# Flog Txt Version 1
# Analyzer Version: 4.6.0
# Analyzer Build Date: Jul 8 2022 06:26:21
# Log Creation Date: 05.08.2022 19:57:49.603
Process:
id = "1"
image_name = "9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe"
filename = "c:\\users\\rdhj0cnfevzx\\desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe"
page_root = "0x27c58000"
os_pid = "0xc28"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "analysis_target"
parent_id = "0"
os_parent_pid = "0x7b4"
cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe\" "
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 117
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 118
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 119
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 120
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 121
start_va = 0xa0000
end_va = 0x19ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 122
start_va = 0x1a0000
end_va = 0x1a3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 123
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001b0000"
filename = ""
Region:
id = 124
start_va = 0x1c0000
end_va = 0x1c1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 125
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 126
start_va = 0x400000
end_va = 0x49ffff
monitored = 1
entry_point = 0x49b6ae
region_type = mapped_file
name = "9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe")
Region:
id = 127
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 128
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 129
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 130
start_va = 0x7fff0000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 131
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 132
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 271
start_va = 0x4a0000
end_va = 0x69ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004a0000"
filename = ""
Region:
id = 272
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 273
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 274
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 275
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 276
start_va = 0x4a0000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004a0000"
filename = ""
Region:
id = 277
start_va = 0x690000
end_va = 0x69ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000690000"
filename = ""
Region:
id = 278
start_va = 0x6f850000
end_va = 0x6f8a8fff
monitored = 1
entry_point = 0x6f860780
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 279
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 280
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 281
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 282
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 283
start_va = 0x4a0000
end_va = 0x4effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004a0000"
filename = ""
Region:
id = 284
start_va = 0x500000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000500000"
filename = ""
Region:
id = 285
start_va = 0x6a0000
end_va = 0x75dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 286
start_va = 0x73e50000
end_va = 0x73ee1fff
monitored = 0
entry_point = 0x73e90380
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll")
Region:
id = 287
start_va = 0x7fb00000
end_va = 0x7fea0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sysmain.sdb"
filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb")
Region:
id = 288
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 289
start_va = 0x76600000
end_va = 0x7667afff
monitored = 0
entry_point = 0x7661e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 290
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 291
start_va = 0x4a0000
end_va = 0x4dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004a0000"
filename = ""
Region:
id = 292
start_va = 0x4e0000
end_va = 0x4effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004e0000"
filename = ""
Region:
id = 293
start_va = 0x760000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000760000"
filename = ""
Region:
id = 294
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 295
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 296
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 297
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 298
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 299
start_va = 0x860000
end_va = 0x99ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000860000"
filename = ""
Region:
id = 300
start_va = 0x6f7d0000
end_va = 0x6f84cfff
monitored = 1
entry_point = 0x6f7e0db0
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 301
start_va = 0x76d00000
end_va = 0x76d44fff
monitored = 0
entry_point = 0x76d1de90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 302
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 303
start_va = 0x74ab0000
end_va = 0x74bfefff
monitored = 0
entry_point = 0x74b66820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 304
start_va = 0x743d0000
end_va = 0x74516fff
monitored = 0
entry_point = 0x743e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 305
start_va = 0x1d0000
end_va = 0x1f9fff
monitored = 0
entry_point = 0x1d5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 306
start_va = 0x9a0000
end_va = 0xb27fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000009a0000"
filename = ""
Region:
id = 307
start_va = 0x741b0000
end_va = 0x741dafff
monitored = 0
entry_point = 0x741b5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 308
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 309
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 310
start_va = 0xb30000
end_va = 0xcb0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b30000"
filename = ""
Region:
id = 311
start_va = 0xcc0000
end_va = 0x20bffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000cc0000"
filename = ""
Region:
id = 312
start_va = 0x860000
end_va = 0x8fafff
monitored = 1
entry_point = 0x8fb6ae
region_type = mapped_file
name = "9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe")
Region:
id = 313
start_va = 0x990000
end_va = 0x99ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000990000"
filename = ""
Region:
id = 314
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 315
start_va = 0x6f7c0000
end_va = 0x6f7c7fff
monitored = 0
entry_point = 0x6f7c17b0
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 316
start_va = 0x6f0d0000
end_va = 0x6f7b0fff
monitored = 1
entry_point = 0x6f0fcd70
region_type = mapped_file
name = "clr.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll")
Region:
id = 317
start_va = 0x6efd0000
end_va = 0x6f0c4fff
monitored = 0
entry_point = 0x6f024160
region_type = mapped_file
name = "msvcr120_clr0400.dll"
filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll")
Region:
id = 318
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 319
start_va = 0x1f0000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 320
start_va = 0x4f0000
end_va = 0x4fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004f0000"
filename = ""
Region:
id = 321
start_va = 0x600000
end_va = 0x60ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 322
start_va = 0x610000
end_va = 0x61ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000610000"
filename = ""
Region:
id = 323
start_va = 0x620000
end_va = 0x62ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000620000"
filename = ""
Region:
id = 324
start_va = 0x630000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000630000"
filename = ""
Region:
id = 325
start_va = 0x640000
end_va = 0x640fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 326
start_va = 0x650000
end_va = 0x650fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000650000"
filename = ""
Region:
id = 327
start_va = 0x860000
end_va = 0x94ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000860000"
filename = ""
Region:
id = 328
start_va = 0x20c0000
end_va = 0x229ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020c0000"
filename = ""
Region:
id = 329
start_va = 0x860000
end_va = 0x89ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000860000"
filename = ""
Region:
id = 330
start_va = 0x940000
end_va = 0x94ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000940000"
filename = ""
Region:
id = 331
start_va = 0x20c0000
end_va = 0x21bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020c0000"
filename = ""
Region:
id = 332
start_va = 0x2290000
end_va = 0x229ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002290000"
filename = ""
Region:
id = 333
start_va = 0x660000
end_va = 0x66ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000660000"
filename = ""
Region:
id = 334
start_va = 0x22a0000
end_va = 0x429ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022a0000"
filename = ""
Region:
id = 335
start_va = 0x8a0000
end_va = 0x93ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008a0000"
filename = ""
Region:
id = 336
start_va = 0x950000
end_va = 0x98ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000950000"
filename = ""
Region:
id = 337
start_va = 0x42a0000
end_va = 0x439ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000042a0000"
filename = ""
Region:
id = 338
start_va = 0x43a0000
end_va = 0x46d6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 339
start_va = 0x6dd10000
end_va = 0x6efc1fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorlib.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll")
Region:
id = 340
start_va = 0x74dc0000
end_va = 0x74eaafff
monitored = 0
entry_point = 0x74dfd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 341
start_va = 0x21c0000
end_va = 0x2250fff
monitored = 0
entry_point = 0x21f8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 342
start_va = 0x73dd0000
end_va = 0x73e44fff
monitored = 0
entry_point = 0x73e09a60
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 343
start_va = 0x46e0000
end_va = 0x484ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000046e0000"
filename = ""
Region:
id = 344
start_va = 0x6d340000
end_va = 0x6dd0bfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\1be7a15b1f33bf22e4f53aaf45518c77\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\1be7a15b1f33bf22e4f53aaf45518c77\\system.ni.dll")
Region:
id = 345
start_va = 0x6cc10000
end_va = 0x6d330fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.core.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\eb4cca4f06a15158c3f7e2c56516729b\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\eb4cca4f06a15158c3f7e2c56516729b\\system.core.ni.dll")
Region:
id = 346
start_va = 0x6c820000
end_va = 0x6cc02fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "windowsbase.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\WindowsBase\\9a2107b30cbb02ca475f58ed046eff63\\WindowsBase.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\windowsbase\\9a2107b30cbb02ca475f58ed046eff63\\windowsbase.ni.dll")
Region:
id = 347
start_va = 0x710b0000
end_va = 0x710c2fff
monitored = 0
entry_point = 0x710b9950
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 348
start_va = 0x72bf0000
end_va = 0x72c1efff
monitored = 0
entry_point = 0x72c095e0
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 349
start_va = 0x713f0000
end_va = 0x7140afff
monitored = 0
entry_point = 0x713f9050
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 350
start_va = 0x6bd00000
end_va = 0x6c818fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "presentationcore.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\PresentationCore\\d7a637fdf68801e37fc897b530f9a8a6\\PresentationCore.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\presentationcore\\d7a637fdf68801e37fc897b530f9a8a6\\presentationcore.ni.dll")
Region:
id = 351
start_va = 0x6aa60000
end_va = 0x6bcf2fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "presentationframework.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Presentatio5ae0f00f#\\56617af3d6fd992497999aec2be809a4\\PresentationFramework.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\presentatio5ae0f00f#\\56617af3d6fd992497999aec2be809a4\\presentationframework.ni.dll")
Region:
id = 352
start_va = 0x660000
end_va = 0x66ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000660000"
filename = ""
Region:
id = 353
start_va = 0x6a9e0000
end_va = 0x6aa5ffff
monitored = 1
entry_point = 0x6a9e1180
region_type = mapped_file
name = "clrjit.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll")
Region:
id = 354
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 355
start_va = 0x670000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000670000"
filename = ""
Region:
id = 356
start_va = 0x6a850000
end_va = 0x6a9defff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.drawing.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Drawing\\1d52bd4ac5e0a6422058a5d62c9f6d9d\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.drawing\\1d52bd4ac5e0a6422058a5d62c9f6d9d\\system.drawing.ni.dll")
Region:
id = 357
start_va = 0x69be0000
end_va = 0x6a846fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.windows.forms.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Windows.Forms\\fb06ad4bc55b9c3ca68a3f9259d826cd\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.windows.forms\\fb06ad4bc55b9c3ca68a3f9259d826cd\\system.windows.forms.ni.dll")
Region:
id = 358
start_va = 0x680000
end_va = 0x680fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000680000"
filename = ""
Region:
id = 359
start_va = 0x680000
end_va = 0x681fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000680000"
filename = ""
Region:
id = 360
start_va = 0x21c0000
end_va = 0x21cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021c0000"
filename = ""
Region:
id = 361
start_va = 0x21d0000
end_va = 0x225efff
monitored = 0
entry_point = 0x21ddd60
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll")
Region:
id = 362
start_va = 0x69b40000
end_va = 0x69bd1fff
monitored = 0
entry_point = 0x69b4dd60
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll")
Region:
id = 363
start_va = 0x21d0000
end_va = 0x225ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021d0000"
filename = ""
Region:
id = 364
start_va = 0x21d0000
end_va = 0x21d0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000021d0000"
filename = ""
Region:
id = 365
start_va = 0x2250000
end_va = 0x225ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002250000"
filename = ""
Region:
id = 366
start_va = 0x46e0000
end_va = 0x479bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000046e0000"
filename = ""
Region:
id = 367
start_va = 0x4840000
end_va = 0x484ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004840000"
filename = ""
Region:
id = 368
start_va = 0x21d0000
end_va = 0x21d3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000021d0000"
filename = ""
Region:
id = 369
start_va = 0x21e0000
end_va = 0x21e3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021e0000"
filename = ""
Region:
id = 370
start_va = 0x4850000
end_va = 0x4a5afff
monitored = 0
entry_point = 0x48fb0a0
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll")
Region:
id = 371
start_va = 0x72d30000
end_va = 0x72f3efff
monitored = 0
entry_point = 0x72ddb0a0
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll")
Region:
id = 372
start_va = 0x21f0000
end_va = 0x21f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 373
start_va = 0x2200000
end_va = 0x2201fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002200000"
filename = ""
Region:
id = 374
start_va = 0x4850000
end_va = 0x494ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004850000"
filename = ""
Region:
id = 375
start_va = 0x73db0000
end_va = 0x73dccfff
monitored = 0
entry_point = 0x73db3b10
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll")
Region:
id = 376
start_va = 0x21f0000
end_va = 0x21fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021f0000"
filename = ""
Region:
id = 377
start_va = 0x2210000
end_va = 0x221ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002210000"
filename = ""
Region:
id = 378
start_va = 0x2220000
end_va = 0x222ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002220000"
filename = ""
Region:
id = 379
start_va = 0x699d0000
end_va = 0x69b3afff
monitored = 0
entry_point = 0x69a3e360
region_type = mapped_file
name = "gdiplus.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_538a540779726150\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_538a540779726150\\gdiplus.dll")
Region:
id = 380
start_va = 0x47a0000
end_va = 0x482ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000047a0000"
filename = ""
Region:
id = 381
start_va = 0x2210000
end_va = 0x224ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002210000"
filename = ""
Region:
id = 382
start_va = 0x4950000
end_va = 0x4a4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004950000"
filename = ""
Region:
id = 383
start_va = 0x70a20000
end_va = 0x70c10fff
monitored = 0
entry_point = 0x70b03cd0
region_type = mapped_file
name = "dwrite.dll"
filename = "\\Windows\\SysWOW64\\DWrite.dll" (normalized: "c:\\windows\\syswow64\\dwrite.dll")
Region:
id = 384
start_va = 0x764e0000
end_va = 0x765fefff
monitored = 0
entry_point = 0x76525980
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll")
Region:
id = 385
start_va = 0x47a0000
end_va = 0x47e8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-system.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat")
Region:
id = 386
start_va = 0x4820000
end_va = 0x482ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004820000"
filename = ""
Region:
id = 387
start_va = 0x21f0000
end_va = 0x21f3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021f0000"
filename = ""
Region:
id = 388
start_va = 0x4a50000
end_va = 0x5a4ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-fontface.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat")
Region:
id = 389
start_va = 0x2260000
end_va = 0x2263fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002260000"
filename = ""
Region:
id = 390
start_va = 0x5a50000
end_va = 0x5b4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005a50000"
filename = ""
Region:
id = 391
start_va = 0x5b50000
end_va = 0x5c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005b50000"
filename = ""
Region:
id = 392
start_va = 0x5c50000
end_va = 0x6141fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005c50000"
filename = ""
Region:
id = 393
start_va = 0x4850000
end_va = 0x490cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "micross.ttf"
filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf")
Region:
id = 394
start_va = 0x4940000
end_va = 0x494ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004940000"
filename = ""
Region:
id = 395
start_va = 0x6150000
end_va = 0x654ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006150000"
filename = ""
Region:
id = 396
start_va = 0x6550000
end_va = 0x662ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "arial.ttf"
filename = "\\Windows\\Fonts\\arial.ttf" (normalized: "c:\\windows\\fonts\\arial.ttf")
Region:
id = 397
start_va = 0x6630000
end_va = 0x66cefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ariali.ttf"
filename = "\\Windows\\Fonts\\ariali.ttf" (normalized: "c:\\windows\\fonts\\ariali.ttf")
Region:
id = 398
start_va = 0x66d0000
end_va = 0x676ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "arialbi.ttf"
filename = "\\Windows\\Fonts\\arialbi.ttf" (normalized: "c:\\windows\\fonts\\arialbi.ttf")
Region:
id = 399
start_va = 0x6770000
end_va = 0x77affff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "staticcache.dat"
filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat")
Region:
id = 400
start_va = 0x2270000
end_va = 0x2270fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002270000"
filename = ""
Region:
id = 401
start_va = 0x77b0000
end_va = 0x7811fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorrc.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll")
Region:
id = 402
start_va = 0x2280000
end_va = 0x228ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002280000"
filename = ""
Region:
id = 403
start_va = 0x47f0000
end_va = 0x47fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000047f0000"
filename = ""
Region:
id = 404
start_va = 0x4800000
end_va = 0x480ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 405
start_va = 0x47f0000
end_va = 0x47fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000047f0000"
filename = ""
Region:
id = 406
start_va = 0x4800000
end_va = 0x480ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 407
start_va = 0x4810000
end_va = 0x481ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004810000"
filename = ""
Region:
id = 408
start_va = 0x4830000
end_va = 0x483ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004830000"
filename = ""
Region:
id = 409
start_va = 0x4800000
end_va = 0x480ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 410
start_va = 0x7820000
end_va = 0x785ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007820000"
filename = ""
Region:
id = 411
start_va = 0x7860000
end_va = 0x795ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007860000"
filename = ""
Region:
id = 412
start_va = 0x7960000
end_va = 0x895ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007960000"
filename = ""
Region:
id = 413
start_va = 0x8960000
end_va = 0x8b2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008960000"
filename = ""
Region:
id = 414
start_va = 0x8b30000
end_va = 0x9b2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008b30000"
filename = ""
Region:
id = 415
start_va = 0x9b30000
end_va = 0x9ecffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009b30000"
filename = ""
Region:
id = 416
start_va = 0x4800000
end_va = 0x480ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 417
start_va = 0x4800000
end_va = 0x480ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 418
start_va = 0x4a0000
end_va = 0x4affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004a0000"
filename = ""
Region:
id = 419
start_va = 0x9ed0000
end_va = 0x9f0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009ed0000"
filename = ""
Region:
id = 420
start_va = 0x9f10000
end_va = 0xa00ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009f10000"
filename = ""
Region:
id = 421
start_va = 0xa010000
end_va = 0xa04ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a010000"
filename = ""
Region:
id = 422
start_va = 0xa050000
end_va = 0xa14ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a050000"
filename = ""
Region:
id = 423
start_va = 0x4a0000
end_va = 0x4affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004a0000"
filename = ""
Region:
id = 424
start_va = 0x4a0000
end_va = 0x4a2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000004a0000"
filename = ""
Region:
id = 425
start_va = 0x4b0000
end_va = 0x4bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004b0000"
filename = ""
Region:
id = 426
start_va = 0x4b0000
end_va = 0x4bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004b0000"
filename = ""
Region:
id = 427
start_va = 0x4b0000
end_va = 0x4bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004b0000"
filename = ""
Region:
id = 428
start_va = 0x760000
end_va = 0x7dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000760000"
filename = ""
Region:
id = 429
start_va = 0x7820000
end_va = 0x791ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007820000"
filename = ""
Region:
id = 430
start_va = 0x69850000
end_va = 0x699c2fff
monitored = 0
entry_point = 0x698fd220
region_type = mapped_file
name = "windowscodecs.dll"
filename = "\\Windows\\SysWOW64\\WindowsCodecs.dll" (normalized: "c:\\windows\\syswow64\\windowscodecs.dll")
Region:
id = 431
start_va = 0x7e0000
end_va = 0x83cfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007e0000"
filename = ""
Region:
id = 432
start_va = 0x4910000
end_va = 0x493ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004910000"
filename = ""
Region:
id = 433
start_va = 0x4910000
end_va = 0x491ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004910000"
filename = ""
Region:
id = 434
start_va = 0x4920000
end_va = 0x492ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004920000"
filename = ""
Region:
id = 435
start_va = 0x4930000
end_va = 0x493ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004930000"
filename = ""
Region:
id = 436
start_va = 0xa150000
end_va = 0xa1abfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000000a150000"
filename = ""
Region:
id = 437
start_va = 0x4c0000
end_va = 0x4cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004c0000"
filename = ""
Region:
id = 438
start_va = 0x69130000
end_va = 0x6984dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.xml.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\4fbda26d781323081b45526da6e87b35\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\4fbda26d781323081b45526da6e87b35\\system.xml.ni.dll")
Region:
id = 439
start_va = 0x4d0000
end_va = 0x4dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004d0000"
filename = ""
Region:
id = 440
start_va = 0x5e430000
end_va = 0x5e4cbfff
monitored = 1
entry_point = 0x5e4be9a6
region_type = mapped_file
name = "microsoft.visualbasic.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll")
Region:
id = 441
start_va = 0xa1b0000
end_va = 0xa24bfff
monitored = 1
entry_point = 0xa23e9a6
region_type = mapped_file
name = "microsoft.visualbasic.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll")
Region:
id = 442
start_va = 0x840000
end_va = 0x84ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000840000"
filename = ""
Region:
id = 443
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 444
start_va = 0x4800000
end_va = 0x480ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 445
start_va = 0x4810000
end_va = 0x481ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004810000"
filename = ""
Region:
id = 446
start_va = 0x4830000
end_va = 0x483ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004830000"
filename = ""
Region:
id = 447
start_va = 0x7920000
end_va = 0x792ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007920000"
filename = ""
Region:
id = 448
start_va = 0x7930000
end_va = 0x793ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007930000"
filename = ""
Region:
id = 449
start_va = 0x7940000
end_va = 0x794ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007940000"
filename = ""
Region:
id = 450
start_va = 0x7950000
end_va = 0x795ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007950000"
filename = ""
Region:
id = 451
start_va = 0xa250000
end_va = 0xa25ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a250000"
filename = ""
Region:
id = 452
start_va = 0xa260000
end_va = 0xa26ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a260000"
filename = ""
Region:
id = 453
start_va = 0xa270000
end_va = 0xa27ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a270000"
filename = ""
Region:
id = 454
start_va = 0xa280000
end_va = 0xa28ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a280000"
filename = ""
Region:
id = 455
start_va = 0xa290000
end_va = 0xa29ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a290000"
filename = ""
Region:
id = 456
start_va = 0xa2a0000
end_va = 0xa2affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2a0000"
filename = ""
Region:
id = 457
start_va = 0xa2b0000
end_va = 0xa2bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2b0000"
filename = ""
Region:
id = 458
start_va = 0xa2c0000
end_va = 0xa2cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2c0000"
filename = ""
Region:
id = 459
start_va = 0xa2d0000
end_va = 0xa2dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2d0000"
filename = ""
Region:
id = 460
start_va = 0xa2e0000
end_va = 0xa2effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2e0000"
filename = ""
Region:
id = 461
start_va = 0xa2f0000
end_va = 0xa2fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2f0000"
filename = ""
Region:
id = 462
start_va = 0xa300000
end_va = 0xa30ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a300000"
filename = ""
Region:
id = 463
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 464
start_va = 0x4800000
end_va = 0x480ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 465
start_va = 0x4810000
end_va = 0x481ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004810000"
filename = ""
Region:
id = 466
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 467
start_va = 0x4800000
end_va = 0x480ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 468
start_va = 0x4810000
end_va = 0x481ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004810000"
filename = ""
Region:
id = 469
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 470
start_va = 0x4800000
end_va = 0x480ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 471
start_va = 0x4810000
end_va = 0x481ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004810000"
filename = ""
Region:
id = 472
start_va = 0x4830000
end_va = 0x483ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004830000"
filename = ""
Region:
id = 473
start_va = 0x7920000
end_va = 0x792ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007920000"
filename = ""
Region:
id = 474
start_va = 0x7930000
end_va = 0x793ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007930000"
filename = ""
Region:
id = 475
start_va = 0x7940000
end_va = 0x794ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007940000"
filename = ""
Region:
id = 476
start_va = 0x7950000
end_va = 0x795ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007950000"
filename = ""
Region:
id = 477
start_va = 0xa250000
end_va = 0xa25ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a250000"
filename = ""
Region:
id = 478
start_va = 0xa260000
end_va = 0xa26ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a260000"
filename = ""
Region:
id = 479
start_va = 0xa270000
end_va = 0xa27ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a270000"
filename = ""
Region:
id = 480
start_va = 0xa280000
end_va = 0xa28ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a280000"
filename = ""
Region:
id = 481
start_va = 0xa290000
end_va = 0xa29ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a290000"
filename = ""
Region:
id = 482
start_va = 0xa2a0000
end_va = 0xa2affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2a0000"
filename = ""
Region:
id = 483
start_va = 0xa2b0000
end_va = 0xa2bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2b0000"
filename = ""
Region:
id = 484
start_va = 0xa2c0000
end_va = 0xa2cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2c0000"
filename = ""
Region:
id = 485
start_va = 0xa2d0000
end_va = 0xa2dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2d0000"
filename = ""
Region:
id = 486
start_va = 0xa2e0000
end_va = 0xa2effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2e0000"
filename = ""
Region:
id = 487
start_va = 0xa2f0000
end_va = 0xa2fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2f0000"
filename = ""
Region:
id = 488
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 489
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 490
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 491
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 492
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 493
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 494
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 495
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 496
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 497
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 498
start_va = 0x850000
end_va = 0x85ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 499
start_va = 0x4800000
end_va = 0x480ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 500
start_va = 0x4800000
end_va = 0x480ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 501
start_va = 0x4800000
end_va = 0x480ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004800000"
filename = ""
Region:
id = 502
start_va = 0x4810000
end_va = 0x481ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004810000"
filename = ""
Region:
id = 503
start_va = 0x8a0000
end_va = 0x8affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008a0000"
filename = ""
Region:
id = 504
start_va = 0x74eb0000
end_va = 0x762aefff
monitored = 0
entry_point = 0x7506b990
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 505
start_va = 0x76800000
end_va = 0x76836fff
monitored = 0
entry_point = 0x76803b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 506
start_va = 0x8b0000
end_va = 0x8effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008b0000"
filename = ""
Region:
id = 507
start_va = 0xa310000
end_va = 0xa40ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a310000"
filename = ""
Region:
id = 508
start_va = 0x745b0000
end_va = 0x74aa8fff
monitored = 0
entry_point = 0x747b7610
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll")
Region:
id = 509
start_va = 0x74520000
end_va = 0x745acfff
monitored = 0
entry_point = 0x74569b90
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll")
Region:
id = 510
start_va = 0x76470000
end_va = 0x764b3fff
monitored = 0
entry_point = 0x76477410
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll")
Region:
id = 511
start_va = 0x73f20000
end_va = 0x73f2efff
monitored = 0
entry_point = 0x73f22e40
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 512
start_va = 0x8f0000
end_va = 0x8f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008f0000"
filename = ""
Region:
id = 513
start_va = 0x69100000
end_va = 0x69127fff
monitored = 0
entry_point = 0x69107820
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll")
Region:
id = 514
start_va = 0x900000
end_va = 0x90ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 515
start_va = 0x900000
end_va = 0x90ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 516
start_va = 0x900000
end_va = 0x90ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 517
start_va = 0x900000
end_va = 0x90ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 518
start_va = 0x900000
end_va = 0x90ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 519
start_va = 0x69080000
end_va = 0x690f0fff
monitored = 0
entry_point = 0x690d69e0
region_type = mapped_file
name = "efswrt.dll"
filename = "\\Windows\\SysWOW64\\efswrt.dll" (normalized: "c:\\windows\\syswow64\\efswrt.dll")
Region:
id = 520
start_va = 0x6fde0000
end_va = 0x6fea7fff
monitored = 0
entry_point = 0x6fe4ae90
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\SysWOW64\\WinTypes.dll" (normalized: "c:\\windows\\syswow64\\wintypes.dll")
Region:
id = 521
start_va = 0x69030000
end_va = 0x69078fff
monitored = 0
entry_point = 0x69036450
region_type = mapped_file
name = "edputil.dll"
filename = "\\Windows\\SysWOW64\\edputil.dll" (normalized: "c:\\windows\\syswow64\\edputil.dll")
Region:
id = 522
start_va = 0x900000
end_va = 0x90ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 523
start_va = 0x900000
end_va = 0x90ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 524
start_va = 0x68f10000
end_va = 0x6902cfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.management.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\98d3949f9ba1a384939805aa5e47e933\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\98d3949f9ba1a384939805aa5e47e933\\system.management.ni.dll")
Region:
id = 525
start_va = 0x900000
end_va = 0x93ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 526
start_va = 0xa410000
end_va = 0xa50ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a410000"
filename = ""
Region:
id = 527
start_va = 0x6fc50000
end_va = 0x6fd9afff
monitored = 0
entry_point = 0x6fcb1660
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll")
Region:
id = 528
start_va = 0x4800000
end_va = 0x4800fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004800000"
filename = ""
Region:
id = 529
start_va = 0x7920000
end_va = 0x795ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007920000"
filename = ""
Region:
id = 530
start_va = 0xa510000
end_va = 0xa60ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a510000"
filename = ""
Region:
id = 531
start_va = 0x74340000
end_va = 0x743c3fff
monitored = 0
entry_point = 0x74366220
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 532
start_va = 0x6fa30000
end_va = 0x6fc4bfff
monitored = 0
entry_point = 0x6fbfbc40
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")
Region:
id = 533
start_va = 0x4810000
end_va = 0x4810fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004810000"
filename = ""
Region:
id = 534
start_va = 0xa250000
end_va = 0xa28ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a250000"
filename = ""
Region:
id = 535
start_va = 0xa610000
end_va = 0xa70ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a610000"
filename = ""
Region:
id = 536
start_va = 0x4830000
end_va = 0x4833fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.1.db"
filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db")
Region:
id = 537
start_va = 0xa290000
end_va = 0xa2a3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db"
filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000016.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db")
Region:
id = 538
start_va = 0xa2b0000
end_va = 0xa2b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000000a2b0000"
filename = ""
Region:
id = 539
start_va = 0x4830000
end_va = 0x4833fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 540
start_va = 0xa2c0000
end_va = 0xa2fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a2c0000"
filename = ""
Region:
id = 541
start_va = 0xa710000
end_va = 0xa80ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a710000"
filename = ""
Region:
id = 542
start_va = 0xa810000
end_va = 0xa854fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db")
Region:
id = 543
start_va = 0xa860000
end_va = 0xa863fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 544
start_va = 0xa870000
end_va = 0xa8fdfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 545
start_va = 0xa900000
end_va = 0xa910fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui")
Region:
id = 546
start_va = 0x71630000
end_va = 0x717adfff
monitored = 0
entry_point = 0x716ac630
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")
Region:
id = 547
start_va = 0x73ae0000
end_va = 0x73daafff
monitored = 0
entry_point = 0x73d1c4c0
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")
Region:
id = 548
start_va = 0xa920000
end_va = 0xa920fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000000a920000"
filename = ""
Region:
id = 626
start_va = 0x900000
end_va = 0x90ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 1204
start_va = 0x910000
end_va = 0x91ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000910000"
filename = ""
Region:
id = 1205
start_va = 0x920000
end_va = 0x92ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000920000"
filename = ""
Region:
id = 1206
start_va = 0x930000
end_va = 0x93ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000930000"
filename = ""
Region:
id = 1207
start_va = 0xa410000
end_va = 0xa41ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a410000"
filename = ""
Region:
id = 1208
start_va = 0xa420000
end_va = 0xa42ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a420000"
filename = ""
Region:
id = 1209
start_va = 0xa430000
end_va = 0xa43ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a430000"
filename = ""
Region:
id = 1210
start_va = 0xa440000
end_va = 0xa44ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a440000"
filename = ""
Region:
id = 1211
start_va = 0xa450000
end_va = 0xa45ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a450000"
filename = ""
Region:
id = 1212
start_va = 0xa460000
end_va = 0xa46ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a460000"
filename = ""
Region:
id = 1213
start_va = 0xa470000
end_va = 0xa47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a470000"
filename = ""
Region:
id = 1214
start_va = 0xa480000
end_va = 0xa48ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a480000"
filename = ""
Region:
id = 1215
start_va = 0xa490000
end_va = 0xa49ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a490000"
filename = ""
Region:
id = 1216
start_va = 0xa4a0000
end_va = 0xa4affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a4a0000"
filename = ""
Region:
id = 1217
start_va = 0xa4b0000
end_va = 0xa4bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a4b0000"
filename = ""
Region:
id = 1218
start_va = 0xa4c0000
end_va = 0xa4cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a4c0000"
filename = ""
Region:
id = 1219
start_va = 0xa4d0000
end_va = 0xa4dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a4d0000"
filename = ""
Region:
id = 1220
start_va = 0xa4e0000
end_va = 0xa4effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a4e0000"
filename = ""
Region:
id = 1221
start_va = 0xa4f0000
end_va = 0xa4fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a4f0000"
filename = ""
Region:
id = 1222
start_va = 0x910000
end_va = 0x91ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000910000"
filename = ""
Region:
id = 1223
start_va = 0x920000
end_va = 0x92ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000920000"
filename = ""
Region:
id = 1226
start_va = 0x930000
end_va = 0x93ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000930000"
filename = ""
Region:
id = 1227
start_va = 0x930000
end_va = 0x93ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000930000"
filename = ""
Region:
id = 1228
start_va = 0xa410000
end_va = 0xa41ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a410000"
filename = ""
Region:
id = 1229
start_va = 0xa420000
end_va = 0xa42ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a420000"
filename = ""
Region:
id = 1230
start_va = 0xa430000
end_va = 0xa43ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a430000"
filename = ""
Region:
id = 1267
start_va = 0xa410000
end_va = 0xa44ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a410000"
filename = ""
Region:
id = 1268
start_va = 0xa930000
end_va = 0xaa2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000000a930000"
filename = ""
Thread:
id = 1
os_tid = 0xaf0
[0091.899] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0
[0092.665] RoInitialize () returned 0x1
[0092.665] RoUninitialize () returned 0x0
[0099.215] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x19de58 | out: phkResult=0x19de58*=0x0) returned 0x2
[0099.222] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", nBufferLength=0x105, lpBuffer=0x19eed4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", lpFilePart=0x0) returned 0x77
[0099.246] IsAppThemed () returned 0x1
[0099.252] CoTaskMemAlloc (cb=0xf0) returned 0x552118
[0099.252] CreateActCtxA (pActCtx=0x19f418) returned 0x56c024
[0099.383] CoTaskMemFree (pv=0x552118)
[0099.407] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLNAME") returned 0xc1e0
