 1 [0135.824] GetProcessHeap () returned 0x100000 [0135.824] GetProcessHeap () returned 0x100000 [0135.824] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x109080) returned 1 [0135.824] GetProcessHeap () returned 0x100000 [0135.824] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x109080) returned 0x20 [0135.825] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x109080) returned 1 [0135.825] GetProcessHeap () returned 0x100000 [0135.825] GetProcessHeap () returned 0x100000 [0135.825] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104060) returned 1 [0135.825] GetProcessHeap () returned 0x100000 [0135.825] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104060) returned 0x18 [0135.825] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104060) returned 1 [0135.825] GetProcessHeap () returned 0x100000 [0135.825] GetProcessHeap () returned 0x100000 [0135.825] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x109230) returned 1 [0135.825] GetProcessHeap () returned 0x100000 [0135.825] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x109230) returned 0x20 [0135.825] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x109230) returned 1 [0135.825] GetProcessHeap () returned 0x100000 [0135.825] GetProcessHeap () returned 0x100000 [0135.826] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x108f30) returned 1 [0135.826] GetProcessHeap () returned 0x100000 [0135.826] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x108f30) returned 0x20 [0135.826] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x108f30) returned 1 [0135.826] GetProcessHeap () returned 0x100000 [0135.826] GetProcessHeap () returned 0x100000 [0135.826] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x109170) returned 1 [0135.826] GetProcessHeap () returned 0x100000 [0135.826] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x109170) returned 0x20 [0135.826] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x109170) returned 1 [0135.826] GetProcessHeap () returned 0x100000 [0135.827] GetProcessHeap () returned 0x100000 [0135.827] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x108f60) returned 1 [0135.827] GetProcessHeap () returned 0x100000 [0135.827] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x108f60) returned 0x20 [0135.827] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x108f60) returned 1 [0135.827] GetProcessHeap () returned 0x100000 [0135.827] GetProcessHeap () returned 0x100000 [0135.827] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x109020) returned 1 [0135.827] GetProcessHeap () returned 0x100000 [0135.827] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x109020) returned 0x20 [0135.827] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x109020) returned 1 [0135.827] GetProcessHeap () returned 0x100000 [0135.828] GetProcessHeap () returned 0x100000 [0135.828] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104080) returned 1 [0135.828] GetProcessHeap () returned 0x100000 [0135.828] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104080) returned 0x18 [0135.828] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104080) returned 1 [0135.828] GetProcessHeap () returned 0x100000 [0135.828] GetProcessHeap () returned 0x100000 [0135.828] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x108f00) returned 1 [0135.828] GetProcessHeap () returned 0x100000 [0135.828] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x108f00) returned 0x20 [0135.828] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x108f00) returned 1 [0135.828] GetProcessHeap () returned 0x100000 [0135.828] GetProcessHeap () returned 0x100000 [0135.828] HeapValidate (hHeap=0x100000, dwFlags=0x0, lpMem=0x104ab0) returned 1 [0135.828] GetProcessHeap () returned 0x100000 [0135.828] RtlSizeHeap (HeapHandle=0x100000, Flags=0x0, MemoryPointer=0x104ab0) returned 0x18 [0135.828] RtlFreeHeap (HeapHandle=0x100000, Flags=0x0, BaseAddress=0x104ab0) returned 1 [0135.829] exit (_Code=0) Thread: id = 17 os_tid = 0xc9c Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x6ae7e000" os_pid = "0xcb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x678" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 724 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 725 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 726 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 727 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 728 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 729 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 730 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 731 start_va = 0x7ff637930000 end_va = 0x7ff637940fff monitored = 0 entry_point = 0x7ff6379316b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 732 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 734 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 735 start_va = 0x7ffa15160000 end_va = 0x7ffa1520cfff monitored = 0 entry_point = 0x7ffa151781a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 736 start_va = 0x7ffa13130000 end_va = 0x7ffa13317fff monitored = 0 entry_point = 0x7ffa1315ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 737 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 738 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 739 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 740 start_va = 0x7ffa13cc0000 end_va = 0x7ffa13d5cfff monitored = 0 entry_point = 0x7ffa13cc78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 741 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 742 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 743 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 744 start_va = 0x7ffa0abf0000 end_va = 0x7ffa0ac48fff monitored = 0 entry_point = 0x7ffa0abffbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 745 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 746 start_va = 0x7ffa14340000 end_va = 0x7ffa145bcfff monitored = 0 entry_point = 0x7ffa14414970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 747 start_va = 0x7ffa145c0000 end_va = 0x7ffa146dbfff monitored = 0 entry_point = 0x7ffa146002b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 748 start_va = 0x7ffa13320000 end_va = 0x7ffa13389fff monitored = 0 entry_point = 0x7ffa13356d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 749 start_va = 0x7ffa13d80000 end_va = 0x7ffa13ed5fff monitored = 0 entry_point = 0x7ffa13d8a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 750 start_va = 0x7ffa13ee0000 end_va = 0x7ffa14065fff monitored = 0 entry_point = 0x7ffa13f2ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 751 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 752 start_va = 0x7ffa13b70000 end_va = 0x7ffa13cb2fff monitored = 0 entry_point = 0x7ffa13b98210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 753 start_va = 0x7ffa14070000 end_va = 0x7ffa140cafff monitored = 0 entry_point = 0x7ffa140838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 754 start_va = 0x7ffa141e0000 end_va = 0x7ffa1421afff monitored = 0 entry_point = 0x7ffa141e12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 755 start_va = 0x7ffa147c0000 end_va = 0x7ffa14880fff monitored = 0 entry_point = 0x7ffa147e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 756 start_va = 0x7ffa11220000 end_va = 0x7ffa113a5fff monitored = 0 entry_point = 0x7ffa1126d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 757 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 758 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 759 start_va = 0x690000 end_va = 0x817fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 760 start_va = 0x820000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 761 start_va = 0x9b0000 end_va = 0x1daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 762 start_va = 0x1db0000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 763 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 764 start_va = 0x490000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 765 start_va = 0x7ffa15210000 end_va = 0x7ffa1676efff monitored = 0 entry_point = 0x7ffa153711f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 766 start_va = 0x7ffa13390000 end_va = 0x7ffa133d2fff monitored = 0 entry_point = 0x7ffa133a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 767 start_va = 0x7ffa13520000 end_va = 0x7ffa13b63fff monitored = 0 entry_point = 0x7ffa136e64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 768 start_va = 0x7ffa15090000 end_va = 0x7ffa15136fff monitored = 0 entry_point = 0x7ffa150a58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 769 start_va = 0x7ffa14ba0000 end_va = 0x7ffa14bf1fff monitored = 0 entry_point = 0x7ffa14baf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 770 start_va = 0x7ffa12e10000 end_va = 0x7ffa12e1efff monitored = 0 entry_point = 0x7ffa12e13210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 771 start_va = 0x7ffa12e80000 end_va = 0x7ffa12f34fff monitored = 0 entry_point = 0x7ffa12ec22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 772 start_va = 0x7ffa12dc0000 end_va = 0x7ffa12e0afff monitored = 0 entry_point = 0x7ffa12dc35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 773 start_va = 0x7ffa12d90000 end_va = 0x7ffa12da3fff monitored = 0 entry_point = 0x7ffa12d952e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 774 start_va = 0x7ffa11710000 end_va = 0x7ffa117a5fff monitored = 0 entry_point = 0x7ffa11735570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 775 start_va = 0x1f00000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 776 start_va = 0x20b0000 end_va = 0x23e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 777 start_va = 0x23f0000 end_va = 0x260efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 778 start_va = 0x2610000 end_va = 0x2829fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 779 start_va = 0x1db0000 end_va = 0x1ec7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 780 start_va = 0x1ef0000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 781 start_va = 0x2830000 end_va = 0x2a43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 782 start_va = 0x1f00000 end_va = 0x2015fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 783 start_va = 0x20a0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Thread: id = 13 os_tid = 0xcbc Thread: id = 15 os_tid = 0xc84 Thread: id = 16 os_tid = 0x1168 Process: id = "4" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x75956000" os_pid = "0x360" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_scheduled_job" parent_id = "2" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000abff" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 806 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 807 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 808 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 809 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 810 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 811 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 812 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 813 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 814 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 815 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 816 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 817 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 818 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 819 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 820 start_va = 0x410000 end_va = 0x411fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dosvc.dll.mui" filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui") Region: id = 821 start_va = 0x420000 end_va = 0x424fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 822 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 823 start_va = 0x440000 end_va = 0x442fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 824 start_va = 0x450000 end_va = 0x451fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 825 start_va = 0x460000 end_va = 0x46ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 826 start_va = 0x470000 end_va = 0x479fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 827 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 828 start_va = 0x540000 end_va = 0x546fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 829 start_va = 0x550000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 830 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 831 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usocore.dll.mui" filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui") Region: id = 832 start_va = 0x5f0000 end_va = 0x5f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 833 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 834 start_va = 0x700000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 835 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 836 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 837 start_va = 0x8b0000 end_va = 0x8bcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 838 start_va = 0x8c0000 end_va = 0x8c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 839 start_va = 0x8d0000 end_va = 0x8d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 840 start_va = 0x8e0000 end_va = 0x8e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 841 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 842 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 843 start_va = 0xa00000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 844 start_va = 0xb90000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 845 start_va = 0xc90000 end_va = 0xc93fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 846 start_va = 0xca0000 end_va = 0xcb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 847 start_va = 0xcc0000 end_va = 0xcc6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 848 start_va = 0xcd0000 end_va = 0xd14fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db") Region: id = 849 start_va = 0xd20000 end_va = 0xd2cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 850 start_va = 0xd30000 end_va = 0xd36fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 851 start_va = 0xdc0000 end_va = 0xdc8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 852 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 853 start_va = 0xde0000 end_va = 0xde1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 854 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 855 start_va = 0xf00000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 856 start_va = 0x1000000 end_va = 0x1336fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 857 start_va = 0x1360000 end_va = 0x1370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1256.nls" filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls") Region: id = 858 start_va = 0x1380000 end_va = 0x1386fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 859 start_va = 0x1390000 end_va = 0x13a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 860 start_va = 0x13b0000 end_va = 0x13c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1254.nls" filename = "\\Windows\\System32\\C_1254.NLS" (normalized: "c:\\windows\\system32\\c_1254.nls") Region: id = 861 start_va = 0x13d0000 end_va = 0x13e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1250.nls" filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls") Region: id = 862 start_va = 0x1400000 end_va = 0x1406fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 863 start_va = 0x1410000 end_va = 0x1420fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1253.nls" filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls") Region: id = 864 start_va = 0x1440000 end_va = 0x153ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 865 start_va = 0x1540000 end_va = 0x15bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 866 start_va = 0x15c0000 end_va = 0x15c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000015c0000" filename = "" Region: id = 867 start_va = 0x15d0000 end_va = 0x15e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1257.nls" filename = "\\Windows\\System32\\C_1257.NLS" (normalized: "c:\\windows\\system32\\c_1257.nls") Region: id = 868 start_va = 0x1600000 end_va = 0x16fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 869 start_va = 0x1700000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 870 start_va = 0x1800000 end_va = 0x18dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 871 start_va = 0x18e0000 end_va = 0x18f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 872 start_va = 0x1900000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 873 start_va = 0x1a00000 end_va = 0x1a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 874 start_va = 0x1a80000 end_va = 0x1b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a80000" filename = "" Region: id = 875 start_va = 0x1b80000 end_va = 0x1c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b80000" filename = "" Region: id = 876 start_va = 0x1c80000 end_va = 0x1d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 877 start_va = 0x1d80000 end_va = 0x1e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d80000" filename = "" Region: id = 878 start_va = 0x1e80000 end_va = 0x1f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 879 start_va = 0x1f80000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 880 start_va = 0x2080000 end_va = 0x217ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 881 start_va = 0x2180000 end_va = 0x227ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 882 start_va = 0x2280000 end_va = 0x237ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002280000" filename = "" Region: id = 883 start_va = 0x2380000 end_va = 0x247ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002380000" filename = "" Region: id = 884 start_va = 0x2480000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002480000" filename = "" Region: id = 885 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 886 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 887 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 888 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 889 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 890 start_va = 0x2a00000 end_va = 0x2afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 891 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 892 start_va = 0x2c00000 end_va = 0x2c8dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 893 start_va = 0x2c90000 end_va = 0x2d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c90000" filename = "" Region: id = 894 start_va = 0x2d10000 end_va = 0x2e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d10000" filename = "" Region: id = 895 start_va = 0x2e10000 end_va = 0x2f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 896 start_va = 0x2f10000 end_va = 0x2f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f10000" filename = "" Region: id = 897 start_va = 0x2f90000 end_va = 0x300ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f90000" filename = "" Region: id = 898 start_va = 0x3010000 end_va = 0x310ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 899 start_va = 0x3110000 end_va = 0x318ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 900 start_va = 0x3190000 end_va = 0x328ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 901 start_va = 0x3290000 end_va = 0x330ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003290000" filename = "" Region: id = 902 start_va = 0x3310000 end_va = 0x3337fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_932.nls" filename = "\\Windows\\System32\\C_932.NLS" (normalized: "c:\\windows\\system32\\c_932.nls") Region: id = 903 start_va = 0x3340000 end_va = 0x3370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_949.nls" filename = "\\Windows\\System32\\C_949.NLS" (normalized: "c:\\windows\\system32\\c_949.nls") Region: id = 904 start_va = 0x3390000 end_va = 0x3396fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003390000" filename = "" Region: id = 905 start_va = 0x33a0000 end_va = 0x341ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033a0000" filename = "" Region: id = 906 start_va = 0x34a0000 end_va = 0x34b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_874.nls" filename = "\\Windows\\System32\\C_874.NLS" (normalized: "c:\\windows\\system32\\c_874.nls") Region: id = 907 start_va = 0x34c0000 end_va = 0x34d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1258.nls" filename = "\\Windows\\System32\\C_1258.NLS" (normalized: "c:\\windows\\system32\\c_1258.nls") Region: id = 908 start_va = 0x34e0000 end_va = 0x3510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_936.nls" filename = "\\Windows\\System32\\C_936.NLS" (normalized: "c:\\windows\\system32\\c_936.nls") Region: id = 909 start_va = 0x3520000 end_va = 0x3550fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_950.nls" filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls") Region: id = 910 start_va = 0x3570000 end_va = 0x35effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003570000" filename = "" Region: id = 911 start_va = 0x35f0000 end_va = 0x3607fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035f0000" filename = "" Region: id = 912 start_va = 0x3670000 end_va = 0x376ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003670000" filename = "" Region: id = 913 start_va = 0x3770000 end_va = 0x386ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 914 start_va = 0x3870000 end_va = 0x38effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003870000" filename = "" Region: id = 915 start_va = 0x3900000 end_va = 0x39fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003900000" filename = "" Region: id = 916 start_va = 0x3a00000 end_va = 0x3afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 917 start_va = 0x3b00000 end_va = 0x3bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 918 start_va = 0x3c00000 end_va = 0x3c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 919 start_va = 0x3c80000 end_va = 0x3d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c80000" filename = "" Region: id = 920 start_va = 0x3e00000 end_va = 0x3e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 921 start_va = 0x3f00000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 922 start_va = 0x4000000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 923 start_va = 0x4200000 end_va = 0x42fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 924 start_va = 0x4300000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 925 start_va = 0x4400000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 926 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 927 start_va = 0x4600000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 928 start_va = 0x4700000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 929 start_va = 0x4800000 end_va = 0x48fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004800000" filename = "" Region: id = 930 start_va = 0x4900000 end_va = 0x49fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004900000" filename = "" Region: id = 931 start_va = 0x4b00000 end_va = 0x4bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 932 start_va = 0x4c00000 end_va = 0x4cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c00000" filename = "" Region: id = 933 start_va = 0x4d00000 end_va = 0x4dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d00000" filename = "" Region: id = 934 start_va = 0x4e00000 end_va = 0x4efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e00000" filename = "" Region: id = 935 start_va = 0x4f00000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 936 start_va = 0x5000000 end_va = 0x50fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 937 start_va = 0x5300000 end_va = 0x53fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005300000" filename = "" Region: id = 938 start_va = 0x5400000 end_va = 0x54fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005400000" filename = "" Region: id = 939 start_va = 0x5500000 end_va = 0x55fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005500000" filename = "" Region: id = 940 start_va = 0x5600000 end_va = 0x56fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005600000" filename = "" Region: id = 941 start_va = 0x5700000 end_va = 0x57fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005700000" filename = "" Region: id = 942 start_va = 0x5800000 end_va = 0x58fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005800000" filename = "" Region: id = 943 start_va = 0x5900000 end_va = 0x59fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005900000" filename = "" Region: id = 944 start_va = 0x5a00000 end_va = 0x5afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a00000" filename = "" Region: id = 945 start_va = 0x5b00000 end_va = 0x5bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b00000" filename = "" Region: id = 946 start_va = 0x5c00000 end_va = 0x5cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c00000" filename = "" Region: id = 947 start_va = 0x5d60000 end_va = 0x5d66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d60000" filename = "" Region: id = 948 start_va = 0x5d70000 end_va = 0x5e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d70000" filename = "" Region: id = 949 start_va = 0x5e70000 end_va = 0x5f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e70000" filename = "" Region: id = 950 start_va = 0x5f70000 end_va = 0x606ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f70000" filename = "" Region: id = 951 start_va = 0x6070000 end_va = 0x616ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006070000" filename = "" Region: id = 952 start_va = 0x6170000 end_va = 0x626ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006170000" filename = "" Region: id = 953 start_va = 0x6270000 end_va = 0x636ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006270000" filename = "" Region: id = 954 start_va = 0x6370000 end_va = 0x646ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006370000" filename = "" Region: id = 955 start_va = 0x6470000 end_va = 0x656ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006470000" filename = "" Region: id = 956 start_va = 0x6570000 end_va = 0x666ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006570000" filename = "" Region: id = 957 start_va = 0x6670000 end_va = 0x676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006670000" filename = "" Region: id = 958 start_va = 0x6770000 end_va = 0x686ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006770000" filename = "" Region: id = 959 start_va = 0x6970000 end_va = 0x6a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006970000" filename = "" Region: id = 960 start_va = 0x6a70000 end_va = 0x6b6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a70000" filename = "" Region: id = 961 start_va = 0x6b70000 end_va = 0x6c6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b70000" filename = "" Region: id = 962 start_va = 0x6f00000 end_va = 0x6ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f00000" filename = "" Region: id = 963 start_va = 0x7000000 end_va = 0x70fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007000000" filename = "" Region: id = 964 start_va = 0x7100000 end_va = 0x71fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007100000" filename = "" Region: id = 965 start_va = 0x7300000 end_va = 0x73fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007300000" filename = "" Region: id = 966 start_va = 0x7400000 end_va = 0x74fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007400000" filename = "" Region: id = 967 start_va = 0x7600000 end_va = 0x76fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007600000" filename = "" Region: id = 968 start_va = 0x7700000 end_va = 0x77fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007700000" filename = "" Region: id = 969 start_va = 0x7800000 end_va = 0x78fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007800000" filename = "" Region: id = 970 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 971 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 972 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 973 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 974 start_va = 0x7ff681250000 end_va = 0x7ff68125cfff monitored = 0 entry_point = 0x7ff681253980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 975 start_va = 0x7ff9fbf80000 end_va = 0x7ff9fbf97fff monitored = 0 entry_point = 0x7ff9fbf81b10 region_type = mapped_file name = "locationframeworkinternalps.dll" filename = "\\Windows\\System32\\LocationFrameworkInternalPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkinternalps.dll") Region: id = 976 start_va = 0x7ff9fc290000 end_va = 0x7ff9fc364fff monitored = 0 entry_point = 0x7ff9fc2acf80 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 977 start_va = 0x7ff9fde10000 end_va = 0x7ff9fde8ffff monitored = 0 entry_point = 0x7ff9fde3d280 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 978 start_va = 0x7ff9fded0000 end_va = 0x7ff9fdf0efff monitored = 0 entry_point = 0x7ff9fdef82d0 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 979 start_va = 0x7ff9fedb0000 end_va = 0x7ff9fedf3fff monitored = 0 entry_point = 0x7ff9fedd83e0 region_type = mapped_file name = "updatehandlers.dll" filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll") Region: id = 980 start_va = 0x7ff9fee00000 end_va = 0x7ff9ff0affff monitored = 0 entry_point = 0x7ff9fee01cf0 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 981 start_va = 0x7ff9ff110000 end_va = 0x7ff9ff145fff monitored = 0 entry_point = 0x7ff9ff1127f0 region_type = mapped_file name = "windows.networking.hostname.dll" filename = "\\Windows\\System32\\Windows.Networking.HostName.dll" (normalized: "c:\\windows\\system32\\windows.networking.hostname.dll") Region: id = 982 start_va = 0x7ff9ff150000 end_va = 0x7ff9ff171fff monitored = 0 entry_point = 0x7ff9ff162540 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 983 start_va = 0x7ff9ff180000 end_va = 0x7ff9ff197fff monitored = 0 entry_point = 0x7ff9ff18b850 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 984 start_va = 0x7ff9ff1a0000 end_va = 0x7ff9ff1fcfff monitored = 0 entry_point = 0x7ff9ff1ce510 region_type = mapped_file name = "usocore.dll" filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll") Region: id = 985 start_va = 0x7ff9ff270000 end_va = 0x7ff9ff286fff monitored = 0 entry_point = 0x7ff9ff277520 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 986 start_va = 0x7ff9ff8e0000 end_va = 0x7ff9ff911fff monitored = 0 entry_point = 0x7ff9ff8eb0c0 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 987 start_va = 0x7ff9ffbb0000 end_va = 0x7ff9ffc16fff monitored = 0 entry_point = 0x7ff9ffbbb160 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 988 start_va = 0x7ffa000e0000 end_va = 0x7ffa001eefff monitored = 0 entry_point = 0x7ffa0011c010 region_type = mapped_file name = "dosvc.dll" filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll") Region: id = 989 start_va = 0x7ffa001f0000 end_va = 0x7ffa0030cfff monitored = 0 entry_point = 0x7ffa0021fe60 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 990 start_va = 0x7ffa01690000 end_va = 0x7ffa016a3fff monitored = 0 entry_point = 0x7ffa01693710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 991 start_va = 0x7ffa01740000 end_va = 0x7ffa0175dfff monitored = 0 entry_point = 0x7ffa0174ef80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 992 start_va = 0x7ffa05c40000 end_va = 0x7ffa05c47fff monitored = 0 entry_point = 0x7ffa05c413b0 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 993 start_va = 0x7ffa06940000 end_va = 0x7ffa06951fff monitored = 0 entry_point = 0x7ffa06941a80 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 994 start_va = 0x7ffa069a0000 end_va = 0x7ffa069b5fff monitored = 0 entry_point = 0x7ffa069a1d50 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 995 start_va = 0x7ffa07a20000 end_va = 0x7ffa07a30fff monitored = 0 entry_point = 0x7ffa07a27480 region_type = mapped_file name = "tetheringclient.dll" filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll") Region: id = 996 start_va = 0x7ffa07a40000 end_va = 0x7ffa07ac3fff monitored = 0 entry_point = 0x7ffa07a58d50 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 997 start_va = 0x7ffa07ad0000 end_va = 0x7ffa07ae5fff monitored = 0 entry_point = 0x7ffa07ad55e0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 998 start_va = 0x7ffa07af0000 end_va = 0x7ffa07bc5fff monitored = 0 entry_point = 0x7ffa07b1a800 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 999 start_va = 0x7ffa07c20000 end_va = 0x7ffa07c83fff monitored = 0 entry_point = 0x7ffa07c3bed0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 1000 start_va = 0x7ffa07c90000 end_va = 0x7ffa07cb4fff monitored = 0 entry_point = 0x7ffa07c99900 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1001 start_va = 0x7ffa07cc0000 end_va = 0x7ffa07cd3fff monitored = 0 entry_point = 0x7ffa07cc1800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1002 start_va = 0x7ffa07ce0000 end_va = 0x7ffa07dd5fff monitored = 0 entry_point = 0x7ffa07d19590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1003 start_va = 0x7ffa07de0000 end_va = 0x7ffa07e53fff monitored = 0 entry_point = 0x7ffa07df5eb0 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 1004 start_va = 0x7ffa07e60000 end_va = 0x7ffa07f96fff monitored = 0 entry_point = 0x7ffa07ea0480 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 1005 start_va = 0x7ffa08390000 end_va = 0x7ffa083a0fff monitored = 0 entry_point = 0x7ffa08392fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1006 start_va = 0x7ffa083b0000 end_va = 0x7ffa083cdfff monitored = 0 entry_point = 0x7ffa083b3a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1007 start_va = 0x7ffa083d0000 end_va = 0x7ffa08451fff monitored = 0 entry_point = 0x7ffa083d2a10 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 1008 start_va = 0x7ffa08460000 end_va = 0x7ffa08475fff monitored = 0 entry_point = 0x7ffa08461af0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 1009 start_va = 0x7ffa08480000 end_va = 0x7ffa08499fff monitored = 0 entry_point = 0x7ffa08482330 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 1010 start_va = 0x7ffa08940000 end_va = 0x7ffa0894efff monitored = 0 entry_point = 0x7ffa08944960 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 1011 start_va = 0x7ffa08a00000 end_va = 0x7ffa08a0bfff monitored = 0 entry_point = 0x7ffa08a035c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1012 start_va = 0x7ffa08a10000 end_va = 0x7ffa08a4ffff monitored = 0 entry_point = 0x7ffa08a1cbe0 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 1013 start_va = 0x7ffa08a50000 end_va = 0x7ffa08a96fff monitored = 0 entry_point = 0x7ffa08a51d10 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 1014 start_va = 0x7ffa08ae0000 end_va = 0x7ffa08b21fff monitored = 0 entry_point = 0x7ffa08ae3670 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 