[0099.407] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLTYPE") returned 0xc1df
[0099.450] GetSystemMetrics (nIndex=75) returned 1
[0099.460] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0
[0100.422] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x69b40000
[0100.491] AdjustWindowRectEx (in: lpRect=0x19f458, dwStyle=0x56cf0000, bMenu=0, dwExStyle=0x50001 | out: lpRect=0x19f458) returned 1
[0100.493] GetCurrentProcess () returned 0xffffffff
[0100.494] GetCurrentThread () returned 0xfffffffe
[0100.494] GetCurrentProcess () returned 0xffffffff
[0100.494] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19f370, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19f370*=0x298) returned 1
[0100.498] GetCurrentThreadId () returned 0xaf0
[0100.515] GetCurrentActCtx (in: lphActCtx=0x19f2d0 | out: lphActCtx=0x19f2d0*=0x0) returned 1
[0100.515] ActivateActCtx (in: hActCtx=0x56c024, lpCookie=0x19f2e0 | out: hActCtx=0x56c024, lpCookie=0x19f2e0) returned 1
[0100.516] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0
[0101.719] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x72d30000
[0101.755] GetModuleHandleW (lpModuleName="user32.dll") returned 0x743d0000
[0101.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x19f194, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcWÞi\x93±°ö(ú\rohö\x19", lpUsedDefaultChar=0x0) returned 14
[0101.757] GetProcAddress (hModule=0x743d0000, lpProcName="DefWindowProcW") returned 0x73e807e0
[0101.758] GetStockObject (i=5) returned 0x1900015
[0101.765] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0101.774] CoTaskMemAlloc (cb=0x5c) returned 0x563da0
[0101.774] RegisterClassW (lpWndClass=0x19f184) returned 0xc1db
[0101.775] CoTaskMemFree (pv=0x563da0)
[0101.776] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0101.777] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.Window.8.app.0.141b42a_r10_ad1", lpWindowName=0x0, dwStyle=0x2010000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0xfffffffd, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x70298
[0101.781] SetWindowLongW (hWnd=0x70298, nIndex=-4, dwNewLong=1944586208) returned 76809662
[0101.782] GetWindowLongW (hWnd=0x70298, nIndex=-4) returned 1944586208
[0101.784] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x19e9e4 | out: phkResult=0x19e9e4*=0x2b4) returned 0x0
[0101.785] RegQueryValueExW (in: hKey=0x2b4, lpValueName="DbgJITDebugLaunchSetting", lpReserved=0x0, lpType=0x19ea04, lpData=0x0, lpcbData=0x19ea00*=0x0 | out: lpType=0x19ea04*=0x0, lpData=0x0, lpcbData=0x19ea00*=0x0) returned 0x2
[0101.785] RegQueryValueExW (in: hKey=0x2b4, lpValueName="DbgManagedDebugger", lpReserved=0x0, lpType=0x19ea04, lpData=0x0, lpcbData=0x19ea00*=0x0 | out: lpType=0x19ea04*=0x0, lpData=0x0, lpcbData=0x19ea00*=0x0) returned 0x2
[0101.785] RegCloseKey (hKey=0x2b4) returned 0x0
[0101.789] SetWindowLongW (hWnd=0x70298, nIndex=-4, dwNewLong=76809702) returned 1944586208
[0101.789] GetWindowLongW (hWnd=0x70298, nIndex=-4) returned 76809702
[0101.789] GetWindowLongW (hWnd=0x70298, nIndex=-16) returned 113311744
[0101.791] RegisterClipboardFormatW (lpszFormat="WinFormsMouseEnter") returned 0xc14b
[0101.791] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x70298, Msg=0x24, wParam=0x0, lParam=0x19ecfc) returned 0x0
[0101.792] RegisterClipboardFormatW (lpszFormat="WinFormsUnSubclass") returned 0xc1d9
[0101.792] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x70298, Msg=0x81, wParam=0x0, lParam=0x19ecf0) returned 0x1
[0101.793] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x70298, Msg=0x83, wParam=0x0, lParam=0x19ecdc) returned 0x0
[0102.077] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x70298, Msg=0x1, wParam=0x0, lParam=0x19ecf0) returned 0x0
[0102.077] GetClientRect (in: hWnd=0x70298, lpRect=0x19ea1c | out: lpRect=0x19ea1c) returned 1
[0102.078] GetWindowRect (in: hWnd=0x70298, lpRect=0x19ea1c | out: lpRect=0x19ea1c) returned 1
[0102.081] GetParent (hWnd=0x70298) returned 0x0
[0102.081] DeactivateActCtx (dwFlags=0x0, ulCookie=0x14f80001) returned 1
[0102.229] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0102.229] AdjustWindowRectEx (in: lpRect=0x19f208, dwStyle=0x56010000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f208) returned 1
[0102.231] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0102.231] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0102.231] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0102.231] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0102.231] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0102.231] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0102.231] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0102.232] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0102.232] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0102.232] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0102.232] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0102.232] AdjustWindowRectEx (in: lpRect=0x19f208, dwStyle=0x56010000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f208) returned 1
[0102.234] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0102.235] AdjustWindowRectEx (in: lpRect=0x19f21c, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f21c) returned 1
[0102.235] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0102.235] AdjustWindowRectEx (in: lpRect=0x19f21c, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f21c) returned 1
[0102.235] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0102.235] AdjustWindowRectEx (in: lpRect=0x19f208, dwStyle=0x56010000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f208) returned 1
[0102.241] GetCurrentThreadId () returned 0xaf0
[0102.241] GetCurrentThreadId () returned 0xaf0
[0102.248] GetSystemDefaultLCID () returned 0x409
[0102.248] GetStockObject (i=17) returned 0x10a0047
[0102.250] GetObjectW (in: h=0x10a0047, c=92, pv=0x19f06c | out: pv=0x19f06c) returned 92
[0102.251] GetDC (hWnd=0x0) returned 0x17010536
[0103.010] GdiplusStartup (in: token=0x619138, input=0x19e628, output=0x19e678 | out: token=0x619138, output=0x19e678) returned 0x0
[0103.016] CoTaskMemAlloc (cb=0x5c) returned 0x563ac8
[0103.017] GdipCreateFontFromLogfontW (hdc=0x17010536, logfont=0x563ac8, font=0x19f134) returned 0x0
[0104.650] CoTaskMemFree (pv=0x563ac8)
[0104.651] CoTaskMemAlloc (cb=0x5c) returned 0x5638c0
[0104.651] CoTaskMemFree (pv=0x5638c0)
[0104.652] CoTaskMemAlloc (cb=0x5c) returned 0x5638c0
[0104.652] CoTaskMemFree (pv=0x5638c0)
[0104.652] GdipGetFontUnit (font=0x4821f08, unit=0x19f100) returned 0x0
[0104.652] GdipGetFontSize (font=0x4821f08, size=0x19f104) returned 0x0
[0104.652] GdipGetFontStyle (font=0x4821f08, style=0x19f0fc) returned 0x0
[0104.653] GdipGetFamily (font=0x4821f08, family=0x19f0f8) returned 0x0
[0104.653] GdipGetFontSize (font=0x4821f08, size=0x22aa368) returned 0x0
[0104.653] ReleaseDC (hWnd=0x0, hDC=0x17010536) returned 1
[0104.654] GetDC (hWnd=0x0) returned 0xa0100d0
[0104.654] GdipCreateFromHDC (hdc=0xa0100d0, graphics=0x19f11c) returned 0x0
[0104.665] GdipGetDpiY (graphics=0x5b5f268, dpi=0x22aa470) returned 0x0
[0104.665] GdipGetFontHeight (font=0x4821f08, graphics=0x5b5f268, height=0x19f114) returned 0x0
[0104.665] GdipGetEmHeight (family=0x5b54c98, style=0, EmHeight=0x19f11c) returned 0x0
[0104.666] GdipGetLineSpacing (family=0x5b54c98, style=0, LineSpacing=0x19f11c) returned 0x0
[0104.666] GdipDeleteGraphics (graphics=0x5b5f268) returned 0x0
[0104.668] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1
[0104.668] GdipCreateFont (fontFamily=0x5b54c98, emSize=0x41040000, style=0, unit=0x3, font=0x22aa430) returned 0x0
[0104.668] GdipGetFontSize (font=0x482efc0, size=0x22aa434) returned 0x0
[0104.669] GdipDeleteFont (font=0x4821f08) returned 0x0
[0104.671] GetCurrentThreadId () returned 0xaf0
[0104.671] GetCurrentThreadId () returned 0xaf0
[0104.671] GetCurrentThreadId () returned 0xaf0
[0104.671] GetCurrentThreadId () returned 0xaf0
[0104.671] GetCurrentThreadId () returned 0xaf0
[0104.671] GetCurrentThreadId () returned 0xaf0
[0104.671] GetCurrentThreadId () returned 0xaf0
[0104.671] GetCurrentThreadId () returned 0xaf0
[0104.672] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0104.672] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0104.758] GetProcessWindowStation () returned 0xf0
[0104.828] GetUserObjectInformationA (in: hObj=0xf0, nIndex=1, pvInfo=0x22aad0c, nLength=0xc, lpnLengthNeeded=0x19f084 | out: pvInfo=0x22aad0c, lpnLengthNeeded=0x19f084) returned 1
[0104.831] SetConsoleCtrlHandler (HandlerRoutine=0x494060e, Add=1) returned 1
[0104.832] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0104.833] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0104.835] GetClassInfoW (in: hInstance=0x400000, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWndClass=0x22aad70 | out: lpWndClass=0x22aad70) returned 0
[0104.838] CoTaskMemAlloc (cb=0x58) returned 0x56ea10
[0104.838] RegisterClassW (lpWndClass=0x19efd4) returned 0xc1d7
[0104.838] CoTaskMemFree (pv=0x56ea10)
[0104.839] CreateWindowExW (dwExStyle=0x0, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWindowName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x50276
[0104.840] NtdllDefWindowProc_W (hWnd=0x50276, Msg=0x81, wParam=0x0, lParam=0x19eb10) returned 0x1
[0104.842] NtdllDefWindowProc_W (hWnd=0x50276, Msg=0x83, wParam=0x0, lParam=0x19eafc) returned 0x0
[0104.842] NtdllDefWindowProc_W (hWnd=0x50276, Msg=0x1, wParam=0x0, lParam=0x19eb10) returned 0x0
[0104.843] NtdllDefWindowProc_W (hWnd=0x50276, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0
[0104.843] NtdllDefWindowProc_W (hWnd=0x50276, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0
[0104.960] GetSysColor (nIndex=10) returned 0xb4b4b4
[0104.960] GetSysColor (nIndex=2) returned 0xd1b499
[0104.960] GetSysColor (nIndex=9) returned 0x0
[0104.960] GetSysColor (nIndex=12) returned 0xababab
[0104.961] GetSysColor (nIndex=15) returned 0xf0f0f0
[0104.961] GetSysColor (nIndex=20) returned 0xffffff
[0104.961] GetSysColor (nIndex=16) returned 0xa0a0a0
[0104.961] GetSysColor (nIndex=15) returned 0xf0f0f0
[0104.961] GetSysColor (nIndex=16) returned 0xa0a0a0
[0104.961] GetSysColor (nIndex=21) returned 0x696969
[0104.961] GetSysColor (nIndex=22) returned 0xe3e3e3
[0104.961] GetSysColor (nIndex=20) returned 0xffffff
[0104.961] GetSysColor (nIndex=18) returned 0x0
[0104.961] GetSysColor (nIndex=1) returned 0x0
[0104.961] GetSysColor (nIndex=27) returned 0xead1b9
[0104.961] GetSysColor (nIndex=28) returned 0xf2e4d7
[0104.962] GetSysColor (nIndex=17) returned 0x6d6d6d
[0104.962] GetSysColor (nIndex=13) returned 0xff9933
[0104.962] GetSysColor (nIndex=14) returned 0xffffff
[0104.962] GetSysColor (nIndex=26) returned 0xcc6600
[0104.962] GetSysColor (nIndex=11) returned 0xfcf7f4
[0104.962] GetSysColor (nIndex=3) returned 0xdbcdbf
[0104.962] GetSysColor (nIndex=19) returned 0x0
[0104.962] GetSysColor (nIndex=24) returned 0xe1ffff
[0104.962] GetSysColor (nIndex=23) returned 0x0
[0104.962] GetSysColor (nIndex=4) returned 0xf0f0f0
[0104.962] GetSysColor (nIndex=30) returned 0xf0f0f0
[0104.962] GetSysColor (nIndex=29) returned 0xff9933
[0104.962] GetSysColor (nIndex=7) returned 0x0
[0104.962] GetSysColor (nIndex=0) returned 0xc8c8c8
[0104.962] GetSysColor (nIndex=5) returned 0xffffff
[0104.962] GetSysColor (nIndex=6) returned 0x646464
[0104.962] GetSysColor (nIndex=8) returned 0x0
[0104.963] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0104.963] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0105.078] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.078] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0105.079] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.079] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0105.089] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.089] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0105.089] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.089] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0105.090] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.090] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0105.090] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.090] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0105.090] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.090] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0105.090] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.090] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0105.091] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.091] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0105.091] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.091] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0105.091] GetCurrentThreadId () returned 0xaf0
[0105.091] GetCurrentThreadId () returned 0xaf0
[0105.091] GetCurrentThreadId () returned 0xaf0
[0105.091] GetCurrentThreadId () returned 0xaf0
[0105.092] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.092] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0105.092] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.092] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0105.095] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.095] AdjustWindowRectEx (in: lpRect=0x19f05c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f05c) returned 1
[0105.098] GdipGetFamilyName (in: family=0x5b54c98, name=0x19f028, language=0x409 | out: name="Microsoft Sans Serif") returned 0x0
[0105.100] CreateCompatibleDC (hdc=0x0) returned 0x4801090d
[0105.102] GetCurrentObject (hdc=0x4801090d, type=0x1) returned 0x1b00017
[0105.102] GetCurrentObject (hdc=0x4801090d, type=0x2) returned 0x1900010
[0105.102] GetCurrentObject (hdc=0x4801090d, type=0x7) returned 0x185000f
[0105.102] GetCurrentObject (hdc=0x4801090d, type=0x6) returned 0x18a0048
[0105.103] SaveDC (hdc=0x4801090d) returned 1
[0105.103] GetDeviceCaps (hdc=0x4801090d, index=90) returned 96
[0105.118] CoTaskMemAlloc (cb=0x5c) returned 0x563da0
[0105.118] CreateFontIndirectW (lplf=0x563da0) returned 0x4a0a0986
[0105.119] CoTaskMemFree (pv=0x563da0)
[0105.119] GetObjectW (in: h=0x4a0a0986, c=92, pv=0x19efec | out: pv=0x19efec) returned 92
[0105.422] GetCurrentObject (hdc=0x4801090d, type=0x6) returned 0x18a0048
[0105.422] GetObjectW (in: h=0x18a0048, c=92, pv=0x19efd4 | out: pv=0x19efd4) returned 92
[0105.423] SelectObject (hdc=0x4801090d, h=0x4a0a0986) returned 0x18a0048
[0105.481] GetTextExtentPoint32W (in: hdc=0x4801090d, lpString="0", c=1, psizl=0x22abecc | out: psizl=0x22abecc) returned 1
[0105.525] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.525] AdjustWindowRectEx (in: lpRect=0x19f130, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f130) returned 1
[0105.526] GdipCreateFontFamilyFromName (name="Arial", fontCollection=0x0, fontFamily=0x19f1f8) returned 0x0
[0105.526] GdipCreateFont (fontFamily=0x5b509d8, emSize=0x417c0000, style=1, unit=0x3, font=0x22abfa8) returned 0x0
[0105.788] GdipGetFontSize (font=0x4821f08, size=0x22abfac) returned 0x0
[0105.789] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.789] AdjustWindowRectEx (in: lpRect=0x19f014, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f014) returned 1
[0105.789] GdipGetFamilyName (in: family=0x5b509d8, name=0x19efe0, language=0x409 | out: name="Arial") returned 0x0
[0105.789] GetDeviceCaps (hdc=0x4801090d, index=90) returned 96
[0105.789] CoTaskMemAlloc (cb=0x5c) returned 0x563ac8
[0105.789] CreateFontIndirectW (lplf=0x563ac8) returned 0x370a06cc
[0105.790] CoTaskMemFree (pv=0x563ac8)
[0105.790] GetObjectW (in: h=0x370a06cc, c=92, pv=0x19efa4 | out: pv=0x19efa4) returned 92
[0105.790] SelectObject (hdc=0x4801090d, h=0x370a06cc) returned 0x4a0a0986
[0105.792] DeleteObject (ho=0x4a0a0986) returned 1
[0105.792] GetTextExtentPoint32W (in: hdc=0x4801090d, lpString="0", c=1, psizl=0x22ac25c | out: psizl=0x22ac25c) returned 1
[0105.796] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.796] AdjustWindowRectEx (in: lpRect=0x19f0e8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e8) returned 1
[0105.900] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0105.901] AdjustWindowRectEx (in: lpRect=0x19f048, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f048) returned 1
[0105.901] GdipGetFamilyName (in: family=0x5b509d8, name=0x19f014, language=0x409 | out: name="Arial") returned 0x0
[0105.901] GetDeviceCaps (hdc=0x4801090d, index=90) returned 96
[0105.901] CoTaskMemAlloc (cb=0x5c) returned 0x563c68
[0105.901] CreateFontIndirectW (lplf=0x563c68) returned 0x4b0a0986
[0105.901] CoTaskMemFree (pv=0x563c68)
[0105.901] GetObjectW (in: h=0x4b0a0986, c=92, pv=0x19efd8 | out: pv=0x19efd8) returned 92
[0106.040] GetTextExtentPoint32W (in: hdc=0x4801090d, lpString="0", c=1, psizl=0x22ac43c | out: psizl=0x22ac43c) returned 1
[0106.040] DeleteObject (ho=0x4b0a0986) returned 1
[0106.041] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.041] AdjustWindowRectEx (in: lpRect=0x19f17c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f17c) returned 1
[0106.041] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.041] AdjustWindowRectEx (in: lpRect=0x19f048, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f048) returned 1
[0106.041] GdipGetFamilyName (in: family=0x5b509d8, name=0x19f014, language=0x409 | out: name="Arial") returned 0x0
[0106.041] GetDeviceCaps (hdc=0x4801090d, index=90) returned 96
[0106.041] CoTaskMemAlloc (cb=0x5c) returned 0x563ac8
[0106.041] CreateFontIndirectW (lplf=0x563ac8) returned 0x4c0a0986
[0106.042] CoTaskMemFree (pv=0x563ac8)
[0106.042] GetObjectW (in: h=0x4c0a0986, c=92, pv=0x19efd8 | out: pv=0x19efd8) returned 92
[0106.042] GetTextExtentPoint32W (in: hdc=0x4801090d, lpString="0", c=1, psizl=0x22ac618 | out: psizl=0x22ac618) returned 1
[0106.042] DeleteObject (ho=0x4c0a0986) returned 1
[0106.042] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.042] AdjustWindowRectEx (in: lpRect=0x19f024, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f024) returned 1
[0106.190] GdipGetFamilyName (in: family=0x5b509d8, name=0x19ef14, language=0x409 | out: name="Arial") returned 0x0
[0106.190] GetDeviceCaps (hdc=0x4801090d, index=90) returned 96
[0106.190] CoTaskMemAlloc (cb=0x5c) returned 0x563c68
[0106.190] CreateFontIndirectW (lplf=0x563c68) returned 0x4d0a0986
[0106.190] CoTaskMemFree (pv=0x563c68)
[0106.190] GetObjectW (in: h=0x4d0a0986, c=92, pv=0x19eed8 | out: pv=0x19eed8) returned 92
[0106.191] GetMapMode (hdc=0x4801090d) returned 1
[0106.191] GetTextMetricsW (in: hdc=0x4801090d, lptm=0x19ef00 | out: lptm=0x19ef00) returned 1
[0106.192] DrawTextExW (in: hdc=0x4801090d, lpchText="Chipu and Co.", cchText=13, lprc=0x19f00c, format=0x2400, lpdtp=0x22ac8bc | out: lpchText="Chipu and Co.", lprc=0x19f00c) returned 24
[0106.236] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.237] AdjustWindowRectEx (in: lpRect=0x19f0f8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0f8) returned 1
[0106.237] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.237] AdjustWindowRectEx (in: lpRect=0x19f05c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f05c) returned 1
[0106.237] GdipGetFamilyName (in: family=0x5b54c98, name=0x19f028, language=0x409 | out: name="Microsoft Sans Serif") returned 0x0
[0106.237] GetDeviceCaps (hdc=0x4801090d, index=90) returned 96
[0106.237] CoTaskMemAlloc (cb=0x5c) returned 0x5638c0
[0106.237] CreateFontIndirectW (lplf=0x5638c0) returned 0x800a060d
[0106.237] CoTaskMemFree (pv=0x5638c0)
[0106.237] GetObjectW (in: h=0x800a060d, c=92, pv=0x19efec | out: pv=0x19efec) returned 92
[0106.237] SelectObject (hdc=0x4801090d, h=0x800a060d) returned 0x370a06cc
[0106.238] DeleteObject (ho=0x370a06cc) returned 1
[0106.238] GetTextExtentPoint32W (in: hdc=0x4801090d, lpString="0", c=1, psizl=0x22acb2c | out: psizl=0x22acb2c) returned 1
[0106.238] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.238] AdjustWindowRectEx (in: lpRect=0x19f130, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f130) returned 1
[0106.238] GdipCreateFontFamilyFromName (name="Arial", fontCollection=0x0, fontFamily=0x19f1f8) returned 0x0
[0106.238] GdipCreateFont (fontFamily=0x5b509d8, emSize=0x417c0000, style=1, unit=0x3, font=0x22acc34) returned 0x0
[0106.238] GdipGetFontSize (font=0x5b5b080, size=0x22acc38) returned 0x0
[0106.239] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.239] AdjustWindowRectEx (in: lpRect=0x19f014, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f014) returned 1
[0106.239] GdipGetFamilyName (in: family=0x5b509d8, name=0x19efe0, language=0x409 | out: name="Arial") returned 0x0
[0106.239] GetDeviceCaps (hdc=0x4801090d, index=90) returned 96
[0106.239] CoTaskMemAlloc (cb=0x5c) returned 0x563ac8
[0106.239] CreateFontIndirectW (lplf=0x563ac8) returned 0x380a06cc
[0106.239] CoTaskMemFree (pv=0x563ac8)
[0106.239] GetObjectW (in: h=0x380a06cc, c=92, pv=0x19efa4 | out: pv=0x19efa4) returned 92
[0106.239] SelectObject (hdc=0x4801090d, h=0x380a06cc) returned 0x800a060d
[0106.239] DeleteObject (ho=0x800a060d) returned 1
[0106.239] GetTextExtentPoint32W (in: hdc=0x4801090d, lpString="0", c=1, psizl=0x22acea0 | out: psizl=0x22acea0) returned 1
[0106.240] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.240] AdjustWindowRectEx (in: lpRect=0x19f0e8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e8) returned 1
[0106.240] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.240] AdjustWindowRectEx (in: lpRect=0x19f048, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f048) returned 1
[0106.240] GdipGetFamilyName (in: family=0x5b509d8, name=0x19f014, language=0x409 | out: name="Arial") returned 0x0
[0106.240] GetDeviceCaps (hdc=0x4801090d, index=90) returned 96
[0106.240] CoTaskMemAlloc (cb=0x5c) returned 0x563ac8
[0106.240] CreateFontIndirectW (lplf=0x563ac8) returned 0x810a060d
[0106.240] CoTaskMemFree (pv=0x563ac8)
[0106.240] GetObjectW (in: h=0x810a060d, c=92, pv=0x19efd8 | out: pv=0x19efd8) returned 92
[0106.241] GetTextExtentPoint32W (in: hdc=0x4801090d, lpString="0", c=1, psizl=0x22ad080 | out: psizl=0x22ad080) returned 1
[0106.241] DeleteObject (ho=0x810a060d) returned 1
[0106.241] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.241] AdjustWindowRectEx (in: lpRect=0x19f17c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f17c) returned 1
[0106.241] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.241] AdjustWindowRectEx (in: lpRect=0x19f048, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f048) returned 1
[0106.241] GdipGetFamilyName (in: family=0x5b509d8, name=0x19f014, language=0x409 | out: name="Arial") returned 0x0
[0106.241] GetDeviceCaps (hdc=0x4801090d, index=90) returned 96
[0106.241] CoTaskMemAlloc (cb=0x5c) returned 0x5638c0
[0106.241] CreateFontIndirectW (lplf=0x5638c0) returned 0x820a060d
[0106.241] CoTaskMemFree (pv=0x5638c0)
[0106.242] GetObjectW (in: h=0x820a060d, c=92, pv=0x19efd8 | out: pv=0x19efd8) returned 92
[0106.242] GetTextExtentPoint32W (in: hdc=0x4801090d, lpString="0", c=1, psizl=0x22ad25c | out: psizl=0x22ad25c) returned 1
[0106.242] DeleteObject (ho=0x820a060d) returned 1
[0106.242] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.242] AdjustWindowRectEx (in: lpRect=0x19f024, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f024) returned 1
[0106.242] DrawTextExW (in: hdc=0x4801090d, lpchText="LMS", cchText=3, lprc=0x19f00c, format=0x2400, lpdtp=0x22ad2d0 | out: lpchText="LMS", lprc=0x19f00c) returned 24
[0106.243] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.243] AdjustWindowRectEx (in: lpRect=0x19f0f8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0f8) returned 1
[0106.243] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.243] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0106.243] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.243] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0106.244] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.244] AdjustWindowRectEx (in: lpRect=0x19f1dc, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19f1dc) returned 1
[0106.244] GetSystemMetrics (nIndex=59) returned 1456
[0106.244] GetSystemMetrics (nIndex=60) returned 916
[0106.244] GetSystemMetrics (nIndex=34) returned 136
[0106.244] GetSystemMetrics (nIndex=35) returned 39
[0106.245] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.245] AdjustWindowRectEx (in: lpRect=0x19f0dc, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19f0dc) returned 1
[0106.245] GetCurrentThreadId () returned 0xaf0
[0106.245] GetCurrentThreadId () returned 0xaf0
[0106.245] GetCurrentThreadId () returned 0xaf0
[0106.245] GetCurrentThreadId () returned 0xaf0
[0106.245] GetCurrentThreadId () returned 0xaf0
[0106.245] GetCurrentThreadId () returned 0xaf0
[0106.246] CreateCompatibleDC (hdc=0x0) returned 0x8301060d
[0106.246] GetDC (hWnd=0x0) returned 0xa0100d0
[0106.246] GdipCreateFromHDC (hdc=0xa0100d0, graphics=0x19f02c) returned 0x0
[0106.247] CoTaskMemAlloc (cb=0x5c) returned 0x5638c0
[0106.247] GdipGetLogFontW (font=0x482efc0, graphics=0x5b5f3b8, logfontW=0x5638c0) returned 0x0
[0106.250] CoTaskMemFree (pv=0x5638c0)
[0106.250] CoTaskMemAlloc (cb=0x5c) returned 0x5638c0
[0106.250] CoTaskMemFree (pv=0x5638c0)
[0106.250] CoTaskMemAlloc (cb=0x5c) returned 0x563ac8
[0106.250] CoTaskMemFree (pv=0x563ac8)
[0106.250] GdipDeleteGraphics (graphics=0x5b5f3b8) returned 0x0
[0106.250] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1
[0106.251] CoTaskMemAlloc (cb=0x5c) returned 0x563da0
[0106.251] CreateFontIndirectW (lplf=0x563da0) returned 0x460a054c
[0106.251] CoTaskMemFree (pv=0x563da0)
[0106.251] SelectObject (hdc=0x8301060d, h=0x460a054c) returned 0x18a0048
[0106.251] GetTextMetricsW (in: hdc=0x8301060d, lptm=0x19f138 | out: lptm=0x19f138) returned 1
[0106.251] GetTextExtentPoint32W (in: hdc=0x8301060d, lpString="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ", c=52, psizl=0x22ad778 | out: psizl=0x22ad778) returned 1
[0106.252] SelectObject (hdc=0x8301060d, h=0x18a0048) returned 0x460a054c
[0106.252] DeleteDC (hdc=0x8301060d) returned 1
[0106.252] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.252] AdjustWindowRectEx (in: lpRect=0x19f118, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f118) returned 1
[0106.253] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.253] AdjustWindowRectEx (in: lpRect=0x19ef7c, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19ef7c) returned 1
[0106.253] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.253] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0106.253] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.253] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0106.253] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.253] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0106.254] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.254] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0106.254] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.254] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0106.254] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.254] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0106.254] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.254] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0106.254] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.254] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0106.255] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.255] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0106.255] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.255] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0106.255] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.255] AdjustWindowRectEx (in: lpRect=0x19f118, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f118) returned 1
[0106.255] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.255] AdjustWindowRectEx (in: lpRect=0x19ef7c, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19ef7c) returned 1
[0106.256] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.256] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0106.256] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.256] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0106.256] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.256] AdjustWindowRectEx (in: lpRect=0x19eda4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19eda4) returned 1
[0106.256] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.256] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0106.257] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.257] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0106.257] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.257] AdjustWindowRectEx (in: lpRect=0x19eda4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19eda4) returned 1
[0106.257] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.258] AdjustWindowRectEx (in: lpRect=0x19ee90, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19ee90) returned 1
[0106.258] AdjustWindowRectEx (in: lpRect=0x19f0b0, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19f0b0) returned 1
[0106.259] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.259] AdjustWindowRectEx (in: lpRect=0x19ee08, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19ee08) returned 1
[0106.259] AdjustWindowRectEx (in: lpRect=0x19eee8, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19eee8) returned 1
[0106.259] GetSystemMetrics (nIndex=34) returned 136
[0106.259] GetSystemMetrics (nIndex=35) returned 39
[0106.259] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.259] AdjustWindowRectEx (in: lpRect=0x19f078, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f078) returned 1
[0106.259] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x69b40000
[0106.259] AdjustWindowRectEx (in: lpRect=0x19eedc, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19eedc) returned 1
[0106.356] EtwEventRegister (in: ProviderId=0x22ae1b8, EnableCallback=0x494065e, CallbackContext=0x0, RegHandle=0x22ae194 | out: RegHandle=0x22ae194) returned 0x0
[0106.358] EtwEventSetInformation (RegHandle=0x576708, InformationClass=0x32, EventInformation=0x2, InformationLength=0x22ae128) returned 0x0
[0106.367] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe.config", nBufferLength=0x105, lpBuffer=0x19ea00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe.config", lpFilePart=0x0) returned 0x69
[0106.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19eeb0) returned 1
[0106.369] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19ef2c | out: lpFileInformation=0x19ef2c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0106.369] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19eeac) returned 1
[0107.014] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x19f168 | out: pfEnabled=0x19f168) returned 0x0
[0107.228] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfa00, lpName=0x0) returned 0x2f8
[0107.229] memcpy (in: _Dst=0x2280000, _Src=0x22c0958, _Size=0xfa00 | out: _Dst=0x2280000) returned 0x2280000
[0107.230] CloseHandle (hObject=0x2f8) returned 1
[0154.480] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2e00, lpName=0x0) returned 0x304
[0154.480] memcpy (in: _Dst=0x4a0000, _Src=0x22c8418, _Size=0x2e00 | out: _Dst=0x4a0000) returned 0x4a0000
[0154.481] CloseHandle (hObject=0x304) returned 1
[0154.509] CoTaskMemAlloc (cb=0x20c) returned 0x5868d8
[0154.510] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x5868d8 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25
[0154.510] CoTaskMemFree (pv=0x5868d8)
[0154.511] GetLongPathNameW (in: lpszShortPath="C:\\Users\\RDHJ0C~1\\", lpszLongPath=0x19def8, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\RDhJ0CNFevzX\\") returned 0x16
[0154.514] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x19df0c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x29
[0154.792] GdipLoadImageFromStream (stream=0x4b0030, image=0x19e960) returned 0x0
[0155.214] GdipImageForceValidation (image=0x5b5f3b8) returned 0x0
[0155.225] GdipGetImageType (image=0x5b5f3b8, type=0x19e95c) returned 0x0
[0155.225] GdipGetImageRawFormat (image=0x5b5f3b8, format=0x19e8d0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0
[0155.245] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eee8) returned 0x0
[0155.247] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.247] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.247] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=0, color=0x19eed4) returned 0x0
[0155.249] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.249] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.249] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=1, color=0x19eed4) returned 0x0
[0155.249] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.249] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.249] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=2, color=0x19eed4) returned 0x0
[0155.249] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.249] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.249] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=3, color=0x19eed4) returned 0x0
[0155.249] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.250] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.250] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=4, color=0x19eed4) returned 0x0
[0155.250] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.250] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.250] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=5, color=0x19eed4) returned 0x0
[0155.250] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.250] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.250] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=6, color=0x19eed4) returned 0x0
[0155.250] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.250] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.250] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=7, color=0x19eed4) returned 0x0
[0155.250] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.250] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.250] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=8, color=0x19eed4) returned 0x0
[0155.250] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.250] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.250] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=9, color=0x19eed4) returned 0x0
[0155.250] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.251] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.251] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=10, color=0x19eed4) returned 0x0
[0155.251] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.251] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.251] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=11, color=0x19eed4) returned 0x0
[0155.251] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.251] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.251] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=12, color=0x19eed4) returned 0x0
[0155.251] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.251] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.251] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=13, color=0x19eed4) returned 0x0
[0155.251] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.251] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.251] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=14, color=0x19eed4) returned 0x0
[0155.251] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.251] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.251] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=15, color=0x19eed4) returned 0x0
[0155.251] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.252] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.252] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=16, color=0x19eed4) returned 0x0
[0155.252] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.252] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.252] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=17, color=0x19eed4) returned 0x0
[0155.252] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.252] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.252] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=18, color=0x19eed4) returned 0x0
[0155.252] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.252] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.252] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=19, color=0x19eed4) returned 0x0
[0155.252] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.252] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.252] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=20, color=0x19eed4) returned 0x0
[0155.252] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.252] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.252] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=21, color=0x19eed4) returned 0x0
[0155.252] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.253] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.253] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=22, color=0x19eed4) returned 0x0
[0155.253] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.253] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.253] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=23, color=0x19eed4) returned 0x0
[0155.253] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.253] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.253] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=24, color=0x19eed4) returned 0x0
[0155.253] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.253] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.253] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=25, color=0x19eed4) returned 0x0
[0155.253] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.253] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.253] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=26, color=0x19eed4) returned 0x0
[0155.253] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.253] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.253] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=27, color=0x19eed4) returned 0x0
[0155.253] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.253] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.254] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=28, color=0x19eed4) returned 0x0
[0155.254] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.254] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.254] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=29, color=0x19eed4) returned 0x0
[0155.254] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.254] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.254] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=30, color=0x19eed4) returned 0x0
[0155.254] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.254] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.254] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=31, color=0x19eed4) returned 0x0
[0155.254] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.254] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.254] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=32, color=0x19eed4) returned 0x0
[0155.254] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.254] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.254] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=33, color=0x19eed4) returned 0x0
[0155.254] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.254] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.254] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=34, color=0x19eed4) returned 0x0
[0155.255] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.255] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.255] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=35, color=0x19eed4) returned 0x0
[0155.255] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.255] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.255] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=36, color=0x19eed4) returned 0x0
[0155.255] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.255] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.255] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=37, color=0x19eed4) returned 0x0
[0155.255] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.255] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.255] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=38, color=0x19eed4) returned 0x0
[0155.255] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.255] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.255] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=39, color=0x19eed4) returned 0x0
[0155.255] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.255] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.256] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=40, color=0x19eed4) returned 0x0
[0155.256] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.256] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.256] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=41, color=0x19eed4) returned 0x0
[0155.256] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.256] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.256] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=42, color=0x19eed4) returned 0x0
[0155.256] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.256] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.256] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=43, color=0x19eed4) returned 0x0
[0155.256] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.256] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.256] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=44, color=0x19eed4) returned 0x0
[0155.256] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.256] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.256] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=45, color=0x19eed4) returned 0x0
[0155.256] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.257] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.257] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=46, color=0x19eed4) returned 0x0
[0155.257] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.257] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.257] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=47, color=0x19eed4) returned 0x0
[0155.257] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.257] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.257] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=48, color=0x19eed4) returned 0x0