1015 start_va = 0x7ffa08e00000 end_va = 0x7ffa08e1efff monitored = 0 entry_point = 0x7ffa08e037e0 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 1016 start_va = 0x7ffa08e20000 end_va = 0x7ffa08e98fff monitored = 0 entry_point = 0x7ffa08e276a0 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 1017 start_va = 0x7ffa08eb0000 end_va = 0x7ffa08eeffff monitored = 0 entry_point = 0x7ffa08ec6c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1018 start_va = 0x7ffa08f10000 end_va = 0x7ffa08f27fff monitored = 0 entry_point = 0x7ffa08f14e10 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 1019 start_va = 0x7ffa08f30000 end_va = 0x7ffa08f54fff monitored = 0 entry_point = 0x7ffa08f35ca0 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 1020 start_va = 0x7ffa08f60000 end_va = 0x7ffa090e1fff monitored = 0 entry_point = 0x7ffa08f782a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1021 start_va = 0x7ffa090f0000 end_va = 0x7ffa09192fff monitored = 0 entry_point = 0x7ffa090f2c10 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 1022 start_va = 0x7ffa091a0000 end_va = 0x7ffa091f1fff monitored = 0 entry_point = 0x7ffa091a5770 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 1023 start_va = 0x7ffa09200000 end_va = 0x7ffa0922dfff monitored = 1 entry_point = 0x7ffa09202300 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 1024 start_va = 0x7ffa09230000 end_va = 0x7ffa0928dfff monitored = 0 entry_point = 0x7ffa09235080 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 1025 start_va = 0x7ffa09290000 end_va = 0x7ffa092affff monitored = 0 entry_point = 0x7ffa09291f50 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 1026 start_va = 0x7ffa092b0000 end_va = 0x7ffa092b8fff monitored = 0 entry_point = 0x7ffa092b18f0 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 1027 start_va = 0x7ffa092c0000 end_va = 0x7ffa092d0fff monitored = 0 entry_point = 0x7ffa092c1d30 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 1028 start_va = 0x7ffa09330000 end_va = 0x7ffa09347fff monitored = 0 entry_point = 0x7ffa09332000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1029 start_va = 0x7ffa09350000 end_va = 0x7ffa09390fff monitored = 0 entry_point = 0x7ffa09353750 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 1030 start_va = 0x7ffa09430000 end_va = 0x7ffa0947bfff monitored = 0 entry_point = 0x7ffa09445310 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 1031 start_va = 0x7ffa09490000 end_va = 0x7ffa0950efff monitored = 0 entry_point = 0x7ffa094a7110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1032 start_va = 0x7ffa09510000 end_va = 0x7ffa0954bfff monitored = 0 entry_point = 0x7ffa09516aa0 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 1033 start_va = 0x7ffa09c80000 end_va = 0x7ffa09c88fff monitored = 0 entry_point = 0x7ffa09c821d0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 1034 start_va = 0x7ffa09c90000 end_va = 0x7ffa09cc4fff monitored = 0 entry_point = 0x7ffa09c9a270 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 1035 start_va = 0x7ffa09db0000 end_va = 0x7ffa09dc0fff monitored = 0 entry_point = 0x7ffa09db28d0 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 1036 start_va = 0x7ffa0a560000 end_va = 0x7ffa0a652fff monitored = 0 entry_point = 0x7ffa0a585d80 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 1037 start_va = 0x7ffa0ac50000 end_va = 0x7ffa0ac59fff monitored = 0 entry_point = 0x7ffa0ac514c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1038 start_va = 0x7ffa0afc0000 end_va = 0x7ffa0afd1fff monitored = 0 entry_point = 0x7ffa0afc3580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 1039 start_va = 0x7ffa0b050000 end_va = 0x7ffa0b06afff monitored = 0 entry_point = 0x7ffa0b051040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1040 start_va = 0x7ffa0b300000 end_va = 0x7ffa0b314fff monitored = 0 entry_point = 0x7ffa0b302dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 1041 start_va = 0x7ffa0b320000 end_va = 0x7ffa0b32dfff monitored = 0 entry_point = 0x7ffa0b321460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1042 start_va = 0x7ffa0b330000 end_va = 0x7ffa0b33bfff monitored = 0 entry_point = 0x7ffa0b332830 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 1043 start_va = 0x7ffa0b340000 end_va = 0x7ffa0b34ffff monitored = 0 entry_point = 0x7ffa0b341700 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 1044 start_va = 0x7ffa0b350000 end_va = 0x7ffa0b358fff monitored = 0 entry_point = 0x7ffa0b351ed0 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 1045 start_va = 0x7ffa0b360000 end_va = 0x7ffa0b38cfff monitored = 0 entry_point = 0x7ffa0b362290 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 1046 start_va = 0x7ffa0b390000 end_va = 0x7ffa0b3e1fff monitored = 0 entry_point = 0x7ffa0b3938e0 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 1047 start_va = 0x7ffa0b4a0000 end_va = 0x7ffa0b4b4fff monitored = 0 entry_point = 0x7ffa0b4a3460 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 1048 start_va = 0x7ffa0b4c0000 end_va = 0x7ffa0b559fff monitored = 0 entry_point = 0x7ffa0b4dada0 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 1049 start_va = 0x7ffa0b640000 end_va = 0x7ffa0b6a6fff monitored = 0 entry_point = 0x7ffa0b6463e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1050 start_va = 0x7ffa0b7a0000 end_va = 0x7ffa0b7aafff monitored = 0 entry_point = 0x7ffa0b7a1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1051 start_va = 0x7ffa0b800000 end_va = 0x7ffa0b8bffff monitored = 0 entry_point = 0x7ffa0b82fd20 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 1052 start_va = 0x7ffa0b9f0000 end_va = 0x7ffa0ba09fff monitored = 0 entry_point = 0x7ffa0b9f2430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1053 start_va = 0x7ffa0ba10000 end_va = 0x7ffa0ba25fff monitored = 0 entry_point = 0x7ffa0ba119f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1054 start_va = 0x7ffa0baf0000 end_va = 0x7ffa0bb27fff monitored = 0 entry_point = 0x7ffa0bb08cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1055 start_va = 0x7ffa0bbe0000 end_va = 0x7ffa0bc8dfff monitored = 0 entry_point = 0x7ffa0bbf80c0 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 1056 start_va = 0x7ffa0bc90000 end_va = 0x7ffa0bca1fff monitored = 0 entry_point = 0x7ffa0bc99260 region_type = mapped_file name = "rilproxy.dll" filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll") Region: id = 1057 start_va = 0x7ffa0bcb0000 end_va = 0x7ffa0bd60fff monitored = 0 entry_point = 0x7ffa0bd288b0 region_type = mapped_file name = "cellularapi.dll" filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll") Region: id = 1058 start_va = 0x7ffa0bd70000 end_va = 0x7ffa0bd83fff monitored = 0 entry_point = 0x7ffa0bd72d50 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1059 start_va = 0x7ffa0c070000 end_va = 0x7ffa0c102fff monitored = 0 entry_point = 0x7ffa0c079680 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 1060 start_va = 0x7ffa0c120000 end_va = 0x7ffa0c165fff monitored = 0 entry_point = 0x7ffa0c1279a0 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 1061 start_va = 0x7ffa0c2b0000 end_va = 0x7ffa0c2d4fff monitored = 0 entry_point = 0x7ffa0c2c2f20 region_type = mapped_file name = "wificonnapi.dll" filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll") Region: id = 1062 start_va = 0x7ffa0c2e0000 end_va = 0x7ffa0c2f0fff monitored = 0 entry_point = 0x7ffa0c2e7ea0 region_type = mapped_file name = "dcpapi.dll" filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll") Region: id = 1063 start_va = 0x7ffa0c300000 end_va = 0x7ffa0c318fff monitored = 0 entry_point = 0x7ffa0c304520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1064 start_va = 0x7ffa0c9a0000 end_va = 0x7ffa0c9befff monitored = 0 entry_point = 0x7ffa0c9a4960 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 1065 start_va = 0x7ffa0ca80000 end_va = 0x7ffa0ca99fff monitored = 0 entry_point = 0x7ffa0ca82cf0 region_type = mapped_file name = "locationpelegacywinlocation.dll" filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll") Region: id = 1066 start_va = 0x7ffa0ce40000 end_va = 0x7ffa0d1c1fff monitored = 0 entry_point = 0x7ffa0ce91220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 1067 start_va = 0x7ffa0e2c0000 end_va = 0x7ffa0e3cdfff monitored = 0 entry_point = 0x7ffa0e30eaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 1068 start_va = 0x7ffa0e440000 end_va = 0x7ffa0e453fff monitored = 0 entry_point = 0x7ffa0e442a00 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 1069 start_va = 0x7ffa0e6d0000 end_va = 0x7ffa0e724fff monitored = 0 entry_point = 0x7ffa0e6d3fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 1070 start_va = 0x7ffa0e730000 end_va = 0x7ffa0e766fff monitored = 0 entry_point = 0x7ffa0e736020 region_type = mapped_file name = "gnssadapter.dll" filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll") Region: id = 1071 start_va = 0x7ffa0e770000 end_va = 0x7ffa0e78ffff monitored = 0 entry_point = 0x7ffa0e7739a0 region_type = mapped_file name = "locationwinpalmisc.dll" filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll") Region: id = 1072 start_va = 0x7ffa0e790000 end_va = 0x7ffa0e7a6fff monitored = 0 entry_point = 0x7ffa0e795630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1073 start_va = 0x7ffa0e7b0000 end_va = 0x7ffa0e7c2fff monitored = 0 entry_point = 0x7ffa0e7b57f0 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1074 start_va = 0x7ffa0e7d0000 end_va = 0x7ffa0e849fff monitored = 0 entry_point = 0x7ffa0e7f7630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1075 start_va = 0x7ffa0e850000 end_va = 0x7ffa0e87dfff monitored = 0 entry_point = 0x7ffa0e857550 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1076 start_va = 0x7ffa0e880000 end_va = 0x7ffa0e895fff monitored = 0 entry_point = 0x7ffa0e881b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1077 start_va = 0x7ffa0e8a0000 end_va = 0x7ffa0e903fff monitored = 0 entry_point = 0x7ffa0e8b5ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1078 start_va = 0x7ffa0ead0000 end_va = 0x7ffa0eb10fff monitored = 0 entry_point = 0x7ffa0ead4840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 1079 start_va = 0x7ffa0eb20000 end_va = 0x7ffa0eb2bfff monitored = 0 entry_point = 0x7ffa0eb214d0 region_type = mapped_file name = "locationframeworkps.dll" filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll") Region: id = 1080 start_va = 0x7ffa0eb30000 end_va = 0x7ffa0ec65fff monitored = 0 entry_point = 0x7ffa0eb5f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1081 start_va = 0x7ffa0ec70000 end_va = 0x7ffa0ed55fff monitored = 0 entry_point = 0x7ffa0ec8cf10 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 1082 start_va = 0x7ffa0ed60000 end_va = 0x7ffa0ee27fff monitored = 0 entry_point = 0x7ffa0eda13f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1083 start_va = 0x7ffa0ee30000 end_va = 0x7ffa0ee90fff monitored = 0 entry_point = 0x7ffa0ee34b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 1084 start_va = 0x7ffa0eea0000 end_va = 0x7ffa0f01bfff monitored = 0 entry_point = 0x7ffa0eef1650 region_type = mapped_file name = "locationframework.dll" filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll") Region: id = 1085 start_va = 0x7ffa0f020000 end_va = 0x7ffa0f02afff monitored = 0 entry_point = 0x7ffa0f021770 region_type = mapped_file name = "lfsvc.dll" filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll") Region: id = 1086 start_va = 0x7ffa0f030000 end_va = 0x7ffa0f06dfff monitored = 0 entry_point = 0x7ffa0f03a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1087 start_va = 0x7ffa0f070000 end_va = 0x7ffa0f096fff monitored = 0 entry_point = 0x7ffa0f073bf0 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 1088 start_va = 0x7ffa0f0f0000 end_va = 0x7ffa0f144fff monitored = 0 entry_point = 0x7ffa0f0ffc00 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1089 start_va = 0x7ffa0f190000 end_va = 0x7ffa0f221fff monitored = 0 entry_point = 0x7ffa0f1da780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 1090 start_va = 0x7ffa0f2b0000 end_va = 0x7ffa0f2bcfff monitored = 0 entry_point = 0x7ffa0f2b1420 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 1091 start_va = 0x7ffa0f2d0000 end_va = 0x7ffa0f2dffff monitored = 0 entry_point = 0x7ffa0f2d2c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 1092 start_va = 0x7ffa0f2e0000 end_va = 0x7ffa0f2ecfff monitored = 0 entry_point = 0x7ffa0f2e2ca0 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 1093 start_va = 0x7ffa0f2f0000 end_va = 0x7ffa0f31efff monitored = 0 entry_point = 0x7ffa0f2f8910 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 1094 start_va = 0x7ffa0f370000 end_va = 0x7ffa0f3ddfff monitored = 0 entry_point = 0x7ffa0f377f60 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 1095 start_va = 0x7ffa0f3e0000 end_va = 0x7ffa0f3f0fff monitored = 0 entry_point = 0x7ffa0f3e3320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 1096 start_va = 0x7ffa0f430000 end_va = 0x7ffa0f465fff monitored = 0 entry_point = 0x7ffa0f440070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1097 start_va = 0x7ffa0fc30000 end_va = 0x7ffa0fc70fff monitored = 0 entry_point = 0x7ffa0fc47eb0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1098 start_va = 0x7ffa0fc80000 end_va = 0x7ffa0fd7bfff monitored = 0 entry_point = 0x7ffa0fcb6df0 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 1099 start_va = 0x7ffa0fe10000 end_va = 0x7ffa0fecefff monitored = 0 entry_point = 0x7ffa0fe31c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 1100 start_va = 0x7ffa0ff20000 end_va = 0x7ffa0ff29fff monitored = 0 entry_point = 0x7ffa0ff21660 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1101 start_va = 0x7ffa0ff30000 end_va = 0x7ffa0ff47fff monitored = 0 entry_point = 0x7ffa0ff35910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1102 start_va = 0x7ffa0ff50000 end_va = 0x7ffa1009cfff monitored = 0 entry_point = 0x7ffa0ff93da0 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1103 start_va = 0x7ffa10cc0000 end_va = 0x7ffa11152fff monitored = 0 entry_point = 0x7ffa10ccf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1104 start_va = 0x7ffa11160000 end_va = 0x7ffa111c6fff monitored = 0 entry_point = 0x7ffa1117e710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 1105 start_va = 0x7ffa11220000 end_va = 0x7ffa113a5fff monitored = 0 entry_point = 0x7ffa1126d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1106 start_va = 0x7ffa113b0000 end_va = 0x7ffa113cbfff monitored = 0 entry_point = 0x7ffa113b37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1107 start_va = 0x7ffa113d0000 end_va = 0x7ffa113dafff monitored = 0 entry_point = 0x7ffa113d1de0 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 1108 start_va = 0x7ffa11410000 end_va = 0x7ffa11422fff monitored = 0 entry_point = 0x7ffa11412760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1109 start_va = 0x7ffa114c0000 end_va = 0x7ffa114c9fff monitored = 0 entry_point = 0x7ffa114c1350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1110 start_va = 0x7ffa11560000 end_va = 0x7ffa1157cfff monitored = 0 entry_point = 0x7ffa11564f60 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 1111 start_va = 0x7ffa11580000 end_va = 0x7ffa115f8fff monitored = 0 entry_point = 0x7ffa1159fb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1112 start_va = 0x7ffa11600000 end_va = 0x7ffa11607fff monitored = 0 entry_point = 0x7ffa116013e0 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 1113 start_va = 0x7ffa11640000 end_va = 0x7ffa1167ffff monitored = 0 entry_point = 0x7ffa11651960 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 1114 start_va = 0x7ffa117d0000 end_va = 0x7ffa117f6fff monitored = 0 entry_point = 0x7ffa117d7940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1115 start_va = 0x7ffa11800000 end_va = 0x7ffa118a9fff monitored = 0 entry_point = 0x7ffa11827910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1116 start_va = 0x7ffa118b0000 end_va = 0x7ffa119affff monitored = 0 entry_point = 0x7ffa118f0f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 1117 start_va = 0x7ffa11a40000 end_va = 0x7ffa11a4bfff monitored = 0 entry_point = 0x7ffa11a42480 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1118 start_va = 0x7ffa11b10000 end_va = 0x7ffa11b41fff monitored = 0 entry_point = 0x7ffa11b22340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1119 start_va = 0x7ffa11d80000 end_va = 0x7ffa11d8bfff monitored = 0 entry_point = 0x7ffa11d82790 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1120 start_va = 0x7ffa11d90000 end_va = 0x7ffa11db3fff monitored = 0 entry_point = 0x7ffa11d93260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1121 start_va = 0x7ffa11f30000 end_va = 0x7ffa12023fff monitored = 0 entry_point = 0x7ffa11f3a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1122 start_va = 0x7ffa12080000 end_va = 0x7ffa120c8fff monitored = 0 entry_point = 0x7ffa1208a090 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1123 start_va = 0x7ffa121a0000 end_va = 0x7ffa121abfff monitored = 0 entry_point = 0x7ffa121a27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1124 start_va = 0x7ffa12280000 end_va = 0x7ffa122b0fff monitored = 0 entry_point = 0x7ffa12287d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1125 start_va = 0x7ffa122e0000 end_va = 0x7ffa12359fff monitored = 0 entry_point = 0x7ffa12301a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1126 start_va = 0x7ffa123a0000 end_va = 0x7ffa123d3fff monitored = 0 entry_point = 0x7ffa123bae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1127 start_va = 0x7ffa123e0000 end_va = 0x7ffa123e9fff monitored = 0 entry_point = 0x7ffa123e1830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 1128 start_va = 0x7ffa124f0000 end_va = 0x7ffa1250efff monitored = 0 entry_point = 0x7ffa124f5d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1129 start_va = 0x7ffa12660000 end_va = 0x7ffa126bbfff monitored = 0 entry_point = 0x7ffa12676f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1130 start_va = 0x7ffa12710000 end_va = 0x7ffa12726fff monitored = 0 entry_point = 0x7ffa127179d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1131 start_va = 0x7ffa12830000 end_va = 0x7ffa1283afff monitored = 0 entry_point = 0x7ffa128319a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1132 start_va = 0x7ffa12870000 end_va = 0x7ffa12890fff monitored = 0 entry_point = 0x7ffa12880250 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 1133 start_va = 0x7ffa128c0000 end_va = 0x7ffa128f9fff monitored = 0 entry_point = 0x7ffa128c8d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 1134 start_va = 0x7ffa12900000 end_va = 0x7ffa12926fff monitored = 0 entry_point = 0x7ffa12910aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 1135 start_va = 0x7ffa12a10000 end_va = 0x7ffa12a3cfff monitored = 0 entry_point = 0x7ffa12a29d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1136 start_va = 0x7ffa12ba0000 end_va = 0x7ffa12bf5fff monitored = 0 entry_point = 0x7ffa12bb0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1137 start_va = 0x7ffa12c00000 end_va = 0x7ffa12c18fff monitored = 0 entry_point = 0x7ffa12c05e10 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 1138 start_va = 0x7ffa12c20000 end_va = 0x7ffa12c48fff monitored = 0 entry_point = 0x7ffa12c34530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1139 start_va = 0x7ffa12c50000 end_va = 0x7ffa12ce8fff monitored = 0 entry_point = 0x7ffa12c7f4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1140 start_va = 0x7ffa12d90000 end_va = 0x7ffa12da3fff monitored = 0 entry_point = 0x7ffa12d952e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1141 start_va = 0x7ffa12db0000 end_va = 0x7ffa12dbffff monitored = 0 entry_point = 0x7ffa12db56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1142 start_va = 0x7ffa12dc0000 end_va = 0x7ffa12e0afff monitored = 0 entry_point = 0x7ffa12dc35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1143 start_va = 0x7ffa12e10000 end_va = 0x7ffa12e1efff monitored = 0 entry_point = 0x7ffa12e13210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1144 start_va = 0x7ffa12e20000 end_va = 0x7ffa12e74fff monitored = 0 entry_point = 0x7ffa12e37970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1145 start_va = 0x7ffa12e80000 end_va = 0x7ffa12f34fff monitored = 0 entry_point = 0x7ffa12ec22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1146 start_va = 0x7ffa12f40000 end_va = 0x7ffa13106fff monitored = 0 entry_point = 0x7ffa12f9db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1147 start_va = 0x7ffa13110000 end_va = 0x7ffa13126fff monitored = 0 entry_point = 0x7ffa13111390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1148 start_va = 0x7ffa13130000 end_va = 0x7ffa13317fff monitored = 0 entry_point = 0x7ffa1315ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1149 start_va = 0x7ffa13320000 end_va = 0x7ffa13389fff monitored = 0 entry_point = 0x7ffa13356d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1150 start_va = 0x7ffa13390000 end_va = 0x7ffa133d2fff monitored = 0 entry_point = 0x7ffa133a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1151 start_va = 0x7ffa133e0000 end_va = 0x7ffa13465fff monitored = 0 entry_point = 0x7ffa133ed8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1152 start_va = 0x7ffa13520000 end_va = 0x7ffa13b63fff monitored = 0 entry_point = 0x7ffa136e64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1153 start_va = 0x7ffa13b70000 end_va = 0x7ffa13cb2fff monitored = 0 entry_point = 0x7ffa13b98210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1154 start_va = 0x7ffa13cc0000 end_va = 0x7ffa13d5cfff monitored = 0 entry_point = 0x7ffa13cc78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1155 start_va = 0x7ffa13d60000 end_va = 0x7ffa13d67fff monitored = 0 entry_point = 0x7ffa13d61ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1156 start_va = 0x7ffa13d80000 end_va = 0x7ffa13ed5fff monitored = 0 entry_point = 0x7ffa13d8a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1157 start_va = 0x7ffa13ee0000 end_va = 0x7ffa14065fff monitored = 0 entry_point = 0x7ffa13f2ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1158 start_va = 0x7ffa14070000 end_va = 0x7ffa140cafff monitored = 0 entry_point = 0x7ffa140838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1159 start_va = 0x7ffa14220000 end_va = 0x7ffa142c6fff monitored = 0 entry_point = 0x7ffa1422b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1160 start_va = 0x7ffa14340000 end_va = 0x7ffa145bcfff monitored = 0 entry_point = 0x7ffa14414970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1161 start_va = 0x7ffa145c0000 end_va = 0x7ffa146dbfff monitored = 0 entry_point = 0x7ffa146002b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1162 start_va = 0x7ffa146e0000 end_va = 0x7ffa1474afff monitored = 0 entry_point = 0x7ffa146f90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1163 start_va = 0x7ffa147c0000 end_va = 0x7ffa14880fff monitored = 0 entry_point = 0x7ffa147e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1164 start_va = 0x7ffa14ba0000 end_va = 0x7ffa14bf1fff monitored = 0 entry_point = 0x7ffa14baf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1165 start_va = 0x7ffa14c00000 end_va = 0x7ffa15028fff monitored = 0 entry_point = 0x7ffa14c28740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1166 start_va = 0x7ffa15030000 end_va = 0x7ffa1508bfff monitored = 0 entry_point = 0x7ffa1504b720 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1167 start_va = 0x7ffa15090000 end_va = 0x7ffa15136fff monitored = 0 entry_point = 0x7ffa150a58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1168 start_va = 0x7ffa15160000 end_va = 0x7ffa1520cfff monitored = 0 entry_point = 0x7ffa151781a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1169 start_va = 0x7ffa15210000 end_va = 0x7ffa1676efff monitored = 0 entry_point = 0x7ffa153711f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1170 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1309 start_va = 0x7900000 end_va = 0x79fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007900000" filename = "" Region: id = 1310 start_va = 0x7a00000 end_va = 0x7afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007a00000" filename = "" Region: id = 1311 start_va = 0x7b00000 end_va = 0x7bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b00000" filename = "" Region: id = 1312 start_va = 0x7c00000 end_va = 0x7cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007c00000" filename = "" Region: id = 1313 start_va = 0x450000 end_va = 0x451fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1314 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1315 start_va = 0xd40000 end_va = 0xd41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d40000" filename = "" Thread: id = 18 os_tid = 0xc98 Thread: id = 19 os_tid = 0x78c Thread: id = 20 os_tid = 0x12c4 Thread: id = 21 os_tid = 0x1128 Thread: id = 22 os_tid = 0x111c Thread: id = 23 os_tid = 0x1028 Thread: id = 24 os_tid = 0x1024 Thread: id = 25 os_tid = 0xcac Thread: id = 26 os_tid = 0xe90 Thread: id = 27 os_tid = 0x4e8 Thread: id = 28 os_tid = 0x9dc Thread: id = 29 os_tid = 0x45c Thread: id = 30 os_tid = 0x8cc Thread: id = 31 os_tid = 0x85c Thread: id = 32 os_tid = 0x868 Thread: id = 33 os_tid = 0x3b8 Thread: id = 34 os_tid = 0x9c4 Thread: id = 35 os_tid = 0x6f0 Thread: id = 36 os_tid = 0x828 Thread: id = 37 os_tid = 0xf8 Thread: id = 38 os_tid = 0xf4 Thread: id = 39 os_tid = 0x398 Thread: id = 40 os_tid = 0x27c Thread: id = 41 os_tid = 0x234 Thread: id = 42 os_tid = 0x224 Thread: id = 43 os_tid = 0x1d0 Thread: id = 44 os_tid = 0x18c Thread: id = 45 os_tid = 0x4bc Thread: id = 46 os_tid = 0x958 Thread: id = 47 os_tid = 0x79c Thread: id = 48 os_tid = 0xa08 Thread: id = 49 os_tid = 0xac0 Thread: id = 50 os_tid = 0xab4 Thread: id = 51 os_tid = 0xaa4 Thread: id = 52 os_tid = 0x89c Thread: id = 53 os_tid = 0x8b8 Thread: id = 54 os_tid = 0xbb8 Thread: id = 55 os_tid = 0xba8 Thread: id = 56 os_tid = 0x8c4 Thread: id = 57 os_tid = 0x8c0 Thread: id = 58 os_tid = 0xb84 Thread: id = 59 os_tid = 0x658 Thread: id = 60 os_tid = 0x5ec Thread: id = 61 os_tid = 0x780 Thread: id = 62 os_tid = 0x5ac Thread: id = 63 os_tid = 0x5e0 Thread: id = 64 os_tid = 0x508 Thread: id = 65 os_tid = 0x428 Thread: id = 66 os_tid = 0x4f8 Thread: id = 67 os_tid = 0x7e4 Thread: id = 68 os_tid = 0x7dc Thread: id = 69 os_tid = 0x7d8 Thread: id = 70 os_tid = 0x7cc Thread: id = 71 os_tid = 0x7c4 Thread: id = 72 os_tid = 0x7b0 Thread: id = 73 os_tid = 0x788 Thread: id = 74 os_tid = 0x744 Thread: id = 75 os_tid = 0x448 Thread: id = 76 os_tid = 0x6f8 Thread: id = 77 os_tid = 0x6d4 Thread: id = 78 os_tid = 0x648 Thread: id = 79 os_tid = 0x640 Thread: id = 80 os_tid = 0x62c Thread: id = 81 os_tid = 0x534 Thread: id = 82 os_tid = 0x530 Thread: id = 83 os_tid = 0x4a8 Thread: id = 84 os_tid = 0x2ac Thread: id = 85 os_tid = 0x270 Thread: id = 86 os_tid = 0x154 Thread: id = 87 os_tid = 0x1b8 Thread: id = 88 os_tid = 0x1bc Thread: id = 89 os_tid = 0x180 Thread: id = 90 os_tid = 0x188 Thread: id = 91 os_tid = 0x148 Thread: id = 92 os_tid = 0x12c Thread: id = 93 os_tid = 0xfc Thread: id = 94 os_tid = 0x60 Thread: id = 95 os_tid = 0x3f0 Thread: id = 96 os_tid = 0x3e8 Thread: id = 97 os_tid = 0x364 Thread: id = 122 os_tid = 0x1154 Thread: id = 123 os_tid = 0x1164 Thread: id = 124 os_tid = 0x113c Thread: id = 125 os_tid = 0x1130 Process: id = "5" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x510bc000" os_pid = "0x390" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xa], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\icssvc" [0xa], "NT SERVICE\\lmhosts" [0xe], "NT SERVICE\\NgcCtnrSvc" [0xa], "NT SERVICE\\vmictimesync" [0xa], "NT SERVICE\\Wcmsvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c87e" [0xc000000f], "LOCAL" [0x7] Region: id = 1171 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1172 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1173 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1174 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1175 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1176 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1177 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1178 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1179 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1180 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1181 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1182 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1183 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1184 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1185 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 1186 start_va = 0x550000 end_va = 0x556fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1187 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 1188 start_va = 0x570000 end_va = 0x576fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1189 start_va = 0x580000 end_va = 0x5e3fff monitored = 0 entry_point = 0x595ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1190 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 1191 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1192 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1193 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 1194 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 1195 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 1196 start_va = 0xbb0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 1197 start_va = 0xc20000 end_va = 0xc26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 1198 start_va = 0xc30000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 1199 start_va = 0xcb0000 end_va = 0xccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 1200 start_va = 0xcd0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 1201 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 1202 start_va = 0xd00000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 1203 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 1204 start_va = 0xf00000 end_va = 0xf00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 1205 start_va = 0xf10000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 1206 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 1207 start_va = 0x1120000 end_va = 0x1126fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 1208 start_va = 0x1130000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 1209 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 1210 start_va = 0x1300000 end_va = 0x137ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 1211 start_va = 0x1380000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 1212 start_va = 0x1400000 end_va = 0x147ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 1213 start_va = 0x1480000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 1214 start_va = 0x1500000 end_va = 0x157ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 1215 start_va = 0x1590000 end_va = 0x168ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001590000" filename = "" Region: id = 1216 start_va = 0x1700000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 1217 start_va = 0x1800000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 1218 start_va = 0x1900000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 1219 start_va = 0x1a00000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 1220 start_va = 0x1b00000 end_va = 0x1bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 1221 start_va = 0x1c00000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 1222 start_va = 0x1d00000 end_va = 0x2036fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1223 start_va = 0x2040000 end_va = 0x213ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 1224 start_va = 0x2140000 end_va = 0x221ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1225 start_va = 0x2220000 end_va = 0x231ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002220000" filename = "" Region: id = 1226 start_va = 0x2320000 end_va = 0x241ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 1227 start_va = 0x2420000 end_va = 0x251ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 1228 start_va = 0x2520000 end_va = 0x261ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002520000" filename = "" Region: id = 1229 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1230 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 1231 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 1232 start_va = 0x2a00000 end_va = 0x2afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 1233 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 1234 start_va = 0x2c00000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 1235 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 1236 start_va = 0x2e00000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 1237 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 1238 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1239 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 1240 start_va = 0x3400000 end_va = 0x34fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 1241 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1242 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1243 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1244 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1245 start_va = 0x7ff681250000 end_va = 0x7ff68125cfff monitored = 0 entry_point = 0x7ff681253980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1246 start_va = 0x7ff9ff920000 end_va = 0x7ff9ff952fff monitored = 0 entry_point = 0x7ff9ff92ae20 region_type = mapped_file name = "wscsvc.dll" filename = "\\Windows\\System32\\wscsvc.dll" (normalized: "c:\\windows\\system32\\wscsvc.dll") Region: id = 1247 start_va = 0x7ffa00990000 end_va = 0x7ffa00a17fff monitored = 0 entry_point = 0x7ffa009a4510 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 1248 start_va = 0x7ffa07cc0000 end_va = 0x7ffa07cd3fff monitored = 0 entry_point = 0x7ffa07cc1800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1249 start_va = 0x7ffa07ce0000 end_va = 0x7ffa07dd5fff monitored = 0 entry_point = 0x7ffa07d19590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1250 start_va = 0x7ffa08390000 end_va = 0x7ffa083a0fff monitored = 0 entry_point = 0x7ffa08392fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1251 start_va = 0x7ffa09490000 end_va = 0x7ffa0950efff monitored = 0 entry_point = 0x7ffa094a7110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1252 start_va = 0x7ffa0b7a0000 end_va = 0x7ffa0b7aafff monitored = 0 entry_point = 0x7ffa0b7a1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1253 start_va = 0x7ffa0b7b0000 end_va = 0x7ffa0b7f7fff monitored = 0 entry_point = 0x7ffa0b7ba1e0 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 1254 start_va = 0x7ffa0b8c0000 end_va = 0x7ffa0b91cfff monitored = 0 entry_point = 0x7ffa0b8d2bf0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 1255 start_va = 0x7ffa0b9f0000 end_va = 0x7ffa0ba09fff monitored = 0 entry_point = 0x7ffa0b9f2430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1256 start_va = 0x7ffa0ba10000 end_va = 0x7ffa0ba25fff monitored = 0 entry_point = 0x7ffa0ba119f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1257 start_va = 0x7ffa0ba70000 end_va = 0x7ffa0ba7dfff monitored = 0 entry_point = 0x7ffa0ba72e50 region_type = mapped_file name = "cmintegrator.dll" filename = "\\Windows\\System32\\cmintegrator.dll" (normalized: "c:\\windows\\system32\\cmintegrator.dll") Region: id = 1258 start_va = 0x7ffa0ba80000 end_va = 0x7ffa0bab7fff monitored = 0 entry_point = 0x7ffa0ba868f0 region_type = mapped_file name = "wcmcsp.dll" filename = "\\Windows\\System32\\wcmcsp.dll" (normalized: "c:\\windows\\system32\\wcmcsp.dll") Region: id = 1259 start_va = 0x7ffa0baf0000 end_va = 0x7ffa0bb27fff monitored = 0 entry_point = 0x7ffa0bb08cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1260 start_va = 0x7ffa0bb30000 end_va = 0x7ffa0bbc8fff monitored = 0 entry_point = 0x7ffa0bb4a090 region_type = mapped_file name = "wcmsvc.dll" filename = "\\Windows\\System32\\wcmsvc.dll" (normalized: "c:\\windows\\system32\\wcmsvc.dll") Region: id = 1261 start_va = 0x7ffa0c7c0000 end_va = 0x7ffa0c8cafff monitored = 0 entry_point = 0x7ffa0c802610 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 1262 start_va = 0x7ffa0c9c0000 end_va = 0x7ffa0ca2ffff monitored = 0 entry_point = 0x7ffa0c9e2960 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 1263 start_va = 0x7ffa0e910000 end_va = 0x7ffa0eac0fff monitored = 0 entry_point = 0x7ffa0e963690 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 1264 start_va = 0x7ffa0eb30000 end_va = 0x7ffa0ec65fff monitored = 0 entry_point = 0x7ffa0eb5f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1265 start_va = 0x7ffa0ed60000 end_va = 0x7ffa0ee27fff monitored = 0 entry_point = 0x7ffa0eda13f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1266 start_va = 0x7ffa0f0a0000 end_va = 0x7ffa0f0e9fff monitored = 0 entry_point = 0x7ffa0f0aac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 1267 start_va = 0x7ffa0f3e0000 end_va = 0x7ffa0f3f0fff monitored = 0 entry_point = 0x7ffa0f3e3320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 1268 start_va = 0x7ffa0ff00000 end_va = 0x7ffa0ff08fff monitored = 0 entry_point = 0x7ffa0ff019a0 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 1269 start_va = 0x7ffa0ff10000 end_va = 0x7ffa0ff1afff monitored = 0 entry_point = 0x7ffa0ff11cd0 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 1270 start_va = 0x7ffa0ff30000 end_va = 0x7ffa0ff47fff monitored = 0 entry_point = 0x7ffa0ff35910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1271 start_va = 0x7ffa11220000 end_va = 0x7ffa113a5fff monitored = 0 entry_point = 0x7ffa1126d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1272 start_va = 0x7ffa11410000 end_va = 0x7ffa11422fff monitored = 0 entry_point = 0x7ffa11412760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1273 start_va = 0x7ffa117d0000 end_va = 0x7ffa117f6fff monitored = 0 entry_point = 0x7ffa117d7940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1274 start_va = 0x7ffa11800000 end_va = 0x7ffa118a9fff monitored = 0 entry_point = 0x7ffa11827910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1275 start_va = 0x7ffa11b10000 end_va = 0x7ffa11b41fff monitored = 0 entry_point = 0x7ffa11b22340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1276 start_va = 0x7ffa11d90000 end_va = 0x7ffa11db3fff monitored = 0 entry_point = 0x7ffa11d93260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1277 start_va = 0x7ffa11f30000 end_va = 0x7ffa12023fff monitored = 0 entry_point = 0x7ffa11f3a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1278 start_va = 0x7ffa121a0000 end_va = 0x7ffa121abfff monitored = 0 entry_point = 0x7ffa121a27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1279 start_va = 0x7ffa12280000 end_va = 0x7ffa122b0fff monitored = 0 entry_point = 0x7ffa12287d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1280 start_va = 0x7ffa124f0000 end_va = 0x7ffa1250efff monitored = 0 entry_point = 0x7ffa124f5d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1281 start_va = 0x7ffa12660000 end_va = 0x7ffa126bbfff monitored = 0 entry_point = 0x7ffa12676f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1282 start_va = 0x7ffa12830000 end_va = 0x7ffa1283afff monitored = 0 entry_point = 0x7ffa128319a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1283 start_va = 0x7ffa12a10000 end_va = 0x7ffa12a3cfff monitored = 0 entry_point = 0x7ffa12a29d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1284 start_va = 0x7ffa12ba0000 end_va = 0x7ffa12bf5fff monitored = 0 entry_point = 0x7ffa12bb0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1285 start_va = 0x7ffa12c20000 end_va = 0x7ffa12c48fff monitored = 0 entry_point = 0x7ffa12c34530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1286 start_va = 0x7ffa12d90000 end_va = 0x7ffa12da3fff monitored = 0 entry_point = 0x7ffa12d952e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1287 start_va = 0x7ffa12db0000 end_va = 0x7ffa12dbffff monitored = 0 entry_point = 0x7ffa12db56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1288 start_va = 0x7ffa12dc0000 end_va = 0x7ffa12e0afff monitored = 0 entry_point = 0x7ffa12dc35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1289 start_va = 0x7ffa12e10000 end_va = 0x7ffa12e1efff monitored = 0 entry_point = 0x7ffa12e13210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1290 start_va = 0x7ffa12f40000 end_va = 0x7ffa13106fff monitored = 0 entry_point = 0x7ffa12f9db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1291 start_va = 0x7ffa13130000 end_va = 0x7ffa13317fff monitored = 0 entry_point = 0x7ffa1315ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1292 start_va = 0x7ffa13320000 end_va = 0x7ffa13389fff monitored = 0 entry_point = 0x7ffa13356d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1293 start_va = 0x7ffa13390000 end_va = 0x7ffa133d2fff monitored = 0 entry_point = 0x7ffa133a4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1294 start_va = 0x7ffa133e0000 end_va = 0x7ffa13465fff monitored = 0 entry_point = 0x7ffa133ed8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1295 start_va = 0x7ffa13b70000 end_va = 0x7ffa13cb2fff monitored = 0 entry_point = 0x7ffa13b98210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1296 start_va = 0x7ffa13cc0000 end_va = 0x7ffa13d5cfff monitored = 0 entry_point = 0x7ffa13cc78a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1297 start_va = 0x7ffa13d60000 end_va = 0x7ffa13d67fff monitored = 0 entry_point = 0x7ffa13d61ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1298 start_va = 0x7ffa13d80000 end_va = 0x7ffa13ed5fff monitored = 0 entry_point = 0x7ffa13d8a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1299 start_va = 0x7ffa13ee0000 end_va = 0x7ffa14065fff monitored = 0 entry_point = 0x7ffa13f2ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1300 start_va = 0x7ffa14070000 end_va = 0x7ffa140cafff monitored = 0 entry_point = 0x7ffa140838b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1301 start_va = 0x7ffa14220000 end_va = 0x7ffa142c6fff monitored = 0 entry_point = 0x7ffa1422b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1302 start_va = 0x7ffa14340000 end_va = 0x7ffa145bcfff monitored = 0 entry_point = 0x7ffa14414970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1303 start_va = 0x7ffa145c0000 end_va = 0x7ffa146dbfff monitored = 0 entry_point = 0x7ffa146002b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1304 start_va = 0x7ffa146e0000 end_va = 0x7ffa1474afff monitored = 0 entry_point = 0x7ffa146f90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1305 start_va = 0x7ffa147c0000 end_va = 0x7ffa14880fff monitored = 0 entry_point = 0x7ffa147e0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1306 start_va = 0x7ffa15090000 end_va = 0x7ffa15136fff monitored = 0 entry_point = 0x7ffa150a58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1307 start_va = 0x7ffa15160000 end_va = 0x7ffa1520cfff monitored = 0 entry_point = 0x7ffa151781a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1308 start_va = 0x7ffa16770000 end_va = 0x7ffa16930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 98 os_tid = 0x1070 Thread: id = 99 os_tid = 0x238 Thread: id = 100 os_tid = 0x13f8 Thread: id = 101 os_tid = 0x13e4 Thread: id = 102 os_tid = 0x824 Thread: id = 103 os_tid = 0x7a0 Thread: id = 104 os_tid = 0xac4 Thread: id = 105 os_tid = 0xaac Thread: id = 106 os_tid = 0x470 Thread: id = 107 os_tid = 0xa18 Thread: id = 108 os_tid = 0x478 Thread: id = 109 os_tid = 0x468 Thread: id = 110 os_tid = 0x458 Thread: id = 111 os_tid = 0x450 Thread: id = 112 os_tid = 0x44c Thread: id = 113 os_tid = 0x434 Thread: id = 114 os_tid = 0x42c Thread: id = 115 os_tid = 0x8 Thread: id = 116 os_tid = 0x348 Thread: id = 117 os_tid = 0x324 Thread: id = 118 os_tid = 0x2f4 Thread: id = 119 os_tid = 0x2e8 Thread: id = 120 os_tid = 0x284 Thread: id = 121 os_tid = 0x394 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x65299000" os_pid = "0x3f0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_scheduled_job" parent_id = "2" os_parent_pid = "0x210" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d41e" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1416 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1417 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1418 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1419 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1420 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1421 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1422 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1423 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1424 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1425 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1426 start_va = 0x7ff7c0750000 end_va = 0x7ff7c075cfff monitored = 0 entry_point = 0x7ff7c0753980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1427 start_va = 0x7ffc109e0000 end_va = 0x7ffc10ba0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1545 start_va = 0x400000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1546 start_va = 0x590000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 1547 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1548 start_va = 0x7ffc108d0000 end_va = 0x7ffc1097cfff monitored = 0 entry_point = 0x7ffc108e81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1549 start_va = 0x7ffc0d250000 end_va = 0x7ffc0d437fff monitored = 0 entry_point = 0x7ffc0d27ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1550 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1551 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1552 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1553 start_va = 0x7ffc0e230000 end_va = 0x7ffc0e28afff monitored = 0 entry_point = 0x7ffc0e2438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1554 start_va = 0x7ffc0ef30000 end_va = 0x7ffc0f04bfff monitored = 0 entry_point = 0x7ffc0ef702b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1555 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1556 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1557 start_va = 0x7ffc0c1a0000 end_va = 0x7ffc0c293fff monitored = 0 entry_point = 0x7ffc0c1aa960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1558 start_va = 0x7ffc0e780000 end_va = 0x7ffc0e9fcfff monitored = 0 entry_point = 0x7ffc0e854970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1559 start_va = 0x7ffc0df90000 end_va = 0x7ffc0e02cfff monitored = 0 entry_point = 0x7ffc0df978a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1560 start_va = 0x7ffc0d1e0000 end_va = 0x7ffc0d249fff monitored = 0 entry_point = 0x7ffc0d216d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1561 start_va = 0x700000 end_va = 0x866fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1562 start_va = 0x870000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1563 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 1564 start_va = 0x480000 end_va = 0x55cfff monitored = 0 entry_point = 0x4de0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1565 start_va = 0x7ffc0d080000 end_va = 0x7ffc0d08efff monitored = 0 entry_point = 0x7ffc0d083210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1566 start_va = 0x7ffc0ed60000 end_va = 0x7ffc0eeb5fff monitored = 0 entry_point = 0x7ffc0ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1567 start_va = 0x7ffc0f170000 end_va = 0x7ffc0f2f5fff monitored = 0 entry_point = 0x7ffc0f1bffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1568 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1569 start_va = 0xa00000 end_va = 0xb87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 1570 start_va = 0xb90000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 1571 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1572 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1573 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1574 start_va = 0x700000 end_va = 0x7c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1575 start_va = 0x860000 end_va = 0x866fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1576 start_va = 0xd20000 end_va = 0xf1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 1577 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 1578 start_va = 0xf00000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 1579 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 1580 start_va = 0x7ffc076d0000 end_va = 0x7ffc0781cfff monitored = 0 entry_point = 0x7ffc07713da0 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1581 start_va = 0x7ffc0bcb0000 end_va = 0x7ffc0bcbbfff monitored = 0 entry_point = 0x7ffc0bcb2480 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1582 start_va = 0x7ffc076b0000 end_va = 0x7ffc076c7fff monitored = 0 entry_point = 0x7ffc076b5910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1583 start_va = 0x7ffc076a0000 end_va = 0x7ffc076aafff monitored = 0 entry_point = 0x7ffc076a1770 region_type = mapped_file name = "lfsvc.dll" filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll") Region: id = 1584 start_va = 0x7ffc098c0000 end_va = 0x7ffc09951fff monitored = 0 entry_point = 0x7ffc0990a780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 1585 start_va = 0x7ffc07520000 end_va = 0x7ffc0769bfff monitored = 0 entry_point = 0x7ffc07571650 region_type = mapped_file name = "locationframework.dll" filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll") Region: id = 1586 start_va = 0x7ffc0ec90000 end_va = 0x7ffc0ed50fff monitored = 0 entry_point = 0x7ffc0ecb0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1587 start_va = 0x7ffc0d020000 end_va = 0x7ffc0d06afff monitored = 0 entry_point = 0x7ffc0d0235f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1588 start_va = 0x7ffc0ea60000 end_va = 0x7ffc0eb06fff monitored = 0 entry_point = 0x7ffc0ea758d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1589 start_va = 0x7ffc0dbc0000 end_va = 0x7ffc0dd86fff monitored = 0 entry_point = 0x7ffc0dc1db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1590 start_va = 0x7ffc0d070000 end_va = 0x7ffc0d07ffff monitored = 0 entry_point = 0x7ffc0d0756e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1591 start_va = 0x7ffc0eec0000 end_va = 0x7ffc0ef2afff monitored = 0 entry_point = 0x7ffc0eed90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1592 start_va = 0x7ffc0b8b0000 end_va = 0x7ffc0b8effff monitored = 0 entry_point = 0x7ffc0b8c1960 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 1593 start_va = 0x7ffc07300000 end_va = 0x7ffc07360fff monitored = 0 entry_point = 0x7ffc07304b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 1594 start_va = 0x7ffc09a30000 end_va = 0x7ffc09a65fff monitored = 0 entry_point = 0x7ffc09a40070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1595 start_va = 0x700000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1596 start_va = 0x7c0000 end_va = 0x7c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 1597 start_va = 0x7ffc07230000 end_va = 0x7ffc072f7fff monitored = 0 entry_point = 0x7ffc072713f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1598 start_va = 0x1100000 end_va = 0x1242fff monitored = 0 entry_point = 0x1128210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1599 start_va = 0x7ffc071f0000 end_va = 0x7ffc071f9fff monitored = 0 entry_point = 0x7ffc071f1660 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1600 start_va = 0xd20000 end_va = 0xdfcfff monitored = 0 entry_point = 0xd7e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1601 start_va = 0x540000 end_va = 0x566fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1602 start_va = 0x1100000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 1603 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 1604 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 1605 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 1606 start_va = 0x1400000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 1607 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1608 start_va = 0x7ffc0e6d0000 end_va = 0x7ffc0e776fff monitored = 0 entry_point = 0x7ffc0e6db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1609 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1610 start_va = 0x1500000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 1611 start_va = 0x7ffc071d0000 end_va = 0x7ffc071effff monitored = 0 entry_point = 0x7ffc071d39a0 region_type = mapped_file name = "locationwinpalmisc.dll" filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll") Region: id = 1612 start_va = 0x7ffc0f300000 end_va = 0x7ffc1085efff monitored = 0 entry_point = 0x7ffc0f4611f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1613 start_va = 0x7ffc0dd90000 end_va = 0x7ffc0ddd2fff monitored = 0 entry_point = 0x7ffc0dda4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1614 start_va = 0x7ffc0d4c0000 end_va = 0x7ffc0db03fff monitored = 0 entry_point = 0x7ffc0d6864b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1615 start_va = 0x7ffc10870000 end_va = 0x7ffc108c1fff monitored = 0 entry_point = 0x7ffc1087f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1616 start_va = 0x7ffc0d120000 end_va = 0x7ffc0d1d4fff monitored = 0 entry_point = 0x7ffc0d1622e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1617 start_va = 0x7ffc0d000000 end_va = 0x7ffc0d013fff monitored = 0 entry_point = 0x7ffc0d0052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1618 start_va = 0x7ffc0c760000 end_va = 0x7ffc0c77efff monitored = 0 entry_point = 0x7ffc0c765d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1619 start_va = 0x7ffc0ba40000 end_va = 0x7ffc0ba66fff monitored = 0 entry_point = 0x7ffc0ba47940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1620 start_va = 0x1600000 end_va = 0x1936fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1621 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 1622 start_va = 0x560000 end_va = 0x566fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1623 start_va = 0x7ffc071c0000 end_va = 0x7ffc071cbfff monitored = 0 entry_point = 0x7ffc071c14d0 region_type = mapped_file name = "locationframeworkps.dll" filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll") Region: id = 1624 start_va = 0x7ffc07100000 end_va = 0x7ffc071befff monitored = 0 entry_point = 0x7ffc07121c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 1625 start_va = 0x7ffc070c0000 end_va = 0x7ffc070f6fff monitored = 0 entry_point = 0x7ffc070c6020 region_type = mapped_file name = "gnssadapter.dll" filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll") Region: id = 1626 start_va = 0x7ffc07060000 end_va = 0x7ffc070b4fff monitored = 0 entry_point = 0x7ffc07063fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 1627 start_va = 0x1940000 end_va = 0x1a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001940000" filename = "" Region: id = 1628 start_va = 0x1a40000 end_va = 0x1b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a40000" filename = "" Region: id = 1629 start_va = 0x7ffc06f60000 end_va = 0x7ffc0705bfff monitored = 0 entry_point = 0x7ffc06f96df0 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 1630 start_va = 0x7ffc06f10000 end_va = 0x7ffc06f50fff monitored = 0 entry_point = 0x7ffc06f27eb0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1631 start_va = 0x7ffc0ce70000 end_va = 0x7ffc0ce88fff monitored = 0 entry_point = 0x7ffc0ce75e10 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 1632 start_va = 0x590000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 1633 start_va = 0x1b40000 end_va = 0x1d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 1634 start_va = 0x1c00000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 1635 start_va = 0x7ffc0c2a0000 end_va = 0x7ffc0c2e8fff monitored = 0 entry_point = 0x7ffc0c2aa090 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1636 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 1637 start_va = 0x7ffc06ef0000 end_va = 0x7ffc06f00fff monitored = 0 entry_point = 0x7ffc06ef3320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 1638 start_va = 0x7ffc0cce0000 end_va = 0x7ffc0cd0cfff monitored = 0 entry_point = 0x7ffc0ccf9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1639 start_va = 0x7ffc06ed0000 end_va = 0x7ffc06ee9fff monitored = 0 entry_point = 0x7ffc06ed2cf0 region_type = mapped_file name = "locationpelegacywinlocation.dll" filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll") Region: id = 1640 start_va = 0x7ffc0e0a0000 end_va = 0x7ffc0e1e2fff monitored = 0 entry_point = 0x7ffc0e0c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1643 start_va = 0x7ffc0ce90000 end_va = 0x7ffc0ceb8fff monitored = 0 entry_point = 0x7ffc0cea4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1644 start_va = 0x7d0000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1645 start_va = 0xf00000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 1646 start_va = 0x7ffc06e60000 end_va = 0x7ffc06ecdfff monitored = 0 entry_point = 0x7ffc06e67f60 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 1647 start_va = 0x7ffc06c50000 end_va = 0x7ffc06c91fff monitored = 0 entry_point = 0x7ffc06c527d0 region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 1648 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1649 start_va = 0x7ffc06c30000 end_va = 0x7ffc06c40fff monitored = 0 entry_point = 0x7ffc06c37ea0 region_type = mapped_file name = "dcpapi.dll" filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll") Region: id = 1650 start_va = 0x7ffc06c00000 end_va = 0x7ffc06c24fff monitored = 0 entry_point = 0x7ffc06c12f20 region_type = mapped_file name = "wificonnapi.dll" filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll") Region: id = 1651 start_va = 0x7ffc06bc0000 end_va = 0x7ffc06bf8fff monitored = 0 entry_point = 0x7ffc06bc9c90 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 1652 start_va = 0x7ffc06ba0000 end_va = 0x7ffc06bb0fff monitored = 0 entry_point = 0x7ffc06ba3e10 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 1653 start_va = 0x7ffc07e60000 end_va = 0x7ffc081e1fff monitored = 0 entry_point = 0x7ffc07eb1220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 1654 start_va = 0x7ffc06b40000 end_va = 0x7ffc06bf0fff monitored = 0 entry_point = 0x7ffc06bb88b0 region_type = mapped_file name = "cellularapi.dll" filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll") Region: id = 1655 start_va = 0x7ffc06b20000 end_va = 0x7ffc06b31fff monitored = 0 entry_point = 0x7ffc06b29260 region_type = mapped_file name = "rilproxy.dll" filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll") Region: id = 1656 start_va = 0x7ffc06a70000 end_va = 0x7ffc06b1dfff monitored = 0 entry_point = 0x7ffc06a880c0 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 1657 start_va = 0x7ffc0c4f0000 end_va = 0x7ffc0c520fff monitored = 0 entry_point = 0x7ffc0c4f7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1658 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 1659 start_va = 0x870000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1660 start_va = 0x7ffc069e0000 end_va = 0x7ffc069f5fff monitored = 0 entry_point = 0x7ffc069e1b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1661 start_va = 0x7ffc069b0000 end_va = 0x7ffc069defff monitored = 0 entry_point = 0x7ffc069b8910 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 1662 start_va = 0x7ffc069a0000 end_va = 0x7ffc069acfff monitored = 0 entry_point = 0x7ffc069a2ca0 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 1663 start_va = 0xd20000 end_va = 0xd9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 1664 start_va = 0x1b40000 end_va = 0x1bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 1665 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 1666 start_va = 0x7ffc0c8d0000 end_va = 0x7ffc0c92bfff monitored = 0 entry_point = 0x7ffc0c8e6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1667 start_va = 0x7ffc06940000 end_va = 0x7ffc06994fff monitored = 0 entry_point = 0x7ffc0694fc00 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1668 start_va = 0x7ffc06910000 end_va = 0x7ffc0693dfff monitored = 0 entry_point = 0x7ffc06917550 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1669 start_va = 0x7ffc0cb40000 end_va = 0x7ffc0cb60fff monitored = 0 entry_point = 0x7ffc0cb50250 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 1670 start_va = 0x7ffc0c410000 end_va = 0x7ffc0c41bfff monitored = 0 entry_point = 0x7ffc0c4127e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1671 start_va = 0x1f00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 1672 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1673 start_va = 0x7ffc06860000 end_va = 0x7ffc06886fff monitored = 0 entry_point = 0x7ffc06863bf0 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 1674 start_va = 0x7ffc0ea00000 end_va = 0x7ffc0ea5bfff monitored = 0 entry_point = 0x7ffc0ea1b720 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1675 start_va = 0x7ffc06820000 end_va = 0x7ffc0685dfff monitored = 0 entry_point = 0x7ffc0682a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1676 start_va = 0x7ffc06800000 end_va = 0x7ffc06812fff monitored = 0 entry_point = 0x7ffc068057f0 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1677 start_va = 0x7ffc0c980000 end_va = 0x7ffc0c9d5fff monitored = 0 entry_point = 0x7ffc0c990bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1678 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 1679 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 1680 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 1681 start_va = 0x7ffc067d0000 end_va = 0x7ffc067e6fff monitored = 0 entry_point = 0x7ffc067d5630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1682 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 1683 start_va = 0x7ffc0c000000 end_va = 0x7ffc0c023fff monitored = 0 entry_point = 0x7ffc0c003260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1684 start_va = 0x7ffc0b740000 end_va = 0x7ffc0b752fff monitored = 0 entry_point = 0x7ffc0b742760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1685 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 1686 start_va = 0x7ffc06470000 end_va = 0x7ffc06555fff monitored = 0 entry_point = 0x7ffc0648cf10 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 1687 start_va = 0x7ffc081f0000 end_va = 0x7ffc08325fff monitored = 0 entry_point = 0x7ffc0821f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1688 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1689 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 1690 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1691 start_va = 0x7ffc0a520000 end_va = 0x7ffc0a527fff monitored = 0 entry_point = 0x7ffc0a5213e0 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 1692 start_va = 0x7ffc062c0000 end_va = 0x7ffc06300fff monitored = 0 entry_point = 0x7ffc062c4840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 1695 start_va = 0x7ffc0b6e0000 end_va = 0x7ffc0b6fbfff monitored = 0 entry_point = 0x7ffc0b6e37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1696 start_va = 0x5a0000 end_va = 0x5acfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 1697 start_va = 0x2000000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 1698 start_va = 0x7ffc06180000 end_va = 0x7ffc0618bfff monitored = 0 entry_point = 0x7ffc06182830 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 1699 start_va = 0x2300000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1700 start_va = 0x2300000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1701 start_va = 0x2400000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 1702 start_va = 0x7ffc05f20000 end_va = 0x7ffc05fb9fff monitored = 0 entry_point = 0x7ffc05f3ada0 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 1703 start_va = 0x7ffc05e60000 end_va = 0x7ffc05f1ffff monitored = 0 entry_point = 0x7ffc05e8fd20 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 1704 start_va = 0x5b0000 end_va = 0x5b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1705 start_va = 0x7ffc05e00000 end_va = 0x7ffc05e51fff monitored = 0 entry_point = 0x7ffc05e038e0 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 1706 start_va = 0x7ffc05dd0000 end_va = 0x7ffc05dfcfff monitored = 0 entry_point = 0x7ffc05dd2290 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 1707 start_va = 0x7ffc06310000 end_va = 0x7ffc06347fff monitored = 0 entry_point = 0x7ffc06328cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1708 start_va = 0x7ffc05dc0000 end_va = 0x7ffc05dc8fff monitored = 0 entry_point = 0x7ffc05dc1ed0 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 1709 start_va = 0x7ffc05db0000 end_va = 0x7ffc05dbffff monitored = 0 entry_point = 0x7ffc05db1700 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 1710 start_va = 0x7ffc0d090000 end_va = 0x7ffc0d115fff monitored = 0 entry_point = 0x7ffc0d09d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1711 start_va = 0x7ffc0be80000 end_va = 0x7ffc0beb1fff monitored = 0 entry_point = 0x7ffc0be92340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1712 start_va = 0x7ffc0bff0000 end_va = 0x7ffc0bffbfff monitored = 0 entry_point = 0x7ffc0bff2790 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1713 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 1714 start_va = 0x7ffc06a00000 end_va = 0x7ffc06a63fff monitored = 0 entry_point = 0x7ffc06a15ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1715 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 1716 start_va = 0x7ffc05c30000 end_va = 0x7ffc05c3dfff monitored = 0 entry_point = 0x7ffc05c31460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1833 start_va = 0x7ffc0cb00000 end_va = 0x7ffc0cb0afff monitored = 0 entry_point = 0x7ffc0cb019a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1843 start_va = 0x7ffc0b550000 end_va = 0x7ffc0b6d5fff monitored = 0 entry_point = 0x7ffc0b59d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1846 start_va = 0x5b0000 end_va = 0x5b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1849 start_va = 0x2700000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1850 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1863 start_va = 0xda0000 end_va = 0xde4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db") Region: id = 1864 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1865 start_va = 0x1d00000 end_va = 0x1d8dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 1866 start_va = 0x780000 end_va = 0x790fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 1869 start_va = 0x2080000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 1892 start_va = 0x7ffc067c0000 end_va = 0x7ffc067cffff monitored = 0 entry_point = 0x7ffc067c2c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 1905 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1906 start_va = 0x7ffc0b700000 end_va = 0x7ffc0b731fff monitored = 0 entry_point = 0x7ffc0b70b0c0 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 1907 start_va = 0x7ffc04fe0000 end_va = 0x7ffc0507afff monitored = 0 entry_point = 0x7ffc04fe7220 region_type = mapped_file name = "settingsync.dll" filename = "\\Windows\\System32\\SettingSync.dll" (normalized: "c:\\windows\\system32\\settingsync.dll") Region: id = 1908 start_va = 0x5d0000 end_va = 0x5d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 1909 start_va = 0x2800000 end_va = 0x28dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1914 start_va = 0x7ffc04fc0000 end_va = 0x7ffc04fd0fff monitored = 0 entry_point = 0x7ffc04fc28d0 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 1915 start_va = 0x28e0000 end_va = 0x29dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 1916 start_va = 0x29e0000 end_va = 0x2a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029e0000" filename = "" Region: id = 1917 start_va = 0x7ffc06890000 end_va = 0x7ffc06909fff monitored = 0 entry_point = 0x7ffc068b7630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1918 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 1919 start_va = 0x7ffc0cec0000 end_va = 0x7ffc0cf58fff monitored = 0 entry_point = 0x7ffc0ceef4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1920 start_va = 0x5f0000 end_va = 0x5f1fff monitored = 0 entry_point = 0x5f5630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1921 start_va = 0x7a0000 end_va = 0x7a4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 1988 start_va = 0x2a60000 end_va = 0x2b5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 1999 start_va = 0x5f0000 end_va = 0x5f1fff monitored = 0 entry_point = 0x5f5630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 2000 start_va = 0x7a0000 end_va = 0x7a4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 2007 start_va = 0x5f0000 end_va = 0x5f1fff monitored = 0 entry_point = 0x5f5630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 2008 start_va = 0x7a0000 end_va = 0x7a4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 2018 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 2041 start_va = 0x2b60000 end_va = 0x2c5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b60000" filename = "" Region: id = 2043 start_va = 0x7ffc04660000 end_va = 0x7ffc0469bfff monitored = 0 entry_point = 0x7ffc04666aa0 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 2055 start_va = 0x7ffc045e0000 end_va = 0x7ffc0465efff monitored = 0 entry_point = 0x7ffc045f7110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2059 start_va = 0x2c60000 end_va = 0x2d5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c60000" filename = "" Region: id = 2060 start_va = 0x7ffc040c0000 end_va = 0x7ffc0410bfff monitored = 0 entry_point = 0x7ffc040d5310 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 2061 start_va = 0x7ffc0e6c0000 end_va = 0x7ffc0e6c7fff monitored = 0 entry_point = 0x7ffc0e6c1ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2062 start_va = 0x7ffc06460000 end_va = 0x7ffc0646afff monitored = 0 entry_point = 0x7ffc06461d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2063 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Region: id = 2064 start_va = 0x2d60000 end_va = 0x2e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 2065 start_va = 0x700000 end_va = 0x731fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll.mui" filename = "\\Windows\\System32\\en-US\\netmsg.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netmsg.dll.mui") Region: id = 2066 start_va = 0x2e60000 end_va = 0x2f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 2067 start_va = 0x7ffc03f90000 end_va = 0x7ffc04082fff monitored = 0 entry_point = 0x7ffc03fb5d80 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2068 start_va = 0x7ffc05ff0000 end_va = 0x7ffc06056fff monitored = 0 entry_point = 0x7ffc05ff63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2069 start_va = 0x7ffc056b0000 end_va = 0x7ffc056c3fff monitored = 0 entry_point = 0x7ffc056b2d50 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 2070 start_va = 0x7ffc0e290000 end_va = 0x7ffc0e6b8fff monitored = 0 entry_point = 0x7ffc0e2b8740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2071 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2072 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2073 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2074 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2075 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2076 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2077 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2078 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2079 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2080 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2081 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2082 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2083 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2084 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2085 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2086 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2087 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2088 start_va = 0x7ffc03f40000 end_va = 0x7ffc03f80fff monitored = 0 entry_point = 0x7ffc03f43750 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 2089 start_va = 0x7ffc03f20000 end_va = 0x7ffc03f30fff monitored = 0 entry_point = 0x7ffc03f21d30 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 2090 start_va = 0x7ffc03f10000 end_va = 0x7ffc03f18fff monitored = 0 entry_point = 0x7ffc03f118f0 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 2091 start_va = 0x7ffc03ef0000 end_va = 0x7ffc03f0ffff monitored = 0 entry_point = 0x7ffc03ef1f50 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 2092 start_va = 0x7ffc03e90000 end_va = 0x7ffc03eedfff monitored = 0 entry_point = 0x7ffc03e95080 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 2093 start_va = 0x7ffc03e60000 end_va = 0x7ffc03e8dfff monitored = 1 entry_point = 0x7ffc03e62300 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 2095 start_va = 0x7ffc0c650000 end_va = 0x7ffc0c659fff monitored = 0 entry_point = 0x7ffc0c651830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 2096 start_va = 0x2f60000 end_va = 0x305ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 2097 start_va = 0x7ffc03cc0000 end_va = 0x7ffc03d11fff monitored = 0 entry_point = 0x7ffc03cc5770 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 2098 start_va = 0x7ffc03c10000 end_va = 0x7ffc03cb2fff monitored = 0 entry_point = 0x7ffc03c12c10 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 2099 start_va = 0x7ffc0cbd0000 end_va = 0x7ffc0cbf6fff monitored = 0 entry_point = 0x7ffc0cbe0aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 2100 start_va = 0x7ffc0cb90000 end_va = 0x7ffc0cbc9fff monitored = 0 entry_point = 0x7ffc0cb98d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 2101 start_va = 0x7ffc03be0000 end_va = 0x7ffc03c04fff monitored = 0 entry_point = 0x7ffc03be5ca0 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 2102 start_va = 0x7ffc03bc0000 end_va = 0x7ffc03bd7fff monitored = 0 entry_point = 0x7ffc03bc4e10 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 2107 start_va = 0x7ffc04900000 end_va = 0x7ffc04908fff monitored = 0 entry_point = 0x7ffc049021d0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 2108 start_va = 0x700000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 2109 start_va = 0x7ffc062a0000 end_va = 0x7ffc062b5fff monitored = 0 entry_point = 0x7ffc062a19f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2110 start_va = 0x7ffc06280000 end_va = 0x7ffc06299fff monitored = 0 entry_point = 0x7ffc06282430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2111 start_va = 0x28e0000 end_va = 0x295ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 2113 start_va = 0x2960000 end_va = 0x29dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 2114 start_va = 0x7ffc0c9e0000 end_va = 0x7ffc0c9f6fff monitored = 0 entry_point = 0x7ffc0c9e79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2115 start_va = 0x7ffc0c610000 end_va = 0x7ffc0c643fff monitored = 0 entry_point = 0x7ffc0c62ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2116 start_va = 0x3060000 end_va = 0x3256fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003060000" filename = "" Region: id = 2117 start_va = 0x2a60000 end_va = 0x2af6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 2118 start_va = 0x2e60000 end_va = 0x2f5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002e60000" filename = "" Region: id = 2119 start_va = 0x3060000 end_va = 0x3106fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003060000" filename = "" Region: id = 2120 start_va = 0x3250000 end_va = 0x3256fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003250000" filename = "" Region: id = 2121 start_va = 0x2a60000 end_va = 0x2adffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 2122 start_va = 0x2af0000 end_va = 0x2af6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 2124 start_va = 0x5f0000 end_va = 0x5fcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 2125 start_va = 0x7ffc03640000 end_va = 0x7ffc036b8fff monitored = 0 entry_point = 0x7ffc036476a0 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 2126 start_va = 0x3060000 end_va = 0x30dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003060000" filename = "" Region: id = 2127 start_va = 0x3100000 end_va = 0x3106fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 2128 start_va = 0x7a0000 end_va = 0x7a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 2129 start_va = 0x7ffc03620000 end_va = 0x7ffc0363efff monitored = 0 entry_point = 0x7ffc036237e0 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 2130 start_va = 0x3110000 end_va = 0x318ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 2131 start_va = 0x3190000 end_va = 0x320ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2132 start_va = 0x3260000 end_va = 0x335ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003260000" filename = "" Region: id = 2133 start_va = 0x3360000 end_va = 0x33dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003360000" filename = "" Region: id = 2134 start_va = 0x7ffc035d0000 end_va = 0x7ffc0360ffff monitored = 0 entry_point = 0x7ffc035e6c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2135 start_va = 0x33e0000 end_va = 0x345ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033e0000" filename = "" Region: id = 2136 start_va = 0x3460000 end_va = 0x355ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003460000" filename = "" Region: id = 2137 start_va = 0x7ffc03530000 end_va = 0x7ffc03571fff monitored = 0 entry_point = 0x7ffc03533670 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 2138 start_va = 0x7ffc0d460000 end_va = 0x7ffc0d4b4fff monitored = 0 entry_point = 0x7ffc0d477970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2139 start_va = 0x3560000 end_va = 0x375ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003560000" filename = "" Region: id = 2140 start_va = 0x3600000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 2141 start_va = 0x3560000 end_va = 0x35dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003560000" filename = "" Region: id = 2142 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 2143 start_va = 0x3700000 end_va = 0x377ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 2144 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 2145 start_va = 0x7ffc034b0000 end_va = 0x7ffc034f6fff monitored = 0 entry_point = 0x7ffc034b1d10 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 2146 start_va = 0x7ffc03470000 end_va = 0x7ffc034affff monitored = 0 entry_point = 0x7ffc0347cbe0 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 2147 start_va = 0x7ffc0ba70000 end_va = 0x7ffc0bb19fff monitored = 0 entry_point = 0x7ffc0ba97910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2148 start_va = 0x7ffc05600000 end_va = 0x7ffc05609fff monitored = 0 entry_point = 0x7ffc056014c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 2149 start_va = 0x7ffc030c0000 end_va = 0x7ffc03105fff monitored = 0 entry_point = 0x7ffc030c79a0 region_type = mapped_file name = "adsldp.dll" filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll") Region: id = 2150 start_va = 0x1bc0000 end_va = 0x1bdbfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.tlb" filename = "\\Windows\\System32\\activeds.tlb" (normalized: "c:\\windows\\system32\\activeds.tlb") Region: id = 2151 start_va = 0x7ffc0d440000 end_va = 0x7ffc0d456fff monitored = 0 entry_point = 0x7ffc0d441390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2153 start_va = 0x7ffc03460000 end_va = 0x7ffc0346bfff monitored = 0 entry_point = 0x7ffc034635c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2154 start_va = 0x3780000 end_va = 0x387ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 2155 start_va = 0x3880000 end_va = 0x397ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 2156 start_va = 0x7ffc04f10000 end_va = 0x7ffc04f21fff monitored = 0 entry_point = 0x7ffc04f13580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 2157 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 2160 start_va = 0x3980000 end_va = 0x3a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003980000" filename = "" Region: id = 2161 start_va = 0x3a80000 end_va = 0x3b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a80000" filename = "" Region: id = 2163 start_va = 0x3b80000 end_va = 0x3c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 2164 start_va = 0x7ffc05d30000 end_va = 0x7ffc05d44fff monitored = 0 entry_point = 0x7ffc05d32dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 2166 start_va = 0x3c80000 end_va = 0x3d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c80000" filename = "" Region: id = 2167 start_va = 0x7ffc03080000 end_va = 0x7ffc030b5fff monitored = 0 entry_point = 0x7ffc03099b90 region_type = mapped_file name = "netsetupsvc.dll" filename = "\\Windows\\System32\\NetSetupSvc.dll" (normalized: "c:\\windows\\system32\\netsetupsvc.dll") Region: id = 2168 start_va = 0x3d80000 end_va = 0x3e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d80000" filename = "" Region: id = 2169 start_va = 0x570000 end_va = 0x571fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 2170 start_va = 0x7ffc049e0000 end_va = 0x7ffc04a14fff monitored = 0 entry_point = 0x7ffc049ea270 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 2171 start_va = 0x7ffc048a0000 end_va = 0x7ffc048e3fff monitored = 0 entry_point = 0x7ffc048ac010 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 2172 start_va = 0x7ffc0a8e0000 end_va = 0x7ffc0a99dfff monitored = 0 entry_point = 0x7ffc0a922d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 2173 start_va = 0x1bc0000 end_va = 0x1bdbfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.tlb" filename = "\\Windows\\System32\\activeds.tlb" (normalized: "c:\\windows\\system32\\activeds.tlb") Region: id = 2174 start_va = 0x2d60000 end_va = 0x2ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 2175 start_va = 0x7ffc09830000 end_va = 0x7ffc09879fff monitored = 0 entry_point = 0x7ffc0983ac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 2176 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 2177 start_va = 0x3e80000 end_va = 0x3f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e80000" filename = "" Region: id = 2178 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 2180 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 2181 start_va = 0x7ffc02f70000 end_va = 0x7ffc0301ffff monitored = 0 entry_point = 0x7ffc02f94450 region_type = mapped_file name = "netsetupengine.dll" filename = "\\Windows\\System32\\NetSetupEngine.dll" (normalized: "c:\\windows\\system32\\netsetupengine.dll") Region: id = 2182 start_va = 0x7ffc02f50000 end_va = 0x7ffc02f69fff monitored = 0 entry_point = 0x7ffc02f51620 region_type = mapped_file name = "implatsetup.dll" filename = "\\Windows\\System32\\ImplatSetup.dll" (normalized: "c:\\windows\\system32\\implatsetup.dll") Region: id = 2183 start_va = 0x3f80000 end_va = 0x407ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f80000" filename = "" Region: id = 2185 start_va = 0x7ffc02e20000 end_va = 0x7ffc02e39fff monitored = 0 entry_point = 0x7ffc02e21620 region_type = mapped_file name = "implatsetup.dll" filename = "\\Windows\\System32\\ImplatSetup.dll" (normalized: "c:\\windows\\system32\\implatsetup.dll") Region: id = 2186 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 2187 start_va = 0x7ffc02f10000 end_va = 0x7ffc02f1efff monitored = 0 entry_point = 0x7ffc02f14960 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 2188 start_va = 0x850000 end_va = 0x853fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 2189 start_va = 0x7ffc02f90000 end_va = 0x7ffc03011fff monitored = 0 entry_point = 0x7ffc02f92a10 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 2190 start_va = 0x7ffc02f70000 end_va = 0x7ffc02f8dfff monitored = 0 entry_point = 0x7ffc02f73a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 2191 start_va = 0x7ffc02e20000 end_va = 0x7ffc02e30fff monitored = 0 entry_point = 0x7ffc02e22fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2204 start_va = 0x7ffc0aff0000 end_va = 0x7ffc0b482fff monitored = 0 entry_point = 0x7ffc0afff760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 2224 start_va = 0x7ffc04420000 end_va = 0x7ffc045a1fff monitored = 0 entry_point = 0x7ffc044382a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 2225 start_va = 0x7ffc04400000 end_va = 0x7ffc04417fff monitored = 0 entry_point = 0x7ffc04402000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 2226 start_va = 0x850000 end_va = 0x858fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 2227 start_va = 0x1bc0000 end_va = 0x1bd5fff monitored = 0 entry_point = 0x1bc1af0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 2228 start_va = 0x7ffc05b60000 end_va = 0x7ffc05b78fff monitored = 0 entry_point = 0x7ffc05b64520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 2229 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "napinsp.dll.mui" filename = "\\Windows\\System32\\en-US\\napinsp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\napinsp.dll.mui") Region: id = 2230 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpnsp.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpnsp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpnsp.dll.mui") Region: id = 2231 start_va = 0x1bc0000 end_va = 0x1bd9fff monitored = 0 entry_point = 0x1bc2330 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 2232 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpnsp.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpnsp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpnsp.dll.mui") Region: id = 2233 start_va = 0x1bc0000 end_va = 0x1bd9fff monitored = 0 entry_point = 0x1bc2330 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 2234 start_va = 0x8f0000 end_va = 0x8f3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "nlasvc.dll.mui" filename = "\\Windows\\System32\\en-US\\nlasvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\nlasvc.dll.mui") Region: id = 2235 start_va = 0x1d90000 end_va = 0x1deffff monitored = 0 entry_point = 0x1db0fc0 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 2239 start_va = 0x8f0000 end_va = 0x8f7fff monitored = 0 entry_point = 0x8f10a0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2240 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshtcpip.dll.mui" filename = "\\Windows\\System32\\en-US\\wshtcpip.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshtcpip.dll.mui") Region: id = 2241 start_va = 0x1bc0000 end_va = 0x1bc4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bc0000" filename = "" Region: id = 2242 start_va = 0x8f0000 end_va = 0x8fcfff monitored = 0 entry_point = 0x8f1420 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 2243 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winrnr.dll.mui" filename = "\\Windows\\System32\\en-US\\winrnr.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winrnr.dll.mui") Region: id = 2244 start_va = 0x7ffc05b50000 end_va = 0x7ffc05b5cfff monitored = 0 entry_point = 0x7ffc05b51420 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 2245 start_va = 0x7ffc05b30000 end_va = 0x7ffc05b49fff monitored = 0 entry_point = 0x7ffc05b32330 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 2246 start_va = 0x7ffc05b10000 end_va = 0x7ffc05b25fff monitored = 0 entry_point = 0x7ffc05b11af0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 2247 start_va = 0x4080000 end_va = 0x417ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004080000" filename = "" Region: id = 2248 start_va = 0x4180000 end_va = 0x427ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 2255 start_va = 0x4280000 end_va = 0x437ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004280000" filename = "" Region: id = 2256 start_va = 0x4380000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 2257 start_va = 0x4480000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 2258 start_va = 0x3a80000 end_va = 0x3b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a80000" filename = "" Region: id = 2259 start_va = 0x7ffc02be0000 end_va = 0x7ffc02d16fff monitored = 0 entry_point = 0x7ffc02c20480 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 2260 start_va = 0x7ffc02870000 end_va = 0x7ffc028e3fff monitored = 0 entry_point = 0x7ffc02885eb0 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 2261 start_va = 0x7ffc02770000 end_va = 0x7ffc02865fff monitored = 0 entry_point = 0x7ffc027a9590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2262 start_va = 0x4580000 end_va = 0x4646fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004580000" filename = "" Region: id = 2263 start_va = 0x8f0000 end_va = 0x8f3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 2264 start_va = 0x7ffc05660000 end_va = 0x7ffc05673fff monitored = 0 entry_point = 0x7ffc05661800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2265 start_va = 0x4650000 end_va = 0x474ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004650000" filename = "" Region: id = 2266 start_va = 0x7ffc02740000 end_va = 0x7ffc02764fff monitored = 0 entry_point = 0x7ffc02749900 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2267 start_va = 0x7ffc026d0000 end_va = 0x7ffc02733fff monitored = 0 entry_point = 0x7ffc026ebed0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 2283 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 2284 start_va = 0x1bc0000 end_va = 0x1be2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bc0000" filename = "" Region: id = 2492 start_va = 0x8f0000 end_va = 0x8f4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 2563 start_va = 0x8f0000 end_va = 0x8f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 2564 start_va = 0x4750000 end_va = 0x494ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004750000" filename = "" Region: id = 2565 start_va = 0x4800000 end_va = 0x48fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 2871 start_va = 0x4900000 end_va = 0x4afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004900000" filename = "" Region: id = 2872 start_va = 0x4900000 end_va = 0x49fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004900000" filename = "" Region: id = 2989 start_va = 0x4a00000 end_va = 0x4bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 2990 start_va = 0x4a00000 end_va = 0x4afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 3027 start_va = 0x2de0000 end_va = 0x2e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 3028 start_va = 0x4b00000 end_va = 0x4cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 3029 start_va = 0x4b00000 end_va = 0x4bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 3030 start_va = 0x4c00000 end_va = 0x4cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c00000" filename = "" Region: id = 3032 start_va = 0x4d00000 end_va = 0x4efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d00000" filename = "" Region: id = 3033 start_va = 0x4d00000 end_va = 0x4dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d00000" filename = "" Region: id = 3034 start_va = 0x7ffc05890000 end_va = 0x7ffc059acfff monitored = 0 entry_point = 0x7ffc058bfe60 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 3035 start_va = 0x7ffc08340000 end_va = 0x7ffc0834afff monitored = 0 entry_point = 0x7ffc08341de0 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 3037 start_va = 0x4e00000 end_va = 0x4fb6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e00000" filename = "" Region: id = 3039 start_va = 0x4fc0000 end_va = 0x51bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004fc0000" filename = "" Region: id = 3040 start_va = 0x5000000 end_va = 0x50fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 3044 start_va = 0x7ffc031b0000 end_va = 0x7ffc03452fff monitored = 0 entry_point = 0x7ffc031d6190 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 3046 start_va = 0x7ffc03110000 end_va = 0x7ffc031a3fff monitored = 0 entry_point = 0x7ffc03149210 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 3047 start_va = 0x5100000 end_va = 0x52fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005100000" filename = "" Region: id = 3048 start_va = 0x5100000 end_va = 0x51fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005100000" filename = "" Thread: id = 126 os_tid = 0x3f4 Thread: id = 127 os_tid = 0x124 Thread: id = 128 os_tid = 0x160 Thread: id = 129 os_tid = 0x150 Thread: id = 130 os_tid = 0x18c Thread: id = 131 os_tid = 0x8 Thread: id = 132 os_tid = 0x180 Thread: id = 133 os_tid = 0x174 Thread: id = 134 os_tid = 0x170 Thread: id = 135 os_tid = 0x1c8 Thread: id = 136 os_tid = 0x1b4 Thread: id = 137 os_tid = 0x1b0 Thread: id = 138 os_tid = 0x25c Thread: id = 139 os_tid = 0x264 Thread: id = 140 os_tid = 0x280 Thread: id = 141 os_tid = 0x28c Thread: id = 142 os_tid = 0x2e8 Thread: id = 143 os_tid = 0x33c Thread: id = 144 os_tid = 0x2ec Thread: id = 145 os_tid = 0x3dc Thread: id = 146 os_tid = 0x408 Thread: id = 147 os_tid = 0x448 Thread: id = 148 os_tid = 0x45c Thread: id = 149 os_tid = 0x4c0 Thread: id = 150 os_tid = 0x530 [0274.068] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0274.068] CoCreateInstance (in: rclsid=0x7ffc03e77f78*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ffc03e77f88*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x6cc860 | out: ppv=0x6cc860*=0x7ffc0e9b9610) returned 0x0 [0274.068] CoCreateInstance (in: rclsid=0x7ffc03e77f58*(Data1=0x34e, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ffc03e77f68*(Data1=0x1da, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x6cc858 | out: ppv=0x6cc858*=0x2758780) returned 0x0 [0274.069] SetEvent (hEvent=0xb38) returned 1 [0274.145] WaitForSingleObject (hHandle=0xb34, dwMilliseconds=0xffffffff) Thread: id = 151 os_tid = 0x494 Thread: id = 152 os_tid = 0x55c Thread: id = 169 os_tid = 0x588 Thread: id = 174 os_tid = 0x610 Thread: id = 179 os_tid = 0x614 Thread: id = 183 os_tid = 0x64c Thread: id = 190 os_tid = 0x690 Thread: id = 192 os_tid = 0x6d0 [0274.063] malloc (_Size=0x100) returned 0x93d480 [0274.066] PublishDebugMessage () returned 0x1 [0274.066] GetProcessHeap () returned 0x580000 [0274.066] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x108) returned 0x6cc760 [0274.066] GetProcessHeap () returned 0x580000 [0274.066] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x27585c0 [0274.066] GetProcessHeap () returned 0x580000 [0274.066] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x2758680 [0274.066] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xb2c [0274.066] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xb30 [0274.066] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xb34 [0274.066] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xb38 [0274.066] CreateThreadpoolWork (in: pfnwk=0x7ffc03e61e90, pv=0x6cc760, pcbe=0x2d5f790 | out: pv=0x6cc760) returned 0x2739ad0 [0274.066] TpPostWork () returned 0x3 [0274.066] WaitForSingleObject (hHandle=0xb38, dwMilliseconds=0xffffffff) returned 0x0 [0274.069] CloseHandle (hObject=0xb38) returned 1 [0274.069] PublishDebugMessage () returned 0x1 [0274.071] GetProcessHeap () returned 0x580000 [0274.071] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x58) returned 0x276f2d0 [0274.071] GetProcessHeap () returned 0x580000 [0274.071] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xc) returned 0x2779600 [0274.071] memcpy (in: _Dst=0x2779600, _Src=0x2779150, _Size=0xc | out: _Dst=0x2779600) returned 0x2779600 [0274.071] GetProcessHeap () returned 0x580000 [0274.071] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0xc) returned 0x2779180 [0274.071] memcpy (in: _Dst=0x2779180, _Src=0x2779510, _Size=0xc | out: _Dst=0x2779180) returned 0x2779180 [0274.071] PublishDebugMessage () returned 0x1 [0274.071] GetProcessHeap () returned 0x580000 [0274.071] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x198) returned 0x64e8a0 [0274.071] ??0WMISchema@@QEAA@XZ () returned 0x64e8a0 [0274.071] GetProcessHeap () returned 0x580000 [0274.071] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x30) returned 0x2733f80 [0274.071] GetProcessHeap () returned 0x580000 [0274.071] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x30) returned 0x2734110 [0274.072] GetProcessHeap () returned 0x580000 [0274.072] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x2758400 [0274.072] GetProcessHeap () returned 0x580000 [0274.072] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x28) returned 0x27341b0 [0274.072] PublishDebugMessage () returned 0x1 [0274.072] GetCurrentThread () returned 0xfffffffffffffffe [0274.072] OpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x2e, OpenAsSelf=1, TokenHandle=0x64ea18 | out: TokenHandle=0x64ea18*=0xb38) returned 1 [0274.072] GetTokenInformation (in: TokenHandle=0xb38, TokenInformationClass=0x3, TokenInformation=0x2d5f710, TokenInformationLength=0x10, ReturnLength=0x2d5f750 | out: TokenInformation=0x2d5f710, ReturnLength=0x2d5f750) returned 0 [0274.072] GetLastError () returned 0x7a [0274.072] GetProcessHeap () returned 0x580000 [0274.072] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x148) returned 0x274dd00 [0274.072] GetTokenInformation (in: TokenHandle=0xb38, TokenInformationClass=0x3, TokenInformation=0x274dd00, TokenInformationLength=0x148, ReturnLength=0x2d5f750 | out: TokenInformation=0x274dd00, ReturnLength=0x2d5f750) returned 1 [0274.072] AdjustTokenPrivileges (in: TokenHandle=0xb38, DisableAllPrivileges=0, NewState=0x274dd00*(PrivilegesCount=0x1b, Privileges=((Luid.LowPart=0x3, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=3, Attributes=0x5), (Luid.LowPart=0x2, Luid.HighPart=7, Attributes=0x0), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xa), (Luid.LowPart=0x2, Luid.HighPart=11, Attributes=0x0), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=3, Attributes=0xe), (Luid.LowPart=0x3, Luid.HighPart=15, Attributes=0x0), (Luid.LowPart=0x10, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x0, Luid.HighPart=3, Attributes=0x16), (Luid.LowPart=0x2, Luid.HighPart=23, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x0, Luid.HighPart=3, Attributes=0x23), (Luid.LowPart=0x3, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x40280000), (Luid.LowPart=0x7ffc, Luid.HighPart=244560712, Attributes=0x7ffc), (Luid.LowPart=0x7ffc, Luid.HighPart=244560792, Attributes=0x7ffc), (Luid.LowPart=0x7ffc, Luid.HighPart=2, Attributes=0x0), (Luid.LowPart=0x4adcf1ae, Luid.HighPart=-433087062, Attributes=0x6e662555))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0274.072] GetProcessHeap () returned 0x580000 [0274.073] RtlFreeHeap (HeapHandle=0x580000, Flags=0x0, BaseAddress=0x274dd00) returned 1 [0274.073] ClassCache_New () returned 0x0 [0274.073] ResultToHRESULT () returned 0x0 [0274.073] PublishDebugMessage () returned 0x1 [0274.073] GetProcessHeap () returned 0x580000 [0274.073] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x0, Size=0x18) returned 0x2758200 [0274.073] PublishDebugMessage () returned 0x1 Thread: id = 193 os_tid = 0x6e8 Thread: id = 194 os_tid = 0x6ec Thread: id = 195 os_tid = 0x700 Thread: id = 197 os_tid = 0x744 Thread: id = 198 os_tid = 0x748 Thread: id = 199 os_tid = 0x750 Thread: id = 200 os_tid = 0x760 Thread: id = 201 os_tid = 0x764 Thread: id = 202 os_tid = 0x76c Thread: id = 203 os_tid = 0x770 Thread: id = 204 os_tid = 0x774 Thread: id = 205 os_tid = 0x780 Thread: id = 206 os_tid = 0x784 Thread: id = 207 os_tid = 0x788 Thread: id = 208 os_tid = 0x790 Thread: id = 209 os_tid = 0x798 Thread: id = 211 os_tid = 0x7ac Thread: id = 212 os_tid = 0x7b0 Thread: id = 213 os_tid = 0x7c4 Thread: id = 214 os_tid = 0x7c8 Thread: id = 215 os_tid = 0x7cc Thread: id = 217 os_tid = 0x7d8 Thread: id = 218 os_tid = 0x7e0 Thread: id = 219 os_tid = 0x7e8 Thread: id = 220 os_tid = 0x7f4 Thread: id = 223 os_tid = 0x438 Thread: id = 226 os_tid = 0x524 Thread: id = 229 os_tid = 0x550 Thread: id = 230 os_tid = 0x570 Thread: id = 231 os_tid = 0x5dc Thread: id = 232 os_tid = 0x5b4 Thread: id = 233 os_tid = 0x184 Thread: id = 302 os_tid = 0x14c Thread: id = 303 os_tid = 0x46c Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x23b74000" os_pid = "0x39c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x210" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AJRouter" [0xa], "NT SERVICE\\bthserv" [0xa], "NT SERVICE\\CDPSvc" [0xa], "NT SERVICE\\EventSystem" [0xa], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\LicenseManager" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\PhoneSvc" [0xa], "NT SERVICE\\RemoteRegistry" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\tzautoupdate" [0xe], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT SERVICE\\workfolderssvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000cf72" [0xc000000f], "LOCAL" [0x7] Region: id = 1717 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1718 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1719 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1720 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1721 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1722 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1723 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1724 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1725 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1726 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1727 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1728 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1729 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1730 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1731 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1732 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 1733 start_va = 0x550000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "refspcl.ttf" filename = "\\Windows\\Fonts\\REFSPCL.TTF" (normalized: "c:\\windows\\fonts\\refspcl.ttf") Region: id = 1734 start_va = 0x560000 end_va = 0x56dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "rocc____.ttf" filename = "\\Windows\\Fonts\\ROCC____.TTF" (normalized: "c:\\windows\\fonts\\rocc____.ttf") Region: id = 1735 start_va = 0x570000 end_va = 0x57efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "roccb___.ttf" filename = "\\Windows\\Fonts\\ROCCB___.TTF" (normalized: "c:\\windows\\fonts\\roccb___.ttf") Region: id = 1736 start_va = 0x580000 end_va = 0x58cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "rockeb.ttf" filename = "\\Windows\\Fonts\\ROCKEB.TTF" (normalized: "c:\\windows\\fonts\\rockeb.ttf") Region: id = 1737 start_va = 0x590000 end_va = 0x59dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stencil.ttf" filename = "\\Windows\\Fonts\\STENCIL.TTF" (normalized: "c:\\windows\\fonts\\stencil.ttf") Region: id = 1738 start_va = 0x5a0000 end_va = 0x5a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1739 start_va = 0x5b0000 end_va = 0x5c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "rockb.ttf" filename = "\\Windows\\Fonts\\ROCKB.TTF" (normalized: "c:\\windows\\fonts\\rockb.ttf") Region: id = 1740 start_va = 0x5d0000 end_va = 0x5e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "rocki.ttf" filename = "\\Windows\\Fonts\\ROCKI.TTF" (normalized: "c:\\windows\\fonts\\rocki.ttf") Region: id = 1741 start_va = 0x5f0000 end_va = 0x5fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vladimir.ttf" filename = "\\Windows\\Fonts\\VLADIMIR.TTF" (normalized: "c:\\windows\\fonts\\vladimir.ttf") Region: id = 1742 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1743 start_va = 0x700000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 1744 start_va = 0x890000 end_va = 0x89dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "scriptbl.ttf" filename = "\\Windows\\Fonts\\SCRIPTBL.TTF" (normalized: "c:\\windows\\fonts\\scriptbl.ttf") Region: id = 1745 start_va = 0x8a0000 end_va = 0x8a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wingdng3.ttf" filename = "\\Windows\\Fonts\\WINGDNG3.TTF" (normalized: "c:\\windows\\fonts\\wingdng3.ttf") Region: id = 1746 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 1747 start_va = 0x8c0000 end_va = 0x8e9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "schlbkb.ttf" filename = "\\Windows\\Fonts\\SCHLBKB.TTF" (normalized: "c:\\windows\\fonts\\schlbkb.ttf") Region: id = 1748 start_va = 0x8f0000 end_va = 0x8f1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mtextra.ttf" filename = "\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\equation\\mtextra.ttf") Region: id = 1749 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 1750 start_va = 0xa00000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 1751 start_va = 