[0155.257] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.257] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.257] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=49, color=0x19eed4) returned 0x0
[0155.257] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.257] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.257] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=50, color=0x19eed4) returned 0x0
[0155.257] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.257] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.257] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=51, color=0x19eed4) returned 0x0
[0155.257] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.257] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.258] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=52, color=0x19eed4) returned 0x0
[0155.258] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.258] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.258] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=53, color=0x19eed4) returned 0x0
[0155.258] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.258] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.258] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=54, color=0x19eed4) returned 0x0
[0155.258] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.258] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.258] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=55, color=0x19eed4) returned 0x0
[0155.258] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.258] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.258] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=56, color=0x19eed4) returned 0x0
[0155.258] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.258] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.258] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=57, color=0x19eed4) returned 0x0
[0155.259] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.259] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.259] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=58, color=0x19eed4) returned 0x0
[0155.259] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.259] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.259] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=59, color=0x19eed4) returned 0x0
[0155.259] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.259] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.259] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=60, color=0x19eed4) returned 0x0
[0155.259] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.259] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.259] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=61, color=0x19eed4) returned 0x0
[0155.259] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.259] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.259] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=62, color=0x19eed4) returned 0x0
[0155.259] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.259] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.259] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=63, color=0x19eed4) returned 0x0
[0155.260] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.260] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.260] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=64, color=0x19eed4) returned 0x0
[0155.260] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.260] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.260] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=65, color=0x19eed4) returned 0x0
[0155.260] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.260] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.260] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=66, color=0x19eed4) returned 0x0
[0155.260] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.260] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.260] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=67, color=0x19eed4) returned 0x0
[0155.260] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.260] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.260] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=68, color=0x19eed4) returned 0x0
[0155.260] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.260] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.260] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=69, color=0x19eed4) returned 0x0
[0155.260] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.261] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.261] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=70, color=0x19eed4) returned 0x0
[0155.261] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.261] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.261] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=71, color=0x19eed4) returned 0x0
[0155.261] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.261] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.261] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=72, color=0x19eed4) returned 0x0
[0155.261] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.261] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.261] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=73, color=0x19eed4) returned 0x0
[0155.261] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.261] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.261] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=74, color=0x19eed4) returned 0x0
[0155.261] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.261] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.261] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=75, color=0x19eed4) returned 0x0
[0155.262] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.262] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.262] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=76, color=0x19eed4) returned 0x0
[0155.262] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.262] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.262] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=77, color=0x19eed4) returned 0x0
[0155.262] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.262] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.262] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=78, color=0x19eed4) returned 0x0
[0155.262] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.262] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.262] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=79, color=0x19eed4) returned 0x0
[0155.262] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.262] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.262] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=80, color=0x19eed4) returned 0x0
[0155.262] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.262] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.262] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=81, color=0x19eed4) returned 0x0
[0155.262] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.263] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.263] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=82, color=0x19eed4) returned 0x0
[0155.263] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.263] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.263] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=83, color=0x19eed4) returned 0x0
[0155.263] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.263] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.263] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=84, color=0x19eed4) returned 0x0
[0155.263] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.263] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.263] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=85, color=0x19eed4) returned 0x0
[0155.263] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.263] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.263] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=86, color=0x19eed4) returned 0x0
[0155.263] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.263] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.263] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=87, color=0x19eed4) returned 0x0
[0155.263] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.263] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.263] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=88, color=0x19eed4) returned 0x0
[0155.263] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.264] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.264] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=89, color=0x19eed4) returned 0x0
[0155.264] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.264] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.264] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=90, color=0x19eed4) returned 0x0
[0155.264] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.264] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.264] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=91, color=0x19eed4) returned 0x0
[0155.264] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.264] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.264] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=92, color=0x19eed4) returned 0x0
[0155.264] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.264] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.264] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=93, color=0x19eed4) returned 0x0
[0155.264] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.264] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.264] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=94, color=0x19eed4) returned 0x0
[0155.264] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.264] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.264] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=95, color=0x19eed4) returned 0x0
[0155.264] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.264] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.265] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=96, color=0x19eed4) returned 0x0
[0155.265] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.265] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.265] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=97, color=0x19eed4) returned 0x0
[0155.265] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.265] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.265] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=98, color=0x19eed4) returned 0x0
[0155.265] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.265] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.265] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=99, color=0x19eed4) returned 0x0
[0155.265] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.265] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.265] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=100, color=0x19eed4) returned 0x0
[0155.265] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.265] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.265] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=101, color=0x19eed4) returned 0x0
[0155.265] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.265] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.265] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=102, color=0x19eed4) returned 0x0
[0155.265] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.265] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.265] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=103, color=0x19eed4) returned 0x0
[0155.266] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.266] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.266] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=104, color=0x19eed4) returned 0x0
[0155.266] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.266] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.266] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=105, color=0x19eed4) returned 0x0
[0155.266] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.266] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.266] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=106, color=0x19eed4) returned 0x0
[0155.266] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.266] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.266] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=107, color=0x19eed4) returned 0x0
[0155.266] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.266] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.266] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=108, color=0x19eed4) returned 0x0
[0155.266] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.266] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.266] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=109, color=0x19eed4) returned 0x0
[0155.266] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.266] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.266] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=110, color=0x19eed4) returned 0x0
[0155.267] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.267] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.267] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=111, color=0x19eed4) returned 0x0
[0155.267] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.267] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.267] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=112, color=0x19eed4) returned 0x0
[0155.267] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.267] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.267] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=113, color=0x19eed4) returned 0x0
[0155.267] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.267] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.267] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=114, color=0x19eed4) returned 0x0
[0155.267] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.267] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.267] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=115, color=0x19eed4) returned 0x0
[0155.267] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.267] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.267] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=116, color=0x19eed4) returned 0x0
[0155.267] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.267] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.267] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=117, color=0x19eed4) returned 0x0
[0155.267] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.267] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.268] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=118, color=0x19eed4) returned 0x0
[0155.268] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.268] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.268] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=119, color=0x19eed4) returned 0x0
[0155.268] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.268] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.268] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=120, color=0x19eed4) returned 0x0
[0155.268] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.268] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.268] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=121, color=0x19eed4) returned 0x0
[0155.268] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.268] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.268] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=122, color=0x19eed4) returned 0x0
[0155.268] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.268] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.268] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=123, color=0x19eed4) returned 0x0
[0155.268] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.268] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.268] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=124, color=0x19eed4) returned 0x0
[0155.268] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.268] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.268] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=125, color=0x19eed4) returned 0x0
[0155.269] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.269] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.269] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=126, color=0x19eed4) returned 0x0
[0155.269] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.269] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.269] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=127, color=0x19eed4) returned 0x0
[0155.269] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.269] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.269] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=128, color=0x19eed4) returned 0x0
[0155.269] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.269] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.269] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=129, color=0x19eed4) returned 0x0
[0155.269] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.269] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.269] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=130, color=0x19eed4) returned 0x0
[0155.269] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.269] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.269] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=131, color=0x19eed4) returned 0x0
[0155.269] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.269] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.269] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=132, color=0x19eed4) returned 0x0
[0155.269] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.269] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.270] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=133, color=0x19eed4) returned 0x0
[0155.270] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.270] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.270] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=134, color=0x19eed4) returned 0x0
[0155.270] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.270] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.270] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=135, color=0x19eed4) returned 0x0
[0155.270] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.270] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.270] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=136, color=0x19eed4) returned 0x0
[0155.270] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.270] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.270] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=137, color=0x19eed4) returned 0x0
[0155.270] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.271] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.271] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=138, color=0x19eed4) returned 0x0
[0155.271] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.271] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.271] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=139, color=0x19eed4) returned 0x0
[0155.271] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.271] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.271] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=140, color=0x19eed4) returned 0x0
[0155.271] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.271] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.271] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=141, color=0x19eed4) returned 0x0
[0155.271] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.271] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.271] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=142, color=0x19eed4) returned 0x0
[0155.271] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.271] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.271] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=143, color=0x19eed4) returned 0x0
[0155.271] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.271] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.271] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=144, color=0x19eed4) returned 0x0
[0155.271] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.271] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.271] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=145, color=0x19eed4) returned 0x0
[0155.272] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.272] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.272] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=146, color=0x19eed4) returned 0x0
[0155.272] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.272] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.272] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=147, color=0x19eed4) returned 0x0
[0155.272] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.272] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.272] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=148, color=0x19eed4) returned 0x0
[0155.272] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.272] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.272] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=149, color=0x19eed4) returned 0x0
[0155.272] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.272] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.272] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=150, color=0x19eed4) returned 0x0
[0155.272] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.272] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.272] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=151, color=0x19eed4) returned 0x0
[0155.272] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.272] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.272] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=152, color=0x19eed4) returned 0x0
[0155.272] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.273] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.273] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=153, color=0x19eed4) returned 0x0
[0155.273] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.273] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.273] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=154, color=0x19eed4) returned 0x0
[0155.273] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.273] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.273] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=155, color=0x19eed4) returned 0x0
[0155.273] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.273] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.273] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=156, color=0x19eed4) returned 0x0
[0155.273] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.273] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.273] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=157, color=0x19eed4) returned 0x0
[0155.273] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.273] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.273] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=158, color=0x19eed4) returned 0x0
[0155.273] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.273] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.273] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=159, color=0x19eed4) returned 0x0
[0155.274] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.274] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.274] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=160, color=0x19eed4) returned 0x0
[0155.274] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.274] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.274] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=161, color=0x19eed4) returned 0x0
[0155.274] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.274] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.274] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=162, color=0x19eed4) returned 0x0
[0155.274] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.274] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.274] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=163, color=0x19eed4) returned 0x0
[0155.274] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.274] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.274] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=164, color=0x19eed4) returned 0x0
[0155.274] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.274] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.274] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=165, color=0x19eed4) returned 0x0
[0155.274] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.274] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.274] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=166, color=0x19eed4) returned 0x0
[0155.274] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.275] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.275] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=167, color=0x19eed4) returned 0x0
[0155.275] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.275] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.275] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=168, color=0x19eed4) returned 0x0
[0155.275] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.275] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.275] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=169, color=0x19eed4) returned 0x0
[0155.275] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.275] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.275] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=170, color=0x19eed4) returned 0x0
[0155.275] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.275] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.275] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=171, color=0x19eed4) returned 0x0
[0155.275] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.275] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.275] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=172, color=0x19eed4) returned 0x0
[0155.275] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.275] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.275] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=173, color=0x19eed4) returned 0x0
[0155.275] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.275] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.276] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=174, color=0x19eed4) returned 0x0
[0155.276] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.276] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.276] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=175, color=0x19eed4) returned 0x0
[0155.276] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.276] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.276] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=176, color=0x19eed4) returned 0x0
[0155.276] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.276] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.276] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=177, color=0x19eed4) returned 0x0
[0155.276] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.276] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.276] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=178, color=0x19eed4) returned 0x0
[0155.276] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.276] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.276] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=179, color=0x19eed4) returned 0x0
[0155.276] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.276] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.276] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=180, color=0x19eed4) returned 0x0
[0155.276] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.276] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.276] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=181, color=0x19eed4) returned 0x0
[0155.277] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.277] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.277] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=182, color=0x19eed4) returned 0x0
[0155.277] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.277] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.277] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=183, color=0x19eed4) returned 0x0
[0155.277] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.277] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.277] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=184, color=0x19eed4) returned 0x0
[0155.277] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.277] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.277] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=185, color=0x19eed4) returned 0x0
[0155.277] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.277] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.277] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=186, color=0x19eed4) returned 0x0
[0155.277] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.277] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.277] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=187, color=0x19eed4) returned 0x0
[0155.277] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.277] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.277] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=188, color=0x19eed4) returned 0x0
[0155.278] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.278] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.278] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=189, color=0x19eed4) returned 0x0
[0155.278] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.278] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.278] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=190, color=0x19eed4) returned 0x0
[0155.278] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.278] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.278] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=191, color=0x19eed4) returned 0x0
[0155.278] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.278] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.278] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=192, color=0x19eed4) returned 0x0
[0155.278] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.278] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.278] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=193, color=0x19eed4) returned 0x0
[0155.278] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.278] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.278] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=194, color=0x19eed4) returned 0x0
[0155.278] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.278] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.279] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=195, color=0x19eed4) returned 0x0
[0155.279] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.279] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.279] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=196, color=0x19eed4) returned 0x0
[0155.279] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.279] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.279] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=197, color=0x19eed4) returned 0x0
[0155.279] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.279] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.279] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=198, color=0x19eed4) returned 0x0
[0155.279] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.279] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.279] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=199, color=0x19eed4) returned 0x0
[0155.279] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.279] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.279] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=200, color=0x19eed4) returned 0x0
[0155.279] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.279] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.279] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=201, color=0x19eed4) returned 0x0
[0155.279] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.279] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.279] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=202, color=0x19eed4) returned 0x0
[0155.279] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.280] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.280] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=203, color=0x19eed4) returned 0x0
[0155.280] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.280] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.280] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=204, color=0x19eed4) returned 0x0
[0155.280] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.280] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.280] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=205, color=0x19eed4) returned 0x0
[0155.280] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.280] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.280] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=206, color=0x19eed4) returned 0x0
[0155.280] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.280] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.280] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=207, color=0x19eed4) returned 0x0
[0155.280] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.280] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.280] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=208, color=0x19eed4) returned 0x0
[0155.280] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.280] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.280] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=209, color=0x19eed4) returned 0x0
[0155.280] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.280] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.280] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=210, color=0x19eed4) returned 0x0
[0155.281] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.281] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.281] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=211, color=0x19eed4) returned 0x0
[0155.281] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.281] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.281] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=212, color=0x19eed4) returned 0x0
[0155.281] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.281] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.281] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=213, color=0x19eed4) returned 0x0
[0155.281] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.281] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.281] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=214, color=0x19eed4) returned 0x0
[0155.281] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.281] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.281] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=215, color=0x19eed4) returned 0x0
[0155.281] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.281] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.281] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=216, color=0x19eed4) returned 0x0
[0155.281] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.281] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.281] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=217, color=0x19eed4) returned 0x0
[0155.281] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.281] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.281] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=218, color=0x19eed4) returned 0x0
[0155.282] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.282] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.282] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=219, color=0x19eed4) returned 0x0
[0155.282] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.282] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.282] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=220, color=0x19eed4) returned 0x0
[0155.282] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.282] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.282] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=221, color=0x19eed4) returned 0x0
[0155.282] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.282] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.282] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=222, color=0x19eed4) returned 0x0
[0155.282] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.282] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.282] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=223, color=0x19eed4) returned 0x0
[0155.282] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.282] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.282] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=224, color=0x19eed4) returned 0x0
[0155.282] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.282] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.282] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=225, color=0x19eed4) returned 0x0
[0155.282] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.282] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.283] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=226, color=0x19eed4) returned 0x0
[0155.283] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.283] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.283] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=227, color=0x19eed4) returned 0x0
[0155.283] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.283] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.283] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=228, color=0x19eed4) returned 0x0
[0155.283] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.283] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.283] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=229, color=0x19eed4) returned 0x0
[0155.283] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.283] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.283] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=230, color=0x19eed4) returned 0x0
[0155.283] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.283] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.283] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=231, color=0x19eed4) returned 0x0
[0155.283] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.283] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.283] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=232, color=0x19eed4) returned 0x0
[0155.283] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.283] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.283] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=233, color=0x19eed4) returned 0x0
[0155.284] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.284] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.284] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=234, color=0x19eed4) returned 0x0
[0155.284] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.284] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.284] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=235, color=0x19eed4) returned 0x0
[0155.284] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.284] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.284] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=236, color=0x19eed4) returned 0x0
[0155.284] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.284] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.284] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=237, color=0x19eed4) returned 0x0
[0155.284] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.284] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.284] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=238, color=0x19eed4) returned 0x0
[0155.284] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.284] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.284] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=239, color=0x19eed4) returned 0x0
[0155.284] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.284] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.284] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=240, color=0x19eed4) returned 0x0
[0155.284] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.284] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.284] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=241, color=0x19eed4) returned 0x0
[0155.285] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.285] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.285] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=242, color=0x19eed4) returned 0x0
[0155.285] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.285] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.285] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=243, color=0x19eed4) returned 0x0
[0155.285] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.285] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.285] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=244, color=0x19eed4) returned 0x0
[0155.285] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.285] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.285] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=245, color=0x19eed4) returned 0x0
[0155.285] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.285] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.285] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=246, color=0x19eed4) returned 0x0
[0155.285] GdipGetImageWidth (image=0x5b5f3b8, width=0x19eec4) returned 0x0
[0155.285] GdipGetImageHeight (image=0x5b5f3b8, height=0x19eec4) returned 0x0
[0155.285] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=247, color=0x19eed4) returned 0x0
[0155.285] GdipBitmapGetPixel (bitmap=0x5b5f3b8, x=0, y=248, color=0x19eed4) returned 0x0
# Analyst note: an anonymous, pagefile-backed section (hFile=0xffffffff, flProtect=0x4 = PAGE_READWRITE)
# of 0x5b400 bytes is created, a buffer of the same size is copied to 0xa150000, and the section
# handle is closed again.
# NOTE(review): this immediately follows the pixel-by-pixel GdipBitmapGetPixel loop above, so the
# copied buffer is presumably data decoded from that bitmap; the trace does not show its content.
# The pattern is consistent with an in-memory module load - confirm against a dump of the region
# at 0xa150000 rather than from this log alone.
[0155.386] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5b400, lpName=0x0) returned 0x2fc
[0155.387] memcpy (in: _Dst=0xa150000, _Src=0x3c591e0, _Size=0x5b400 | out: _Dst=0xa150000) returned 0xa150000
[0155.389] CloseHandle (hObject=0x2fc) returned 1
# Analyst note: run-time API resolution. For every function the module name and the export name are
# converted from UTF-16 to ANSI (WideCharToMultiByte), the module is loaded by name (LoadLibraryA)
# and the address is fetched with GetProcAddress.
# Resolved in this run, in order: ResumeThread, Wow64SetThreadContext, SetThreadContext,
# Wow64GetThreadContext, GetThreadContext, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory
# (all kernel32), ZwUnmapViewOfSection (ntdll), CreateProcessA (kernel32).
# NOTE(review): this set matches the API footprint of process hollowing (MITRE ATT&CK T1055.012).
# Only the lookups are visible in this part of the trace, not the calls themselves - check the
# following events for a child process created suspended and for cross-process memory writes
# before treating injection as confirmed.
# NOTE(review): resolving by name at run time presumably keeps these functions out of the static
# import table, so import-based static triage of the sample may not list them.
# kernel32!ResumeThread
[0158.748] CoTaskMemAlloc (cb=0xd) returned 0x57a0e0
[0158.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2478064, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0158.749] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0158.749] CoTaskMemFree (pv=0x57a0e0)
[0158.756] CoTaskMemAlloc (cb=0x11) returned 0x56edf8
[0158.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ResumeThread", cchWideChar=12, lpMultiByteStr=0x24783a0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ResumeThread", lpUsedDefaultChar=0x0) returned 12
[0158.757] GetProcAddress (hModule=0x76720000, lpProcName="ResumeThread") returned 0x7673a800
[0158.757] CoTaskMemFree (pv=0x56edf8)
# kernel32!Wow64SetThreadContext
[0158.776] CoTaskMemAlloc (cb=0xd) returned 0x57a128
[0158.776] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2478b78, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0158.776] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0158.777] CoTaskMemFree (pv=0x57a128)
[0158.777] CoTaskMemAlloc (cb=0x1a) returned 0x5874f0
[0158.777] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Wow64SetThreadContext", cchWideChar=21, lpMultiByteStr=0x2478bb0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wow64SetThreadContext", lpUsedDefaultChar=0x0) returned 21
[0158.777] GetProcAddress (hModule=0x76720000, lpProcName="Wow64SetThreadContext") returned 0x76763e60
[0158.778] CoTaskMemFree (pv=0x5874f0)
# kernel32!SetThreadContext
[0158.786] CoTaskMemAlloc (cb=0xd) returned 0x57a050
[0158.786] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2478c7c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0158.786] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0158.787] CoTaskMemFree (pv=0x57a050)
[0158.787] CoTaskMemAlloc (cb=0x15) returned 0x56edf8
[0158.787] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SetThreadContext", cchWideChar=16, lpMultiByteStr=0x2478cb4, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetThreadContext", lpUsedDefaultChar=0x0) returned 16
[0158.787] GetProcAddress (hModule=0x76720000, lpProcName="SetThreadContext") returned 0x76762490
[0158.787] CoTaskMemFree (pv=0x56edf8)
# kernel32!Wow64GetThreadContext
[0158.790] CoTaskMemAlloc (cb=0xd) returned 0x57a098
[0158.790] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2478d7c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0158.790] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0158.790] CoTaskMemFree (pv=0x57a098)
[0158.790] CoTaskMemAlloc (cb=0x1a) returned 0x5874f0
[0158.790] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Wow64GetThreadContext", cchWideChar=21, lpMultiByteStr=0x2478db4, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wow64GetThreadContext", lpUsedDefaultChar=0x0) returned 21
[0158.791] GetProcAddress (hModule=0x76720000, lpProcName="Wow64GetThreadContext") returned 0x76763e30
[0158.791] CoTaskMemFree (pv=0x5874f0)
# kernel32!GetThreadContext
[0158.794] CoTaskMemAlloc (cb=0xd) returned 0x57a068
[0158.794] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2478e80, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0158.794] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0158.794] CoTaskMemFree (pv=0x57a068)
[0158.794] CoTaskMemAlloc (cb=0x15) returned 0x56f0d8
[0158.794] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetThreadContext", cchWideChar=16, lpMultiByteStr=0x2478eb8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThreadContext", lpUsedDefaultChar=0x0) returned 16
[0158.794] GetProcAddress (hModule=0x76720000, lpProcName="GetThreadContext") returned 0x7673ec60
[0158.795] CoTaskMemFree (pv=0x56f0d8)
# kernel32!VirtualAllocEx
[0158.797] CoTaskMemAlloc (cb=0xd) returned 0x579fc0
[0158.797] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2478f74, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0158.797] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0158.797] CoTaskMemFree (pv=0x579fc0)
[0158.797] CoTaskMemAlloc (cb=0x13) returned 0x56edf8
[0158.798] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VirtualAllocEx", cchWideChar=14, lpMultiByteStr=0x2478fac, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VirtualAllocEx", lpUsedDefaultChar=0x0) returned 14
[0158.798] GetProcAddress (hModule=0x76720000, lpProcName="VirtualAllocEx") returned 0x76762730
[0158.798] CoTaskMemFree (pv=0x56edf8)
# kernel32!WriteProcessMemory
[0158.804] CoTaskMemAlloc (cb=0xd) returned 0x579ff0
[0158.804] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2479068, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0158.804] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0158.805] CoTaskMemFree (pv=0x579ff0)
[0158.805] CoTaskMemAlloc (cb=0x17) returned 0x56ee38
[0158.805] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WriteProcessMemory", cchWideChar=18, lpMultiByteStr=0x24790a0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WriteProcessMemory", lpUsedDefaultChar=0x0) returned 18
[0158.805] GetProcAddress (hModule=0x76720000, lpProcName="WriteProcessMemory") returned 0x76762850
[0158.805] CoTaskMemFree (pv=0x56ee38)
# kernel32!ReadProcessMemory
[0158.817] CoTaskMemAlloc (cb=0xd) returned 0x57a170
[0158.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2479164, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0158.817] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0158.817] CoTaskMemFree (pv=0x57a170)
[0158.817] CoTaskMemAlloc (cb=0x16) returned 0x56edf8
[0158.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ReadProcessMemory", cchWideChar=17, lpMultiByteStr=0x247919c, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReadProcessMemory", lpUsedDefaultChar=0x0) returned 17
[0158.817] GetProcAddress (hModule=0x76720000, lpProcName="ReadProcessMemory") returned 0x76761c80
[0158.818] CoTaskMemFree (pv=0x56edf8)
# ntdll!ZwUnmapViewOfSection
[0158.823] CoTaskMemAlloc (cb=0xa) returned 0x57a128
[0158.823] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ntdll", cchWideChar=5, lpMultiByteStr=0x247925c, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ntdll", lpUsedDefaultChar=0x0) returned 5
[0158.824] LoadLibraryA (lpLibFileName="ntdll") returned 0x771d0000
[0158.824] CoTaskMemFree (pv=0x57a128)
[0158.824] CoTaskMemAlloc (cb=0x19) returned 0x5874f0
[0158.824] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ZwUnmapViewOfSection", cchWideChar=20, lpMultiByteStr=0x2479288, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZwUnmapViewOfSection", lpUsedDefaultChar=0x0) returned 20
[0158.824] GetProcAddress (hModule=0x771d0000, lpProcName="ZwUnmapViewOfSection") returned 0x77246f40
[0158.824] CoTaskMemFree (pv=0x5874f0)
# kernel32!CreateProcessA
[0158.828] CoTaskMemAlloc (cb=0xd) returned 0x579ff0
[0158.828] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x2479350, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0158.828] LoadLibraryA (lpLibFileName="kernel32") returned 0x76720000
[0158.828] CoTaskMemFree (pv=0x579ff0)
[0158.828] CoTaskMemAlloc (cb=0x13) returned 0x56f0d8
[0158.829] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CreateProcessA", cchWideChar=14, lpMultiByteStr=0x2479388, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateProcessA", lpUsedDefaultChar=0x0) returned 14
[0158.829] GetProcAddress (hModule=0x76720000, lpProcName="CreateProcessA") returned 0x76760750
[0158.829] CoTaskMemFree (pv=0x56f0d8)
# Analyst note: self-copy to the user profile. The sample resolves its own path and the roaming
# application-data folder (SHGetFolderPathW, csidl=26 = CSIDL_APPDATA), finds that
# ZgolgcKGNozdg.exe is not there yet (GetFileAttributesExW returned 0 with an all-zero structure),
# and copies its own image to that name (CopyFileW, bFailIfExists=1, returned 1).
# SetFileAttributesW then applies 0x2007 = READONLY | HIDDEN | SYSTEM | NOT_CONTENT_INDEXED, which
# keeps the copy out of default Explorer views and out of the content index.
# NOTE(review): SetNamedSecurityInfoW at [0164.323] is logged without arguments and returned 0x2
# (ERROR_FILE_NOT_FOUND); presumably it targeted the copy before it existed - confirm.
# Hunting pivots grounded in this run: an executable created directly in AppData\Roaming by a
# process running from the Desktop, followed by hidden+system attributes being set on it.
[0158.896] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe", nBufferLength=0x105, lpBuffer=0x19e43c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe", lpFilePart=0x0) returned 0x62
[0164.236] CoTaskMemAlloc (cb=0x20c) returned 0x786ba70
[0164.236] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x786ba70 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0
[0164.242] CoTaskMemFree (pv=0x786ba70)
[0164.242] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x19e434, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpFilePart=0x0) returned 0x25
[0164.276] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", nBufferLength=0x105, lpBuffer=0x19e4b4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", lpFilePart=0x0) returned 0x37
[0164.276] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19e95c) returned 1
[0164.276] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\zgolgckgnozdg.exe"), fInfoLevelId=0x0, lpFileInformation=0x19e9d8 | out: lpFileInformation=0x19e9d8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0164.277] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19e958) returned 1
[0164.296] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", nBufferLength=0x105, lpBuffer=0x19e434, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", lpFilePart=0x0) returned 0x37
[0164.317] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", nBufferLength=0x105, lpBuffer=0x19e434, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", lpFilePart=0x0) returned 0x37
[0164.323] SetNamedSecurityInfoW () returned 0x2
[0164.692] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe", nBufferLength=0x105, lpBuffer=0x19e46c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe", lpFilePart=0x0) returned 0x62
[0164.692] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", nBufferLength=0x105, lpBuffer=0x19e46c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", lpFilePart=0x0) returned 0x37
[0164.692] CopyFileW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\zgolgckgnozdg.exe"), bFailIfExists=1) returned 1
[0165.959] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", nBufferLength=0x105, lpBuffer=0x19e414, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", lpFilePart=0x0) returned 0x37
[0165.965] GetUserNameW (in: lpBuffer=0x19e6f4, pcbBuffer=0x19e96c | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x19e96c) returned 1
[0165.982] SetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", dwFileAttributes=0x2007) returned 1
# Analyst note: nine identical LsaOpenPolicy / LsaLookupNames2 / LsaClose rounds translate the
# account name "RDhJ0CNFevzX" (returned by GetUserNameW at [0165.965]) into a SID; the policy
# handle is opened with DesiredAccess=0x800 (POLICY_LOOKUP_NAMES) each time.
# The run ends by resolving the path of the copy in AppData\Roaming and calling
# SetNamedSecurityInfoW, which this time returns 0x0 (success).
# NOTE(review): the monitor logs no arguments for SetNamedSecurityInfoW, so the object and the
# access-control entries that were changed cannot be read from this trace. Presumably the
# repeated SID lookups build per-user entries for the ACL of the copied file - confirm by
# reading the file's DACL on the analysis image.
[0165.996] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e77c, DesiredAccess=0x800, PolicyHandle=0x19e73c | out: PolicyHandle=0x19e73c) returned 0x0
[0165.998] CoTaskMemAlloc (cb=0x8) returned 0x59a140
[0165.999] CoTaskMemAlloc (cb=0x1a) returned 0x5b3558
[0165.999] LsaLookupNames2 (in: PolicyHandle=0x56eef8, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e750, Sids=0x19e744 | out: ReferencedDomains=0x19e750, Sids=0x19e744) returned 0x0
[0166.003] CoTaskMemFree (pv=0x5b3558)
[0166.003] CoTaskMemFree (pv=0x59a140)
[0166.013] LsaClose (ObjectHandle=0x56eef8) returned 0x0
[0166.015] LsaFreeMemory (Buffer=0x5ada18) returned 0x0
[0166.015] LsaFreeMemory (Buffer=0x5b2198) returned 0x0
[0166.015] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e77c, DesiredAccess=0x800, PolicyHandle=0x19e73c | out: PolicyHandle=0x19e73c) returned 0x0
[0166.016] CoTaskMemAlloc (cb=0x8) returned 0x59a0e0
[0166.016] CoTaskMemAlloc (cb=0x1a) returned 0x5b3508
[0166.016] LsaLookupNames2 (in: PolicyHandle=0x56f0d8, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e750, Sids=0x19e744 | out: ReferencedDomains=0x19e750, Sids=0x19e744) returned 0x0
[0166.016] CoTaskMemFree (pv=0x5b3508)
[0166.016] CoTaskMemFree (pv=0x59a0e0)
[0166.017] LsaClose (ObjectHandle=0x56f0d8) returned 0x0
[0166.017] LsaFreeMemory (Buffer=0x5ad948) returned 0x0
[0166.017] LsaFreeMemory (Buffer=0x5b25b8) returned 0x0
[0166.021] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e77c, DesiredAccess=0x800, PolicyHandle=0x19e73c | out: PolicyHandle=0x19e73c) returned 0x0
[0166.021] CoTaskMemAlloc (cb=0x8) returned 0x59a1c0
[0166.021] CoTaskMemAlloc (cb=0x1a) returned 0x5b3850
[0166.021] LsaLookupNames2 (in: PolicyHandle=0x56f0d8, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e750, Sids=0x19e744 | out: ReferencedDomains=0x19e750, Sids=0x19e744) returned 0x0
[0166.022] CoTaskMemFree (pv=0x5b3850)
[0166.022] CoTaskMemFree (pv=0x59a1c0)
[0166.022] LsaClose (ObjectHandle=0x56f0d8) returned 0x0
[0166.022] LsaFreeMemory (Buffer=0x5ad128) returned 0x0
[0166.022] LsaFreeMemory (Buffer=0x5b2140) returned 0x0
[0166.022] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e77c, DesiredAccess=0x800, PolicyHandle=0x19e73c | out: PolicyHandle=0x19e73c) returned 0x0
[0166.023] CoTaskMemAlloc (cb=0x8) returned 0x59a1a0
[0166.023] CoTaskMemAlloc (cb=0x1a) returned 0x5b34e0
[0166.023] LsaLookupNames2 (in: PolicyHandle=0x56eef8, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e750, Sids=0x19e744 | out: ReferencedDomains=0x19e750, Sids=0x19e744) returned 0x0
[0166.024] CoTaskMemFree (pv=0x5b34e0)
[0166.024] CoTaskMemFree (pv=0x59a1a0)
[0166.024] LsaClose (ObjectHandle=0x56eef8) returned 0x0
[0166.024] LsaFreeMemory (Buffer=0x5ada18) returned 0x0
[0166.024] LsaFreeMemory (Buffer=0x5b2820) returned 0x0
[0166.024] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e77c, DesiredAccess=0x800, PolicyHandle=0x19e73c | out: PolicyHandle=0x19e73c) returned 0x0
[0166.025] CoTaskMemAlloc (cb=0x8) returned 0x59a100
[0166.025] CoTaskMemAlloc (cb=0x1a) returned 0x5b3850
[0166.025] LsaLookupNames2 (in: PolicyHandle=0x56efd8, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e750, Sids=0x19e744 | out: ReferencedDomains=0x19e750, Sids=0x19e744) returned 0x0
[0166.025] CoTaskMemFree (pv=0x5b3850)
[0166.025] CoTaskMemFree (pv=0x59a100)
[0166.025] LsaClose (ObjectHandle=0x56efd8) returned 0x0
[0166.026] LsaFreeMemory (Buffer=0x5ad468) returned 0x0
[0166.026] LsaFreeMemory (Buffer=0x5b2980) returned 0x0
[0166.026] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e77c, DesiredAccess=0x800, PolicyHandle=0x19e73c | out: PolicyHandle=0x19e73c) returned 0x0
[0166.026] CoTaskMemAlloc (cb=0x8) returned 0x59a220
[0166.026] CoTaskMemAlloc (cb=0x1a) returned 0x5b3918
[0166.026] LsaLookupNames2 (in: PolicyHandle=0x56eef8, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e750, Sids=0x19e744 | out: ReferencedDomains=0x19e750, Sids=0x19e744) returned 0x0
[0166.027] CoTaskMemFree (pv=0x5b3918)
[0166.027] CoTaskMemFree (pv=0x59a220)
[0166.027] LsaClose (ObjectHandle=0x56eef8) returned 0x0
[0166.027] LsaFreeMemory (Buffer=0x5ad2c8) returned 0x0
[0166.027] LsaFreeMemory (Buffer=0x5b22f8) returned 0x0
[0166.027] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e77c, DesiredAccess=0x800, PolicyHandle=0x19e73c | out: PolicyHandle=0x19e73c) returned 0x0
[0166.028] CoTaskMemAlloc (cb=0x8) returned 0x59a090
[0166.028] CoTaskMemAlloc (cb=0x1a) returned 0x5b34e0
[0166.028] LsaLookupNames2 (in: PolicyHandle=0x56eef8, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e750, Sids=0x19e744 | out: ReferencedDomains=0x19e750, Sids=0x19e744) returned 0x0
[0166.028] CoTaskMemFree (pv=0x5b34e0)
[0166.028] CoTaskMemFree (pv=0x59a090)
[0166.029] LsaClose (ObjectHandle=0x56eef8) returned 0x0
[0166.029] LsaFreeMemory (Buffer=0x5ad810) returned 0x0
[0166.029] LsaFreeMemory (Buffer=0x5b28d0) returned 0x0
[0166.029] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e77c, DesiredAccess=0x800, PolicyHandle=0x19e73c | out: PolicyHandle=0x19e73c) returned 0x0
[0166.029] CoTaskMemAlloc (cb=0x8) returned 0x59a1a0
[0166.029] CoTaskMemAlloc (cb=0x1a) returned 0x5b3508
[0166.029] LsaLookupNames2 (in: PolicyHandle=0x56efd8, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e750, Sids=0x19e744 | out: ReferencedDomains=0x19e750, Sids=0x19e744) returned 0x0
[0166.030] CoTaskMemFree (pv=0x5b3508)
[0166.030] CoTaskMemFree (pv=0x59a1a0)
[0166.030] LsaClose (ObjectHandle=0x56efd8) returned 0x0
[0166.030] LsaFreeMemory (Buffer=0x5ad330) returned 0x0
[0166.030] LsaFreeMemory (Buffer=0x5b2668) returned 0x0
[0166.030] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e77c, DesiredAccess=0x800, PolicyHandle=0x19e73c | out: PolicyHandle=0x19e73c) returned 0x0
[0166.031] CoTaskMemAlloc (cb=0x8) returned 0x59a070
[0166.031] CoTaskMemAlloc (cb=0x1a) returned 0x5b3670
[0166.031] LsaLookupNames2 (in: PolicyHandle=0x56eef8, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e750, Sids=0x19e744 | out: ReferencedDomains=0x19e750, Sids=0x19e744) returned 0x0
[0166.032] CoTaskMemFree (pv=0x5b3670)
[0166.032] CoTaskMemFree (pv=0x59a070)
[0166.032] LsaClose (ObjectHandle=0x56eef8) returned 0x0
[0166.032] LsaFreeMemory (Buffer=0x5ad398) returned 0x0
[0166.032] LsaFreeMemory (Buffer=0x5b2878) returned 0x0
[0166.032] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", nBufferLength=0x105, lpBuffer=0x19e414, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe", lpFilePart=0x0) returned 0x37
[0166.032] SetNamedSecurityInfoW () returned 0x0
# Analyst note: group-membership check followed by an antivirus exclusion.
# The process opens its own token, queries TokenInformationClass=0x8 (TokenType, 4 bytes),
# duplicates it as an impersonation token (TokenType=0x2) and calls CheckTokenMembership with a
# SID under authority 5 whose first sub-authority is 0x20 (the BUILTIN domain).
# NOTE(review): the second sub-authority is logged as 0x0, so the exact group cannot be read
# from this line; presumably this is a check for BUILTIN\Administrators, which the process
# header lists among os_groups - confirm.
[0166.116] GetCurrentProcess () returned 0xffffffff
[0166.116] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19e848 | out: TokenHandle=0x19e848*=0x3c4) returned 1
[0166.127] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19e840 | out: TokenInformation=0x0, ReturnLength=0x19e840) returned 0
[0166.127] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x59a240
[0166.127] GetTokenInformation (in: TokenHandle=0x3c4, TokenInformationClass=0x8, TokenInformation=0x59a240, TokenInformationLength=0x4, ReturnLength=0x19e840 | out: TokenInformation=0x59a240, ReturnLength=0x19e840) returned 1
[0166.128] LocalFree (hMem=0x59a240) returned 0x0
[0166.128] DuplicateTokenEx (in: hExistingToken=0x3c4, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x19e848 | out: phNewToken=0x19e848*=0x3c8) returned 1
[0166.129] CheckTokenMembership (in: TokenHandle=0x3c8, SidToCheck=0x22ed5dc*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x19e858 | out: IsMember=0x19e858) returned 1
[0166.129] CloseHandle (hObject=0x3c8) returned 1
[0166.408] LocalAlloc (uFlags=0x0, uBytes=0x16) returned 0x56efd8
[0166.408] LocalAlloc (uFlags=0x0, uBytes=0xb4) returned 0x598998
# Defense evasion (MITRE ATT&CK T1562.001): PowerShell is started with a hidden window (nShow=0)
# to add the dropped copy to the Microsoft Defender exclusion list (Add-MpPreference -ExclusionPath).
# The call succeeded (returned 1, hProcess=0x508). Detection pivots: process-creation telemetry
# for powershell with "Add-MpPreference -ExclusionPath" on the command line, and Defender
# configuration-change events (event ID 5007 in the Windows Defender operational log).
[0166.411] ShellExecuteExW (in: pExecInfo=0x22f6bc0*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Add-MpPreference -ExclusionPath \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe\"", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x22f6bc0*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Add-MpPreference -ExclusionPath \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe\"", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x508)) returned 1