0xb90000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 1752 start_va = 0xc10000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 1753 start_va = 0xd10000 end_va = 0xd1cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "showg.ttf" filename = "\\Windows\\Fonts\\SHOWG.TTF" (normalized: "c:\\windows\\fonts\\showg.ttf") Region: id = 1754 start_va = 0xd20000 end_va = 0xd2ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "snap____.ttf" filename = "\\Windows\\Fonts\\SNAP____.TTF" (normalized: "c:\\windows\\fonts\\snap____.ttf") Region: id = 1755 start_va = 0xd30000 end_va = 0xd42fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tempsitc.ttf" filename = "\\Windows\\Fonts\\TEMPSITC.TTF" (normalized: "c:\\windows\\fonts\\tempsitc.ttf") Region: id = 1756 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 1757 start_va = 0xd60000 end_va = 0xd72fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tcm_____.ttf" filename = "\\Windows\\Fonts\\TCM_____.TTF" (normalized: "c:\\windows\\fonts\\tcm_____.ttf") Region: id = 1758 start_va = 0xd80000 end_va = 0xd99fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vineritc.ttf" filename = "\\Windows\\Fonts\\VINERITC.TTF" (normalized: "c:\\windows\\fonts\\vineritc.ttf") Region: id = 1759 start_va = 0xda0000 end_va = 0xdb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wingdng2.ttf" filename = "\\Windows\\Fonts\\WINGDNG2.TTF" (normalized: "c:\\windows\\fonts\\wingdng2.ttf") Region: id = 1760 start_va = 0xdc0000 end_va = 0xdc6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "marlett.ttf" filename = "\\Windows\\Fonts\\marlett.ttf" (normalized: "c:\\windows\\fonts\\marlett.ttf") Region: id = 1761 start_va = 0xdd0000 end_va = 0xdd1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netprofmsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\netprofmsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofmsvc.dll.mui") Region: id = 1762 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 1763 start_va = 0xf00000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 1764 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 1765 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 1766 start_va = 0x1200000 end_va = 0x1227fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "schlbki.ttf" filename = "\\Windows\\Fonts\\SCHLBKI.TTF" (normalized: "c:\\windows\\fonts\\schlbki.ttf") Region: id = 1767 start_va = 0x1230000 end_va = 0x1242fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tcb_____.ttf" filename = "\\Windows\\Fonts\\TCB_____.TTF" (normalized: "c:\\windows\\fonts\\tcb_____.ttf") Region: id = 1768 start_va = 0x1250000 end_va = 0x1262fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tcbi____.ttf" filename = "\\Windows\\Fonts\\TCBI____.TTF" (normalized: "c:\\windows\\fonts\\tcbi____.ttf") Region: id = 1769 start_va = 0x1270000 end_va = 0x1280fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tccb____.ttf" filename = "\\Windows\\Fonts\\TCCB____.TTF" (normalized: "c:\\windows\\fonts\\tccb____.ttf") Region: id = 1770 start_va = 0x1290000 end_va = 0x12a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tccm____.ttf" filename = "\\Windows\\Fonts\\TCCM____.TTF" (normalized: "c:\\windows\\fonts\\tccm____.ttf") Region: id = 1771 start_va = 0x12b0000 end_va = 0x12c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tcmi____.ttf" filename = "\\Windows\\Fonts\\TCMI____.TTF" (normalized: "c:\\windows\\fonts\\tcmi____.ttf") Region: id = 1772 start_va = 0x12d0000 end_va = 0x12e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vivaldii.ttf" filename = "\\Windows\\Fonts\\VIVALDII.TTF" (normalized: "c:\\windows\\fonts\\vivaldii.ttf") Region: id = 1773 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 1774 start_va = 0x1400000 end_va = 0x23fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat") Region: id = 1775 start_va = 0x2400000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 1776 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 1777 start_va = 0x2600000 end_va = 0x2936fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1778 start_va = 0x2940000 end_va = 0x2a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 1779 start_va = 0x2a90000 end_va = 0x2aa2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ravie.ttf" filename = "\\Windows\\Fonts\\RAVIE.TTF" (normalized: "c:\\windows\\fonts\\ravie.ttf") Region: id = 1780 start_va = 0x2ab0000 end_va = 0x2ad7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "schlbkbi.ttf" filename = "\\Windows\\Fonts\\SCHLBKBI.TTF" (normalized: "c:\\windows\\fonts\\schlbkbi.ttf") Region: id = 1781 start_va = 0x2ae0000 end_va = 0x2af2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tcceb.ttf" filename = "\\Windows\\Fonts\\TCCEB.TTF" (normalized: "c:\\windows\\fonts\\tcceb.ttf") Region: id = 1782 start_va = 0x2b10000 end_va = 0x2b45fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "refsan.ttf" filename = "\\Windows\\Fonts\\REFSAN.TTF" (normalized: "c:\\windows\\fonts\\refsan.ttf") Region: id = 1783 start_va = 0x2b50000 end_va = 0x2b61fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "rock.ttf" filename = "\\Windows\\Fonts\\ROCK.TTF" (normalized: "c:\\windows\\fonts\\rock.ttf") Region: id = 1784 start_va = 0x2b70000 end_va = 0x2b81fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "rockbi.ttf" filename = "\\Windows\\Fonts\\ROCKBI.TTF" (normalized: "c:\\windows\\fonts\\rockbi.ttf") Region: id = 1785 start_va = 0x2c00000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 1786 start_va = 0x2e90000 end_va = 0x2f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 1787 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1788 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 1789 start_va = 0x3200000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 1790 start_va = 0x3300000 end_va = 0x33fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 1791 start_va = 0x3400000 end_va = 0x34fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 1792 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1793 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1794 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1795 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1796 start_va = 0x7ff7c0750000 end_va = 0x7ff7c075cfff monitored = 0 entry_point = 0x7ff7c0753980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1797 start_va = 0x7ffc05c30000 end_va = 0x7ffc05c3dfff monitored = 0 entry_point = 0x7ffc05c31460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1798 start_va = 0x7ffc05ca0000 end_va = 0x7ffc05d2afff monitored = 0 entry_point = 0x7ffc05cbd2a0 region_type = mapped_file name = "netprofmsvc.dll" filename = "\\Windows\\System32\\netprofmsvc.dll" (normalized: "c:\\windows\\system32\\netprofmsvc.dll") Region: id = 1799 start_va = 0x7ffc067f0000 end_va = 0x7ffc067fcfff monitored = 0 entry_point = 0x7ffc067f2650 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 1800 start_va = 0x7ffc06890000 end_va = 0x7ffc06909fff monitored = 0 entry_point = 0x7ffc068b7630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1801 start_va = 0x7ffc071c0000 end_va = 0x7ffc071cbfff monitored = 0 entry_point = 0x7ffc071c14d0 region_type = mapped_file name = "locationframeworkps.dll" filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll") Region: id = 1802 start_va = 0x7ffc07200000 end_va = 0x7ffc07228fff monitored = 0 entry_point = 0x7ffc072124d0 region_type = mapped_file name = "fontprovider.dll" filename = "\\Windows\\System32\\FontProvider.dll" (normalized: "c:\\windows\\system32\\fontprovider.dll") Region: id = 1803 start_va = 0x7ffc07370000 end_va = 0x7ffc07511fff monitored = 0 entry_point = 0x7ffc073bc2d0 region_type = mapped_file name = "fntcache.dll" filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll") Region: id = 1804 start_va = 0x7ffc076b0000 end_va = 0x7ffc076c7fff monitored = 0 entry_point = 0x7ffc076b5910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1805 start_va = 0x7ffc09830000 end_va = 0x7ffc09879fff monitored = 0 entry_point = 0x7ffc0983ac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 1806 start_va = 0x7ffc09880000 end_va = 0x7ffc098b2fff monitored = 0 entry_point = 0x7ffc0988d5a0 region_type = mapped_file name = "biwinrt.dll" filename = "\\Windows\\System32\\biwinrt.dll" (normalized: "c:\\windows\\system32\\biwinrt.dll") Region: id = 1807 start_va = 0x7ffc098c0000 end_va = 0x7ffc09951fff monitored = 0 entry_point = 0x7ffc0990a780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 1808 start_va = 0x7ffc09960000 end_va = 0x7ffc099d8fff monitored = 0 entry_point = 0x7ffc09977800 region_type = mapped_file name = "geolocation.dll" filename = "\\Windows\\System32\\Geolocation.dll" (normalized: "c:\\windows\\system32\\geolocation.dll") Region: id = 1809 start_va = 0x7ffc099e0000 end_va = 0x7ffc099f9fff monitored = 0 entry_point = 0x7ffc099eb670 region_type = mapped_file name = "tzautoupdate.dll" filename = "\\Windows\\System32\\tzautoupdate.dll" (normalized: "c:\\windows\\system32\\tzautoupdate.dll") Region: id = 1810 start_va = 0x7ffc09a30000 end_va = 0x7ffc09a65fff monitored = 0 entry_point = 0x7ffc09a40070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1811 start_va = 0x7ffc0bb20000 end_va = 0x7ffc0bc1ffff monitored = 0 entry_point = 0x7ffc0bb60f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 1812 start_va = 0x7ffc0c1a0000 end_va = 0x7ffc0c293fff monitored = 0 entry_point = 0x7ffc0c1aa960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1813 start_va = 0x7ffc0c760000 end_va = 0x7ffc0c77efff monitored = 0 entry_point = 0x7ffc0c765d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1814 start_va = 0x7ffc0ce90000 end_va = 0x7ffc0ceb8fff monitored = 0 entry_point = 0x7ffc0cea4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1815 start_va = 0x7ffc0d000000 end_va = 0x7ffc0d013fff monitored = 0 entry_point = 0x7ffc0d0052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1816 start_va = 0x7ffc0d080000 end_va = 0x7ffc0d08efff monitored = 0 entry_point = 0x7ffc0d083210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1817 start_va = 0x7ffc0d120000 end_va = 0x7ffc0d1d4fff monitored = 0 entry_point = 0x7ffc0d1622e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1818 start_va = 0x7ffc0d1e0000 end_va = 0x7ffc0d249fff monitored = 0 entry_point = 0x7ffc0d216d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1819 start_va = 0x7ffc0d250000 end_va = 0x7ffc0d437fff monitored = 0 entry_point = 0x7ffc0d27ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1820 start_va = 0x7ffc0df90000 end_va = 0x7ffc0e02cfff monitored = 0 entry_point = 0x7ffc0df978a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1821 start_va = 0x7ffc0e0a0000 end_va = 0x7ffc0e1e2fff monitored = 0 entry_point = 0x7ffc0e0c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1822 start_va = 0x7ffc0e230000 end_va = 0x7ffc0e28afff monitored = 0 entry_point = 0x7ffc0e2438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1823 start_va = 0x7ffc0e6c0000 end_va = 0x7ffc0e6c7fff monitored = 0 entry_point = 0x7ffc0e6c1ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1824 start_va = 0x7ffc0e6d0000 end_va = 0x7ffc0e776fff monitored = 0 entry_point = 0x7ffc0e6db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1825 start_va = 0x7ffc0e780000 end_va = 0x7ffc0e9fcfff monitored = 0 entry_point = 0x7ffc0e854970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1826 start_va = 0x7ffc0ea60000 end_va = 0x7ffc0eb06fff monitored = 0 entry_point = 0x7ffc0ea758d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1827 start_va = 0x7ffc0ec90000 end_va = 0x7ffc0ed50fff monitored = 0 entry_point = 0x7ffc0ecb0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1828 start_va = 0x7ffc0ed60000 end_va = 0x7ffc0eeb5fff monitored = 0 entry_point = 0x7ffc0ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1829 start_va = 0x7ffc0ef30000 end_va = 0x7ffc0f04bfff monitored = 0 entry_point = 0x7ffc0ef702b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1830 start_va = 0x7ffc0f170000 end_va = 0x7ffc0f2f5fff monitored = 0 entry_point = 0x7ffc0f1bffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1831 start_va = 0x7ffc108d0000 end_va = 0x7ffc1097cfff monitored = 0 entry_point = 0x7ffc108e81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1832 start_va = 0x7ffc109e0000 end_va = 0x7ffc10ba0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1834 start_va = 0x3500000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 1835 start_va = 0x3500000 end_va = 0x35fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 1836 start_va = 0x550000 end_va = 0x598fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat") Region: id = 1837 start_va = 0x5b0000 end_va = 0x5ddfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 1838 start_va = 0x3600000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 1839 start_va = 0x7ffc07230000 end_va = 0x7ffc072f7fff monitored = 0 entry_point = 0x7ffc072713f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1844 start_va = 0x7ffc0eec0000 end_va = 0x7ffc0ef2afff monitored = 0 entry_point = 0x7ffc0eed90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1845 start_va = 0x3700000 end_va = 0x38fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 1847 start_va = 0x3700000 end_va = 0x37fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 1848 start_va = 0x7ffc0c8d0000 end_va = 0x7ffc0c92bfff monitored = 0 entry_point = 0x7ffc0c8e6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1867 start_va = 0x7ffc06310000 end_va = 0x7ffc06347fff monitored = 0 entry_point = 0x7ffc06328cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1868 start_va = 0x7ffc06460000 end_va = 0x7ffc0646afff monitored = 0 entry_point = 0x7ffc06461d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1870 start_va = 0x1200000 end_va = 0x12defff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 1871 start_va = 0x2a40000 end_va = 0x2b03fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "segoeuisl.ttf" filename = "\\Windows\\Fonts\\segoeuisl.ttf" (normalized: "c:\\windows\\fonts\\segoeuisl.ttf") Region: id = 1872 start_va = 0x3800000 end_va = 0x3ffffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-s-1-5-18.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-18.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-18.dat") Region: id = 1873 start_va = 0x7ffc0d020000 end_va = 0x7ffc0d06afff monitored = 0 entry_point = 0x7ffc0d0235f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1874 start_va = 0x4000000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 1875 start_va = 0x7ffc062a0000 end_va = 0x7ffc062b5fff monitored = 0 entry_point = 0x7ffc062a19f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1876 start_va = 0x7ffc06280000 end_va = 0x7ffc06299fff monitored = 0 entry_point = 0x7ffc06282430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1877 start_va = 0x4100000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 1878 start_va = 0x7ffc0ba70000 end_va = 0x7ffc0bb19fff monitored = 0 entry_point = 0x7ffc0ba97910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1879 start_va = 0x4200000 end_va = 0x42fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 1880 start_va = 0x7ffc05600000 end_va = 0x7ffc05609fff monitored = 0 entry_point = 0x7ffc056014c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1881 start_va = 0x1200000 end_va = 0x12dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1882 start_va = 0x7ffc099e0000 end_va = 0x7ffc099f3fff monitored = 0 entry_point = 0x7ffc099e1a50 region_type = mapped_file name = "wlanradiomanager.dll" filename = "\\Windows\\System32\\WlanRadioManager.dll" (normalized: "c:\\windows\\system32\\wlanradiomanager.dll") Region: id = 1883 start_va = 0x7ffc07300000 end_va = 0x7ffc07360fff monitored = 0 entry_point = 0x7ffc07304b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 1884 start_va = 0x7ffc05540000 end_va = 0x7ffc05558fff monitored = 0 entry_point = 0x7ffc05542180 region_type = mapped_file name = "bthradiomedia.dll" filename = "\\Windows\\System32\\BthRadioMedia.dll" (normalized: "c:\\windows\\system32\\bthradiomedia.dll") Region: id = 1888 start_va = 0x7ffc0dd90000 end_va = 0x7ffc0ddd2fff monitored = 0 entry_point = 0x7ffc0dda4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1889 start_va = 0x7ffc0ba40000 end_va = 0x7ffc0ba66fff monitored = 0 entry_point = 0x7ffc0ba47940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1890 start_va = 0x7ffc05520000 end_va = 0x7ffc0553dfff monitored = 0 entry_point = 0x7ffc05521690 region_type = mapped_file name = "bluetoothapis.dll" filename = "\\Windows\\System32\\BluetoothApis.dll" (normalized: "c:\\windows\\system32\\bluetoothapis.dll") Region: id = 1891 start_va = 0x7ffc0c000000 end_va = 0x7ffc0c023fff monitored = 0 entry_point = 0x7ffc0c003260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1893 start_va = 0x2a40000 end_va = 0x2b13fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "segoeuil.ttf" filename = "\\Windows\\Fonts\\segoeuil.ttf" (normalized: "c:\\windows\\fonts\\segoeuil.ttf") Region: id = 1894 start_va = 0x2b20000 end_va = 0x2be3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "segoeuisl.ttf" filename = "\\Windows\\Fonts\\segoeuisl.ttf" (normalized: "c:\\windows\\fonts\\segoeuisl.ttf") Region: id = 2057 start_va = 0x4300000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 2058 start_va = 0x7ffc045c0000 end_va = 0x7ffc045dcfff monitored = 0 entry_point = 0x7ffc045c6190 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 2103 start_va = 0x5e0000 end_va = 0x5f1fff monitored = 0 entry_point = 0x607630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 2104 start_va = 0x4400000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2105 start_va = 0x7ffc0cec0000 end_va = 0x7ffc0cf58fff monitored = 0 entry_point = 0x7ffc0ceef4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 2106 start_va = 0x890000 end_va = 0x894fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 2112 start_va = 0x7ffc03a00000 end_va = 0x7ffc03a17fff monitored = 0 entry_point = 0x7ffc03a04a20 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 2123 start_va = 0x8a0000 end_va = 0x8a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 2158 start_va = 0x4500000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 2159 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Thread: id = 153 os_tid = 0x56c Thread: id = 154 os_tid = 0x568 Thread: id = 155 os_tid = 0x564 Thread: id = 156 os_tid = 0x560 Thread: id = 157 os_tid = 0x54c Thread: id = 158 os_tid = 0x4a0 Thread: id = 159 os_tid = 0x150 Thread: id = 160 os_tid = 0x16c Thread: id = 161 os_tid = 0x154 Thread: id = 162 os_tid = 0x158 Thread: id = 163 os_tid = 0x3e8 Thread: id = 164 os_tid = 0x3e4 Thread: id = 165 os_tid = 0x3e0 Thread: id = 166 os_tid = 0x3a8 Thread: id = 167 os_tid = 0x3a0 Thread: id = 168 os_tid = 0x570 Thread: id = 170 os_tid = 0x594 Thread: id = 171 os_tid = 0x598 Thread: id = 172 os_tid = 0x59c Thread: id = 191 os_tid = 0x6c8 Thread: id = 196 os_tid = 0x738 Process: id = "8" image_name = "taskhostw.exe" filename = "c:\\windows\\system32\\taskhostw.exe" page_root = "0x6fdd9000" os_pid = "0x580" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x3f0" cmd_line = "taskhostw.exe SYSTEM" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d41e" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1851 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1852 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1853 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1854 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1855 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1856 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1857 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1858 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1859 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1860 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1861 start_va = 0x7ff678e00000 end_va = 0x7ff678e18fff monitored = 0 entry_point = 0x7ff678e059b0 region_type = mapped_file name = "taskhostw.exe" filename = "\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe") Region: id = 1862 start_va = 0x7ffc109e0000 end_va = 0x7ffc10ba0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1885 start_va = 0x400000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1886 start_va = 0x7ffc108d0000 end_va = 0x7ffc1097cfff monitored = 0 entry_point = 0x7ffc108e81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1887 start_va = 0x7ffc0d250000 end_va = 0x7ffc0d437fff monitored = 0 entry_point = 0x7ffc0d27ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1895 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1896 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1897 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1898 start_va = 0x7ffc0df90000 end_va = 0x7ffc0e02cfff monitored = 0 entry_point = 0x7ffc0df978a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1899 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1900 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1901 start_va = 0x7ffc0ef30000 end_va = 0x7ffc0f04bfff monitored = 0 entry_point = 0x7ffc0ef702b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1902 start_va = 0x7ffc0e780000 end_va = 0x7ffc0e9fcfff monitored = 0 entry_point = 0x7ffc0e854970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1903 start_va = 0x7ffc0d1e0000 end_va = 0x7ffc0d249fff monitored = 0 entry_point = 0x7ffc0d216d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1904 start_va = 0x7ffc0ec90000 end_va = 0x7ffc0ed50fff monitored = 0 entry_point = 0x7ffc0ecb0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1933 start_va = 0x6a0000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1934 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1935 start_va = 0x6a0000 end_va = 0x7e2fff monitored = 0 entry_point = 0x6c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1936 start_va = 0x890000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 1937 start_va = 0x480000 end_va = 0x55cfff monitored = 0 entry_point = 0x4de0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1938 start_va = 0x7ffc0d080000 end_va = 0x7ffc0d08efff monitored = 0 entry_point = 0x7ffc0d083210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1939 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1940 start_va = 0x7ffc0ed60000 end_va = 0x7ffc0eeb5fff monitored = 0 entry_point = 0x7ffc0ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1941 start_va = 0x7ffc0f170000 end_va = 0x7ffc0f2f5fff monitored = 0 entry_point = 0x7ffc0f1bffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2011 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 2012 start_va = 0x6a0000 end_va = 0x827fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 2013 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 2036 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskhostw.exe.mui" filename = "\\Windows\\System32\\en-US\\taskhostw.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskhostw.exe.mui") Region: id = 2037 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 2038 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2094 start_va = 0x7ffc0e230000 end_va = 0x7ffc0e28afff monitored = 0 entry_point = 0x7ffc0e2438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2249 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 2250 start_va = 0xa30000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 2251 start_va = 0xab0000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 2252 start_va = 0x7ffc0e6d0000 end_va = 0x7ffc0e776fff monitored = 0 entry_point = 0x7ffc0e6db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2253 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 2254 start_va = 0x7ffc05ad0000 end_va = 0x7ffc05ae0fff monitored = 0 entry_point = 0x7ffc05ad6710 region_type = mapped_file name = "tpmtasks.dll" filename = "\\Windows\\System32\\TpmTasks.dll" (normalized: "c:\\windows\\system32\\tpmtasks.dll") Region: id = 2493 start_va = 0x7ffc0ea60000 end_va = 0x7ffc0eb06fff monitored = 0 entry_point = 0x7ffc0ea758d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2494 start_va = 0x7ffc0b7a0000 end_va = 0x7ffc0b80dfff monitored = 0 entry_point = 0x7ffc0b7ee6c0 region_type = mapped_file name = "tpmcoreprovisioning.dll" filename = "\\Windows\\System32\\TpmCoreProvisioning.dll" (normalized: "c:\\windows\\system32\\tpmcoreprovisioning.dll") Region: id = 2836 start_va = 0x7ffc0dbc0000 end_va = 0x7ffc0dd86fff monitored = 0 entry_point = 0x7ffc0dc1db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2837 start_va = 0x7ffc0d070000 end_va = 0x7ffc0d07ffff monitored = 0 entry_point = 0x7ffc0d0756e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2838 start_va = 0x7ffc0cbd0000 end_va = 0x7ffc0cbf6fff monitored = 0 entry_point = 0x7ffc0cbe0aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 2839 start_va = 0x7ffc07230000 end_va = 0x7ffc072f7fff monitored = 0 entry_point = 0x7ffc072713f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 2840 start_va = 0x7ffc06820000 end_va = 0x7ffc0685dfff monitored = 0 entry_point = 0x7ffc0682a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 2841 start_va = 0x7ffc0c410000 end_va = 0x7ffc0c41bfff monitored = 0 entry_point = 0x7ffc0c4127e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2842 start_va = 0x7ffc0ce90000 end_va = 0x7ffc0ceb8fff monitored = 0 entry_point = 0x7ffc0cea4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2843 start_va = 0x7ffc0cb90000 end_va = 0x7ffc0cbc9fff monitored = 0 entry_point = 0x7ffc0cb98d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 2913 start_va = 0x7ffc0af20000 end_va = 0x7ffc0af2efff monitored = 0 entry_point = 0x7ffc0af22c50 region_type = mapped_file name = "dimsjob.dll" filename = "\\Windows\\System32\\dimsjob.dll" (normalized: "c:\\windows\\system32\\dimsjob.dll") Region: id = 2978 start_va = 0xb30000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 3014 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 3015 start_va = 0xbb0000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 3016 start_va = 0xc30000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 3017 start_va = 0x7ffc034b0000 end_va = 0x7ffc034f6fff monitored = 0 entry_point = 0x7ffc034b1d10 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 3018 start_va = 0x7ffc03470000 end_va = 0x7ffc034affff monitored = 0 entry_point = 0x7ffc0347cbe0 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 3019 start_va = 0x7ffc0ea00000 end_va = 0x7ffc0ea5bfff monitored = 0 entry_point = 0x7ffc0ea1b720 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 3020 start_va = 0x7ffc0c450000 end_va = 0x7ffc0c45cfff monitored = 0 entry_point = 0x7ffc0c451fe0 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 3021 start_va = 0x7ffc035d0000 end_va = 0x7ffc0360ffff monitored = 0 entry_point = 0x7ffc035e6c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 3022 start_va = 0xcb0000 end_va = 0xd8cfff monitored = 0 entry_point = 0xd0e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3031 start_va = 0xcb0000 end_va = 0xd2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Thread: id = 173 os_tid = 0x584 Thread: id = 175 os_tid = 0x5d4 Thread: id = 227 os_tid = 0x408 Thread: id = 228 os_tid = 0x160 Thread: id = 300 os_tid = 0x6b0 Thread: id = 301 os_tid = 0x7c8 Thread: id = 304 os_tid = 0x128 Process: id = "9" image_name = "sihost.exe" filename = "c:\\windows\\system32\\sihost.exe" page_root = "0x7a6b1000" os_pid = "0x624" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x3f0" cmd_line = "sihost.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001298a" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1922 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1923 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1924 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1925 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1926 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1927 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1928 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1929 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1930 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1931 start_va = 0x7ff6620b0000 end_va = 0x7ff6620c5fff monitored = 0 entry_point = 0x7ff6620b5190 region_type = mapped_file name = "sihost.exe" filename = "\\Windows\\System32\\sihost.exe" (normalized: "c:\\windows\\system32\\sihost.exe") Region: id = 1932 start_va = 0x7ffc109e0000 end_va = 0x7ffc10ba0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1942 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1943 start_va = 0x7ffc108d0000 end_va = 0x7ffc1097cfff monitored = 0 entry_point = 0x7ffc108e81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1944 start_va = 0x7ffc0d250000 end_va = 0x7ffc0d437fff monitored = 0 entry_point = 0x7ffc0d27ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1945 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1946 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1947 start_va = 0xf0000 end_va = 0x1adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1948 start_va = 0x7ffc0df90000 end_va = 0x7ffc0e02cfff monitored = 0 entry_point = 0x7ffc0df978a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1949 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1950 start_va = 0x490000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 1951 start_va = 0x7ffc0e780000 end_va = 0x7ffc0e9fcfff monitored = 0 entry_point = 0x7ffc0e854970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1952 start_va = 0x7ffc0ef30000 end_va = 0x7ffc0f04bfff monitored = 0 entry_point = 0x7ffc0ef702b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1953 start_va = 0x7ffc0d1e0000 end_va = 0x7ffc0d249fff monitored = 0 entry_point = 0x7ffc0d216d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1954 start_va = 0x7ffc0e230000 end_va = 0x7ffc0e28afff monitored = 0 entry_point = 0x7ffc0e2438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1955 start_va = 0x7ffc0ea60000 end_va = 0x7ffc0eb06fff monitored = 0 entry_point = 0x7ffc0ea758d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1956 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1957 start_va = 0x7ffc0c4f0000 end_va = 0x7ffc0c520fff monitored = 0 entry_point = 0x7ffc0c4f7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1958 start_va = 0x7ffc0a8e0000 end_va = 0x7ffc0a99dfff monitored = 0 entry_point = 0x7ffc0a922d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 1959 start_va = 0x590000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 1960 start_va = 0x7ffc04c80000 end_va = 0x7ffc04f07fff monitored = 0 entry_point = 0x7ffc04cdf670 region_type = mapped_file name = "coreuicomponents.dll" filename = "\\Windows\\System32\\CoreUIComponents.dll" (normalized: "c:\\windows\\system32\\coreuicomponents.dll") Region: id = 1961 start_va = 0x7ffc0d080000 end_va = 0x7ffc0d08efff monitored = 0 entry_point = 0x7ffc0d083210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1962 start_va = 0x7ffc0ed60000 end_va = 0x7ffc0eeb5fff monitored = 0 entry_point = 0x7ffc0ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1963 start_va = 0x7ffc0f170000 end_va = 0x7ffc0f2f5fff monitored = 0 entry_point = 0x7ffc0f1bffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1964 start_va = 0x7ffc0d120000 end_va = 0x7ffc0d1d4fff monitored = 0 entry_point = 0x7ffc0d1622e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1965 start_va = 0x7ffc081f0000 end_va = 0x7ffc08325fff monitored = 0 entry_point = 0x7ffc0821f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1966 start_va = 0x610000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 1967 start_va = 0x1b0000 end_va = 0x1b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1968 start_va = 0x1c0000 end_va = 0x1f8fff monitored = 0 entry_point = 0x1c12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1969 start_va = 0x6d0000 end_va = 0x857fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 1970 start_va = 0x7ffc0e1f0000 end_va = 0x7ffc0e22afff monitored = 0 entry_point = 0x7ffc0e1f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1971 start_va = 0x860000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 1972 start_va = 0x9f0000 end_va = 0x1deffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 1973 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1974 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1975 start_va = 0x1df0000 end_va = 0x1eccfff monitored = 0 entry_point = 0x1e4e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1976 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1977 start_va = 0x7ffc0e6d0000 end_va = 0x7ffc0e776fff monitored = 0 entry_point = 0x7ffc0e6db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1978 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1979 start_va = 0x7ffc04c60000 end_va = 0x7ffc04c7dfff monitored = 0 entry_point = 0x7ffc04c65340 region_type = mapped_file name = "desktopshellext.dll" filename = "\\Windows\\System32\\DesktopShellExt.dll" (normalized: "c:\\windows\\system32\\desktopshellext.dll") Region: id = 1980 start_va = 0x7ffc04c40000 end_va = 0x7ffc04c51fff monitored = 0 entry_point = 0x7ffc04c45110 region_type = mapped_file name = "windows.shell.servicehostbuilder.dll" filename = "\\Windows\\System32\\Windows.Shell.ServiceHostBuilder.dll" (normalized: "c:\\windows\\system32\\windows.shell.servicehostbuilder.dll") Region: id = 1981 start_va = 0x1df0000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 1982 start_va = 0x1ef0000 end_va = 0x1fccfff monitored = 0 entry_point = 0x1f4e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1983 start_va = 0x610000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 1984 start_va = 0x6c0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1985 start_va = 0x1ef0000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 1986 start_va = 0x1f70000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 1987 start_va = 0x7ffc0aff0000 end_va = 0x7ffc0b482fff monitored = 0 entry_point = 0x7ffc0afff760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1989 start_va = 0x7ffc04a80000 end_va = 0x7ffc04b59fff monitored = 0 entry_point = 0x7ffc04ad03b0 region_type = mapped_file name = "modernexecserver.dll" filename = "\\Windows\\System32\\modernexecserver.dll" (normalized: "c:\\windows\\system32\\modernexecserver.dll") Region: id = 2001 start_va = 0x7ffc0ec90000 end_va = 0x7ffc0ed50fff monitored = 0 entry_point = 0x7ffc0ecb0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2002 start_va = 0x7ffc0d020000 end_va = 0x7ffc0d06afff monitored = 0 entry_point = 0x7ffc0d0235f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2003 start_va = 0x7ffc0bd80000 end_va = 0x7ffc0bda9fff monitored = 0 entry_point = 0x7ffc0bd88b90 region_type = mapped_file name = "rmclient.dll" filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll") Region: id = 2004 start_va = 0x7ffc04a20000 end_va = 0x7ffc04a6afff monitored = 0 entry_point = 0x7ffc04a37b70 region_type = mapped_file name = "veeventdispatcher.dll" filename = "\\Windows\\System32\\VEEventDispatcher.dll" (normalized: "c:\\windows\\system32\\veeventdispatcher.dll") Region: id = 2005 start_va = 0x7ffc0bb20000 end_va = 0x7ffc0bc1ffff monitored = 0 entry_point = 0x7ffc0bb60f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 2006 start_va = 0x7ffc0ce90000 end_va = 0x7ffc0ceb8fff monitored = 0 entry_point = 0x7ffc0cea4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2009 start_va = 0x7ffc098c0000 end_va = 0x7ffc09951fff monitored = 0 entry_point = 0x7ffc0990a780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 2010 start_va = 0x1ff0000 end_va = 0x2132fff monitored = 0 entry_point = 0x2018210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2014 start_va = 0x1ff0000 end_va = 0x20cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2015 start_va = 0x20d0000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 2016 start_va = 0x7ffc0b980000 end_va = 0x7ffc0ba15fff monitored = 0 entry_point = 0x7ffc0b9a5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2017 start_va = 0x2150000 end_va = 0x21bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 2019 start_va = 0x7ffc049a0000 end_va = 0x7ffc049d0fff monitored = 0 entry_point = 0x7ffc049a3400 region_type = mapped_file name = "clipboardserver.dll" filename = "\\Windows\\System32\\ClipboardServer.dll" (normalized: "c:\\windows\\system32\\clipboardserver.dll") Region: id = 2020 start_va = 0x7ffc04940000 end_va = 0x7ffc0499cfff monitored = 0 entry_point = 0x7ffc04950080 region_type = mapped_file name = "activationmanager.dll" filename = "\\Windows\\System32\\ActivationManager.dll" (normalized: "c:\\windows\\system32\\activationmanager.dll") Region: id = 2021 start_va = 0x7ffc04910000 end_va = 0x7ffc04932fff monitored = 0 entry_point = 0x7ffc04913020 region_type = mapped_file name = "appointmentactivation.dll" filename = "\\Windows\\System32\\AppointmentActivation.dll" (normalized: "c:\\windows\\system32\\appointmentactivation.dll") Region: id = 2022 start_va = 0x21c0000 end_va = 0x223ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021c0000" filename = "" Region: id = 2023 start_va = 0x7ffc0e0a0000 end_va = 0x7ffc0e1e2fff monitored = 0 entry_point = 0x7ffc0e0c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2024 start_va = 0x7ffc062c0000 end_va = 0x7ffc06300fff monitored = 0 entry_point = 0x7ffc062c4840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 2025 start_va = 0x2240000 end_va = 0x22bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 2026 start_va = 0x7ffc067c0000 end_va = 0x7ffc067cffff monitored = 0 entry_point = 0x7ffc067c2c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 2027 start_va = 0x22c0000 end_va = 0x233ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022c0000" filename = "" Region: id = 2028 start_va = 0x2340000 end_va = 0x243ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 2029 start_va = 0x2440000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 2030 start_va = 0x2c40000 end_va = 0x2cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 2031 start_va = 0x2cc0000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 2032 start_va = 0x7ffc048a0000 end_va = 0x7ffc048e3fff monitored = 0 entry_point = 0x7ffc048ac010 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 2039 start_va = 0x7ffc04870000 end_va = 0x7ffc0487dfff monitored = 0 entry_point = 0x7ffc04872690 region_type = mapped_file name = "notificationplatformcomponent.dll" filename = "\\Windows\\System32\\notificationplatformcomponent.dll" (normalized: "c:\\windows\\system32\\notificationplatformcomponent.dll") Region: id = 2040 start_va = 0x7ffc047a0000 end_va = 0x7ffc04836fff monitored = 0 entry_point = 0x7ffc047b4fd0 region_type = mapped_file name = "appcontracts.dll" filename = "\\Windows\\System32\\AppContracts.dll" (normalized: "c:\\windows\\system32\\appcontracts.dll") Region: id = 2042 start_va = 0x7ffc046a0000 end_va = 0x7ffc04741fff monitored = 0 entry_point = 0x7ffc046a2b20 region_type = mapped_file name = "sharehost.dll" filename = "\\Windows\\System32\\ShareHost.dll" (normalized: "c:\\windows\\system32\\sharehost.dll") Region: id = 2047 start_va = 0x7ffc10870000 end_va = 0x7ffc108c1fff monitored = 0 entry_point = 0x7ffc1087f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2048 start_va = 0x7ffc0d4c0000 end_va = 0x7ffc0db03fff monitored = 0 entry_point = 0x7ffc0d6864b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2049 start_va = 0x7ffc0dd90000 end_va = 0x7ffc0ddd2fff monitored = 0 entry_point = 0x7ffc0dda4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2050 start_va = 0x7ffc0d000000 end_va = 0x7ffc0d013fff monitored = 0 entry_point = 0x7ffc0d0052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2051 start_va = 0x7ffc045b0000 end_va = 0x7ffc045b8fff monitored = 0 entry_point = 0x7ffc045b1480 region_type = mapped_file name = "wpportinglibrary.dll" filename = "\\Windows\\System32\\WpPortingLibrary.dll" (normalized: "c:\\windows\\system32\\wpportinglibrary.dll") Region: id = 2056 start_va = 0x7ffc041a0000 end_va = 0x7ffc043fcfff monitored = 0 entry_point = 0x7ffc04228610 region_type = mapped_file name = "twinui.appcore.dll" filename = "\\Windows\\System32\\twinui.appcore.dll" (normalized: "c:\\windows\\system32\\twinui.appcore.dll") Region: id = 2152 start_va = 0x2d40000 end_va = 0x2dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 2162 start_va = 0x7ffc03020000 end_va = 0x7ffc03034fff monitored = 0 entry_point = 0x7ffc03021ab0 region_type = mapped_file name = "execmodelproxy.dll" filename = "\\Windows\\System32\\execmodelproxy.dll" (normalized: "c:\\windows\\system32\\execmodelproxy.dll") Region: id = 2165 start_va = 0x2dc0000 end_va = 0x2e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 2179 start_va = 0x2e40000 end_va = 0x2ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 2184 start_va = 0x2ec0000 end_va = 0x2f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 3041 start_va = 0x7ffc031b0000 end_va = 0x7ffc03452fff monitored = 0 entry_point = 0x7ffc031d6190 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 3042 start_va = 0x2f40000 end_va = 0x2fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 3043 start_va = 0x7ffc03110000 end_va = 0x7ffc031a3fff monitored = 0 entry_point = 0x7ffc03149210 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Thread: id = 176 os_tid = 0x628 Thread: id = 177 os_tid = 0x62c Thread: id = 178 os_tid = 0x634 Thread: id = 180 os_tid = 0x63c Thread: id = 181 os_tid = 0x640 Thread: id = 182 os_tid = 0x644 Thread: id = 184 os_tid = 0x658 Thread: id = 185 os_tid = 0x664 Thread: id = 186 os_tid = 0x670 Thread: id = 187 os_tid = 0x674 Thread: id = 188 os_tid = 0x67c Thread: id = 189 os_tid = 0x680 Thread: id = 210 os_tid = 0x7a4 Thread: id = 216 os_tid = 0x7d0 Thread: id = 221 os_tid = 0x7fc Thread: id = 222 os_tid = 0x394 Thread: id = 305 os_tid = 0x31c Process: id = "10" image_name = "taskhostw.exe" filename = "c:\\windows\\system32\\taskhostw.exe" page_root = "0x77289000" os_pid = "0x2fc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x3f0" cmd_line = "taskhostw.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001298a" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2192 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2193 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2194 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2195 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2196 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2197 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2198 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2199 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2200 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2201 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2202 start_va = 0x7ff678e00000 end_va = 0x7ff678e18fff monitored = 0 entry_point = 0x7ff678e059b0 region_type = mapped_file name = "taskhostw.exe" filename = "\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe") Region: id = 2203 start_va = 0x7ffc109e0000 end_va = 0x7ffc10ba0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2205 start_va = 0x400000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2206 start_va = 0x7ffc108d0000 end_va = 0x7ffc1097cfff monitored = 0 entry_point = 0x7ffc108e81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2207 start_va = 0x7ffc0d250000 end_va = 0x7ffc0d437fff monitored = 0 entry_point = 0x7ffc0d27ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2208 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2209 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2210 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2211 start_va = 0x7ffc0df90000 end_va = 0x7ffc0e02cfff monitored = 0 entry_point = 0x7ffc0df978a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2212 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2213 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 2214 start_va = 0x7ffc0ef30000 end_va = 0x7ffc0f04bfff monitored = 0 entry_point = 0x7ffc0ef702b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2215 start_va = 0x7ffc0e780000 end_va = 0x7ffc0e9fcfff monitored = 0 entry_point = 0x7ffc0e854970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2216 start_va = 0x7ffc0d1e0000 end_va = 0x7ffc0d249fff monitored = 0 entry_point = 0x7ffc0d216d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2217 start_va = 0x7ffc0ec90000 end_va = 0x7ffc0ed50fff monitored = 0 entry_point = 0x7ffc0ecb0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2218 start_va = 0x6d0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 2219 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2220 start_va = 0x480000 end_va = 0x5c2fff monitored = 0 entry_point = 0x4a8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2221 start_va = 0x480000 end_va = 0x55cfff monitored = 0 entry_point = 0x4de0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2222 start_va = 0x7ffc0d080000 end_va = 0x7ffc0d08efff monitored = 0 entry_point = 0x7ffc0d083210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2223 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2268 start_va = 0x7ffc0e230000 end_va = 0x7ffc0e28afff monitored = 0 entry_point = 0x7ffc0e2438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2269 start_va = 0x480000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2270 start_va = 0x7ffc0ed60000 end_va = 0x7ffc0eeb5fff monitored = 0 entry_point = 0x7ffc0ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2271 start_va = 0x7ffc0f170000 end_va = 0x7ffc0f2f5fff monitored = 0 entry_point = 0x7ffc0f1bffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2272 start_va = 0x500000 end_va = 0x538fff monitored = 0 entry_point = 0x5012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2273 start_va = 0x6d0000 end_va = 0x857fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 2274 start_va = 0x8a0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 2275 start_va = 0x7ffc0e1f0000 end_va = 0x7ffc0e22afff monitored = 0 entry_point = 0x7ffc0e1f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2276 start_va = 0x8b0000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2277 start_va = 0xa40000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 2278 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskhostw.exe.mui" filename = "\\Windows\\System32\\en-US\\taskhostw.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskhostw.exe.mui") Region: id = 2279 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 2280 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2281 start_va = 0x7ffc0b980000 end_va = 0x7ffc0ba15fff monitored = 0 entry_point = 0x7ffc0b9a5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2282 start_va = 0x500000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2285 start_va = 0x7ffc0eb30000 end_va = 0x7ffc0ec89fff monitored = 0 entry_point = 0x7ffc0eb738e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2286 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 2287 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 2288 start_va = 0x1e40000 end_va = 0x1efbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e40000" filename = "" Region: id = 2289 start_va = 0x500000 end_va = 0x503fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 2290 start_va = 0x7ffc0a890000 end_va = 0x7ffc0a8b1fff monitored = 0 entry_point = 0x7ffc0a891a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2477 start_va = 0x510000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2478 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 2479 start_va = 0x7ffc0e6d0000 end_va = 0x7ffc0e776fff monitored = 0 entry_point = 0x7ffc0e6db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2480 start_va = 0x5b0000 end_va = 0x5b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 2481 start_va = 0x7ffc05750000 end_va = 0x7ffc05848fff monitored = 0 entry_point = 0x7ffc05798000 region_type = mapped_file name = "settingsynccore.dll" filename = "\\Windows\\System32\\SettingSyncCore.dll" (normalized: "c:\\windows\\system32\\settingsynccore.dll") Region: id = 2482 start_va = 0x5c0000 end_va = 0x5c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 2483 start_va = 0x7ffc0d120000 end_va = 0x7ffc0d1d4fff monitored = 0 entry_point = 0x7ffc0d1622e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2484 start_va = 0x7ffc0d000000 end_va = 0x7ffc0d013fff monitored = 0 entry_point = 0x7ffc0d0052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2485 start_va = 0x7ffc0ea60000 end_va = 0x7ffc0eb06fff monitored = 0 entry_point = 0x7ffc0ea758d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2486 start_va = 0x7ffc0ce90000 end_va = 0x7ffc0ceb8fff monitored = 0 entry_point = 0x7ffc0cea4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2487 start_va = 0x7ffc0c9e0000 end_va = 0x7ffc0c9f6fff monitored = 0 entry_point = 0x7ffc0c9e79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2488 start_va = 0x7ffc02d20000 end_va = 0x7ffc02dedfff monitored = 0 entry_point = 0x7ffc02d514c0 region_type = mapped_file name = "tokenbroker.dll" filename = "\\Windows\\System32\\TokenBroker.dll" (normalized: "c:\\windows\\system32\\tokenbroker.dll") Region: id = 2489 start_va = 0x7ffc081f0000 end_va = 0x7ffc08325fff monitored = 0 entry_point = 0x7ffc0821f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 2490 start_va = 0x1f00000 end_va = 0x1fdcfff monitored = 0 entry_point = 0x1f5e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2495 start_va = 0x1f00000 end_va = 0x1f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 2496 start_va = 0x1f80000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 2497 start_va = 0x2000000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 2904 start_va = 0x7ffc0aff0000 end_va = 0x7ffc0b482fff monitored = 0 entry_point = 0x7ffc0afff760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 2922 start_va = 0x860000 end_va = 0x88dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Thread: id = 224 os_tid = 0x4ac Thread: id = 225 os_tid = 0x500 Thread: id = 234 os_tid = 0x5b0 Thread: id = 265 os_tid = 0x630 Thread: id = 266 os_tid = 0x5f0 Thread: id = 267 os_tid = 0x5f8 Thread: id = 268 os_tid = 0x5fc Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x22444000" os_pid = "0x364" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x210" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xa], "NT SERVICE\\CoreMessagingRegistrar" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\NcdAutoSetup" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b28b" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Region: id = 2291 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2292 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 2293 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2294 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2295 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2296 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2297 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2298 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2299 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2300 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2301 start_va = 0x1e0000 end_va = 0x1e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 2302 start_va = 0x1f0000 end_va = 0x1f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "bfe.dll.mui" filename = "\\Windows\\System32\\en-US\\bfe.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\bfe.dll.mui") Region: id = 2303 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2304 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2305 start_va = 0x500000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2306 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 2307 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 2308 start_va = 0x5a0000 end_va = 0x5a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 2309 start_va = 0x5b0000 end_va = 0x5d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2310 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 2311 start_va = 0x5f0000 end_va = 0x5f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 2312 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2313 start_va = 0x700000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 2314 start_va = 0x890000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 2315 start_va = 0xa20000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 2316 start_va = 0xae0000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 2317 start_va = 0xaf0000 end_va = 0xaf7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 2318 start_va = 0xb00000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 2319 start_va = 0xc00000 end_va = 0xc80fff monitored = 0 entry_point = 0xc0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2320 start_va = 0xc90000 end_va = 0xc91fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 2321 start_va = 0xca0000 end_va = 0xca4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 2322 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 2323 start_va = 0xcc0000 end_va = 0xcc6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 2324 start_va = 0xcd0000 end_va = 0xcd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 2325 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 2326 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 2327 start_va = 0xd00000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 2328 start_va = 0xe00000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 2329 start_va = 0x1600000 end_va = 0x16fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 2330 start_va = 0x1700000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 2331 start_va = 0x1800000 end_va = 0x187ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 2332 start_va = 0x1880000 end_va = 0x1883fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001880000" filename = "" Region: id = 2333 start_va = 0x1890000 end_va = 0x1891fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001890000" filename = "" Region: id = 2334 start_va = 0x18a0000 end_va = 0x18a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 2335 start_va = 0x18e0000 end_va = 0x18e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018e0000" filename = "" Region: id = 2336 start_va = 0x18f0000 end_va = 0x18f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 2337 start_va = 0x1900000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 2338 start_va = 0x1a00000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 2339 start_va = 0x1b00000 end_va = 0x1bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 2340 start_va = 0x1c00000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 2341 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 2342 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 2343 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 2344 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 2345 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 2346 start_va = 0x2300000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 2347 start_va = 0x2400000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 2348 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 2349 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 2350 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 2351 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 2352 start_va = 0x2900000 end_va = 0x290ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002900000" filename = "" Region: id = 2353 start_va = 0x2910000 end_va = 0x291ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002910000" filename = "" Region: id = 2354 start_va = 0x2920000 end_va = 0x292ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002920000" filename = "" Region: id = 2355 start_va = 0x2930000 end_va = 0x293ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002930000" filename = "" Region: id = 2356 start_va = 0x2940000 end_va = 0x295ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 2357 start_va = 0x2960000 end_va = 0x2966fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 2358 start_va = 0x2970000 end_va = 0x297ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002970000" filename = "" Region: id = 2359 start_va = 0x2980000 end_va = 0x298ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 2360 start_va = 0x2990000 end_va = 0x299ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002990000" filename = "" Region: id = 2361 start_va = 0x29a0000 end_va = 0x29affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029a0000" filename = "" Region: id = 2362 start_va = 0x29e0000 end_va = 0x29e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029e0000" filename = "" Region: id = 2363 start_va = 0x2a00000 end_va = 0x2afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 2364 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 2365 start_va = 0x2c00000 end_va = 0x2e01fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 2366 start_va = 0x2e10000 end_va = 0x2f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 2367 start_va = 0x2f10000 end_va = 0x300ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f10000" filename = "" Region: id = 2368 start_va = 0x3010000 end_va = 0x310ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2369 start_va = 0x3110000 end_va = 0x320ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 2370 start_va = 0x3210000 end_va = 0x330ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003210000" filename = "" Region: id = 2371 start_va = 0x3310000 end_va = 0x340ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003310000" filename = "" Region: id = 2372 start_va = 0x3410000 end_va = 0x350ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 2373 start_va = 0x3510000 end_va = 0x3846fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2374 start_va = 0x3850000 end_va = 0x394ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003850000" filename = "" Region: id = 2375 start_va = 0x3950000 end_va = 0x3a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003950000" filename = "" Region: id = 2376 start_va = 0x3a50000 end_va = 0x3a5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2377 start_va = 0x3a60000 end_va = 0x3a6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2378 start_va = 0x3a70000 end_va = 0x3a7ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2379 start_va = 0x3a80000 end_va = 0x3a8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2380 start_va = 0x3a90000 end_va = 0x3a9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2381 start_va = 0x3aa0000 end_va = 0x3aaffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2382 start_va = 0x3ab0000 end_va = 0x3abffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2383 start_va = 0x3ac0000 end_va = 0x3acffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2384 start_va = 0x3ad0000 end_va = 0x3adffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2385 start_va = 0x3ae0000 end_va = 0x3aeffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2386 start_va = 0x3af0000 end_va = 0x3afffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2387 start_va = 0x3b00000 end_va = 0x3bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 2388 start_va = 0x3c00000 end_va = 0x3cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 2389 start_va = 0x3d00000 end_va = 0x3dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d00000" filename = "" Region: id = 2390 start_va = 0x3e00000 end_va = 0x3efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 2391 start_va = 0x3f00000 end_va = 0x4efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 2392 start_va = 0x4f00000 end_va = 0x4f0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2393 start_va = 0x4f10000 end_va = 0x4f1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2394 start_va = 0x4f20000 end_va = 0x4f2ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 2395 start_va = 0x4f30000 end_va = 0x4faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f30000" filename = "" Region: id = 2396 start_va = 0x4fb0000 end_va = 0x4fb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004fb0000" filename = "" Region: id = 2397 start_va = 0x4fc0000 end_va = 0x50bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004fc0000" filename = "" Region: id = 2398 start_va = 0x50c0000 end_va = 0x51bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000050c0000" filename = "" Region: id = 2399 start_va = 0x5200000 end_va = 0x52fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005200000" filename = "" Region: id = 2400 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2401 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2402 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2403 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2404 start_va = 0x7ff7c0750000 end_va = 0x7ff7c075cfff monitored = 0 entry_point = 0x7ff7c0753980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2405 start_va = 0x7ffc02f20000 end_va = 0x7ffc02f2dfff monitored = 0 entry_point = 0x7ffc02f23c90 region_type = mapped_file name = "wpnsruprov.dll" filename = "\\Windows\\System32\\wpnsruprov.dll" (normalized: "c:\\windows\\system32\\wpnsruprov.dll") Region: id = 2406 start_va = 0x7ffc02f30000 end_va = 0x7ffc02f48fff monitored = 0 entry_point = 0x7ffc02f3c2f0 region_type = mapped_file name = "appsruprov.dll" filename = "\\Windows\\System32\\appsruprov.dll" (normalized: "c:\\windows\\system32\\appsruprov.dll") Region: id = 2407 start_va = 0x7ffc02f50000 end_va = 0x7ffc02f6afff monitored = 0 entry_point = 0x7ffc02f5c6a0 region_type = mapped_file name = "eeprov.dll" filename = "\\Windows\\System32\\eeprov.dll" (normalized: "c:\\windows\\system32\\eeprov.dll") Region: id = 2408 start_va = 0x7ffc03040000 end_va = 0x7ffc0304cfff monitored = 0 entry_point = 0x7ffc03043da0 region_type = mapped_file name = "pots.dll" filename = "\\Windows\\System32\\pots.dll" (normalized: "c:\\windows\\system32\\pots.dll") Region: id = 2409 start_va = 0x7ffc03050000 end_va = 0x7ffc03063fff monitored = 0 entry_point = 0x7ffc03055d60 region_type = mapped_file name = "nduprov.dll" filename = "\\Windows\\System32\\nduprov.dll" (normalized: "c:\\windows\\system32\\nduprov.dll") Region: id = 2410 start_va = 0x7ffc035d0000 end_va = 0x7ffc0360ffff monitored = 0 entry_point = 0x7ffc035e6c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2411 start_va = 0x7ffc03610000 end_va = 0x7ffc0361bfff monitored = 0 entry_point = 0x7ffc036116a0 region_type = mapped_file name = "wfapigp.dll" filename = "\\Windows\\System32\\wfapigp.dll" (normalized: "c:\\windows\\system32\\wfapigp.dll") Region: id = 2412 start_va = 0x7ffc036c0000 end_va = 0x7ffc039b8fff monitored = 0 entry_point = 0x7ffc03787280 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 2413 start_va = 0x7ffc039c0000 end_va = 0x7ffc039f6fff monitored = 0 entry_point = 0x7ffc039ca9e0 region_type = mapped_file name = "srumsvc.dll" filename = "\\Windows\\System32\\srumsvc.dll" (normalized: "c:\\windows\\system32\\srumsvc.dll") Region: id = 2414 start_va = 0x7ffc03a20000 end_va = 0x7ffc03a3dfff monitored = 0 entry_point = 0x7ffc03a25190 region_type = mapped_file name = "radardt.dll" filename = "\\Windows\\System32\\radardt.dll" (normalized: "c:\\windows\\system32\\radardt.dll") Region: id = 2415 start_va = 0x7ffc03a40000 end_va = 0x7ffc03a48fff monitored = 0 entry_point = 0x7ffc03a41620 region_type = mapped_file name = "pnpts.dll" filename = "\\Windows\\System32\\pnpts.dll" (normalized: "c:\\windows\\system32\\pnpts.dll") Region: id = 2416 start_va = 0x7ffc03a50000 end_va = 0x7ffc03bb5fff monitored = 0 entry_point = 0x7ffc03a979f0 region_type = mapped_file name = "diagperf.dll" filename = "\\Windows\\System32\\diagperf.dll" (normalized: "c:\\windows\\system32\\diagperf.dll") Region: id = 2417 start_va = 0x7ffc03e30000 end_va = 0x7ffc03e37fff monitored = 0 entry_point = 0x7ffc03e31ab0 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 2418 start_va = 0x7ffc03e40000 end_va = 0x7ffc03e47fff monitored = 0 entry_point = 0x7ffc03e410a0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2419 start_va = 0x7ffc03e50000 end_va = 0x7ffc03e59fff monitored = 0 entry_point = 0x7ffc03e515c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 2420 start_va = 0x7ffc045c0000 end_va = 0x7ffc045dcfff monitored = 0 entry_point = 0x7ffc045c6190 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 2421 start_va = 0x7ffc04840000 end_va = 0x7ffc0486ffff monitored = 0 entry_point = 0x7ffc0484a670 region_type = mapped_file name = "dps.dll" filename = "\\Windows\\System32\\dps.dll" (normalized: "c:\\windows\\system32\\dps.dll") Region: id = 2422 start_va = 0x7ffc048f0000 end_va = 0x7ffc048f9fff monitored = 0 entry_point = 0x7ffc048f3070 region_type = mapped_file name = "adhapi.dll" filename = "\\Windows\\System32\\adhapi.dll" (normalized: "c:\\windows\\system32\\adhapi.dll") Region: id = 2423 start_va = 0x7ffc04900000 end_va = 0x7ffc04908fff monitored = 0 entry_point = 0x7ffc049021d0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 2424 start_va = 0x7ffc049e0000 end_va = 0x7ffc04a14fff monitored = 0 entry_point = 0x7ffc049ea270 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 2425 start_va = 0x7ffc04b60000 end_va = 0x7ffc04c3cfff monitored = 0 entry_point = 0x7ffc04b95630 region_type = mapped_file name = "mpssvc.dll" filename = "\\Windows\\System32\\MPSSVC.dll" (normalized: "c:\\windows\\system32\\mpssvc.dll") Region: id = 2426 start_va = 0x7ffc05440000 end_va = 0x7ffc0550afff monitored = 0 entry_point = 0x7ffc054687f0 region_type = mapped_file name = "bfe.dll" filename = "\\Windows\\System32\\BFE.DLL" (normalized: "c:\\windows\\system32\\bfe.dll") Region: id = 2427 start_va = 0x7ffc059b0000 end_va = 0x7ffc05a42fff monitored = 0 entry_point = 0x7ffc059b9680 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 2428 start_va = 0x7ffc05c30000 end_va = 0x7ffc05c3dfff monitored = 0 entry_point = 0x7ffc05c31460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 2429 start_va = 0x7ffc05ff0000 end_va = 0x7ffc06056fff monitored = 0 entry_point = 0x7ffc05ff63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2430 start_va = 0x7ffc06280000 end_va = 0x7ffc06299fff monitored = 0 entry_point = 0x7ffc06282430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2431 start_va = 0x7ffc062a0000 end_va = 0x7ffc062b5fff monitored = 0 entry_point = 0x7ffc062a19f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2432 start_va = 0x7ffc06310000 end_va = 0x7ffc06347fff monitored = 0 entry_point = 0x7ffc06328cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2433 start_va = 0x7ffc06460000 end_va = 0x7ffc0646afff monitored = 0 entry_point = 0x7ffc06461d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2434 start_va = 0x7ffc069e0000 end_va = 0x7ffc069f5fff monitored = 0 entry_point = 0x7ffc069e1b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2435 start_va = 0x7ffc06a00000 end_va = 0x7ffc06a63fff monitored = 0 entry_point = 0x7ffc06a15ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2436 start_va = 0x7ffc07060000 end_va = 0x7ffc070b4fff monitored = 0 entry_point = 0x7ffc07063fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 2437 start_va = 0x7ffc07100000 end_va = 0x7ffc071befff monitored = 0 entry_point = 0x7ffc07121c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 2438 start_va = 0x7ffc07e60000 end_va = 0x7ffc081e1fff monitored = 0 entry_point = 0x7ffc07eb1220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 2439 start_va = 0x7ffc09420000 end_va = 0x7ffc0952dfff monitored = 0 entry_point = 0x7ffc0946eaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 2440 start_va = 0x7ffc098c0000 end_va = 0x7ffc09951fff monitored = 0 entry_point = 0x7ffc0990a780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 2441 start_va = 0x7ffc0a8e0000 end_va = 0x7ffc0a99dfff monitored = 0 entry_point = 0x7ffc0a922d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 2442 start_va = 0x7ffc0ba40000 end_va = 0x7ffc0ba66fff monitored = 0 entry_point = 0x7ffc0ba47940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2443 start_va = 0x7ffc0ba70000 end_va = 0x7ffc0bb19fff monitored = 0 entry_point = 0x7ffc0ba97910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2444 start_va = 0x7ffc0be80000 end_va = 0x7ffc0beb1fff monitored = 0 entry_point = 0x7ffc0be92340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 2445 start_va = 0x7ffc0c000000 end_va = 0x7ffc0c023fff monitored = 0 entry_point = 0x7ffc0c003260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2446 start_va = 0x7ffc0c030000 end_va = 0x7ffc0c127fff monitored = 0 entry_point = 0x7ffc0c03d580 region_type = mapped_file name = "tdh.dll" filename = "\\Windows\\System32\\tdh.dll" (normalized: "c:\\windows\\system32\\tdh.dll") Region: id = 2447 start_va = 0x7ffc0c1a0000 end_va = 0x7ffc0c293fff monitored = 0 entry_point = 0x7ffc0c1aa960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 2448 start_va = 0x7ffc0c2a0000 end_va = 0x7ffc0c2e8fff monitored = 0 entry_point = 0x7ffc0c2aa090 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 2449 start_va = 0x7ffc0c410000 end_va = 0x7ffc0c41bfff monitored = 0 entry_point = 0x7ffc0c4127e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2450 start_va = 0x7ffc0c4f0000 end_va = 0x7ffc0c520fff monitored = 0 entry_point = 0x7ffc0c4f7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2451 start_va = 0x7ffc0c8d0000 end_va = 0x7ffc0c92bfff monitored = 0 entry_point = 0x7ffc0c8e6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2452 start_va = 0x7ffc0cb00000 end_va = 0x7ffc0cb0afff monitored = 0 entry_point = 0x7ffc0cb019a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2453 start_va = 0x7ffc0cce0000 end_va = 0x7ffc0cd0cfff monitored = 0 entry_point = 0x7ffc0ccf9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2454 