[0170.454] LocalFree (hMem=0x56efd8) returned 0x0
[0170.454] LocalFree (hMem=0x598998) returned 0x0
# Analyst note: persistence through a scheduled task (MITRE ATT&CK T1053.005).
# Sequence visible in this run:
#   1. the token user is queried (TokenInformationClass=0x1 = TokenUser) and a SID under
#      S-1-5-21 is resolved to a name with LsaLookupSids;
#   2. a temp file name is obtained (GetTempFileNameW -> tmp95DB.tmp), the file is created for
#      writing (dwDesiredAccess=0x40000000, dwCreationDisposition=0x2) and 0x641 bytes are written;
#   3. schtasks.exe is started with a hidden window (nShow=0) to register the task
#      "Updates\ZgolgcKGNozdg" from that XML file;
#   4. the sample waits on the schtasks process handle (0x4f4 duplicated to 0x48c, infinite
#      timeout) and deletes the XML once the wait returns.
# NOTE(review): the XML content is not in the trace, so the task's trigger and action are not
# visible here; presumably the action launches the copy in AppData\Roaming - confirm from the
# registered task definition, since the temp file is gone after [0187.645].
# Detection pivots: process creation of schtasks.exe with "/Create ... /XML" pointing into a
# user Temp directory, and task-registration events (Security 4698, TaskScheduler/Operational 106).
[0170.468] GetCurrentProcess () returned 0xffffffff
[0170.469] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19e8e0 | out: TokenHandle=0x19e8e0*=0x3cc) returned 1
[0170.473] GetCurrentProcess () returned 0xffffffff
[0170.474] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19e8b0 | out: TokenHandle=0x19e8b0*=0x3dc) returned 1
[0170.475] GetTokenInformation (in: TokenHandle=0x3cc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19e8e4 | out: TokenInformation=0x0, ReturnLength=0x19e8e4) returned 0
[0170.475] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x789c9d8
[0170.476] GetTokenInformation (in: TokenHandle=0x3cc, TokenInformationClass=0x1, TokenInformation=0x789c9d8, TokenInformationLength=0x24, ReturnLength=0x19e8e4 | out: TokenInformation=0x789c9d8, ReturnLength=0x19e8e4) returned 1
[0170.477] LocalFree (hMem=0x789c9d8) returned 0x0
[0170.479] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e800, DesiredAccess=0x800, PolicyHandle=0x19e7c0 | out: PolicyHandle=0x19e7c0) returned 0x0
[0170.481] LsaLookupSids (in: PolicyHandle=0x788e9d0, Count=0x1, Sids=0x22f6eb0*=0x22f6e54*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), ReferencedDomains=0x19e7dc, Names=0x19e7d0 | out: ReferencedDomains=0x19e7dc, Names=0x19e7d0) returned 0x0
[0170.483] LsaClose (ObjectHandle=0x788e9d0) returned 0x0
[0170.483] LsaFreeMemory (Buffer=0x5ad330) returned 0x0
[0170.483] LsaFreeMemory (Buffer=0x7892b00) returned 0x0
[0170.484] CoTaskMemAlloc (cb=0x20c) returned 0x788f978
[0170.484] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x788f978 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25
[0170.484] CoTaskMemFree (pv=0x788f978)
[0170.484] GetLongPathNameW (in: lpszShortPath="C:\\Users\\RDHJ0C~1\\", lpszLongPath=0x19e3dc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\RDhJ0CNFevzX\\") returned 0x16
[0170.485] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x19e3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x29
[0170.486] CoTaskMemAlloc (cb=0x20c) returned 0x788f978
[0170.486] GetTempFileNameW (in: lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpPrefixString="tmp", uUnique=0x0, lpTempFileName=0x788f978 | out: lpTempFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmp95db.tmp")) returned 0x95db
[0170.525] CoTaskMemFree (pv=0x788f978)
[0170.548] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp", nBufferLength=0x105, lpBuffer=0x19e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp", lpFilePart=0x0) returned 0x34
[0170.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19e7d8) returned 1
[0170.548] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmp95db.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x3e4
[0170.549] GetFileType (hFile=0x3e4) returned 0x1
[0170.549] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19e7d4) returned 1
[0170.549] GetFileType (hFile=0x3e4) returned 0x1
[0170.550] WriteFile (in: hFile=0x3e4, lpBuffer=0x22fb48c*, nNumberOfBytesToWrite=0x641, lpNumberOfBytesWritten=0x19e864, lpOverlapped=0x0 | out: lpBuffer=0x22fb48c*, lpNumberOfBytesWritten=0x19e864*=0x641, lpOverlapped=0x0) returned 1
[0170.552] CloseHandle (hObject=0x3e4) returned 1
[0170.569] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x788dd00
[0170.569] LocalAlloc (uFlags=0x0, uBytes=0xc0) returned 0x5b4190
[0170.569] ShellExecuteExW (in: pExecInfo=0x22fcd38*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="schtasks.exe", lpParameters="/Create /TN \"Updates\\ZgolgcKGNozdg\" /XML \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp\"", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x22fcd38*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="schtasks.exe", lpParameters="/Create /TN \"Updates\\ZgolgcKGNozdg\" /XML \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp\"", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x4f4)) returned 1
[0174.543] LocalFree (hMem=0x788dd00) returned 0x0
[0174.544] LocalFree (hMem=0x5b4190) returned 0x0
[0174.565] GetCurrentProcess () returned 0xffffffff
[0174.565] GetCurrentProcess () returned 0xffffffff
[0174.565] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x4f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19e8c8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19e8c8*=0x48c) returned 1
[0174.567] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x19e8c0*=0x48c, lpdwindex=0x19e6dc | out: lpdwindex=0x19e6dc) returned 0x0
[0187.644] CloseHandle (hObject=0x48c) returned 1
[0187.644] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp", nBufferLength=0x105, lpBuffer=0x19e400, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp", lpFilePart=0x0) returned 0x34
[0187.645] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmp95db.tmp")) returned 1
[0188.035] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfa00, lpName=0x0) returned 0x48c
[0188.035] memcpy (in: _Dst=0x920000, _Src=0x23597b4, _Size=0xfa00 | out: _Dst=0x920000) returned 0x920000
[0188.036] CloseHandle (hObject=0x48c) returned 1
[0188.218] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe", nBufferLength=0x105, lpBuffer=0x19e354, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe", lpFilePart=0x0) returned 0x62
[0188.234] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x19ddec, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e
[0188.337] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe", cchWideChar=98, lpMultiByteStr=0x19e5a4, cbMultiByte=100, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe
", lpUsedDefaultChar=0x0) returned 98
[0188.337] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x19e5a0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="<\x18
", lpUsedDefaultChar=0x0) returned 0
[0188.338] CreateProcessA (in: lpApplicationName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe", lpCommandLine="", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000004, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19e664*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19e9a8 | out: lpCommandLine="", lpProcessInformation=0x19e9a8*(hProcess=0x3d0, hThread=0x48c, dwProcessId=0xb50, dwThreadId=0xa88)) returned 1
[0188.392] CoTaskMemFree (pv=0x0)
[0188.549] GetThreadContext (in: hThread=0x48c, lpContext=0x2385fcc | out: lpContext=0x2385fcc*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x322000, Edx=0x0, Ecx=0x0, Eax=0x49b6ae, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, 
[62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, 
[247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, 
[428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1
# Analyst note: process hollowing (MITRE ATT&CK T1055.012) of the child created by the preceding
# CreateProcessA call (hProcess=0x3d0, dwProcessId=0xb50). dwCreationFlags=0x8000004 there includes
# CREATE_SUSPENDED (0x4), and lpApplicationName is the sample's own image, so the sample hollows a copy of itself.
# 0x322008 is Ebx+8 from the GetThreadContext output (Ebx=0x322000); for a suspended 32-bit process this is
# presumably the PEB image-base field, so the 4-byte read fetches the current image base.
[0188.550] ReadProcessMemory (in: hProcess=0x3d0, lpBaseAddress=0x322008, lpBuffer=0x19e998, nSize=0x4, lpNumberOfBytesRead=0x19e9dc | out: lpBuffer=0x19e998*, lpNumberOfBytesRead=0x19e9dc*=0x4) returned 1
# The view mapped at 0x400000 in the child is unmapped (returned 0x0 = success) ...
[0188.550] NtUnmapViewOfSection (ProcessHandle=0x3d0, BaseAddress=0x400000) returned 0x0
# ... and replaced by a 0x12000-byte allocation at the same address: flAllocationType=0x3000
# (MEM_COMMIT|MEM_RESERVE), flProtect=0x40 (PAGE_EXECUTE_READWRITE).
[0188.562] VirtualAllocEx (hProcess=0x3d0, lpAddress=0x400000, dwSize=0x12000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000
# Four writes populate the new image: 0x200 bytes at the base (likely the PE headers), then 0xb200, 0x800
# and 0x200 bytes at 0x402000, 0x40e000 and 0x410000 (likely the sections). Buffer contents are not logged.
[0188.563] WriteProcessMemory (in: hProcess=0x3d0, lpBaseAddress=0x400000, lpBuffer=0x2377fe8*, nSize=0x200, lpNumberOfBytesWritten=0x19e9dc | out: lpBuffer=0x2377fe8*, lpNumberOfBytesWritten=0x19e9dc*=0x200) returned 1
[0188.575] WriteProcessMemory (in: hProcess=0x3d0, lpBaseAddress=0x402000, lpBuffer=0x2386930*, nSize=0xb200, lpNumberOfBytesWritten=0x19e9dc | out: lpBuffer=0x2386930*, lpNumberOfBytesWritten=0x19e9dc*=0xb200) returned 1
[0188.609] WriteProcessMemory (in: hProcess=0x3d0, lpBaseAddress=0x40e000, lpBuffer=0x23920d8*, nSize=0x800, lpNumberOfBytesWritten=0x19e9dc | out: lpBuffer=0x23920d8*, lpNumberOfBytesWritten=0x19e9dc*=0x800) returned 1
[0188.613] WriteProcessMemory (in: hProcess=0x3d0, lpBaseAddress=0x410000, lpBuffer=0x23928e4*, nSize=0x200, lpNumberOfBytesWritten=0x19e9dc | out: lpBuffer=0x23928e4*, lpNumberOfBytesWritten=0x19e9dc*=0x200) returned 1
# The last 4-byte write goes back to 0x322008, the address read at the start of the sequence. The
# SetThreadContext call that follows changes Eax from 0x49b6ae to 0x40d08e before ResumeThread runs the child.
# Detection: a suspended child that receives NtUnmapViewOfSection, an RWX VirtualAllocEx and WriteProcessMemory
# from its parent; afterwards the in-memory image of PID 0xb50 no longer matches the file on disk.
[0188.619] WriteProcessMemory (in: hProcess=0x3d0, lpBaseAddress=0x322008, lpBuffer=0x2392df0*, nSize=0x4, lpNumberOfBytesWritten=0x19e9dc | out: lpBuffer=0x2392df0*, lpNumberOfBytesWritten=0x19e9dc*=0x4) returned 1
[0188.622] SetThreadContext (hThread=0x48c, lpContext=0x2385fcc*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x322000, Edx=0x0, Ecx=0x0, Eax=0x40d08e, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, 
[65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, 
[250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, 
[431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1
[0188.624] ResumeThread (hThread=0x48c) returned 0x1
[0188.712] CoGetContextToken (in: pToken=0x19ee00 | out: pToken=0x19ee00) returned 0x0
[0188.712] CObjectContext::QueryInterface () returned 0x0
[0188.712] CObjectContext::GetCurrentThreadType () returned 0x0
[0188.713] Release () returned 0x3
[0188.713] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x13880, cHandles=0x1, pHandles=0x5183c8*=0x14c, lpdwindex=0x19eca4 | out: lpdwindex=0x19eca4) returned 0x0
Thread:
id = 2
os_tid = 0xc60
Thread:
id = 3
os_tid = 0x10e4
Thread:
id = 4
os_tid = 0x10a8
[0092.667] CoGetContextToken (in: pToken=0x439fc74 | out: pToken=0x439fc74) returned 0x800401f0
[0092.667] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0092.668] RoInitialize () returned 0x1
[0092.668] RoUninitialize () returned 0x0
[0188.751] SetWindowLongW (hWnd=0x70298, nIndex=-4, dwNewLong=1944586208) returned 76809702
[0188.752] SetClassLongW (hWnd=0x70298, nIndex=-24, dwNewLong=1944586208) returned 0x49405be
[0188.752] PostMessageW (hWnd=0x70298, Msg=0x10, wParam=0x0, lParam=0x0) returned 1
[0188.753] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0188.753] UnregisterClassW (lpClassName="WindowsForms10.Window.8.app.0.141b42a_r10_ad1", hInstance=0x400000) returned 0
[0188.756] IsWindow (hWnd=0x50276) returned 1
[0188.759] GetModuleHandleW (lpModuleName="user32.dll") returned 0x743d0000
[0188.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x439fa14, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcWUm\x93±°ö(ú\ro\x98ü9\x04\x01", lpUsedDefaultChar=0x0) returned 14
[0188.759] GetProcAddress (hModule=0x743d0000, lpProcName="DefWindowProcW") returned 0x73e807e0
[0188.759] SetWindowLongW (hWnd=0x50276, nIndex=-4, dwNewLong=1944586208) returned 76809782
[0188.760] SetClassLongW (hWnd=0x50276, nIndex=-24, dwNewLong=1944586208) returned 0x4940636
[0188.760] IsWindow (hWnd=0x50276) returned 1
[0188.760] DestroyWindow (hWnd=0x50276) returned 0
[0188.760] PostMessageW (hWnd=0x50276, Msg=0x10, wParam=0x0, lParam=0x0) returned 1
[0188.760] SetConsoleCtrlHandler (HandlerRoutine=0x494060e, Add=0) returned 1
[0188.761] EtwEventUnregister (RegHandle=0x576708) returned 0x0
[0188.769] DeleteObject (ho=0x460a054c) returned 1
[0188.779] CloseHandle (hObject=0x298) returned 1
[0188.784] DeleteObject (ho=0x4d0a0986) returned 1
[0188.784] GdipDeleteFont (font=0x482efc0) returned 0x0
[0188.785] GdipDeleteFont (font=0x5b5b080) returned 0x0
[0188.786] GetCurrentObject (hdc=0x4801090d, type=0x6) returned 0x380a06cc
[0188.786] SelectObject (hdc=0x4801090d, h=0x18a0048) returned 0x380a06cc
[0188.786] DeleteObject (ho=0x380a06cc) returned 1
[0188.786] DeleteDC (hdc=0x4801090d) returned 1
[0188.787] RestoreDC (hdc=0x0, nSavedDC=-1) returned 0
[0188.788] GdipDeleteFont (font=0x4821f08) returned 0x0
[0188.789] GdipDisposeImage (image=0x5b5f3b8) returned 0x0
[0188.802] CloseHandle (hObject=0x3dc) returned 1
[0188.803] CloseHandle (hObject=0x3cc) returned 1
[0188.803] CloseHandle (hObject=0x3c4) returned 1
[0188.805] CloseHandle (hObject=0x508) returned 1
[0188.808] CloseHandle (hObject=0x4f4) returned 1
[0188.808] RegCloseKey (hKey=0x80000004) returned 0x0
Thread:
id = 5
os_tid = 0x10dc
Thread:
id = 6
os_tid = 0x108c
[0127.774] CoGetContextToken (in: pToken=0x795fd0c | out: pToken=0x795fd0c) returned 0x0
[0127.775] CObjectContext::QueryInterface () returned 0x0
[0127.775] CObjectContext::GetCurrentThreadType () returned 0x0
[0127.775] Release () returned 0x0
Thread:
id = 7
os_tid = 0x109c
Thread:
id = 8
os_tid = 0xac4
Thread:
id = 9
os_tid = 0x12f0
Thread:
id = 10
os_tid = 0x12f4
Thread:
id = 11
os_tid = 0x12ec
Thread:
id = 12
os_tid = 0x1334
Thread:
id = 13
os_tid = 0x1330
Thread:
id = 106
os_tid = 0xb84
# Analyst note: child of the analysis target (parent_id = "1", os_parent_pid = 0xc28). PowerShell is used
# to add a Microsoft Defender exclusion (MITRE ATT&CK T1562.001, Impair Defenses).
Process:
id = "2"
image_name = "powershell.exe"
# The image is the SysWOW64 binary although cmd_line names System32: consistent with WOW64 file-system
# redirection for a 32-bit parent (bitness = "32").
filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe"
page_root = "0x111d6000"
os_pid = "0x132c"
# 0x3000 is the high mandatory integrity level; Add-MpPreference needs administrative rights, so the
# exclusion was probably accepted. This record does not show the cmdlet's result - confirm on the host.
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0xc28"
# Add-MpPreference -ExclusionPath excludes %APPDATA%\ZgolgcKGNozdg.exe from Defender scanning. The base name
# matches the scheduled task "Updates\ZgolgcKGNozdg" registered by process 1 via schtasks.exe; the write of
# that file is not visible in this part of the log.
# Detection: Defender records configuration changes as event 5007 in its Operational log; compare the
# current exclusion list (Get-MpPreference) against the approved baseline.
cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Add-MpPreference -ExclusionPath \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 549
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 550
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 551
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 552
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 553
start_va = 0xa0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 554
start_va = 0xe0000
end_va = 0xe3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 555
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 556
start_va = 0x100000
end_va = 0x101fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 557
start_va = 0x330000
end_va = 0x3a0fff
monitored = 0
entry_point = 0x339c00
region_type = mapped_file
name = "powershell.exe"
filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")
Region:
id = 558
start_va = 0x3b0000
end_va = 0x43affff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000003b0000"
filename = ""
Region:
id = 559
start_va = 0x4400000
end_va = 0x45fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004400000"
filename = ""
Region:
id = 560
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 561
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 562
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 563
start_va = 0x7fff0000
end_va = 0x7dfa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 564
start_va = 0x7dfa16770000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007dfa16770000"
filename = ""
Region:
id = 565
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 566
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 567
start_va = 0x110000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 568
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 569
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 570
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 571
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 572
start_va = 0x4600000
end_va = 0x482ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004600000"
filename = ""
Region:
id = 573
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 574
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 575
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 576
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 772
start_va = 0x190000
end_va = 0x24dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 773
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 774
start_va = 0x76600000
end_va = 0x7667afff
monitored = 0
entry_point = 0x7661e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 775
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 776
start_va = 0x110000
end_va = 0x14ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 777
start_va = 0x180000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000180000"
filename = ""
Region:
id = 778
start_va = 0x250000
end_va = 0x28ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000250000"
filename = ""
Region:
id = 779
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 780
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 781
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 782
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 783
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 784
start_va = 0x74dc0000
end_va = 0x74eaafff
monitored = 0
entry_point = 0x74dfd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 785
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 786
start_va = 0x74ab0000
end_va = 0x74bfefff
monitored = 0
entry_point = 0x74b66820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 788
start_va = 0x743d0000
end_va = 0x74516fff
monitored = 0
entry_point = 0x743e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 789
start_va = 0x68ef0000
end_va = 0x68f07fff
monitored = 0
entry_point = 0x68ef4820
region_type = mapped_file
name = "atl.dll"
filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")
Region:
id = 790
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 791
start_va = 0x6f850000
end_va = 0x6f8a8fff
monitored = 1
entry_point = 0x6f860780
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 792
start_va = 0x4600000
end_va = 0x46fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004600000"
filename = ""
Region:
id = 793
start_va = 0x4730000
end_va = 0x482ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004730000"
filename = ""
Region:
id = 794
start_va = 0x150000
end_va = 0x179fff
monitored = 0
entry_point = 0x155680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 795
start_va = 0x4830000
end_va = 0x49b7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004830000"
filename = ""
Region:
id = 796
start_va = 0x741b0000
end_va = 0x741dafff
monitored = 0
entry_point = 0x741b5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 797
start_va = 0x30000
end_va = 0x32fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "powershell.exe.mui"
filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui")
Region:
id = 798
start_va = 0x49c0000
end_va = 0x4b40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000049c0000"
filename = ""
Region:
id = 799
start_va = 0x4b50000
end_va = 0x5f4ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004b50000"
filename = ""
Region:
id = 802
start_va = 0x150000
end_va = 0x150fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 803
start_va = 0x160000
end_va = 0x160fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000160000"
filename = ""
Region:
id = 804
start_va = 0x5f50000
end_va = 0x611ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005f50000"
filename = ""
Region:
id = 815
start_va = 0x6f7d0000
end_va = 0x6f84cfff
monitored = 1
entry_point = 0x6f7e0db0
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 1179
start_va = 0x76d00000
end_va = 0x76d44fff
monitored = 0
entry_point = 0x76d1de90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 1180
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 1181
start_va = 0x6f7c0000
end_va = 0x6f7c7fff
monitored = 0
entry_point = 0x6f7c17b0
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 1182
start_va = 0x6f0d0000
end_va = 0x6f7b0fff
monitored = 1
entry_point = 0x6f0fcd70
region_type = mapped_file
name = "clr.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll")
Region:
id = 1183
start_va = 0x6efd0000
end_va = 0x6f0c4fff
monitored = 0
entry_point = 0x6f024160
region_type = mapped_file
name = "msvcr120_clr0400.dll"
filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll")
Region:
id = 1184
start_va = 0x170000
end_va = 0x170fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000170000"
filename = ""
Region:
id = 1185
start_va = 0x290000
end_va = 0x29ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000290000"
filename = ""
Region:
id = 1186
start_va = 0x2a0000
end_va = 0x2affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002a0000"
filename = ""
Region:
id = 1187
start_va = 0x2b0000
end_va = 0x2bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002b0000"
filename = ""
Region:
id = 1188
start_va = 0x2c0000
end_va = 0x2cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002c0000"
filename = ""
Region:
id = 1189
start_va = 0x2d0000
end_va = 0x2dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002d0000"
filename = ""
Region:
id = 1190
start_va = 0x2e0000
end_va = 0x2effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002e0000"
filename = ""
Region:
id = 1191
start_va = 0x2f0000
end_va = 0x2f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000002f0000"
filename = ""
Region:
id = 1192
start_va = 0x300000
end_va = 0x300fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000300000"
filename = ""
Region:
id = 1193
start_va = 0x43b0000
end_va = 0x43fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000043b0000"
filename = ""
Region:
id = 1194
start_va = 0x6120000
end_va = 0x630ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006120000"
filename = ""
Region:
id = 1195
start_va = 0x43b0000
end_va = 0x43effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000043b0000"
filename = ""
Region:
id = 1196
start_va = 0x43f0000
end_va = 0x43fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000043f0000"
filename = ""
Region:
id = 1197
start_va = 0x4600000
end_va = 0x463ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004600000"
filename = ""
Region:
id = 1198
start_va = 0x46f0000
end_va = 0x46fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000046f0000"
filename = ""
Region:
id = 1199
start_va = 0x310000
end_va = 0x31ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000310000"
filename = ""
Region:
id = 1200
start_va = 0x6310000
end_va = 0x830ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006310000"
filename = ""
Region:
id = 1201
start_va = 0x310000
end_va = 0x32ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000310000"
filename = ""
Region:
id = 1202
start_va = 0x4640000
end_va = 0x467ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004640000"
filename = ""
Region:
id = 1203
start_va = 0x4680000
end_va = 0x46bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004680000"
filename = ""
Region:
id = 1224
start_va = 0x8310000
end_va = 0x8646fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1225
start_va = 0x6dd10000
end_va = 0x6efc1fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorlib.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll")
Region:
id = 1231
start_va = 0x5f50000
end_va = 0x610ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005f50000"
filename = ""
Region:
id = 1232
start_va = 0x6110000
end_va = 0x611ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006110000"
filename = ""
Region:
id = 1256
start_va = 0x46c0000
end_va = 0x46cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000046c0000"
filename = ""
Region:
id = 1328
start_va = 0x6d2c0000
end_va = 0x6dc8bfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\1be7a15b1f33bf22e4f53aaf45518c77\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\1be7a15b1f33bf22e4f53aaf45518c77\\system.ni.dll")
Region:
id = 1329
start_va = 0x6cb90000
end_va = 0x6d2b0fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.core.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\eb4cca4f06a15158c3f7e2c56516729b\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\eb4cca4f06a15158c3f7e2c56516729b\\system.core.ni.dll")
Region:
id = 1330
start_va = 0x6cb00000
end_va = 0x6cb82fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "microsoft.powershell.consolehost.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Pb378ec07#\\c3373939e7c94b541b901780981fd0cc\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.pb378ec07#\\c3373939e7c94b541b901780981fd0cc\\microsoft.powershell.consolehost.ni.dll")
Region:
id = 1331
start_va = 0x710b0000
end_va = 0x710c2fff
monitored = 0
entry_point = 0x710b9950
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 1332
start_va = 0x72bf0000
end_va = 0x72c1efff
monitored = 0
entry_point = 0x72c095e0
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1333
start_va = 0x713f0000
end_va = 0x7140afff
monitored = 0
entry_point = 0x713f9050
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 1334
start_va = 0x6b240000
end_va = 0x6caf5fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.management.automation.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Manaa57fc8cc#\\ac360ee7d819131e00d9de15ca78e746\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.manaa57fc8cc#\\ac360ee7d819131e00d9de15ca78e746\\system.management.automation.ni.dll")
Region:
id = 1340
start_va = 0x5f50000
end_va = 0x5fb1fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorrc.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll")
Region:
id = 1341
start_va = 0x6100000
end_va = 0x610ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006100000"
filename = ""
Region:
id = 1347
start_va = 0x46d0000
end_va = 0x46d4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll"
filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll")
Region:
id = 1348
start_va = 0x46e0000
end_va = 0x46effff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui")
Region:
id = 1350
start_va = 0x764d0000
end_va = 0x764d5fff
monitored = 0
entry_point = 0x764d1460
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll")
Region:
id = 1359
start_va = 0x5fc0000
end_va = 0x60bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005fc0000"
filename = ""
Region:
id = 1419
start_va = 0x6b1f0000
end_va = 0x6b234fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.numerics.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Numerics\\d3d95e1e349be37505587e7fee918881\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.numerics\\d3d95e1e349be37505587e7fee918881\\system.numerics.ni.dll")
Region:
id = 1427
start_va = 0x4700000
end_va = 0x470ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004700000"
filename = ""
Region:
id = 1570
start_va = 0x6dc90000
end_va = 0x6dd09fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "microsoft.management.infrastructure.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Mf49f6405#\\5edeb849552a1a53cfc131825d3f494c\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.mf49f6405#\\5edeb849552a1a53cfc131825d3f494c\\microsoft.management.infrastructure.ni.dll")
Region:
id = 1595
start_va = 0x6aad0000
end_va = 0x6b1edfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.xml.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\4fbda26d781323081b45526da6e87b35\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\4fbda26d781323081b45526da6e87b35\\system.xml.ni.dll")
Region:
id = 1605
start_va = 0x4710000
end_va = 0x471ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004710000"
filename = ""
Region:
id = 1607
start_va = 0x6a9b0000
end_va = 0x6aaccfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.directoryservices.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Dired13b18a9#\\883582fb4e073bf0dfad214569e4200f\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.dired13b18a9#\\883582fb4e073bf0dfad214569e4200f\\system.directoryservices.ni.dll")
Region:
id = 1619
start_va = 0x6a890000
end_va = 0x6a9acfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.management.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\98d3949f9ba1a384939805aa5e47e933\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\98d3949f9ba1a384939805aa5e47e933\\system.management.ni.dll")
Region:
id = 1658
start_va = 0x4720000
end_va = 0x472ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004720000"
filename = ""
Region:
id = 1678
start_va = 0x60c0000
end_va = 0x60cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000060c0000"
filename = ""
Region:
id = 1704
start_va = 0x60d0000
end_va = 0x60dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000060d0000"
filename = ""
Region:
id = 1737
start_va = 0x60e0000
end_va = 0x60effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000060e0000"
filename = ""
Region:
id = 1743
start_va = 0x60f0000
end_va = 0x60fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000060f0000"
filename = ""
Region:
id = 1744
start_va = 0x6120000
end_va = 0x612ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006120000"
filename = ""
Region:
id = 1745
start_va = 0x6300000
end_va = 0x630ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006300000"
filename = ""
Region:
id = 1746
start_va = 0x6130000
end_va = 0x613ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006130000"
filename = ""
Region:
id = 1747
start_va = 0x6140000
end_va = 0x614ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006140000"
filename = ""
Region:
id = 1748
start_va = 0x6150000
end_va = 0x615ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006150000"
filename = ""
Region:
id = 1749
start_va = 0x6160000
end_va = 0x616ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006160000"
filename = ""
Region:
id = 1853
start_va = 0x698c0000