start_va = 0x7ffc0ce90000 end_va = 0x7ffc0ceb8fff monitored = 0 entry_point = 0x7ffc0cea4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2455 start_va = 0x7ffc0d000000 end_va = 0x7ffc0d013fff monitored = 0 entry_point = 0x7ffc0d0052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2456 start_va = 0x7ffc0d020000 end_va = 0x7ffc0d06afff monitored = 0 entry_point = 0x7ffc0d0235f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2457 start_va = 0x7ffc0d080000 end_va = 0x7ffc0d08efff monitored = 0 entry_point = 0x7ffc0d083210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2458 start_va = 0x7ffc0d120000 end_va = 0x7ffc0d1d4fff monitored = 0 entry_point = 0x7ffc0d1622e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2459 start_va = 0x7ffc0d1e0000 end_va = 0x7ffc0d249fff monitored = 0 entry_point = 0x7ffc0d216d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2460 start_va = 0x7ffc0d250000 end_va = 0x7ffc0d437fff monitored = 0 entry_point = 0x7ffc0d27ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2461 start_va = 0x7ffc0d4c0000 end_va = 0x7ffc0db03fff monitored = 0 entry_point = 0x7ffc0d6864b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2462 start_va = 0x7ffc0dd90000 end_va = 0x7ffc0ddd2fff monitored = 0 entry_point = 0x7ffc0dda4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2463 start_va = 0x7ffc0df90000 end_va = 0x7ffc0e02cfff monitored = 0 entry_point = 0x7ffc0df978a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2464 start_va = 0x7ffc0e230000 end_va = 0x7ffc0e28afff monitored = 0 entry_point = 0x7ffc0e2438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2465 start_va = 0x7ffc0e6c0000 end_va = 0x7ffc0e6c7fff monitored = 0 entry_point = 0x7ffc0e6c1ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2466 start_va = 0x7ffc0e6d0000 end_va = 0x7ffc0e776fff monitored = 0 entry_point = 0x7ffc0e6db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2467 start_va = 0x7ffc0e780000 end_va = 0x7ffc0e9fcfff monitored = 0 entry_point = 0x7ffc0e854970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2468 start_va = 0x7ffc0ea60000 end_va = 0x7ffc0eb06fff monitored = 0 entry_point = 0x7ffc0ea758d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2469 start_va = 0x7ffc0ec90000 end_va = 0x7ffc0ed50fff monitored = 0 entry_point = 0x7ffc0ecb0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2470 start_va = 0x7ffc0ed60000 end_va = 0x7ffc0eeb5fff monitored = 0 entry_point = 0x7ffc0ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2471 start_va = 0x7ffc0eec0000 end_va = 0x7ffc0ef2afff monitored = 0 entry_point = 0x7ffc0eed90c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2472 start_va = 0x7ffc0ef30000 end_va = 0x7ffc0f04bfff monitored = 0 entry_point = 0x7ffc0ef702b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2473 start_va = 0x7ffc0f170000 end_va = 0x7ffc0f2f5fff monitored = 0 entry_point = 0x7ffc0f1bffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2474 start_va = 0x7ffc10870000 end_va = 0x7ffc108c1fff monitored = 0 entry_point = 0x7ffc1087f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2475 start_va = 0x7ffc108d0000 end_va = 0x7ffc1097cfff monitored = 0 entry_point = 0x7ffc108e81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2476 start_va = 0x7ffc109e0000 end_va = 0x7ffc10ba0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2491 start_va = 0x18b0000 end_va = 0x18b4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000018b0000" filename = "" Region: id = 2498 start_va = 0x5300000 end_va = 0x54fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005300000" filename = "" Region: id = 2499 start_va = 0x5300000 end_va = 0x53fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005300000" filename = "" Region: id = 2500 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2501 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2502 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2503 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2504 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2505 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2506 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2507 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2508 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2509 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2510 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2511 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2512 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2513 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2514 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2515 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2516 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2517 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2518 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2519 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2520 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2521 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2522 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2523 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2524 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2525 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2526 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2527 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2528 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2529 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2530 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2531 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2532 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2533 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2534 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2535 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2536 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2537 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2538 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2539 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2540 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2541 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2542 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2543 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2544 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2545 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2546 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2547 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2548 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2549 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2550 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2551 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2552 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2553 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2554 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2555 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2556 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2557 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2558 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2559 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2560 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2561 start_va = 0x18b0000 end_va = 0x18c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 2562 start_va = 0x18b0000 end_va = 0x18b5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000018b0000" filename = "" Region: id = 2774 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2775 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2781 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2782 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2783 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2784 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2785 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2786 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2787 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2788 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2789 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2790 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2791 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2792 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2793 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2794 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2795 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2796 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2797 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2798 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2799 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2800 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2801 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2802 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2803 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2804 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2805 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2806 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2807 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2808 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2809 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2810 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2811 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2812 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2813 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2814 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2815 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2816 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2817 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2818 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2819 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2820 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2821 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2822 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2823 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2824 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2825 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2826 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2827 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2828 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2829 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2830 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2831 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2832 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2859 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2860 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2861 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2862 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2863 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2864 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2865 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2866 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2867 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2868 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2869 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2870 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2873 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2874 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2875 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2876 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2877 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2878 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2879 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2880 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2881 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2882 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2883 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2884 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2885 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2886 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2887 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2888 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2889 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2890 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2891 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2892 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2893 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2894 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2895 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2896 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2897 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2898 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2899 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2900 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2901 start_va = 0x18b0000 end_va = 0x18d3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2902 start_va = 0x1f00000 end_va = 0x1f85fff monitored = 0 entry_point = 0x1f0d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 3036 start_va = 0x7ffc08330000 end_va = 0x7ffc0833bfff monitored = 0 entry_point = 0x7ffc08333ab0 region_type = mapped_file name = "ncuprov.dll" filename = "\\Windows\\System32\\ncuprov.dll" (normalized: "c:\\windows\\system32\\ncuprov.dll") Region: id = 3045 start_va = 0x7ffc07840000 end_va = 0x7ffc07854fff monitored = 0 entry_point = 0x7ffc07843040 region_type = mapped_file name = "energyprov.dll" filename = "\\Windows\\System32\\energyprov.dll" (normalized: "c:\\windows\\system32\\energyprov.dll") Region: id = 3113 start_va = 0x5400000 end_va = 0x54fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005400000" filename = "" Thread: id = 235 os_tid = 0x484 Thread: id = 236 os_tid = 0x464 Thread: id = 237 os_tid = 0x7d4 Thread: id = 238 os_tid = 0x7b4 Thread: id = 239 os_tid = 0x7a8 Thread: id = 240 os_tid = 0x7a0 Thread: id = 241 os_tid = 0x78c Thread: id = 242 os_tid = 0x77c Thread: id = 243 os_tid = 0x778 Thread: id = 244 os_tid = 0x768 Thread: id = 245 os_tid = 0x754 Thread: id = 246 os_tid = 0x74c Thread: id = 247 os_tid = 0x6fc Thread: id = 248 os_tid = 0x6b8 Thread: id = 249 os_tid = 0x6b4 Thread: id = 250 os_tid = 0x68c Thread: id = 251 os_tid = 0x678 Thread: id = 252 os_tid = 0x66c Thread: id = 253 os_tid = 0x668 Thread: id = 254 os_tid = 0x65c Thread: id = 255 os_tid = 0x654 Thread: id = 256 os_tid = 0x648 Thread: id = 257 os_tid = 0x620 Thread: id = 258 os_tid = 0x61c Thread: id = 259 os_tid = 0x5c4 Thread: id = 260 os_tid = 0x53c Thread: id = 261 os_tid = 0x538 Thread: id = 262 os_tid = 0x3ac Thread: id = 263 os_tid = 0x378 Thread: id = 264 os_tid = 0x368 Thread: id = 314 os_tid = 0x314 Process: id = "12" image_name = "runtimebroker.exe" filename = "c:\\windows\\system32\\runtimebroker.exe" page_root = "0x766fb000" os_pid = "0x1cc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "10" os_parent_pid = "0x270" cmd_line = "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001298a" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2731 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2732 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2733 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2734 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2735 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2736 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2737 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2738 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2739 start_va = 0x110000 end_va = 0x116fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2740 start_va = 0x120000 end_va = 0x1ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2741 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2742 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2743 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2744 start_va = 0x500000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2745 start_va = 0x580000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 2746 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 2747 start_va = 0x620000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 2748 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 2749 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 2750 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2751 start_va = 0xb20000 end_va = 0x1f1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 2752 start_va = 0x1f20000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f20000" filename = "" Region: id = 2753 start_va = 0x1fa0000 end_va = 0x201ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 2754 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2755 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2756 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2757 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2758 start_va = 0x7ff670fd0000 end_va = 0x7ff670fe6fff monitored = 0 entry_point = 0x7ff670fd44f0 region_type = mapped_file name = "runtimebroker.exe" filename = "\\Windows\\System32\\RuntimeBroker.exe" (normalized: "c:\\windows\\system32\\runtimebroker.exe") Region: id = 2759 start_va = 0x7ffc0d020000 end_va = 0x7ffc0d06afff monitored = 0 entry_point = 0x7ffc0d0235f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2760 start_va = 0x7ffc0d080000 end_va = 0x7ffc0d08efff monitored = 0 entry_point = 0x7ffc0d083210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2761 start_va = 0x7ffc0d1e0000 end_va = 0x7ffc0d249fff monitored = 0 entry_point = 0x7ffc0d216d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2762 start_va = 0x7ffc0d250000 end_va = 0x7ffc0d437fff monitored = 0 entry_point = 0x7ffc0d27ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2763 start_va = 0x7ffc0df90000 end_va = 0x7ffc0e02cfff monitored = 0 entry_point = 0x7ffc0df978a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2764 start_va = 0x7ffc0e0a0000 end_va = 0x7ffc0e1e2fff monitored = 0 entry_point = 0x7ffc0e0c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2765 start_va = 0x7ffc0e1f0000 end_va = 0x7ffc0e22afff monitored = 0 entry_point = 0x7ffc0e1f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2766 start_va = 0x7ffc0e230000 end_va = 0x7ffc0e28afff monitored = 0 entry_point = 0x7ffc0e2438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2767 start_va = 0x7ffc0e6d0000 end_va = 0x7ffc0e776fff monitored = 0 entry_point = 0x7ffc0e6db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2768 start_va = 0x7ffc0e780000 end_va = 0x7ffc0e9fcfff monitored = 0 entry_point = 0x7ffc0e854970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2769 start_va = 0x7ffc0ed60000 end_va = 0x7ffc0eeb5fff monitored = 0 entry_point = 0x7ffc0ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2770 start_va = 0x7ffc0ef30000 end_va = 0x7ffc0f04bfff monitored = 0 entry_point = 0x7ffc0ef702b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2771 start_va = 0x7ffc0f170000 end_va = 0x7ffc0f2f5fff monitored = 0 entry_point = 0x7ffc0f1bffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2772 start_va = 0x7ffc108d0000 end_va = 0x7ffc1097cfff monitored = 0 entry_point = 0x7ffc108e81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2773 start_va = 0x7ffc109e0000 end_va = 0x7ffc10ba0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2776 start_va = 0x7ffc02d20000 end_va = 0x7ffc02dedfff monitored = 0 entry_point = 0x7ffc02d514c0 region_type = mapped_file name = "tokenbroker.dll" filename = "\\Windows\\System32\\TokenBroker.dll" (normalized: "c:\\windows\\system32\\tokenbroker.dll") Region: id = 2777 start_va = 0x7ffc0ec90000 end_va = 0x7ffc0ed50fff monitored = 0 entry_point = 0x7ffc0ecb0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2778 start_va = 0x7ffc0d120000 end_va = 0x7ffc0d1d4fff monitored = 0 entry_point = 0x7ffc0d1622e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2779 start_va = 0x7ffc0ce90000 end_va = 0x7ffc0ceb8fff monitored = 0 entry_point = 0x7ffc0cea4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2780 start_va = 0x7ffc081f0000 end_va = 0x7ffc08325fff monitored = 0 entry_point = 0x7ffc0821f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 2903 start_va = 0x7ffc0aff0000 end_va = 0x7ffc0b482fff monitored = 0 entry_point = 0x7ffc0afff760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 2923 start_va = 0x2020000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 2927 start_va = 0x7ffc0b740000 end_va = 0x7ffc0b752fff monitored = 0 entry_point = 0x7ffc0b742760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2928 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2929 start_va = 0x7ffc05680000 end_va = 0x7ffc056a7fff monitored = 0 entry_point = 0x7ffc05688c10 region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Region: id = 2930 start_va = 0x7ffc0ea60000 end_va = 0x7ffc0eb06fff monitored = 0 entry_point = 0x7ffc0ea758d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2961 start_va = 0x7ffc0b6e0000 end_va = 0x7ffc0b6fbfff monitored = 0 entry_point = 0x7ffc0b6e37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 2962 start_va = 0x6a0000 end_va = 0x6cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Thread: id = 269 os_tid = 0x688 Thread: id = 270 os_tid = 0x18c Thread: id = 271 os_tid = 0x390 Thread: id = 272 os_tid = 0x638 Thread: id = 273 os_tid = 0x228 Thread: id = 274 os_tid = 0x1d4 Thread: id = 292 os_tid = 0x6ec Process: id = "13" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x77d80000" os_pid = "0x430" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "9" os_parent_pid = "0x7ec" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001298a" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2566 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2567 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2568 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2569 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2570 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2571 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2572 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2573 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2574 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2575 start_va = 0x1d0000 end_va = 0x1d7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "explorer.exe.mui" filename = "\\Windows\\en-US\\explorer.exe.mui" (normalized: "c:\\windows\\en-us\\explorer.exe.mui") Region: id = 2576 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 2577 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2578 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2579 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2580 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 2581 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 2582 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 2583 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 2584 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2585 start_va = 0x5c0000 end_va = 0x747fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 2586 start_va = 0x750000 end_va = 0x753fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 2587 start_va = 0x760000 end_va = 0x776fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db") Region: id = 2588 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 2589 start_va = 0x790000 end_va = 0x791fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 2590 start_va = 0x7a0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 2591 start_va = 0x7b0000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 2592 start_va = 0x940000 end_va = 0x1d3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 2593 start_va = 0x1d40000 end_va = 0x1da0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shell32.dll.mui" filename = "\\Windows\\System32\\en-US\\shell32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\shell32.dll.mui") Region: id = 2594 start_va = 0x1db0000 end_va = 0x1db1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001db0000" filename = "" Region: id = 2595 start_va = 0x1dc0000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 2596 start_va = 0x1e40000 end_va = 0x1ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 2597 start_va = 0x1ec0000 end_va = 0x1ed7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000016.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.ver0x0000000000000016.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000016.db") Region: id = 2598 start_va = 0x1ee0000 end_va = 0x1f0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ee0000" filename = "" Region: id = 2599 start_va = 0x1f10000 end_va = 0x1f11fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f10000" filename = "" Region: id = 2600 start_va = 0x1f20000 end_va = 0x1f21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f20000" filename = "" Region: id = 2601 start_va = 0x1f30000 end_va = 0x1f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 2602 start_va = 0x1f40000 end_va = 0x2276fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2603 start_va = 0x2280000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002280000" filename = "" Region: id = 2604 start_va = 0x2300000 end_va = 0x237ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 2605 start_va = 0x2380000 end_va = 0x245ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2606 start_va = 0x2460000 end_va = 0x24dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002460000" filename = "" Region: id = 2607 start_va = 0x24e0000 end_va = 0x255ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024e0000" filename = "" Region: id = 2608 start_va = 0x2560000 end_va = 0x25dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 2609 start_va = 0x25e0000 end_va = 0x25e1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 2610 start_va = 0x25f0000 end_va = 0x25f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll.mui" filename = "\\Windows\\System32\\en-US\\oleaccrc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\oleaccrc.dll.mui") Region: id = 2611 start_va = 0x2600000 end_va = 0x26bbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002600000" filename = "" Region: id = 2612 start_va = 0x26c0000 end_va = 0x26c3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000026c0000" filename = "" Region: id = 2613 start_va = 0x26d0000 end_va = 0x27cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 2614 start_va = 0x27d0000 end_va = 0x27d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 2615 start_va = 0x27e0000 end_va = 0x27e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000027e0000" filename = "" Region: id = 2616 start_va = 0x27f0000 end_va = 0x382ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 2617 start_va = 0x3830000 end_va = 0x3d21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003830000" filename = "" Region: id = 2618 start_va = 0x3d30000 end_va = 0x3d30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d30000" filename = "" Region: id = 2619 start_va = 0x3d40000 end_va = 0x3d40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d40000" filename = "" Region: id = 2620 start_va = 0x3d50000 end_va = 0x3d50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d50000" filename = "" Region: id = 2621 start_va = 0x3d60000 end_va = 0x3d61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d60000" filename = "" Region: id = 2622 start_va = 0x3d70000 end_va = 0x3deffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d70000" filename = "" Region: id = 2623 start_va = 0x3df0000 end_va = 0x3df1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003df0000" filename = "" Region: id = 2624 start_va = 0x3e00000 end_va = 0x3e00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 2625 start_va = 0x3e10000 end_va = 0x3e10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e10000" filename = "" Region: id = 2626 start_va = 0x3e20000 end_va = 0x3e20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e20000" filename = "" Region: id = 2627 start_va = 0x3e30000 end_va = 0x3f2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e30000" filename = "" Region: id = 2628 start_va = 0x3f30000 end_va = 0x3f30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f30000" filename = "" Region: id = 2629 start_va = 0x3f40000 end_va = 0x3f4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f40000" filename = "" Region: id = 2630 start_va = 0x3f50000 end_va = 0x3f5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f50000" filename = "" Region: id = 2631 start_va = 0x3f60000 end_va = 0x3f6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f60000" filename = "" Region: id = 2632 start_va = 0x3f70000 end_va = 0x3f70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f70000" filename = "" Region: id = 2633 start_va = 0x3f80000 end_va = 0x3f80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f80000" filename = "" Region: id = 2634 start_va = 0x3f90000 end_va = 0x3f90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f90000" filename = "" Region: id = 2635 start_va = 0x3fa0000 end_va = 0x3fa3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 2636 start_va = 0x3fb0000 end_va = 0x3fb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fb0000" filename = "" Region: id = 2637 start_va = 0x3fc0000 end_va = 0x3fc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003fc0000" filename = "" Region: id = 2638 start_va = 0x3fd0000 end_va = 0x3fd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fd0000" filename = "" Region: id = 2639 start_va = 0x3fe0000 end_va = 0x3fe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003fe0000" filename = "" Region: id = 2640 start_va = 0x3ff0000 end_va = 0x4028fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003ff0000" filename = "" Region: id = 2641 start_va = 0x4030000 end_va = 0x4030fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004030000" filename = "" Region: id = 2642 start_va = 0x4040000 end_va = 0x4040fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004040000" filename = "" Region: id = 2643 start_va = 0x4060000 end_va = 0x4083fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004060000" filename = "" Region: id = 2644 start_va = 0x4090000 end_va = 0x40b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 2645 start_va = 0x40c0000 end_va = 0x40c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000040c0000" filename = "" Region: id = 2646 start_va = 0x40d0000 end_va = 0x40d3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2647 start_va = 0x40e0000 end_va = 0x4124fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db") Region: id = 2648 start_va = 0x4130000 end_va = 0x4133fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2649 start_va = 0x4140000 end_va = 0x41cdfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 2650 start_va = 0x41d0000 end_va = 0x41e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 2651 start_va = 0x41f0000 end_va = 0x426ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 2652 start_va = 0x4270000 end_va = 0x42effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004270000" filename = "" Region: id = 2653 start_va = 0x42f0000 end_va = 0x436ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042f0000" filename = "" Region: id = 2654 start_va = 0x4370000 end_va = 0x4370fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004370000" filename = "" Region: id = 2655 start_va = 0x4400000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2656 start_va = 0x4480000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 2657 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2658 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2659 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2660 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2661 start_va = 0x7ff7f58f0000 end_va = 0x7ff7f5d37fff monitored = 0 entry_point = 0x7ff7f598e090 region_type = mapped_file name = "explorer.exe" filename = "\\Windows\\explorer.exe" (normalized: "c:\\windows\\explorer.exe") Region: id = 2662 start_va = 0x7ffc028f0000 end_va = 0x7ffc02959fff monitored = 0 entry_point = 0x7ffc02905e90 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 2663 start_va = 0x7ffc02960000 end_va = 0x7ffc02bd3fff monitored = 0 entry_point = 0x7ffc029d0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 2664 start_va = 0x7ffc02d20000 end_va = 0x7ffc02dedfff monitored = 0 entry_point = 0x7ffc02d514c0 region_type = mapped_file name = "tokenbroker.dll" filename = "\\Windows\\System32\\TokenBroker.dll" (normalized: "c:\\windows\\system32\\tokenbroker.dll") Region: id = 2665 start_va = 0x7ffc02e40000 end_va = 0x7ffc02ef0fff monitored = 0 entry_point = 0x7ffc02e508f0 region_type = mapped_file name = "twinapi.dll" filename = "\\Windows\\System32\\twinapi.dll" (normalized: "c:\\windows\\system32\\twinapi.dll") Region: id = 2666 start_va = 0x7ffc05680000 end_va = 0x7ffc056a7fff monitored = 0 entry_point = 0x7ffc05688c10 region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Region: id = 2667 start_va = 0x7ffc05750000 end_va = 0x7ffc05848fff monitored = 0 entry_point = 0x7ffc05798000 region_type = mapped_file name = "settingsynccore.dll" filename = "\\Windows\\System32\\SettingSyncCore.dll" (normalized: "c:\\windows\\system32\\settingsynccore.dll") Region: id = 2668 start_va = 0x7ffc05a60000 end_va = 0x7ffc05ac4fff monitored = 0 entry_point = 0x7ffc05a64c50 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 2669 start_va = 0x7ffc05af0000 end_va = 0x7ffc05b04fff monitored = 0 entry_point = 0x7ffc05af2c90 region_type = mapped_file name = "settingsyncpolicy.dll" filename = "\\Windows\\System32\\SettingSyncPolicy.dll" (normalized: "c:\\windows\\system32\\settingsyncpolicy.dll") Region: id = 2670 start_va = 0x7ffc065b0000 end_va = 0x7ffc0661ffff monitored = 0 entry_point = 0x7ffc065d2960 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2671 start_va = 0x7ffc07060000 end_va = 0x7ffc070b4fff monitored = 0 entry_point = 0x7ffc07063fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 2672 start_va = 0x7ffc081f0000 end_va = 0x7ffc08325fff monitored = 0 entry_point = 0x7ffc0821f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 2673 start_va = 0x7ffc08470000 end_va = 0x7ffc08f7afff monitored = 0 entry_point = 0x7ffc085ba540 region_type = mapped_file name = "twinui.dll" filename = "\\Windows\\System32\\twinui.dll" (normalized: "c:\\windows\\system32\\twinui.dll") Region: id = 2674 start_va = 0x7ffc08f80000 end_va = 0x7ffc0941ffff monitored = 0 entry_point = 0x7ffc09018740 region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll") Region: id = 2675 start_va = 0x7ffc09420000 end_va = 0x7ffc0952dfff monitored = 0 entry_point = 0x7ffc0946eaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 2676 start_va = 0x7ffc09670000 end_va = 0x7ffc0982cfff monitored = 0 entry_point = 