end_va = 0x698e5fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.configuration.install.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Confe64a9051#\\7041183596eb9139825f660851fe74d6\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.confe64a9051#\\7041183596eb9139825f660851fe74d6\\system.configuration.install.ni.dll")
Region:
id = 1856
start_va = 0x69680000
end_va = 0x6972efff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.transactions.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Transactions\\69b67a0435275c1ec53e3bdf64a063b1\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.transactions\\69b67a0435275c1ec53e3bdf64a063b1\\system.transactions.ni.dll")
Region:
id = 1885
start_va = 0x69590000
end_va = 0x695dafff
monitored = 1
entry_point = 0x695af8c2
region_type = mapped_file
name = "system.transactions.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll")
Region:
id = 1895
start_va = 0x6170000
end_va = 0x61bbfff
monitored = 1
entry_point = 0x618f8c2
region_type = mapped_file
name = "system.transactions.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll")
Region:
id = 1915
start_va = 0x6170000
end_va = 0x61affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006170000"
filename = ""
Region:
id = 1916
start_va = 0x61b0000
end_va = 0x61effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000061b0000"
filename = ""
Region:
id = 1917
start_va = 0x61f0000
end_va = 0x622ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000061f0000"
filename = ""
Region:
id = 1918
start_va = 0x6230000
end_va = 0x626ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006230000"
filename = ""
Region:
id = 1919
start_va = 0x6a880000
end_va = 0x6a884fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.diagnostics.tracing.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Diagd2d95910#\\737ac56ec9db6bce361220a8f94ac81e\\System.Diagnostics.Tracing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.diagd2d95910#\\737ac56ec9db6bce361220a8f94ac81e\\system.diagnostics.tracing.ni.dll")
Region:
id = 1920
start_va = 0x74eb0000
end_va = 0x762aefff
monitored = 0
entry_point = 0x7506b990
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 1921
start_va = 0x76800000
end_va = 0x76836fff
monitored = 0
entry_point = 0x76803b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 1922
start_va = 0x745b0000
end_va = 0x74aa8fff
monitored = 0
entry_point = 0x747b7610
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll")
Region:
id = 1923
start_va = 0x74520000
end_va = 0x745acfff
monitored = 0
entry_point = 0x74569b90
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll")
Region:
id = 1924
start_va = 0x76470000
end_va = 0x764b3fff
monitored = 0
entry_point = 0x76477410
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll")
Region:
id = 1925
start_va = 0x73f20000
end_va = 0x73f2efff
monitored = 0
entry_point = 0x73f22e40
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 1926
start_va = 0x6270000
end_va = 0x6270fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006270000"
filename = ""
Region:
id = 1927
start_va = 0x6280000
end_va = 0x6280fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll")
Region:
id = 1928
start_va = 0x6280000
end_va = 0x6288fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui")
Region:
id = 1929
start_va = 0x6280000
end_va = 0x6280fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll")
Region:
id = 1930
start_va = 0x6280000
end_va = 0x6288fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui")
Region:
id = 1931
start_va = 0x6280000
end_va = 0x6280fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll")
Region:
id = 1932
start_va = 0x6280000
end_va = 0x6288fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui")
Region:
id = 1933
start_va = 0x6280000
end_va = 0x62bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006280000"
filename = ""
Region:
id = 1934
start_va = 0x62c0000
end_va = 0x62fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000062c0000"
filename = ""
Region:
id = 1935
start_va = 0x8650000
end_va = 0x868ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008650000"
filename = ""
Region:
id = 1936
start_va = 0x8690000
end_va = 0x86cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008690000"
filename = ""
Region:
id = 1937
start_va = 0x698f0000
end_va = 0x6996ffff
monitored = 1
entry_point = 0x698f1180
region_type = mapped_file
name = "clrjit.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll")
Region:
id = 1938
start_va = 0x86d0000
end_va = 0x86dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000086d0000"
filename = ""
Region:
id = 1939
start_va = 0x86e0000
end_va = 0x86effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000086e0000"
filename = ""
Region:
id = 1940
start_va = 0x693d0000
end_va = 0x6941ffff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "microsoft.powershell.security.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.P6f792626#\\d7df9e4e7fe889394ed2e9e37a85dc1b\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.p6f792626#\\d7df9e4e7fe889394ed2e9e37a85dc1b\\microsoft.powershell.security.ni.dll")
Region:
id = 1941
start_va = 0x86f0000
end_va = 0x86fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000086f0000"
filename = ""
Region:
id = 1942
start_va = 0x72b50000
end_va = 0x72b59fff
monitored = 0
entry_point = 0x72b53200
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll")
Region:
id = 1943
start_va = 0x8700000
end_va = 0x877ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008700000"
filename = ""
Region:
id = 1944
start_va = 0x8780000
end_va = 0x878ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008780000"
filename = ""
Region:
id = 1945
start_va = 0x8790000
end_va = 0x879ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008790000"
filename = ""
Region:
id = 1946
start_va = 0x87a0000
end_va = 0x87affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000087a0000"
filename = ""
Region:
id = 1947
start_va = 0x692d0000
end_va = 0x693c0fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.configuration.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\fe4b221b4109f0c78f57a792500699b5\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.configuration\\fe4b221b4109f0c78f57a792500699b5\\system.configuration.ni.dll")
Region:
id = 1948
start_va = 0x692c0000
end_va = 0x692c9fff
monitored = 0
entry_point = 0x692c2420
region_type = mapped_file
name = "wldp.dll"
filename = "\\Windows\\SysWOW64\\wldp.dll" (normalized: "c:\\windows\\syswow64\\wldp.dll")
Region:
id = 1949
start_va = 0x73f90000
end_va = 0x74107fff
monitored = 0
entry_point = 0x73fe8a90
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll")
Region:
id = 1950
start_va = 0x764c0000
end_va = 0x764cdfff
monitored = 0
entry_point = 0x764c5410
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll")
Region:
id = 1951
start_va = 0x74c00000
end_va = 0x74c41fff
monitored = 0
entry_point = 0x74c16f10
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll")
Region:
id = 1952
start_va = 0x87b0000
end_va = 0x87effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000087b0000"
filename = ""
Region:
id = 1953
start_va = 0x87f0000
end_va = 0x882ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000087f0000"
filename = ""
Region:
id = 1954
start_va = 0x8830000
end_va = 0x883ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008830000"
filename = ""
Region:
id = 1955
start_va = 0x8840000
end_va = 0x8850fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000008840000"
filename = ""
Region:
id = 1956
start_va = 0x8860000
end_va = 0x8863fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "certificate.format.ps1xml"
filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\certificate.format.ps1xml")
Region:
id = 1957
start_va = 0x8860000
end_va = 0x889ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008860000"
filename = ""
Region:
id = 1958
start_va = 0x88a0000
end_va = 0x88dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000088a0000"
filename = ""
Region:
id = 1959
start_va = 0x88e0000
end_va = 0x89dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000088e0000"
filename = ""
Region:
id = 1960
start_va = 0x89e0000
end_va = 0x8bdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000089e0000"
filename = ""
Region:
id = 1961
start_va = 0x692a0000
end_va = 0x692befff
monitored = 0
entry_point = 0x692a8a90
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\SysWOW64\\gpapi.dll" (normalized: "c:\\windows\\syswow64\\gpapi.dll")
Region:
id = 1962
start_va = 0x8be0000
end_va = 0x8be9fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "crypt32.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui")
Region:
id = 1963
start_va = 0x8bf0000
end_va = 0x8bf3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "certificate.format.ps1xml"
filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\certificate.format.ps1xml")
Region:
id = 1965
start_va = 0x8bf0000
end_va = 0x8c17fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "遑"
filename = "遑" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\遑")
Thread:
id = 14
os_tid = 0x1320
Thread:
id = 25
os_tid = 0x45c
Thread:
id = 103
os_tid = 0x39c
Thread:
id = 104
os_tid = 0x38c
Thread:
id = 138
os_tid = 0xc14
Thread:
id = 139
os_tid = 0xc18
Thread:
id = 140
os_tid = 0xc3c
Thread:
id = 141
os_tid = 0xc40
Thread:
id = 142
os_tid = 0xc44
Thread:
id = 143
os_tid = 0x5b4
Process:
id = "3"
image_name = "conhost.exe"
filename = "c:\\windows\\system32\\conhost.exe"
page_root = "0x14aa3000"
os_pid = "0x1328"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "2"
os_parent_pid = "0x132c"
cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
cur_dir = "C:\\Windows"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 595
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 596
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 597
start_va = 0x50000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 598
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 599
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 600
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 601
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 602
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 603
start_va = 0x7ff637930000
end_va = 0x7ff637940fff
monitored = 0
entry_point = 0x7ff6379316b0
region_type = mapped_file
name = "conhost.exe"
filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")
Region:
id = 604
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 605
start_va = 0x600000
end_va = 0x86ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 606
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 607
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 608
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 609
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 610
start_va = 0x90000
end_va = 0x14dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 611
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 612
start_va = 0x150000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 613
start_va = 0x870000
end_va = 0x9effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000870000"
filename = ""
Region:
id = 614
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 615
start_va = 0x7ffa0a430000
end_va = 0x7ffa0a488fff
monitored = 0
entry_point = 0x7ffa0a43fbf0
region_type = mapped_file
name = "conhostv2.dll"
filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")
Region:
id = 616
start_va = 0x190000
end_va = 0x190fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 617
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 618
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 619
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 620
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 621
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 622
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001a0000"
filename = ""
Region:
id = 623
start_va = 0x7ffa13b70000
end_va = 0x7ffa13cb2fff
monitored = 0
entry_point = 0x7ffa13b98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 624
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 625
start_va = 0x7ffa141e0000
end_va = 0x7ffa1421afff
monitored = 0
entry_point = 0x7ffa141e12f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 627
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 628
start_va = 0x7ffa11220000
end_va = 0x7ffa113a5fff
monitored = 0
entry_point = 0x7ffa1126d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 661
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 662
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 663
start_va = 0x9f0000
end_va = 0xb77fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000009f0000"
filename = ""
Region:
id = 664
start_va = 0xb80000
end_va = 0xd00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b80000"
filename = ""
Region:
id = 665
start_va = 0xd10000
end_va = 0x210ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000d10000"
filename = ""
Region:
id = 666
start_va = 0x600000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 667
start_va = 0x770000
end_va = 0x86ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000770000"
filename = ""
Region:
id = 680
start_va = 0x600000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 681
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 682
start_va = 0x7ffa15210000
end_va = 0x7ffa1676efff
monitored = 0
entry_point = 0x7ffa153711f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 690
start_va = 0x7ffa13390000
end_va = 0x7ffa133d2fff
monitored = 0
entry_point = 0x7ffa133a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 691
start_va = 0x7ffa13520000
end_va = 0x7ffa13b63fff
monitored = 0
entry_point = 0x7ffa136e64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 699
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 700
start_va = 0x7ffa14ba0000
end_va = 0x7ffa14bf1fff
monitored = 0
entry_point = 0x7ffa14baf530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 701
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 704
start_va = 0x7ffa12e80000
end_va = 0x7ffa12f34fff
monitored = 0
entry_point = 0x7ffa12ec22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 705
start_va = 0x7ffa12dc0000
end_va = 0x7ffa12e0afff
monitored = 0
entry_point = 0x7ffa12dc35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 706
start_va = 0x7ffa12d90000
end_va = 0x7ffa12da3fff
monitored = 0
entry_point = 0x7ffa12d952e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 707
start_va = 0x7ffa11710000
end_va = 0x7ffa117a5fff
monitored = 0
entry_point = 0x7ffa11735570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 712
start_va = 0x2110000
end_va = 0x228ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002110000"
filename = ""
Region:
id = 718
start_va = 0x2290000
end_va = 0x25c6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 719
start_va = 0x650000
end_va = 0x74ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000650000"
filename = ""
Region:
id = 720
start_va = 0x25d0000
end_va = 0x27cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000025d0000"
filename = ""
Region:
id = 723
start_va = 0x870000
end_va = 0x8affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000870000"
filename = ""
Region:
id = 724
start_va = 0x9e0000
end_va = 0x9effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000009e0000"
filename = ""
Region:
id = 725
start_va = 0x7ffa14a40000
end_va = 0x7ffa14b99fff
monitored = 0
entry_point = 0x7ffa14a838e0
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 726
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 727
start_va = 0x8b0000
end_va = 0x96bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008b0000"
filename = ""
Region:
id = 728
start_va = 0x50000
end_va = 0x53fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 729
start_va = 0x7ffa10610000
end_va = 0x7ffa10631fff
monitored = 0
entry_point = 0x7ffa10611a40
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 737
start_va = 0x7ffa11410000
end_va = 0x7ffa11422fff
monitored = 0
entry_point = 0x7ffa11412760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 738
start_va = 0x7ffa12ba0000
end_va = 0x7ffa12bf5fff
monitored = 0
entry_point = 0x7ffa12bb0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 740
start_va = 0x60000
end_va = 0x66fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 741
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000070000"
filename = ""
Region:
id = 742
start_va = 0x80000
end_va = 0x80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000080000"
filename = ""
Region:
id = 743
start_va = 0x1d0000
end_va = 0x1d4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 744
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "conhostv2.dll.mui"
filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")
Region:
id = 752
start_va = 0x1f0000
end_va = 0x1f1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 753
start_va = 0x7ffa080f0000
end_va = 0x7ffa08363fff
monitored = 0
entry_point = 0x7ffa08160400
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")
Region:
id = 754
start_va = 0x750000
end_va = 0x750fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 755
start_va = 0x760000
end_va = 0x761fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000760000"
filename = ""
Thread:
id = 15
os_tid = 0x1324
Thread:
id = 17
os_tid = 0x134c
Thread:
id = 20
os_tid = 0x1340
Thread:
id = 22
os_tid = 0xb10
Process:
id = "4"
image_name = "schtasks.exe"
filename = "c:\\windows\\syswow64\\schtasks.exe"
page_root = "0x169e9000"
os_pid = "0x131c"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0xc28"
cmd_line = "\"C:\\Windows\\System32\\schtasks.exe\" /Create /TN \"Updates\\ZgolgcKGNozdg\" /XML \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 577
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 578
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 579
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 580
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 581
start_va = 0xa0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 582
start_va = 0xe0000
end_va = 0xe3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 583
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 584
start_va = 0x100000
end_va = 0x101fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 585
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 586
start_va = 0xba0000
end_va = 0xbd1fff
monitored = 1
entry_point = 0xbc05b0
region_type = mapped_file
name = "schtasks.exe"
filename = "\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")
Region:
id = 587
start_va = 0xbe0000
end_va = 0x4bdffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000be0000"
filename = ""
Region:
id = 588
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 589
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 590
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 591
start_va = 0x7fff0000
end_va = 0x7dfa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 592
start_va = 0x7dfa16770000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007dfa16770000"
filename = ""
Region:
id = 593
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 594
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 629
start_va = 0x110000
end_va = 0x11ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 630
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 631
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 632
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 633
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 634
start_va = 0x400000
end_va = 0x6cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 635
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 636
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 637
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 638
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 758
start_va = 0x120000
end_va = 0x1ddfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 759
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 760
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 761
start_va = 0x400000
end_va = 0x43ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 762
start_va = 0x440000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000440000"
filename = ""
Region:
id = 763
start_va = 0x5d0000
end_va = 0x6cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 764
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 765
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 766
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 767
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 768
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 769
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 770
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 771
start_va = 0x480000
end_va = 0x52ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000480000"
filename = ""
Region:
id = 787
start_va = 0x6d0000
end_va = 0x7b9fff
monitored = 0
entry_point = 0x70d650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 800
start_va = 0x1e0000
end_va = 0x1f2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "schtasks.exe.mui"
filename = "\\Windows\\SysWOW64\\en-US\\schtasks.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\schtasks.exe.mui")
Region:
id = 801
start_va = 0x6d0000
end_va = 0xa06fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 805
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 806
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 807
start_va = 0x74340000
end_va = 0x743c3fff
monitored = 0
entry_point = 0x74366220
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 808
start_va = 0x480000
end_va = 0x480fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 809
start_va = 0x520000
end_va = 0x52ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000520000"
filename = ""
Region:
id = 810
start_va = 0x68e60000
end_va = 0x68eebfff
monitored = 0
entry_point = 0x68e9a6c0
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\SysWOW64\\taskschd.dll" (normalized: "c:\\windows\\syswow64\\taskschd.dll")
Thread:
id = 16
os_tid = 0x1350
[0185.513] GetModuleHandleA (lpModuleName=0x0) returned 0xba0000
[0185.513] __set_app_type (_Type=0x1)
[0185.513] __p__fmode () returned 0x76b44d6c
[0185.513] __p__commode () returned 0x76b45b1c
[0185.513] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbc0840) returned 0x0
[0185.513] __wgetmainargs (in: _Argc=0xbcade0, _Argv=0xbcade4, _Env=0xbcade8, _DoWildCard=0, _StartInfo=0xbcadf4 | out: _Argc=0xbcade0, _Argv=0xbcade4, _Env=0xbcade8) returned 0
[0185.514] _onexit (_Func=0xbc2bc0) returned 0xbc2bc0
[0185.514] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0185.514] WinSqmIsOptedIn () returned 0x0
[0185.514] GetProcessHeap () returned 0x5d0000
[0185.514] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5d74a0
[0185.514] RtlRestoreLastWin32Error () returned 0x0
[0185.515] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18
[0185.515] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b
[0185.515] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b
[0185.515] RtlVerifyVersionInfo (VersionInfo=0xdf9f8, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0
[0185.515] GetProcessHeap () returned 0x5d0000
[0185.515] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5d7320
[0185.515] lstrlenW (lpString="") returned 0
[0185.515] GetProcessHeap () returned 0x5d0000
[0185.515] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x2) returned 0x5d0598
[0185.515] GetProcessHeap () returned 0x5d0000
[0185.515] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d6e50
[0185.515] GetProcessHeap () returned 0x5d0000
[0185.515] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5d74b8
[0185.515] GetProcessHeap () returned 0x5d0000
[0185.515] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d6c18
[0185.515] GetProcessHeap () returned 0x5d0000
[0185.515] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d6c38
[0185.515] GetProcessHeap () returned 0x5d0000
[0185.515] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d6c58
[0185.515] GetProcessHeap () returned 0x5d0000
[0185.516] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d6848
[0185.516] GetProcessHeap () returned 0x5d0000
[0185.516] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5d7350
[0185.516] GetProcessHeap () returned 0x5d0000
[0185.516] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d6868
[0185.516] GetProcessHeap () returned 0x5d0000
[0185.516] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d6888
[0185.516] GetProcessHeap () returned 0x5d0000
[0185.516] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d65e0
[0185.516] GetProcessHeap () returned 0x5d0000
[0185.516] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d6600
[0185.516] GetProcessHeap () returned 0x5d0000
[0185.516] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5d7398
[0185.516] GetProcessHeap () returned 0x5d0000
[0185.516] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d6620
[0185.517] GetProcessHeap () returned 0x5d0000
[0185.517] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d2788
[0185.517] GetProcessHeap () returned 0x5d0000
[0185.517] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d27a8
[0185.517] GetProcessHeap () returned 0x5d0000
[0185.517] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d27c8
[0185.517] SetThreadUILanguage (LangId=0x0) returned 0x409
[0185.852] RtlRestoreLastWin32Error () returned 0x0
[0185.852] GetProcessHeap () returned 0x5d0000
[0185.852] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9430
[0185.852] GetProcessHeap () returned 0x5d0000
[0185.852] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9650
[0185.852] GetProcessHeap () returned 0x5d0000
[0185.852] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9490
[0185.852] GetProcessHeap () returned 0x5d0000
[0185.852] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d95b0
[0185.852] GetProcessHeap () returned 0x5d0000
[0185.852] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9350
[0185.852] GetProcessHeap () returned 0x5d0000
[0185.852] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5d7428
[0185.853] _memicmp (_Buf1=0x5d7428, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.853] GetProcessHeap () returned 0x5d0000
[0185.853] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x208) returned 0x5d8ce8
[0185.853] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5d8ce8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20
[0185.853] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdfb04 | out: lpdwHandle=0xdfb04) returned 0x76c
[0185.869] GetProcessHeap () returned 0x5d0000
[0185.869] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x776) returned 0x5d9dc0
[0185.869] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x5d9dc0 | out: lpData=0x5d9dc0) returned 1
[0185.870] VerQueryValueW (in: pBlock=0x5d9dc0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdfb0c, puLen=0xdfb10 | out: lplpBuffer=0xdfb0c*=0x5da170, puLen=0xdfb10) returned 1
[0185.873] _memicmp (_Buf1=0x5d7428, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.873] _vsnwprintf (in: _Buffer=0x5d8ce8, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdfaf0 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0185.873] VerQueryValueW (in: pBlock=0x5d9dc0, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdfb1c, puLen=0xdfb18 | out: lplpBuffer=0xdfb1c*=0x5d9fa0, puLen=0xdfb18) returned 1
[0185.873] lstrlenW (lpString="schtasks.exe") returned 12
[0185.873] lstrlenW (lpString="schtasks.exe") returned 12
[0185.873] lstrlenW (lpString=".EXE") returned 4
[0185.873] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0185.874] lstrlenW (lpString="schtasks.exe") returned 12
[0185.874] lstrlenW (lpString=".EXE") returned 4
[0185.874] _memicmp (_Buf1=0x5d7428, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.874] lstrlenW (lpString="schtasks") returned 8
[0185.874] GetProcessHeap () returned 0x5d0000
[0185.874] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9570
[0185.874] GetProcessHeap () returned 0x5d0000
[0185.874] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9670
[0185.874] GetProcessHeap () returned 0x5d0000
[0185.874] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9690
[0185.874] GetProcessHeap () returned 0x5d0000
[0185.874] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9590
[0185.874] GetProcessHeap () returned 0x5d0000
[0185.874] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5d74d0
[0185.875] _memicmp (_Buf1=0x5d74d0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.875] GetProcessHeap () returned 0x5d0000
[0185.875] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0xa0) returned 0x5d8ef8
[0185.875] GetProcessHeap () returned 0x5d0000
[0185.875] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9610
[0185.875] GetProcessHeap () returned 0x5d0000
[0185.875] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d94b0
[0185.875] GetProcessHeap () returned 0x5d0000
[0185.875] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9390
[0185.875] GetProcessHeap () returned 0x5d0000
[0185.875] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5d7470
[0185.875] _memicmp (_Buf1=0x5d7470, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.875] GetProcessHeap () returned 0x5d0000
[0185.875] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x200) returned 0x5da7a0
[0185.875] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x5da7a0, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0185.876] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0185.876] GetProcessHeap () returned 0x5d0000
[0185.876] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x30) returned 0x5d2590
[0185.876] _vsnwprintf (in: _Buffer=0x5d8ef8, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdfaf4 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29
[0185.876] GetProcessHeap () returned 0x5d0000
[0185.876] GetProcessHeap () returned 0x5d0000
[0185.876] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9dc0) returned 1
[0185.876] GetProcessHeap () returned 0x5d0000
[0185.876] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9dc0) returned 0x776
[0185.877] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9dc0) returned 1
[0185.877] RtlRestoreLastWin32Error () returned 0x0
[0185.877] GetThreadLocale () returned 0x409
[0185.877] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.877] lstrlenW (lpString="?") returned 1
[0185.877] GetThreadLocale () returned 0x409
[0185.877] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.877] lstrlenW (lpString="create") returned 6
[0185.877] GetThreadLocale () returned 0x409
[0185.877] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.877] lstrlenW (lpString="delete") returned 6
[0185.877] GetThreadLocale () returned 0x409
[0185.877] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.877] lstrlenW (lpString="query") returned 5
[0185.877] GetThreadLocale () returned 0x409
[0185.877] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.877] lstrlenW (lpString="change") returned 6
[0185.877] GetThreadLocale () returned 0x409
[0185.877] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.877] lstrlenW (lpString="run") returned 3
[0185.877] GetThreadLocale () returned 0x409
[0185.877] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.878] lstrlenW (lpString="end") returned 3
[0185.878] GetThreadLocale () returned 0x409
[0185.878] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.878] lstrlenW (lpString="showsid") returned 7
[0185.878] GetThreadLocale () returned 0x409
[0185.878] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.878] RtlRestoreLastWin32Error () returned 0x0
[0185.878] RtlRestoreLastWin32Error () returned 0x0
[0185.878] lstrlenW (lpString="/Create") returned 7
[0185.878] lstrlenW (lpString="-/") returned 2
[0185.878] StrChrIW (lpStart="-/", wMatch=0x52002f) returned="/"
[0185.878] lstrlenW (lpString="?") returned 1
[0185.878] lstrlenW (lpString="?") returned 1
[0185.878] GetProcessHeap () returned 0x5d0000
[0185.878] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5d7368
[0185.878] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.878] GetProcessHeap () returned 0x5d0000
[0185.878] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0xa) returned 0x5d7380
[0185.878] lstrlenW (lpString="Create") returned 6
[0185.878] GetProcessHeap () returned 0x5d0000
[0185.878] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5d73b0
[0185.878] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.878] GetProcessHeap () returned 0x5d0000
[0185.878] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d96d0
[0185.878] _vsnwprintf (in: _Buffer=0x5d7380, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0185.878] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|Create|") returned 8
[0185.878] lstrlenW (lpString="|?|") returned 3
[0185.879] lstrlenW (lpString="|Create|") returned 8
[0185.879] RtlRestoreLastWin32Error () returned 0x490
[0185.879] lstrlenW (lpString="create") returned 6
[0185.879] lstrlenW (lpString="create") returned 6
[0185.879] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.879] GetProcessHeap () returned 0x5d0000
[0185.879] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d7380) returned 1
[0185.879] GetProcessHeap () returned 0x5d0000
[0185.879] RtlReAllocateHeap (Heap=0x5d0000, Flags=0xc, Ptr=0x5d7380, Size=0x14) returned 0x5d9330
[0185.879] lstrlenW (lpString="Create") returned 6
[0185.879] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.879] _vsnwprintf (in: _Buffer=0x5d9330, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0185.879] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|Create|") returned 8
[0185.879] lstrlenW (lpString="|create|") returned 8
[0185.879] lstrlenW (lpString="|Create|") returned 8
[0185.879] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|"
[0185.879] RtlRestoreLastWin32Error () returned 0x0
[0185.879] RtlRestoreLastWin32Error () returned 0x0
[0185.879] RtlRestoreLastWin32Error () returned 0x0
[0185.879] lstrlenW (lpString="/TN") returned 3
[0185.879] lstrlenW (lpString="-/") returned 2
[0185.879] StrChrIW (lpStart="-/", wMatch=0x52002f) returned="/"
[0185.879] lstrlenW (lpString="?") returned 1
[0185.879] lstrlenW (lpString="?") returned 1
[0185.879] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.879] lstrlenW (lpString="TN") returned 2
[0185.880] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.880] _vsnwprintf (in: _Buffer=0x5d9330, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0185.880] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0185.880] lstrlenW (lpString="|?|") returned 3
[0185.880] lstrlenW (lpString="|TN|") returned 4
[0185.880] RtlRestoreLastWin32Error () returned 0x490
[0185.880] lstrlenW (lpString="create") returned 6
[0185.880] lstrlenW (lpString="create") returned 6
[0185.880] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.880] lstrlenW (lpString="TN") returned 2
[0185.880] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.880] _vsnwprintf (in: _Buffer=0x5d9330, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0185.880] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0185.880] lstrlenW (lpString="|create|") returned 8
[0185.880] lstrlenW (lpString="|TN|") returned 4
[0185.880] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0
[0185.880] RtlRestoreLastWin32Error () returned 0x490
[0185.880] lstrlenW (lpString="delete") returned 6
[0185.880] lstrlenW (lpString="delete") returned 6
[0185.880] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.880] lstrlenW (lpString="TN") returned 2
[0185.880] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.880] _vsnwprintf (in: _Buffer=0x5d9330, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0185.880] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0185.881] lstrlenW (lpString="|delete|") returned 8
[0185.881] lstrlenW (lpString="|TN|") returned 4
[0185.881] StrStrIW (lpFirst="|delete|", lpSrch="|TN|") returned 0x0
[0185.881] RtlRestoreLastWin32Error () returned 0x490
[0185.881] lstrlenW (lpString="query") returned 5
[0185.881] lstrlenW (lpString="query") returned 5
[0185.881] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.881] lstrlenW (lpString="TN") returned 2
[0185.881] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.881] _vsnwprintf (in: _Buffer=0x5d9330, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0185.881] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0185.881] lstrlenW (lpString="|query|") returned 7
[0185.881] lstrlenW (lpString="|TN|") returned 4
[0185.881] StrStrIW (lpFirst="|query|", lpSrch="|TN|") returned 0x0
[0185.881] RtlRestoreLastWin32Error () returned 0x490
[0185.881] lstrlenW (lpString="change") returned 6
[0185.881] lstrlenW (lpString="change") returned 6
[0185.881] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.881] lstrlenW (lpString="TN") returned 2
[0185.881] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.881] _vsnwprintf (in: _Buffer=0x5d9330, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0185.881] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0185.881] lstrlenW (lpString="|change|") returned 8
[0185.881] lstrlenW (lpString="|TN|") returned 4
[0185.881] StrStrIW (lpFirst="|change|", lpSrch="|TN|") returned 0x0
[0185.882] RtlRestoreLastWin32Error () returned 0x490
[0185.882] lstrlenW (lpString="run") returned 3
[0185.882] lstrlenW (lpString="run") returned 3
[0185.882] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.882] lstrlenW (lpString="TN") returned 2
[0185.882] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.882] _vsnwprintf (in: _Buffer=0x5d9330, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0185.882] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0185.882] lstrlenW (lpString="|run|") returned 5
[0185.882] lstrlenW (lpString="|TN|") returned 4
[0185.882] StrStrIW (lpFirst="|run|", lpSrch="|TN|") returned 0x0
[0185.882] RtlRestoreLastWin32Error () returned 0x490
[0185.882] lstrlenW (lpString="end") returned 3
[0185.882] lstrlenW (lpString="end") returned 3
[0185.882] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.882] lstrlenW (lpString="TN") returned 2
[0185.882] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.882] _vsnwprintf (in: _Buffer=0x5d9330, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0185.882] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0185.882] lstrlenW (lpString="|end|") returned 5
[0185.882] lstrlenW (lpString="|TN|") returned 4
[0185.882] StrStrIW (lpFirst="|end|", lpSrch="|TN|") returned 0x0
[0185.882] RtlRestoreLastWin32Error () returned 0x490
[0185.882] lstrlenW (lpString="showsid") returned 7
[0185.882] lstrlenW (lpString="showsid") returned 7
[0185.882] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.883] GetProcessHeap () returned 0x5d0000
[0185.883] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9330) returned 1
[0185.883] GetProcessHeap () returned 0x5d0000
[0185.883] RtlReAllocateHeap (Heap=0x5d0000, Flags=0xc, Ptr=0x5d9330, Size=0x16) returned 0x5d94f0
[0185.883] lstrlenW (lpString="TN") returned 2
[0185.883] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.883] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0185.883] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0185.883] lstrlenW (lpString="|showsid|") returned 9
[0185.883] lstrlenW (lpString="|TN|") returned 4
[0185.883] StrStrIW (lpFirst="|showsid|", lpSrch="|TN|") returned 0x0
[0185.883] RtlRestoreLastWin32Error () returned 0x490
[0185.883] RtlRestoreLastWin32Error () returned 0x490
[0185.883] RtlRestoreLastWin32Error () returned 0x0
[0185.883] lstrlenW (lpString="/TN") returned 3
[0185.883] StrChrIW (lpStart="/TN", wMatch=0x3a) returned 0x0
[0185.883] RtlRestoreLastWin32Error () returned 0x490
[0185.883] RtlRestoreLastWin32Error () returned 0x0
[0185.883] lstrlenW (lpString="/TN") returned 3
[0185.883] GetProcessHeap () returned 0x5d0000
[0185.883] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x8) returned 0x5d6c78
[0185.883] GetProcessHeap () returned 0x5d0000
[0185.883] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9370
[0185.883] RtlRestoreLastWin32Error () returned 0x0
[0185.883] RtlRestoreLastWin32Error () returned 0x0
[0185.883] lstrlenW (lpString="Updates\\ZgolgcKGNozdg") returned 21
[0185.883] lstrlenW (lpString="-/") returned 2
[0185.883] StrChrIW (lpStart="-/", wMatch=0x520055) returned 0x0
[0185.883] RtlRestoreLastWin32Error () returned 0x490
[0185.884] RtlRestoreLastWin32Error () returned 0x490
[0185.884] RtlRestoreLastWin32Error () returned 0x0
[0185.884] lstrlenW (lpString="Updates\\ZgolgcKGNozdg") returned 21
[0185.884] StrChrIW (lpStart="Updates\\ZgolgcKGNozdg", wMatch=0x3a) returned 0x0
[0185.884] RtlRestoreLastWin32Error () returned 0x490
[0185.884] RtlRestoreLastWin32Error () returned 0x0
[0185.884] lstrlenW (lpString="Updates\\ZgolgcKGNozdg") returned 21
[0185.884] GetProcessHeap () returned 0x5d0000
[0185.884] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x2c) returned 0x5d8fa0
[0185.884] GetProcessHeap () returned 0x5d0000
[0185.884] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d95d0
[0185.884] RtlRestoreLastWin32Error () returned 0x0
[0185.884] RtlRestoreLastWin32Error () returned 0x0
[0185.884] lstrlenW (lpString="/XML") returned 4
[0185.884] lstrlenW (lpString="-/") returned 2
[0185.884] StrChrIW (lpStart="-/", wMatch=0x52002f) returned="/"
[0185.884] lstrlenW (lpString="?") returned 1
[0185.884] lstrlenW (lpString="?") returned 1
[0185.884] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.884] lstrlenW (lpString="XML") returned 3
[0185.884] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.884] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0185.884] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0185.884] lstrlenW (lpString="|?|") returned 3
[0185.884] lstrlenW (lpString="|XML|") returned 5
[0185.884] RtlRestoreLastWin32Error () returned 0x490
[0185.884] lstrlenW (lpString="create") returned 6
[0185.884] lstrlenW (lpString="create") returned 6
[0185.885] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.885] lstrlenW (lpString="XML") returned 3
[0185.885] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.885] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0185.885] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0185.885] lstrlenW (lpString="|create|") returned 8
[0185.885] lstrlenW (lpString="|XML|") returned 5
[0185.885] StrStrIW (lpFirst="|create|", lpSrch="|XML|") returned 0x0
[0185.885] RtlRestoreLastWin32Error () returned 0x490
[0185.885] lstrlenW (lpString="delete") returned 6
[0185.885] lstrlenW (lpString="delete") returned 6
[0185.885] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.885] lstrlenW (lpString="XML") returned 3
[0185.885] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.885] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0185.885] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0185.885] lstrlenW (lpString="|delete|") returned 8
[0185.885] lstrlenW (lpString="|XML|") returned 5
[0185.885] StrStrIW (lpFirst="|delete|", lpSrch="|XML|") returned 0x0
[0185.885] RtlRestoreLastWin32Error () returned 0x490
[0185.885] lstrlenW (lpString="query") returned 5
[0185.885] lstrlenW (lpString="query") returned 5
[0185.885] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.885] lstrlenW (lpString="XML") returned 3
[0185.885] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.886] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0185.886] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0185.886] lstrlenW (lpString="|query|") returned 7
[0185.886] lstrlenW (lpString="|XML|") returned 5
[0185.886] StrStrIW (lpFirst="|query|", lpSrch="|XML|") returned 0x0
[0185.886] RtlRestoreLastWin32Error () returned 0x490
[0185.886] lstrlenW (lpString="change") returned 6
[0185.886] lstrlenW (lpString="change") returned 6
[0185.886] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.886] lstrlenW (lpString="XML") returned 3
[0185.886] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.886] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0185.886] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0185.886] lstrlenW (lpString="|change|") returned 8
[0185.886] lstrlenW (lpString="|XML|") returned 5
[0185.886] StrStrIW (lpFirst="|change|", lpSrch="|XML|") returned 0x0
[0185.886] RtlRestoreLastWin32Error () returned 0x490
[0185.886] lstrlenW (lpString="run") returned 3
[0185.886] lstrlenW (lpString="run") returned 3
[0185.886] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.886] lstrlenW (lpString="XML") returned 3
[0185.886] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.886] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0185.886] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0185.887] lstrlenW (lpString="|run|") returned 5
[0185.887] lstrlenW (lpString="|XML|") returned 5
[0185.887] StrStrIW (lpFirst="|run|", lpSrch="|XML|") returned 0x0
[0185.887] RtlRestoreLastWin32Error () returned 0x490
[0185.887] lstrlenW (lpString="end") returned 3
[0185.887] lstrlenW (lpString="end") returned 3
[0185.887] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.887] lstrlenW (lpString="XML") returned 3
[0185.887] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.887] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0185.887] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0185.887] lstrlenW (lpString="|end|") returned 5
[0185.887] lstrlenW (lpString="|XML|") returned 5
[0185.887] StrStrIW (lpFirst="|end|", lpSrch="|XML|") returned 0x0
[0185.887] RtlRestoreLastWin32Error () returned 0x490
[0185.887] lstrlenW (lpString="showsid") returned 7
[0185.887] lstrlenW (lpString="showsid") returned 7
[0185.887] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.887] lstrlenW (lpString="XML") returned 3
[0185.887] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.887] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0185.887] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0185.887] lstrlenW (lpString="|showsid|") returned 9
[0185.887] lstrlenW (lpString="|XML|") returned 5
[0185.888] StrStrIW (lpFirst="|showsid|", lpSrch="|XML|") returned 0x0
[0185.888] RtlRestoreLastWin32Error () returned 0x490
[0185.888] RtlRestoreLastWin32Error () returned 0x490
[0185.888] RtlRestoreLastWin32Error () returned 0x0
[0185.888] lstrlenW (lpString="/XML") returned 4
[0185.888] StrChrIW (lpStart="/XML", wMatch=0x3a) returned 0x0
[0185.888] RtlRestoreLastWin32Error () returned 0x490
[0185.888] RtlRestoreLastWin32Error () returned 0x0
[0185.888] lstrlenW (lpString="/XML") returned 4
[0185.888] GetProcessHeap () returned 0x5d0000
[0185.888] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0xa) returned 0x5d7380
[0185.888] GetProcessHeap () returned 0x5d0000
[0185.888] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d95f0
[0185.888] RtlRestoreLastWin32Error () returned 0x0
[0185.888] RtlRestoreLastWin32Error () returned 0x0
[0185.888] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp") returned 52
[0185.888] lstrlenW (lpString="-/") returned 2
[0185.888] StrChrIW (lpStart="-/", wMatch=0x520043) returned 0x0
[0185.888] RtlRestoreLastWin32Error () returned 0x490
[0185.888] RtlRestoreLastWin32Error () returned 0x490
[0185.888] RtlRestoreLastWin32Error () returned 0x0
[0185.888] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp") returned 52
[0185.888] StrChrIW (lpStart="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp"
[0185.888] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp") returned 52
[0185.888] GetProcessHeap () returned 0x5d0000
[0185.888] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5d73c8
[0185.888] _memicmp (_Buf1=0x5d73c8, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.888] GetProcessHeap () returned 0x5d0000
[0185.888] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0xc) returned 0x5d73e0
[0185.889] GetProcessHeap () returned 0x5d0000
[0185.889] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5daa80
[0185.889] _memicmp (_Buf1=0x5daa80, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.889] GetProcessHeap () returned 0x5d0000
[0185.889] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x6e) returned 0x5d69e8
[0185.889] RtlRestoreLastWin32Error () returned 0x7a
[0185.889] RtlRestoreLastWin32Error () returned 0x0
[0185.889] RtlRestoreLastWin32Error () returned 0x0
[0185.889] lstrlenW (lpString="C") returned 1
[0185.889] RtlRestoreLastWin32Error () returned 0x490
[0185.889] RtlRestoreLastWin32Error () returned 0x0
[0185.889] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp") returned 52
[0185.889] GetProcessHeap () returned 0x5d0000
[0185.889] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x6a) returned 0x5d6a60
[0185.889] GetProcessHeap () returned 0x5d0000
[0185.889] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9630
[0185.889] RtlRestoreLastWin32Error () returned 0x0
[0185.889] GetProcessHeap () returned 0x5d0000
[0185.889] GetProcessHeap () returned 0x5d0000
[0185.889] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d6c78) returned 1
[0185.889] GetProcessHeap () returned 0x5d0000
[0185.889] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d6c78) returned 0x8
[0185.889] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d6c78) returned 1
[0185.889] GetProcessHeap () returned 0x5d0000
[0185.889] GetProcessHeap () returned 0x5d0000
[0185.889] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9370) returned 1
[0185.889] GetProcessHeap () returned 0x5d0000
[0185.889] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9370) returned 0x14
[0185.890] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9370) returned 1
[0185.890] GetProcessHeap () returned 0x5d0000
[0185.890] GetProcessHeap () returned 0x5d0000
[0185.890] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d8fa0) returned 1
[0185.890] GetProcessHeap () returned 0x5d0000
[0185.890] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d8fa0) returned 0x2c
[0185.890] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d8fa0) returned 1
[0185.890] GetProcessHeap () returned 0x5d0000
[0185.890] GetProcessHeap () returned 0x5d0000
[0185.890] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d95d0) returned 1
[0185.890] GetProcessHeap () returned 0x5d0000
[0185.890] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d95d0) returned 0x14
[0185.890] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d95d0) returned 1
[0185.890] GetProcessHeap () returned 0x5d0000
[0185.890] GetProcessHeap () returned 0x5d0000
[0185.890] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d7380) returned 1
[0185.891] GetProcessHeap () returned 0x5d0000
[0185.891] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d7380) returned 0xa
[0185.891] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d7380) returned 1
[0185.891] GetProcessHeap () returned 0x5d0000
[0185.891] GetProcessHeap () returned 0x5d0000
[0185.891] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d95f0) returned 1
[0185.891] GetProcessHeap () returned 0x5d0000
[0185.891] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d95f0) returned 0x14
[0185.891] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d95f0) returned 1
[0185.891] GetProcessHeap () returned 0x5d0000
[0185.891] GetProcessHeap () returned 0x5d0000
[0185.891] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d6a60) returned 1
[0185.891] GetProcessHeap () returned 0x5d0000
[0185.891] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d6a60) returned 0x6a
[0185.891] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d6a60) returned 1
[0185.892] GetProcessHeap () returned 0x5d0000
[0185.892] GetProcessHeap () returned 0x5d0000
[0185.892] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9630) returned 1
[0185.892] GetProcessHeap () returned 0x5d0000
[0185.892] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9630) returned 0x14
[0185.892] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9630) returned 1
[0185.892] GetProcessHeap () returned 0x5d0000
[0185.892] GetProcessHeap () returned 0x5d0000
[0185.892] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d74a0) returned 1
[0185.892] GetProcessHeap () returned 0x5d0000
[0185.892] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d74a0) returned 0x10
[0185.892] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d74a0) returned 1
[0185.892] RtlRestoreLastWin32Error () returned 0x0
[0185.893] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18
[0185.893] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b
[0185.893] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b
[0185.893] RtlVerifyVersionInfo (VersionInfo=0xdce60, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0
[0185.893] RtlRestoreLastWin32Error () returned 0x0
[0185.893] lstrlenW (lpString="create") returned 6
[0185.893] StrChrIW (lpStart="create", wMatch=0x7c) returned 0x0
[0185.893] RtlRestoreLastWin32Error () returned 0x490
[0185.893] RtlRestoreLastWin32Error () returned 0x0
[0185.893] lstrlenW (lpString="create") returned 6
[0185.893] GetProcessHeap () returned 0x5d0000
[0185.893] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d96f0
[0185.893] GetProcessHeap () returned 0x5d0000
[0185.893] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x10) returned 0x5dac18
[0185.893] _memicmp (_Buf1=0x5dac18, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.893] GetProcessHeap () returned 0x5d0000
[0185.893] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x16) returned 0x5d96b0
[0185.893] RtlRestoreLastWin32Error () returned 0x0
[0185.893] _memicmp (_Buf1=0x5d7428, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.893] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5d8ce8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20
[0185.893] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdcf6c | out: lpdwHandle=0xdcf6c) returned 0x76c
[0185.894] GetProcessHeap () returned 0x5d0000
[0185.894] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x776) returned 0x5d9dc0
[0185.894] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x5d9dc0 | out: lpData=0x5d9dc0) returned 1
[0185.894] VerQueryValueW (in: pBlock=0x5d9dc0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdcf74, puLen=0xdcf78 | out: lplpBuffer=0xdcf74*=0x5da170, puLen=0xdcf78) returned 1
[0185.894] _memicmp (_Buf1=0x5d7428, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.894] _vsnwprintf (in: _Buffer=0x5d8ce8, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdcf58 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0185.894] VerQueryValueW (in: pBlock=0x5d9dc0, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdcf84, puLen=0xdcf80 | out: lplpBuffer=0xdcf84*=0x5d9fa0, puLen=0xdcf80) returned 1
[0185.894] lstrlenW (lpString="schtasks.exe") returned 12
[0185.894] lstrlenW (lpString="schtasks.exe") returned 12
[0185.894] lstrlenW (lpString=".EXE") returned 4
[0185.894] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0185.894] lstrlenW (lpString="schtasks.exe") returned 12
[0185.894] lstrlenW (lpString=".EXE") returned 4
[0185.894] lstrlenW (lpString="schtasks") returned 8
[0185.894] lstrlenW (lpString="/create") returned 7
[0185.894] _memicmp (_Buf1=0x5d7428, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.894] _vsnwprintf (in: _Buffer=0x5d8ce8, _BufferCount=0x19, _Format="%s %s", _ArgList=0xdcf58 | out: _Buffer="schtasks /create") returned 16
[0185.895] _memicmp (_Buf1=0x5d74d0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.895] GetProcessHeap () returned 0x5d0000
[0185.895] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5d9510
[0185.895] _memicmp (_Buf1=0x5d7470, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.895] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x5da7a0, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0185.895] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0185.895] GetProcessHeap () returned 0x5d0000
[0185.895] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x30) returned 0x5d8fa0
[0185.895] _vsnwprintf (in: _Buffer=0x5d8ef8, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdcf5c | out: _Buffer="Type \"SCHTASKS /CREATE /?\" for usage.") returned 37
[0185.895] GetProcessHeap () returned 0x5d0000
[0185.895] GetProcessHeap () returned 0x5d0000
[0185.895] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9dc0) returned 1
[0185.895] GetProcessHeap () returned 0x5d0000
[0185.895] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9dc0) returned 0x776
[0185.896] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9dc0) returned 1
[0185.896] RtlRestoreLastWin32Error () returned 0x0
[0185.896] GetThreadLocale () returned 0x409
[0185.896] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.896] lstrlenW (lpString="create") returned 6
[0185.896] GetThreadLocale () returned 0x409
[0185.896] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.896] lstrlenW (lpString="?") returned 1
[0185.896] GetThreadLocale () returned 0x409
[0185.896] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.896] lstrlenW (lpString="s") returned 1
[0185.896] GetThreadLocale () returned 0x409
[0185.896] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.896] lstrlenW (lpString="u") returned 1
[0185.896] GetThreadLocale () returned 0x409
[0185.896] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.896] lstrlenW (lpString="p") returned 1
[0185.896] GetThreadLocale () returned 0x409
[0185.896] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.896] lstrlenW (lpString="ru") returned 2
[0185.896] GetThreadLocale () returned 0x409
[0185.896] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.896] lstrlenW (lpString="rp") returned 2
[0185.896] GetThreadLocale () returned 0x409
[0185.896] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.896] lstrlenW (lpString="sc") returned 2
[0185.896] GetThreadLocale () returned 0x409
[0185.897] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.897] lstrlenW (lpString="mo") returned 2
[0185.897] GetThreadLocale () returned 0x409
[0185.897] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.897] lstrlenW (lpString="d") returned 1
[0185.897] GetThreadLocale () returned 0x409
[0185.897] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.897] lstrlenW (lpString="m") returned 1
[0185.897] GetThreadLocale () returned 0x409
[0185.897] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.897] lstrlenW (lpString="i") returned 1
[0185.897] GetThreadLocale () returned 0x409
[0185.897] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.897] lstrlenW (lpString="tn") returned 2
[0185.897] GetThreadLocale () returned 0x409
[0185.897] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.897] lstrlenW (lpString="tr") returned 2
[0185.897] GetThreadLocale () returned 0x409
[0185.897] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.897] lstrlenW (lpString="st") returned 2
[0185.897] GetThreadLocale () returned 0x409
[0185.897] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.897] lstrlenW (lpString="sd") returned 2
[0185.897] GetThreadLocale () returned 0x409
[0185.897] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.897] lstrlenW (lpString="ed") returned 2
[0185.897] GetThreadLocale () returned 0x409
[0185.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.898] lstrlenW (lpString="it") returned 2
[0185.898] GetThreadLocale () returned 0x409
[0185.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.898] lstrlenW (lpString="et") returned 2
[0185.898] GetThreadLocale () returned 0x409
[0185.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.898] lstrlenW (lpString="k") returned 1
[0185.898] GetThreadLocale () returned 0x409
[0185.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.898] lstrlenW (lpString="du") returned 2
[0185.898] GetThreadLocale () returned 0x409
[0185.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.898] lstrlenW (lpString="ri") returned 2
[0185.898] GetThreadLocale () returned 0x409
[0185.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.898] lstrlenW (lpString="z") returned 1
[0185.898] GetThreadLocale () returned 0x409
[0185.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.898] lstrlenW (lpString="f") returned 1
[0185.898] GetThreadLocale () returned 0x409
[0185.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.898] lstrlenW (lpString="v1") returned 2
[0185.898] GetThreadLocale () returned 0x409
[0185.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.898] lstrlenW (lpString="xml") returned 3
[0185.898] GetThreadLocale () returned 0x409
[0185.898] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.898] lstrlenW (lpString="ec") returned 2
[0185.899] GetThreadLocale () returned 0x409
[0185.899] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.899] lstrlenW (lpString="rl") returned 2
[0185.899] GetThreadLocale () returned 0x409
[0185.899] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.899] lstrlenW (lpString="delay") returned 5
[0185.899] GetThreadLocale () returned 0x409
[0185.899] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.899] lstrlenW (lpString="np") returned 2
[0185.899] GetThreadLocale () returned 0x409
[0185.899] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0185.899] lstrlenW (lpString="hresult") returned 7
[0185.899] RtlRestoreLastWin32Error () returned 0x0
[0185.899] RtlRestoreLastWin32Error () returned 0x0
[0185.899] lstrlenW (lpString="/Create") returned 7
[0185.899] lstrlenW (lpString="-/") returned 2
[0185.899] StrChrIW (lpStart="-/", wMatch=0x52002f) returned="/"
[0185.899] lstrlenW (lpString="create") returned 6
[0185.899] lstrlenW (lpString="create") returned 6
[0185.899] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.899] lstrlenW (lpString="Create") returned 6
[0185.899] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.899] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0185.899] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|Create|") returned 8
[0185.899] lstrlenW (lpString="|create|") returned 8
[0185.899] lstrlenW (lpString="|Create|") returned 8
[0185.899] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|"
[0185.900] RtlRestoreLastWin32Error () returned 0x0
[0185.900] RtlRestoreLastWin32Error () returned 0x0
[0185.900] RtlRestoreLastWin32Error () returned 0x0
[0185.900] lstrlenW (lpString="/TN") returned 3
[0185.900] lstrlenW (lpString="-/") returned 2
[0185.900] StrChrIW (lpStart="-/", wMatch=0x52002f) returned="/"
[0185.900] lstrlenW (lpString="create") returned 6
[0185.900] lstrlenW (lpString="create") returned 6
[0185.900] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.900] lstrlenW (lpString="TN") returned 2
[0185.900] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.900] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0185.900] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.900] lstrlenW (lpString="|create|") returned 8
[0185.900] lstrlenW (lpString="|TN|") returned 4
[0185.900] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0
[0185.900] RtlRestoreLastWin32Error () returned 0x490
[0185.900] lstrlenW (lpString="?") returned 1
[0185.900] lstrlenW (lpString="?") returned 1
[0185.900] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.900] lstrlenW (lpString="TN") returned 2
[0185.900] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.900] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0185.900] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.901] lstrlenW (lpString="|?|") returned 3
[0185.901] lstrlenW (lpString="|TN|") returned 4
[0185.901] RtlRestoreLastWin32Error () returned 0x490
[0185.901] lstrlenW (lpString="s") returned 1
[0185.901] lstrlenW (lpString="s") returned 1
[0185.901] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.901] lstrlenW (lpString="TN") returned 2
[0185.901] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.901] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0185.901] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.901] lstrlenW (lpString="|s|") returned 3
[0185.901] lstrlenW (lpString="|TN|") returned 4
[0185.901] RtlRestoreLastWin32Error () returned 0x490
[0185.901] lstrlenW (lpString="u") returned 1
[0185.901] lstrlenW (lpString="u") returned 1
[0185.901] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.901] lstrlenW (lpString="TN") returned 2