0x7ffc0969af90 region_type = mapped_file name = "windows.ui.immersive.dll" filename = "\\Windows\\System32\\Windows.UI.Immersive.dll" (normalized: "c:\\windows\\system32\\windows.ui.immersive.dll") Region: id = 2677 start_va = 0x7ffc098c0000 end_va = 0x7ffc09951fff monitored = 0 entry_point = 0x7ffc0990a780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 2678 start_va = 0x7ffc0a360000 end_va = 0x7ffc0a510fff monitored = 0 entry_point = 0x7ffc0a3f61a0 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 2679 start_va = 0x7ffc0a530000 end_va = 0x7ffc0a5d1fff monitored = 0 entry_point = 0x7ffc0a550a40 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 2680 start_va = 0x7ffc0a5e0000 end_va = 0x7ffc0a887fff monitored = 0 entry_point = 0x7ffc0a673250 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 2681 start_va = 0x7ffc0a890000 end_va = 0x7ffc0a8b1fff monitored = 0 entry_point = 0x7ffc0a891a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2682 start_va = 0x7ffc0a9a0000 end_va = 0x7ffc0aa82fff monitored = 0 entry_point = 0x7ffc0a9d7da0 region_type = mapped_file name = "dcomp.dll" filename = "\\Windows\\System32\\dcomp.dll" (normalized: "c:\\windows\\system32\\dcomp.dll") Region: id = 2683 start_va = 0x7ffc0adc0000 end_va = 0x7ffc0ae38fff monitored = 0 entry_point = 0x7ffc0addfb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 2684 start_va = 0x7ffc0afc0000 end_va = 0x7ffc0afe4fff monitored = 0 entry_point = 0x7ffc0afc2300 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 2685 start_va = 0x7ffc0aff0000 end_va = 0x7ffc0b482fff monitored = 0 entry_point = 0x7ffc0afff760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 2686 start_va = 0x7ffc0b490000 end_va = 0x7ffc0b4f6fff monitored = 0 entry_point = 0x7ffc0b4ae710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 2687 start_va = 0x7ffc0b500000 end_va = 0x7ffc0b54cfff monitored = 0 entry_point = 0x7ffc0b50d180 region_type = mapped_file name = "windows.immersiveshell.serviceprovider.dll" filename = "\\Windows\\System32\\windows.immersiveshell.serviceprovider.dll" (normalized: "c:\\windows\\system32\\windows.immersiveshell.serviceprovider.dll") Region: id = 2688 start_va = 0x7ffc0b550000 end_va = 0x7ffc0b6d5fff monitored = 0 entry_point = 0x7ffc0b59d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2689 start_va = 0x7ffc0b6e0000 end_va = 0x7ffc0b6fbfff monitored = 0 entry_point = 0x7ffc0b6e37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 2690 start_va = 0x7ffc0b740000 end_va = 0x7ffc0b752fff monitored = 0 entry_point = 0x7ffc0b742760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2691 start_va = 0x7ffc0b760000 end_va = 0x7ffc0b784fff monitored = 0 entry_point = 0x7ffc0b775220 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 2692 start_va = 0x7ffc0b790000 end_va = 0x7ffc0b79bfff monitored = 0 entry_point = 0x7ffc0b7918b0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 2693 start_va = 0x7ffc0b810000 end_va = 0x7ffc0b85ffff monitored = 0 entry_point = 0x7ffc0b812580 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\System32\\edputil.dll" (normalized: "c:\\windows\\system32\\edputil.dll") Region: id = 2694 start_va = 0x7ffc0b860000 end_va = 0x7ffc0b8a9fff monitored = 0 entry_point = 0x7ffc0b865800 region_type = mapped_file name = "dataexchange.dll" filename = "\\Windows\\System32\\DataExchange.dll" (normalized: "c:\\windows\\system32\\dataexchange.dll") Region: id = 2695 start_va = 0x7ffc0b980000 end_va = 0x7ffc0ba15fff monitored = 0 entry_point = 0x7ffc0b9a5570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2696 start_va = 0x7ffc0ba40000 end_va = 0x7ffc0ba66fff monitored = 0 entry_point = 0x7ffc0ba47940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2697 start_va = 0x7ffc0bb20000 end_va = 0x7ffc0bc1ffff monitored = 0 entry_point = 0x7ffc0bb60f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 2698 start_va = 0x7ffc0c760000 end_va = 0x7ffc0c77efff monitored = 0 entry_point = 0x7ffc0c765d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2699 start_va = 0x7ffc0c980000 end_va = 0x7ffc0c9d5fff monitored = 0 entry_point = 0x7ffc0c990bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2700 start_va = 0x7ffc0c9e0000 end_va = 0x7ffc0c9f6fff monitored = 0 entry_point = 0x7ffc0c9e79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2701 start_va = 0x7ffc0cce0000 end_va = 0x7ffc0cd0cfff monitored = 0 entry_point = 0x7ffc0ccf9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2702 start_va = 0x7ffc0ce90000 end_va = 0x7ffc0ceb8fff monitored = 0 entry_point = 0x7ffc0cea4530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2703 start_va = 0x7ffc0d000000 end_va = 0x7ffc0d013fff monitored = 0 entry_point = 0x7ffc0d0052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2704 start_va = 0x7ffc0d020000 end_va = 0x7ffc0d06afff monitored = 0 entry_point = 0x7ffc0d0235f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2705 start_va = 0x7ffc0d070000 end_va = 0x7ffc0d07ffff monitored = 0 entry_point = 0x7ffc0d0756e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2706 start_va = 0x7ffc0d080000 end_va = 0x7ffc0d08efff monitored = 0 entry_point = 0x7ffc0d083210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2707 start_va = 0x7ffc0d120000 end_va = 0x7ffc0d1d4fff monitored = 0 entry_point = 0x7ffc0d1622e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2708 start_va = 0x7ffc0d1e0000 end_va = 0x7ffc0d249fff monitored = 0 entry_point = 0x7ffc0d216d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2709 start_va = 0x7ffc0d250000 end_va = 0x7ffc0d437fff monitored = 0 entry_point = 0x7ffc0d27ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2710 start_va = 0x7ffc0d460000 end_va = 0x7ffc0d4b4fff monitored = 0 entry_point = 0x7ffc0d477970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2711 start_va = 0x7ffc0d4c0000 end_va = 0x7ffc0db03fff monitored = 0 entry_point = 0x7ffc0d6864b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2712 start_va = 0x7ffc0dbc0000 end_va = 0x7ffc0dd86fff monitored = 0 entry_point = 0x7ffc0dc1db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2713 start_va = 0x7ffc0dd90000 end_va = 0x7ffc0ddd2fff monitored = 0 entry_point = 0x7ffc0dda4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2714 start_va = 0x7ffc0df90000 end_va = 0x7ffc0e02cfff monitored = 0 entry_point = 0x7ffc0df978a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2715 start_va = 0x7ffc0e030000 end_va = 0x7ffc0e09efff monitored = 0 entry_point = 0x7ffc0e055f70 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 2716 start_va = 0x7ffc0e0a0000 end_va = 0x7ffc0e1e2fff monitored = 0 entry_point = 0x7ffc0e0c8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2717 start_va = 0x7ffc0e1f0000 end_va = 0x7ffc0e22afff monitored = 0 entry_point = 0x7ffc0e1f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2718 start_va = 0x7ffc0e230000 end_va = 0x7ffc0e28afff monitored = 0 entry_point = 0x7ffc0e2438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2719 start_va = 0x7ffc0e6d0000 end_va = 0x7ffc0e776fff monitored = 0 entry_point = 0x7ffc0e6db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2720 start_va = 0x7ffc0e780000 end_va = 0x7ffc0e9fcfff monitored = 0 entry_point = 0x7ffc0e854970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2721 start_va = 0x7ffc0ea60000 end_va = 0x7ffc0eb06fff monitored = 0 entry_point = 0x7ffc0ea758d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2722 start_va = 0x7ffc0eb30000 end_va = 0x7ffc0ec89fff monitored = 0 entry_point = 0x7ffc0eb738e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2723 start_va = 0x7ffc0ec90000 end_va = 0x7ffc0ed50fff monitored = 0 entry_point = 0x7ffc0ecb0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2724 start_va = 0x7ffc0ed60000 end_va = 0x7ffc0eeb5fff monitored = 0 entry_point = 0x7ffc0ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2725 start_va = 0x7ffc0ef30000 end_va = 0x7ffc0f04bfff monitored = 0 entry_point = 0x7ffc0ef702b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2726 start_va = 0x7ffc0f170000 end_va = 0x7ffc0f2f5fff monitored = 0 entry_point = 0x7ffc0f1bffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2727 start_va = 0x7ffc0f300000 end_va = 0x7ffc1085efff monitored = 0 entry_point = 0x7ffc0f4611f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2728 start_va = 0x7ffc10870000 end_va = 0x7ffc108c1fff monitored = 0 entry_point = 0x7ffc1087f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2729 start_va = 0x7ffc108d0000 end_va = 0x7ffc1097cfff monitored = 0 entry_point = 0x7ffc108e81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2730 start_va = 0x7ffc109e0000 end_va = 0x7ffc10ba0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2833 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 2834 start_va = 0x4600000 end_va = 0x467ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 2835 start_va = 0x7ffc07bc0000 end_va = 0x7ffc07e5ffff monitored = 0 entry_point = 0x7ffc07bc51e0 region_type = mapped_file name = "gameux.dll" filename = "\\Windows\\System32\\gameux.dll" (normalized: "c:\\windows\\system32\\gameux.dll") Region: id = 2844 start_va = 0x4050000 end_va = 0x4051fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004050000" filename = "" Region: id = 2845 start_va = 0x7ffc07a10000 end_va = 0x7ffc07bb8fff monitored = 0 entry_point = 0x7ffc07a64060 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\gdiplus.dll") Region: id = 2846 start_va = 0x4380000 end_va = 0x4383fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2847 start_va = 0x4680000 end_va = 0x507ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004680000" filename = "" Region: id = 2848 start_va = 0x7ffc0afb0000 end_va = 0x7ffc0afb9fff monitored = 0 entry_point = 0x7ffc0afb2e50 region_type = mapped_file name = "msiltcfg.dll" filename = "\\Windows\\System32\\msiltcfg.dll" (normalized: "c:\\windows\\system32\\msiltcfg.dll") Region: id = 2849 start_va = 0x7ffc0afa0000 end_va = 0x7ffc0afa9fff monitored = 0 entry_point = 0x7ffc0afa1350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2850 start_va = 0x7ffc02390000 end_va = 0x7ffc026c9fff monitored = 0 entry_point = 0x7ffc02398520 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 2851 start_va = 0x4390000 end_va = 0x4391fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004390000" filename = "" Region: id = 2852 start_va = 0x5080000 end_va = 0x50fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005080000" filename = "" Region: id = 2853 start_va = 0x7ffc0c4f0000 end_va = 0x7ffc0c520fff monitored = 0 entry_point = 0x7ffc0c4f7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2854 start_va = 0x43a0000 end_va = 0x43a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000043a0000" filename = "" Region: id = 2855 start_va = 0x43b0000 end_va = 0x43b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 2856 start_va = 0x43c0000 end_va = 0x43c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 2857 start_va = 0x43d0000 end_va = 0x43e8fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000017.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000017.db") Region: id = 2858 start_va = 0x43b0000 end_va = 0x43c8fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000017.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000017.db") Region: id = 2905 start_va = 0x5100000 end_va = 0x517ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005100000" filename = "" Region: id = 2906 start_va = 0x5180000 end_va = 0x51e7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "transcodedwallpaper" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\themes\\transcodedwallpaper") Region: id = 2907 start_va = 0x5180000 end_va = 0x5671fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005180000" filename = "" Region: id = 2908 start_va = 0x5680000 end_va = 0x56b7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cachedimage_1440_900_pos4.jpg" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1440_900_POS4.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\themes\\cachedfiles\\cachedimage_1440_900_pos4.jpg") Region: id = 2909 start_va = 0x5680000 end_va = 0x56e7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "transcodedwallpaper" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\themes\\transcodedwallpaper") Region: id = 2910 start_va = 0x5680000 end_va = 0x587ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005680000" filename = "" Region: id = 2911 start_va = 0x7ffc0af30000 end_va = 0x7ffc0af9cfff monitored = 0 entry_point = 0x7ffc0af3d750 region_type = mapped_file name = "photometadatahandler.dll" filename = "\\Windows\\System32\\PhotoMetadataHandler.dll" (normalized: "c:\\windows\\system32\\photometadatahandler.dll") Region: id = 2912 start_va = 0x5880000 end_va = 0x6265fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005880000" filename = "" Region: id = 2914 start_va = 0x6270000 end_va = 0x6761fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006270000" filename = "" Region: id = 2915 start_va = 0x7ffc0ae40000 end_va = 0x7ffc0af1afff monitored = 0 entry_point = 0x7ffc0ae528b0 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 2921 start_va = 0x7ffc02df0000 end_va = 0x7ffc02e15fff monitored = 0 entry_point = 0x7ffc02df1cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2924 start_va = 0x7ffc04f10000 end_va = 0x7ffc04f21fff monitored = 0 entry_point = 0x7ffc04f13580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 2925 start_va = 0x7ffc0c410000 end_va = 0x7ffc0c41bfff monitored = 0 entry_point = 0x7ffc0c4127e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2926 start_va = 0x4060000 end_va = 0x4067fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.storage.dll.mui" filename = "\\Windows\\System32\\en-US\\windows.storage.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\windows.storage.dll.mui") Region: id = 2931 start_va = 0x4070000 end_va = 0x4093fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004070000" filename = "" Region: id = 2932 start_va = 0x40a0000 end_va = 0x40a8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040a0000" filename = "" Region: id = 2933 start_va = 0x40b0000 end_va = 0x40b8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040b0000" filename = "" Region: id = 2934 start_va = 0x43d0000 end_va = 0x43f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043d0000" filename = "" Region: id = 2935 start_va = 0x5880000 end_va = 0x597ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005880000" filename = "" Region: id = 2936 start_va = 0x5980000 end_va = 0x5981fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005980000" filename = "" Region: id = 2937 start_va = 0x7ffc09620000 end_va = 0x7ffc0966cfff monitored = 0 entry_point = 0x7ffc09637de0 region_type = mapped_file name = "thumbcache.dll" filename = "\\Windows\\System32\\thumbcache.dll" (normalized: "c:\\windows\\system32\\thumbcache.dll") Region: id = 2938 start_va = 0x5990000 end_va = 0x5991fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005990000" filename = "" Region: id = 2939 start_va = 0x59a0000 end_va = 0x59a1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 2940 start_va = 0x59b0000 end_va = 0x59b0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2941 start_va = 0x59a0000 end_va = 0x59a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 2942 start_va = 0x6770000 end_va = 0x938ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 2943 start_va = 0x59a0000 end_va = 0x59a1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 2944 start_va = 0x59b0000 end_va = 0x59b0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2945 start_va = 0x43d0000 end_va = 0x43d1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 2946 start_va = 0x59a0000 end_va = 0x59e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000059a0000" filename = "" Region: id = 2947 start_va = 0x43e0000 end_va = 0x43e0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2948 start_va = 0x43d0000 end_va = 0x43d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 2949 start_va = 0x6770000 end_va = 0x938ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 2950 start_va = 0x43d0000 end_va = 0x43d1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 2951 start_va = 0x43e0000 end_va = 0x43e0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2952 start_va = 0x43e0000 end_va = 0x43e0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2953 start_va = 0x43d0000 end_va = 0x43d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 2954 start_va = 0x6770000 end_va = 0x938ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 2955 start_va = 0x43d0000 end_va = 0x43d1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 2956 start_va = 0x43e0000 end_va = 0x43e0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2957 start_va = 0x43d0000 end_va = 0x43d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043d0000" filename = "" Region: id = 2958 start_va = 0x43e0000 end_va = 0x43e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043e0000" filename = "" Region: id = 2959 start_va = 0x59f0000 end_va = 0x5a37fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000059f0000" filename = "" Region: id = 2960 start_va = 0x5a40000 end_va = 0x5abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a40000" filename = "" Region: id = 2963 start_va = 0x5ac0000 end_va = 0x5b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005ac0000" filename = "" Region: id = 2964 start_va = 0x7ffc09610000 end_va = 0x7ffc0961cfff monitored = 0 entry_point = 0x7ffc09611ea0 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 2965 start_va = 0x5b40000 end_va = 0x5bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b40000" filename = "" Region: id = 2966 start_va = 0x43f0000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000043f0000" filename = "" Region: id = 2967 start_va = 0x43f0000 end_va = 0x43f1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 2968 start_va = 0x5bc0000 end_va = 0x5bc0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 2969 start_va = 0x7ffc07e60000 end_va = 0x7ffc081e1fff monitored = 0 entry_point = 0x7ffc07eb1220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 2970 start_va = 0x5bd0000 end_va = 0x5c27fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll.mui" filename = "\\Windows\\System32\\en-US\\wmploc.DLL.mui" (normalized: "c:\\windows\\system32\\en-us\\wmploc.dll.mui") Region: id = 2971 start_va = 0x6770000 end_va = 0x7062fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll" filename = "\\Windows\\System32\\wmploc.DLL" (normalized: "c:\\windows\\system32\\wmploc.dll") Region: id = 2972 start_va = 0x5bd0000 end_va = 0x5bd0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 2973 start_va = 0x6770000 end_va = 0x938ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 2974 start_va = 0x5bd0000 end_va = 0x5c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005bd0000" filename = "" Region: id = 2975 start_va = 0x5c50000 end_va = 0x5ca7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll.mui" filename = "\\Windows\\System32\\en-US\\wmploc.DLL.mui" (normalized: "c:\\windows\\system32\\en-us\\wmploc.dll.mui") Region: id = 2976 start_va = 0x6770000 end_va = 0x7062fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll" filename = "\\Windows\\System32\\wmploc.DLL" (normalized: "c:\\windows\\system32\\wmploc.dll") Region: id = 2977 start_va = 0x7ffc09560000 end_va = 0x7ffc09608fff monitored = 0 entry_point = 0x7ffc09589010 region_type = mapped_file name = "windows.ui.dll" filename = "\\Windows\\System32\\Windows.UI.dll" (normalized: "c:\\windows\\system32\\windows.ui.dll") Region: id = 2979 start_va = 0x5c50000 end_va = 0x5d9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c50000" filename = "" Region: id = 2980 start_va = 0x5c50000 end_va = 0x5ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c50000" filename = "" Region: id = 2981 start_va = 0x5d90000 end_va = 0x5d9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d90000" filename = "" Region: id = 2982 start_va = 0x5c50000 end_va = 0x5c51fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 2983 start_va = 0x5c60000 end_va = 0x5d5ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 2984 start_va = 0x7ffc041a0000 end_va = 0x7ffc043fcfff monitored = 0 entry_point = 0x7ffc04228610 region_type = mapped_file name = "twinui.appcore.dll" filename = "\\Windows\\System32\\twinui.appcore.dll" (normalized: "c:\\windows\\system32\\twinui.appcore.dll") Region: id = 2985 start_va = 0x7ffc0a8e0000 end_va = 0x7ffc0a99dfff monitored = 0 entry_point = 0x7ffc0a922d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 2986 start_va = 0x7ffc04c80000 end_va = 0x7ffc04f07fff monitored = 0 entry_point = 0x7ffc04cdf670 region_type = mapped_file name = "coreuicomponents.dll" filename = "\\Windows\\System32\\CoreUIComponents.dll" (normalized: "c:\\windows\\system32\\coreuicomponents.dll") Region: id = 2987 start_va = 0x7ffc08350000 end_va = 0x7ffc0846ffff monitored = 0 entry_point = 0x7ffc08388310 region_type = mapped_file name = "applicationframe.dll" filename = "\\Windows\\System32\\ApplicationFrame.dll" (normalized: "c:\\windows\\system32\\applicationframe.dll") Region: id = 2988 start_va = 0x7ffc09a70000 end_va = 0x7ffc09fb4fff monitored = 0 entry_point = 0x7ffc09c0a450 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 2991 start_va = 0x5d60000 end_va = 0x5ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d60000" filename = "" Region: id = 2992 start_va = 0x7ffc02170000 end_va = 0x7ffc02383fff monitored = 0 entry_point = 0x7ffc02171000 region_type = mapped_file name = "grooveex.dll" filename = "\\PROGRA~1\\MICROS~1\\Office16\\GROOVEEX.DLL" (normalized: "c:\\program files\\micros~1\\office16\\grooveex.dll") Region: id = 2993 start_va = 0x6770000 end_va = 0x6f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006770000" filename = "" Region: id = 2994 start_va = 0x5a40000 end_va = 0x5a41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a40000" filename = "" Region: id = 2995 start_va = 0x7ffc09540000 end_va = 0x7ffc09558fff monitored = 0 entry_point = 0x7ffc0954ee50 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Windows\\System32\\vcruntime140.dll" (normalized: "c:\\windows\\system32\\vcruntime140.dll") Region: id = 2996 start_va = 0x7ffc0c1a0000 end_va = 0x7ffc0c293fff monitored = 0 entry_point = 0x7ffc0c1aa960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 2997 start_va = 0x7ffc07970000 end_va = 0x7ffc07a00fff monitored = 0 entry_point = 0x7ffc079c2430 region_type = mapped_file name = "msvcp140.dll" filename = "\\Windows\\System32\\msvcp140.dll" (normalized: "c:\\windows\\system32\\msvcp140.dll") Region: id = 2998 start_va = 0x7ffc09530000 end_va = 0x7ffc0953bfff monitored = 0 entry_point = 0x7ffc09534150 region_type = mapped_file name = "vcruntime140_1.dll" filename = "\\Windows\\System32\\vcruntime140_1.dll" (normalized: "c:\\windows\\system32\\vcruntime140_1.dll") Region: id = 2999 start_va = 0x5a50000 end_va = 0x5a50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a50000" filename = "" Region: id = 3000 start_va = 0x5de0000 end_va = 0x5f98fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 3001 start_va = 0x180000000 end_va = 0x18087dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "grooveintlresource.dll" filename = "\\PROGRA~1\\MICROS~1\\Office16\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files\\micros~1\\office16\\1033\\grooveintlresource.dll") Region: id = 3002 start_va = 0x7ffc07930000 end_va = 0x7ffc07966fff monitored = 0 entry_point = 0x7ffc079320a0 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 3003 start_va = 0x7ffc0e290000 end_va = 0x7ffc0e6b8fff monitored = 0 entry_point = 0x7ffc0e2b8740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3004 start_va = 0x7ffc07860000 end_va = 0x7ffc07925fff monitored = 0 entry_point = 0x7ffc07863ac0 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll") Region: id = 3005 start_va = 0x5a60000 end_va = 0x5a61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005a60000" filename = "" Region: id = 3006 start_va = 0x6f70000 end_va = 0x7465fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f70000" filename = "" Region: id = 3007 start_va = 0x5a70000 end_va = 0x5a72fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 3008 start_va = 0x5fa0000 end_va = 0x5ff7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll.mui" filename = "\\Windows\\System32\\en-US\\wmploc.DLL.mui" (normalized: "c:\\windows\\system32\\en-us\\wmploc.dll.mui") Region: id = 3009 start_va = 0x6f70000 end_va = 0x7862fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll" filename = "\\Windows\\System32\\wmploc.DLL" (normalized: "c:\\windows\\system32\\wmploc.dll") Region: id = 3010 start_va = 0x5a70000 end_va = 0x5aa7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cachedimage_1440_900_pos4.jpg" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1440_900_POS4.jpg" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\themes\\cachedfiles\\cachedimage_1440_900_pos4.jpg") Region: id = 3011 start_va = 0x6000000 end_va = 0x64f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006000000" filename = "" Region: id = 3012 start_va = 0x5fa0000 end_va = 0x5ff7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll.mui" filename = "\\Windows\\System32\\en-US\\wmploc.DLL.mui" (normalized: "c:\\windows\\system32\\en-us\\wmploc.dll.mui") Region: id = 3013 start_va = 0x6f70000 end_va = 0x7862fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll" filename = "\\Windows\\System32\\wmploc.DLL" (normalized: "c:\\windows\\system32\\wmploc.dll") Region: id = 3023 start_va = 0x5fa0000 end_va = 0x5ff7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll.mui" filename = "\\Windows\\System32\\en-US\\wmploc.DLL.mui" (normalized: "c:\\windows\\system32\\en-us\\wmploc.dll.mui") Region: id = 3024 start_va = 0x6f70000 end_va = 0x7862fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmploc.dll" filename = "\\Windows\\System32\\wmploc.DLL" (normalized: "c:\\windows\\system32\\wmploc.dll") Region: id = 3025 start_va = 0x5a70000 end_va = 0x5a70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 3026 start_va = 0x6f70000 end_va = 0x9b8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 3038 start_va = 0x7ffc062c0000 end_va = 0x7ffc06300fff monitored = 0 entry_point = 0x7ffc062c4840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Thread: id = 275 os_tid = 0x380 Thread: id = 276 os_tid = 0x694 Thread: id = 277 os_tid = 0x5ec Thread: id = 278 os_tid = 0x5f4 Thread: id = 279 os_tid = 0x60c Thread: id = 280 os_tid = 0x604 Thread: id = 281 os_tid = 0x5d0 Thread: id = 282 os_tid = 0x608 Thread: id = 283 os_tid = 0x5cc Thread: id = 284 os_tid = 0x148 Thread: id = 285 os_tid = 0x51c Thread: id = 286 os_tid = 0x490 Thread: id = 287 os_tid = 0x48c Thread: id = 288 os_tid = 0x460 Thread: id = 289 os_tid = 0x428 Thread: id = 290 os_tid = 0x6f4 Thread: id = 291 os_tid = 0x6d4 Thread: id = 293 os_tid = 0x6c4 Thread: id = 294 os_tid = 0x5c0 Thread: id = 295 os_tid = 0x5d8 Thread: id = 296 os_tid = 0x300 Thread: id = 297 os_tid = 0x6e8 Thread: id = 298 os_tid = 0x30c Thread: id = 299 os_tid = 0x58c Process: id = "14" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x79b1e000" os_pid = "0x6bc" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x210" cmd_line = "C:\\Windows\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0001522e" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 3049 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3050 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 3051 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3052 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3053 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3054 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3055 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3056 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3057 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3058 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3059 start_va = 0x1e0000 end_va = 0x1e7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "staterepository-deployment.srd-shm" filename = "\\ProgramData\\Microsoft\\Windows\\AppRepository\\StateRepository-Deployment.srd-shm" (normalized: "c:\\programdata\\microsoft\\windows\\apprepository\\staterepository-deployment.srd-shm") Region: id = 3060 start_va = 0x1f0000 end_va = 0x1f7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "staterepository-machine.srd-shm" filename = "\\ProgramData\\Microsoft\\Windows\\AppRepository\\StateRepository-Machine.srd-shm" (normalized: "c:\\programdata\\microsoft\\windows\\apprepository\\staterepository-machine.srd-shm") Region: id = 3061 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3062 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3063 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 3064 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 3065 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 3066 start_va = 0x5a0000 end_va = 0x5a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 3067 start_va = 0x5f0000 end_va = 0x5f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 3068 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 3069 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 3070 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 3071 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 3072 start_va = 0xb20000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 3073 start_va = 0xc20000 end_va = 0xc26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 3074 start_va = 0xc30000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 3075 start_va = 0xd00000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 3076 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 3077 start_va = 0xf00000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 3078 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 3079 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 3080 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 3081 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3082 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 3083 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 3084 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 3085 start_va = 0x7ff7c0750000 end_va = 0x7ff7c075cfff monitored = 0 entry_point = 0x7ff7c0753980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3086 start_va = 0x7ffc01fb0000 end_va = 0x7ffc02167fff monitored = 0 entry_point = 0x7ffc0201e630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 3087 start_va = 0x7ffc03110000 end_va = 0x7ffc031a3fff monitored = 0 entry_point = 0x7ffc03149210 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 3088 start_va = 0x7ffc031b0000 end_va = 0x7ffc03452fff monitored = 0 entry_point = 0x7ffc031d6190 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 3089 start_va = 0x7ffc036c0000 end_va = 0x7ffc039b8fff monitored = 0 entry_point = 0x7ffc03787280 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 3090 start_va = 0x7ffc05bb0000 end_va = 0x7ffc05c2bfff monitored = 0 entry_point = 0x7ffc05bda970 region_type = mapped_file name = "tileobjserver.dll" filename = "\\Windows\\System32\\tileobjserver.dll" (normalized: "c:\\windows\\system32\\tileobjserver.dll") Region: id = 3091 start_va = 0x7ffc07e60000 end_va = 0x7ffc081e1fff monitored = 0 entry_point = 0x7ffc07eb1220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 3092 start_va = 0x7ffc098c0000 end_va = 0x7ffc09951fff monitored = 0 entry_point = 0x7ffc0990a780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 3093 start_va = 0x7ffc0c1a0000 end_va = 0x7ffc0c293fff monitored = 0 entry_point = 0x7ffc0c1aa960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 3094 start_va = 0x7ffc0d000000 end_va = 0x7ffc0d013fff monitored = 0 entry_point = 0x7ffc0d0052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3095 start_va = 0x7ffc0d020000 end_va = 0x7ffc0d06afff monitored = 0 entry_point = 0x7ffc0d0235f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3096 start_va = 0x7ffc0d080000 end_va = 0x7ffc0d08efff monitored = 0 entry_point = 0x7ffc0d083210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3097 start_va = 0x7ffc0d120000 end_va = 0x7ffc0d1d4fff monitored = 0 entry_point = 0x7ffc0d1622e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3098 start_va = 0x7ffc0d1e0000 end_va = 0x7ffc0d249fff monitored = 0 entry_point = 0x7ffc0d216d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3099 start_va = 0x7ffc0d250000 end_va = 0x7ffc0d437fff monitored = 0 entry_point = 0x7ffc0d27ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3100 start_va = 0x7ffc0d4c0000 end_va = 0x7ffc0db03fff monitored = 0 entry_point = 0x7ffc0d6864b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 3101 start_va = 0x7ffc0dd90000 end_va = 0x7ffc0ddd2fff monitored = 0 entry_point = 0x7ffc0dda4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3102 start_va = 0x7ffc0df90000 end_va = 0x7ffc0e02cfff monitored = 0 entry_point = 0x7ffc0df978a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3103 start_va = 0x7ffc0e230000 end_va = 0x7ffc0e28afff monitored = 0 entry_point = 0x7ffc0e2438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3104 start_va = 0x7ffc0e6d0000 end_va = 0x7ffc0e776fff monitored = 0 entry_point = 0x7ffc0e6db4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3105 start_va = 0x7ffc0e780000 end_va = 0x7ffc0e9fcfff monitored = 0 entry_point = 0x7ffc0e854970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3106 start_va = 0x7ffc0ea60000 end_va = 0x7ffc0eb06fff monitored = 0 entry_point = 0x7ffc0ea758d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3107 start_va = 0x7ffc0ed60000 end_va = 0x7ffc0eeb5fff monitored = 0 entry_point = 0x7ffc0ed6a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3108 start_va = 0x7ffc0ef30000 end_va = 0x7ffc0f04bfff monitored = 0 entry_point = 0x7ffc0ef702b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3109 start_va = 0x7ffc0f170000 end_va = 0x7ffc0f2f5fff monitored = 0 entry_point = 0x7ffc0f1bffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3110 start_va = 0x7ffc10870000 end_va = 0x7ffc108c1fff monitored = 0 entry_point = 0x7ffc1087f530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3111 start_va = 0x7ffc108d0000 end_va = 0x7ffc1097cfff monitored = 0 entry_point = 0x7ffc108e81a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3112 start_va = 0x7ffc109e0000 end_va = 0x7ffc10ba0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3114 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Thread: id = 306 os_tid = 0x310 Thread: id = 307 os_tid = 0x2f4 Thread: id = 308 os_tid = 0x318 Thread: id = 309 os_tid = 0x7c0 Thread: id = 310 os_tid = 0x7bc Thread: id = 311 os_tid = 0x7b8 Thread: id = 312 os_tid = 0x6cc Thread: id = 313 os_tid = 0x6c0 Thread: id = 315 os_tid = 0x41c