[0185.901] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.901] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0185.901] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.901] lstrlenW (lpString="|u|") returned 3
[0185.901] lstrlenW (lpString="|TN|") returned 4
[0185.901] RtlRestoreLastWin32Error () returned 0x490
[0185.901] lstrlenW (lpString="p") returned 1
[0185.901] lstrlenW (lpString="p") returned 1
[0185.902] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.902] lstrlenW (lpString="TN") returned 2
[0185.902] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.902] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0185.902] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.902] lstrlenW (lpString="|p|") returned 3
[0185.902] lstrlenW (lpString="|TN|") returned 4
[0185.902] RtlRestoreLastWin32Error () returned 0x490
[0185.902] lstrlenW (lpString="ru") returned 2
[0185.902] lstrlenW (lpString="ru") returned 2
[0185.902] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.902] lstrlenW (lpString="TN") returned 2
[0185.902] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.902] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0185.902] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.902] lstrlenW (lpString="|ru|") returned 4
[0185.902] lstrlenW (lpString="|TN|") returned 4
[0185.902] StrStrIW (lpFirst="|ru|", lpSrch="|TN|") returned 0x0
[0185.902] RtlRestoreLastWin32Error () returned 0x490
[0185.902] lstrlenW (lpString="rp") returned 2
[0185.902] lstrlenW (lpString="rp") returned 2
[0185.902] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.902] lstrlenW (lpString="TN") returned 2
[0185.902] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.903] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0185.903] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.903] lstrlenW (lpString="|rp|") returned 4
[0185.903] lstrlenW (lpString="|TN|") returned 4
[0185.903] StrStrIW (lpFirst="|rp|", lpSrch="|TN|") returned 0x0
[0185.903] RtlRestoreLastWin32Error () returned 0x490
[0185.903] lstrlenW (lpString="sc") returned 2
[0185.903] lstrlenW (lpString="sc") returned 2
[0185.903] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.903] lstrlenW (lpString="TN") returned 2
[0185.903] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.903] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0185.903] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.903] lstrlenW (lpString="|sc|") returned 4
[0185.903] lstrlenW (lpString="|TN|") returned 4
[0185.903] StrStrIW (lpFirst="|sc|", lpSrch="|TN|") returned 0x0
[0185.903] RtlRestoreLastWin32Error () returned 0x490
[0185.903] lstrlenW (lpString="mo") returned 2
[0185.903] lstrlenW (lpString="mo") returned 2
[0185.903] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.903] lstrlenW (lpString="TN") returned 2
[0185.903] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.903] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4
[0185.903] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.904] lstrlenW (lpString="|mo|") returned 4
[0185.904] lstrlenW (lpString="|TN|") returned 4
[0185.904] StrStrIW (lpFirst="|mo|", lpSrch="|TN|") returned 0x0
[0185.904] RtlRestoreLastWin32Error () returned 0x490
[0185.904] lstrlenW (lpString="d") returned 1
[0185.904] lstrlenW (lpString="d") returned 1
[0185.904] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.904] lstrlenW (lpString="TN") returned 2
[0185.904] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.904] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3
[0185.904] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.904] lstrlenW (lpString="|d|") returned 3
[0185.904] lstrlenW (lpString="|TN|") returned 4
[0185.904] RtlRestoreLastWin32Error () returned 0x490
[0185.904] lstrlenW (lpString="m") returned 1
[0185.904] lstrlenW (lpString="m") returned 1
[0185.904] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.904] lstrlenW (lpString="TN") returned 2
[0185.904] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.904] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3
[0185.904] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.904] lstrlenW (lpString="|m|") returned 3
[0185.904] lstrlenW (lpString="|TN|") returned 4
[0185.904] RtlRestoreLastWin32Error () returned 0x490
[0185.904] lstrlenW (lpString="i") returned 1
[0185.905] lstrlenW (lpString="i") returned 1
[0185.905] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.905] lstrlenW (lpString="TN") returned 2
[0185.905] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.905] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3
[0185.905] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.905] lstrlenW (lpString="|i|") returned 3
[0185.905] lstrlenW (lpString="|TN|") returned 4
[0185.905] RtlRestoreLastWin32Error () returned 0x490
[0185.905] lstrlenW (lpString="tn") returned 2
[0185.905] lstrlenW (lpString="tn") returned 2
[0185.905] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.905] lstrlenW (lpString="TN") returned 2
[0185.905] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.905] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0185.905] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0185.905] lstrlenW (lpString="|tn|") returned 4
[0185.905] lstrlenW (lpString="|TN|") returned 4
[0185.905] StrStrIW (lpFirst="|tn|", lpSrch="|TN|") returned="|tn|"
[0185.905] RtlRestoreLastWin32Error () returned 0x0
[0185.905] RtlRestoreLastWin32Error () returned 0x0
[0185.905] lstrlenW (lpString="Updates\\ZgolgcKGNozdg") returned 21
[0185.905] lstrlenW (lpString="-/") returned 2
[0185.905] StrChrIW (lpStart="-/", wMatch=0x520055) returned 0x0
[0185.905] RtlRestoreLastWin32Error () returned 0x490
[0185.906] RtlRestoreLastWin32Error () returned 0x490
[0185.906] RtlRestoreLastWin32Error () returned 0x0
[0185.906] lstrlenW (lpString="Updates\\ZgolgcKGNozdg") returned 21
[0185.906] StrChrIW (lpStart="Updates\\ZgolgcKGNozdg", wMatch=0x3a) returned 0x0
[0185.906] RtlRestoreLastWin32Error () returned 0x490
[0185.906] RtlRestoreLastWin32Error () returned 0x0
[0185.906] lstrlenW (lpString="Updates\\ZgolgcKGNozdg") returned 21
[0185.906] RtlRestoreLastWin32Error () returned 0x0
[0185.906] RtlRestoreLastWin32Error () returned 0x0
[0185.906] lstrlenW (lpString="/XML") returned 4
[0185.906] lstrlenW (lpString="-/") returned 2
[0185.906] StrChrIW (lpStart="-/", wMatch=0x52002f) returned="/"
[0185.906] lstrlenW (lpString="create") returned 6
[0185.906] lstrlenW (lpString="create") returned 6
[0185.906] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.906] lstrlenW (lpString="XML") returned 3
[0185.906] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.906] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0185.906] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.906] lstrlenW (lpString="|create|") returned 8
[0185.906] lstrlenW (lpString="|XML|") returned 5
[0185.906] StrStrIW (lpFirst="|create|", lpSrch="|XML|") returned 0x0
[0185.906] RtlRestoreLastWin32Error () returned 0x490
[0185.910] lstrlenW (lpString="?") returned 1
[0185.910] lstrlenW (lpString="?") returned 1
[0185.910] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.910] lstrlenW (lpString="XML") returned 3
[0185.910] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.910] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0185.910] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.910] lstrlenW (lpString="|?|") returned 3
[0185.910] lstrlenW (lpString="|XML|") returned 5
[0185.910] RtlRestoreLastWin32Error () returned 0x490
[0185.910] lstrlenW (lpString="s") returned 1
[0185.910] lstrlenW (lpString="s") returned 1
[0185.910] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.910] lstrlenW (lpString="XML") returned 3
[0185.910] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.910] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0185.910] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.910] lstrlenW (lpString="|s|") returned 3
[0185.910] lstrlenW (lpString="|XML|") returned 5
[0185.910] RtlRestoreLastWin32Error () returned 0x490
[0185.910] lstrlenW (lpString="u") returned 1
[0185.910] lstrlenW (lpString="u") returned 1
[0185.910] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.910] lstrlenW (lpString="XML") returned 3
[0185.911] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.911] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0185.911] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.911] lstrlenW (lpString="|u|") returned 3
[0185.911] lstrlenW (lpString="|XML|") returned 5
[0185.911] RtlRestoreLastWin32Error () returned 0x490
[0185.911] lstrlenW (lpString="p") returned 1
[0185.911] lstrlenW (lpString="p") returned 1
[0185.911] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.911] lstrlenW (lpString="XML") returned 3
[0185.911] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.911] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0185.911] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.911] lstrlenW (lpString="|p|") returned 3
[0185.911] lstrlenW (lpString="|XML|") returned 5
[0185.911] RtlRestoreLastWin32Error () returned 0x490
[0185.911] lstrlenW (lpString="ru") returned 2
[0185.911] lstrlenW (lpString="ru") returned 2
[0185.911] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.911] lstrlenW (lpString="XML") returned 3
[0185.911] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.911] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0185.911] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.911] lstrlenW (lpString="|ru|") returned 4
[0185.911] lstrlenW (lpString="|XML|") returned 5
[0185.912] RtlRestoreLastWin32Error () returned 0x490
[0185.912] lstrlenW (lpString="rp") returned 2
[0185.912] lstrlenW (lpString="rp") returned 2
[0185.912] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.912] lstrlenW (lpString="XML") returned 3
[0185.912] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.912] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0185.912] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.912] lstrlenW (lpString="|rp|") returned 4
[0185.912] lstrlenW (lpString="|XML|") returned 5
[0185.912] RtlRestoreLastWin32Error () returned 0x490
[0185.912] lstrlenW (lpString="sc") returned 2
[0185.912] lstrlenW (lpString="sc") returned 2
[0185.912] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.912] lstrlenW (lpString="XML") returned 3
[0185.912] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.912] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0185.912] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.912] lstrlenW (lpString="|sc|") returned 4
[0185.912] lstrlenW (lpString="|XML|") returned 5
[0185.912] RtlRestoreLastWin32Error () returned 0x490
[0185.912] lstrlenW (lpString="mo") returned 2
[0185.912] lstrlenW (lpString="mo") returned 2
[0185.912] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.913] lstrlenW (lpString="XML") returned 3
[0185.913] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.913] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4
[0185.913] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.913] lstrlenW (lpString="|mo|") returned 4
[0185.913] lstrlenW (lpString="|XML|") returned 5
[0185.913] RtlRestoreLastWin32Error () returned 0x490
[0185.913] lstrlenW (lpString="d") returned 1
[0185.913] lstrlenW (lpString="d") returned 1
[0185.913] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.913] lstrlenW (lpString="XML") returned 3
[0185.913] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.913] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3
[0185.913] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.913] lstrlenW (lpString="|d|") returned 3
[0185.913] lstrlenW (lpString="|XML|") returned 5
[0185.913] RtlRestoreLastWin32Error () returned 0x490
[0185.913] lstrlenW (lpString="m") returned 1
[0185.913] lstrlenW (lpString="m") returned 1
[0185.913] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.913] lstrlenW (lpString="XML") returned 3
[0185.913] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.913] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3
[0185.913] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.914] lstrlenW (lpString="|m|") returned 3
[0185.914] lstrlenW (lpString="|XML|") returned 5
[0185.914] RtlRestoreLastWin32Error () returned 0x490
[0185.914] lstrlenW (lpString="i") returned 1
[0185.914] lstrlenW (lpString="i") returned 1
[0185.914] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.914] lstrlenW (lpString="XML") returned 3
[0185.914] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.914] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3
[0185.914] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.914] lstrlenW (lpString="|i|") returned 3
[0185.953] lstrlenW (lpString="|XML|") returned 5
[0185.954] RtlRestoreLastWin32Error () returned 0x490
[0185.954] lstrlenW (lpString="tn") returned 2
[0185.954] lstrlenW (lpString="tn") returned 2
[0185.954] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.954] lstrlenW (lpString="XML") returned 3
[0185.954] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.954] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0185.954] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.954] lstrlenW (lpString="|tn|") returned 4
[0185.954] lstrlenW (lpString="|XML|") returned 5
[0185.954] RtlRestoreLastWin32Error () returned 0x490
[0185.954] lstrlenW (lpString="tr") returned 2
[0185.954] lstrlenW (lpString="tr") returned 2
[0185.954] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.954] lstrlenW (lpString="XML") returned 3
[0185.954] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.954] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0185.954] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.954] lstrlenW (lpString="|tr|") returned 4
[0185.954] lstrlenW (lpString="|XML|") returned 5
[0185.954] RtlRestoreLastWin32Error () returned 0x490
[0185.954] lstrlenW (lpString="st") returned 2
[0185.954] lstrlenW (lpString="st") returned 2
[0185.954] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.955] lstrlenW (lpString="XML") returned 3
[0185.955] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.955] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|st|") returned 4
[0185.955] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.955] lstrlenW (lpString="|st|") returned 4
[0185.955] lstrlenW (lpString="|XML|") returned 5
[0185.955] RtlRestoreLastWin32Error () returned 0x490
[0185.955] lstrlenW (lpString="sd") returned 2
[0185.955] lstrlenW (lpString="sd") returned 2
[0185.955] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.955] lstrlenW (lpString="XML") returned 3
[0185.955] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.955] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sd|") returned 4
[0185.955] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.955] lstrlenW (lpString="|sd|") returned 4
[0185.955] lstrlenW (lpString="|XML|") returned 5
[0185.955] RtlRestoreLastWin32Error () returned 0x490
[0185.955] lstrlenW (lpString="ed") returned 2
[0185.955] lstrlenW (lpString="ed") returned 2
[0185.955] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.955] lstrlenW (lpString="XML") returned 3
[0185.955] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.955] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ed|") returned 4
[0185.955] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.956] lstrlenW (lpString="|ed|") returned 4
[0185.956] lstrlenW (lpString="|XML|") returned 5
[0185.956] RtlRestoreLastWin32Error () returned 0x490
[0185.956] lstrlenW (lpString="it") returned 2
[0185.956] lstrlenW (lpString="it") returned 2
[0185.956] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.956] lstrlenW (lpString="XML") returned 3
[0185.956] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.956] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|it|") returned 4
[0185.956] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.956] lstrlenW (lpString="|it|") returned 4
[0185.956] lstrlenW (lpString="|XML|") returned 5
[0185.956] RtlRestoreLastWin32Error () returned 0x490
[0185.956] lstrlenW (lpString="et") returned 2
[0185.956] lstrlenW (lpString="et") returned 2
[0185.956] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.956] lstrlenW (lpString="XML") returned 3
[0185.956] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.956] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|et|") returned 4
[0185.956] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.956] lstrlenW (lpString="|et|") returned 4
[0185.956] lstrlenW (lpString="|XML|") returned 5
[0185.956] RtlRestoreLastWin32Error () returned 0x490
[0185.956] lstrlenW (lpString="k") returned 1
[0185.957] lstrlenW (lpString="k") returned 1
[0185.957] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.957] lstrlenW (lpString="XML") returned 3
[0185.957] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.957] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|k|") returned 3
[0185.957] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.957] lstrlenW (lpString="|k|") returned 3
[0185.957] lstrlenW (lpString="|XML|") returned 5
[0185.957] RtlRestoreLastWin32Error () returned 0x490
[0185.957] lstrlenW (lpString="du") returned 2
[0185.957] lstrlenW (lpString="du") returned 2
[0185.957] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.957] lstrlenW (lpString="XML") returned 3
[0185.957] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.957] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|du|") returned 4
[0185.957] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.957] lstrlenW (lpString="|du|") returned 4
[0185.957] lstrlenW (lpString="|XML|") returned 5
[0185.957] RtlRestoreLastWin32Error () returned 0x490
[0185.957] lstrlenW (lpString="ri") returned 2
[0185.957] lstrlenW (lpString="ri") returned 2
[0185.957] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.957] lstrlenW (lpString="XML") returned 3
[0185.957] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.958] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ri|") returned 4
[0185.958] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.958] lstrlenW (lpString="|ri|") returned 4
[0185.958] lstrlenW (lpString="|XML|") returned 5
[0185.958] RtlRestoreLastWin32Error () returned 0x490
[0185.958] lstrlenW (lpString="z") returned 1
[0185.958] lstrlenW (lpString="z") returned 1
[0185.958] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.958] lstrlenW (lpString="XML") returned 3
[0185.958] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.958] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|z|") returned 3
[0185.958] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.958] lstrlenW (lpString="|z|") returned 3
[0185.958] lstrlenW (lpString="|XML|") returned 5
[0185.958] RtlRestoreLastWin32Error () returned 0x490
[0185.958] lstrlenW (lpString="f") returned 1
[0185.958] lstrlenW (lpString="f") returned 1
[0185.958] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.958] lstrlenW (lpString="XML") returned 3
[0185.958] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.958] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0185.958] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.958] lstrlenW (lpString="|f|") returned 3
[0185.958] lstrlenW (lpString="|XML|") returned 5
[0185.958] RtlRestoreLastWin32Error () returned 0x490
[0185.959] lstrlenW (lpString="v1") returned 2
[0185.959] lstrlenW (lpString="v1") returned 2
[0185.959] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.959] lstrlenW (lpString="XML") returned 3
[0185.959] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.959] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|v1|") returned 4
[0185.959] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.959] lstrlenW (lpString="|v1|") returned 4
[0185.959] lstrlenW (lpString="|XML|") returned 5
[0185.959] RtlRestoreLastWin32Error () returned 0x490
[0185.959] lstrlenW (lpString="xml") returned 3
[0185.959] lstrlenW (lpString="xml") returned 3
[0185.959] _memicmp (_Buf1=0x5d7368, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.959] lstrlenW (lpString="XML") returned 3
[0185.959] _memicmp (_Buf1=0x5d73b0, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.959] _vsnwprintf (in: _Buffer=0x5d94f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|xml|") returned 5
[0185.959] _vsnwprintf (in: _Buffer=0x5d96d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0185.959] lstrlenW (lpString="|xml|") returned 5
[0185.959] lstrlenW (lpString="|XML|") returned 5
[0185.959] StrStrIW (lpFirst="|xml|", lpSrch="|XML|") returned="|xml|"
[0185.959] RtlRestoreLastWin32Error () returned 0x0
[0185.959] RtlRestoreLastWin32Error () returned 0x0
[0185.959] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp") returned 52
[0185.959] lstrlenW (lpString="-/") returned 2
[0185.960] StrChrIW (lpStart="-/", wMatch=0x520043) returned 0x0
[0185.960] RtlRestoreLastWin32Error () returned 0x490
[0185.960] RtlRestoreLastWin32Error () returned 0x490
[0185.960] RtlRestoreLastWin32Error () returned 0x0
[0185.960] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp") returned 52
[0185.960] StrChrIW (lpStart="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp"
[0185.960] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp") returned 52
[0185.960] _memicmp (_Buf1=0x5d73c8, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.960] _memicmp (_Buf1=0x5daa80, _Buf2=0xba2708, _Size=0x7) returned 0
[0185.960] RtlRestoreLastWin32Error () returned 0x7a
[0185.960] RtlRestoreLastWin32Error () returned 0x0
[0185.960] RtlRestoreLastWin32Error () returned 0x0
[0185.960] lstrlenW (lpString="C") returned 1
[0185.960] RtlRestoreLastWin32Error () returned 0x490
[0185.960] RtlRestoreLastWin32Error () returned 0x0
[0185.960] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp") returned 52
[0185.960] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp") returned 52
[0185.960] GetProcessHeap () returned 0x5d0000
[0185.960] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x6a) returned 0x5d6a60
[0185.960] RtlRestoreLastWin32Error () returned 0x0
[0185.960] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp") returned 52
[0185.960] RtlRestoreLastWin32Error () returned 0x0
[0185.961] GetProcessHeap () returned 0x5d0000
[0185.961] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x1fc) returned 0x5dadb0
[0185.961] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0185.967] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0185.978] CoCreateInstance (in: rclsid=0xba26c0*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xba26d0*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0xdd39c | out: ppv=0xdd39c*=0x523758) returned 0x0
[0186.299] TaskScheduler:ITaskService:Connect (This=0x523758, serverName=0xdd34c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0xdd35c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), domain=0xdd36c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0xdd37c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0
[0186.346] TaskScheduler:ITaskService:GetFolder (in: This=0x523758, Path=0x0, ppFolder=0xdd464 | out: ppFolder=0xdd464*=0x523880) returned 0x0
[0186.347] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmp95db.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x5, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x12c
[0186.347] GetFileSizeEx (in: hFile=0x12c, lpFileSize=0xdcd7c | out: lpFileSize=0xdcd7c*=1601) returned 1
[0186.347] ReadFile (in: hFile=0x12c, lpBuffer=0xdcd8c, nNumberOfBytesToRead=0x2, lpNumberOfBytesRead=0xdcd88, lpOverlapped=0x0 | out: lpBuffer=0xdcd8c*, lpNumberOfBytesRead=0xdcd88*=0x2, lpOverlapped=0x0) returned 1
[0186.347] SetFilePointer (in: hFile=0x12c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
[0186.348] malloc (_Size=0x642) returned 0x5238d0
[0186.348] ReadFile (in: hFile=0x12c, lpBuffer=0x5238d0, nNumberOfBytesToRead=0x642, lpNumberOfBytesRead=0xdcd88, lpOverlapped=0x0 | out: lpBuffer=0x5238d0*, lpNumberOfBytesRead=0xdcd88*=0x641, lpOverlapped=0x0) returned 1
[0186.348] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x5238d0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1602
[0186.348] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x5238d0, cbMultiByte=-1, lpWideCharStr=0x5ea774, cchWideChar=1602 | out: lpWideCharStr="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe\n \n \n") returned 1602
[0186.348] SysStringLen (param_1="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe\n \n \n") returned 0x641
[0186.348] VarBstrCat (in: bstrLeft=0x0, bstrRight="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe\n \n \n", pbstrResult=0xdcd2c | out: pbstrResult=0xdcd2c) returned 0x0
[0186.349] free (_Block=0x5238d0)
[0186.349] CloseHandle (hObject=0x12c) returned 1
[0186.349] lstrlenW (lpString="") returned 0
[0186.349] malloc (_Size=0xc) returned 0x523830
[0186.349] SysStringLen (param_1="") returned 0x0
[0186.349] free (_Block=0x523830)
[0186.349] lstrlenW (lpString="") returned 0
[0186.349] ITaskFolder:RegisterTask (in: This=0x523880, Path="Updates\\ZgolgcKGNozdg", XmlText="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\ZgolgcKGNozdg.exe\n \n \n", flags=2, UserId=0xdcd60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x0), password=0xdcd70*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), LogonType=0, sddl=0xdcd84*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), ppTask=0xdcde0 | out: ppTask=0xdcde0*=0x523908) returned 0x0
[0187.115] GetProcessHeap () returned 0x5d0000
[0187.115] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x14) returned 0x5e5758
[0187.115] _memicmp (_Buf1=0x5d7470, _Buf2=0xba2708, _Size=0x7) returned 0
[0187.115] LoadStringW (in: hInstance=0x0, uID=0x12e, lpBuffer=0x5da7a0, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 0x40
[0187.116] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 64
[0187.116] GetProcessHeap () returned 0x5d0000
[0187.116] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0xc, Size=0x82) returned 0x5e92b8
[0187.116] _vsnwprintf (in: _Buffer=0xdcdf8, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" has successfully been created.\n", _ArgList=0xdcd94 | out: _Buffer="SUCCESS: The scheduled task \"Updates\\ZgolgcKGNozdg\" has successfully been created.\n") returned 83
[0187.116] __iob_func () returned 0x76b41208
[0187.116] _fileno (_File=0x76b41228) returned 1
[0187.116] _errno () returned 0x5205b0
[0187.116] _get_osfhandle (_FileHandle=1) returned 0x3c
[0187.116] _errno () returned 0x5205b0
[0187.116] GetFileType (hFile=0x3c) returned 0x2
[0187.116] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0187.116] GetFileType (hFile=0x3c) returned 0x2
[0187.116] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdcd68 | out: lpMode=0xdcd68) returned 1
[0187.235] __iob_func () returned 0x76b41208
[0187.235] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0187.235] lstrlenW (lpString="SUCCESS: The scheduled task \"Updates\\ZgolgcKGNozdg\" has successfully been created.\n") returned 83
[0187.235] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xdcdf8*, nNumberOfCharsToWrite=0x53, lpNumberOfCharsWritten=0xdcd8c, lpReserved=0x0 | out: lpBuffer=0xdcdf8*, lpNumberOfCharsWritten=0xdcd8c*=0x53) returned 1
[0187.330] IUnknown:Release (This=0x523908) returned 0x0
[0187.330] TaskScheduler:IUnknown:Release (This=0x523880) returned 0x0
[0187.330] TaskScheduler:IUnknown:Release (This=0x523758) returned 0x0
[0187.330] lstrlenW (lpString="") returned 0
[0187.330] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp") returned 52
[0187.331] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmp95DB.tmp", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53
[0187.331] GetProcessHeap () returned 0x5d0000
[0187.331] GetProcessHeap () returned 0x5d0000
[0187.331] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5dadb0) returned 1
[0187.331] GetProcessHeap () returned 0x5d0000
[0187.331] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5dadb0) returned 0x1fc
[0187.331] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5dadb0) returned 1
[0187.331] GetProcessHeap () returned 0x5d0000
[0187.331] GetProcessHeap () returned 0x5d0000
[0187.331] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d6a60) returned 1
[0187.331] GetProcessHeap () returned 0x5d0000
[0187.331] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d6a60) returned 0x6a
[0187.332] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d6a60) returned 1
[0187.332] GetProcessHeap () returned 0x5d0000
[0187.332] GetProcessHeap () returned 0x5d0000
[0187.332] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d96b0) returned 1
[0187.332] GetProcessHeap () returned 0x5d0000
[0187.332] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d96b0) returned 0x16
[0187.332] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d96b0) returned 1
[0187.332] GetProcessHeap () returned 0x5d0000
[0187.332] GetProcessHeap () returned 0x5d0000
[0187.332] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5dac18) returned 1
[0187.332] GetProcessHeap () returned 0x5d0000
[0187.332] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5dac18) returned 0x10
[0187.332] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5dac18) returned 1
[0187.332] GetProcessHeap () returned 0x5d0000
[0187.332] GetProcessHeap () returned 0x5d0000
[0187.332] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d96f0) returned 1
[0187.332] GetProcessHeap () returned 0x5d0000
[0187.332] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d96f0) returned 0x14
[0187.332] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d96f0) returned 1
[0187.333] GetProcessHeap () returned 0x5d0000
[0187.333] GetProcessHeap () returned 0x5d0000
[0187.333] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d8ef8) returned 1
[0187.333] GetProcessHeap () returned 0x5d0000
[0187.333] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d8ef8) returned 0xa0
[0187.333] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d8ef8) returned 1
[0187.333] GetProcessHeap () returned 0x5d0000
[0187.333] GetProcessHeap () returned 0x5d0000
[0187.333] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d74d0) returned 1
[0187.333] GetProcessHeap () returned 0x5d0000
[0187.333] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d74d0) returned 0x10
[0187.333] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d74d0) returned 1
[0187.333] GetProcessHeap () returned 0x5d0000
[0187.333] GetProcessHeap () returned 0x5d0000
[0187.333] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9590) returned 1
[0187.333] GetProcessHeap () returned 0x5d0000
[0187.333] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9590) returned 0x14
[0187.333] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9590) returned 1
[0187.333] GetProcessHeap () returned 0x5d0000
[0187.334] GetProcessHeap () returned 0x5d0000
[0187.334] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d69e8) returned 1
[0187.334] GetProcessHeap () returned 0x5d0000
[0187.334] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d69e8) returned 0x6e
[0187.334] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d69e8) returned 1
[0187.334] GetProcessHeap () returned 0x5d0000
[0187.334] GetProcessHeap () returned 0x5d0000
[0187.334] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5daa80) returned 1
[0187.334] GetProcessHeap () returned 0x5d0000
[0187.334] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5daa80) returned 0x10
[0187.334] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5daa80) returned 1
[0187.334] GetProcessHeap () returned 0x5d0000
[0187.334] GetProcessHeap () returned 0x5d0000
[0187.334] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9670) returned 1
[0187.334] GetProcessHeap () returned 0x5d0000
[0187.334] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9670) returned 0x14
[0187.334] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9670) returned 1
[0187.334] GetProcessHeap () returned 0x5d0000
[0187.335] GetProcessHeap () returned 0x5d0000
[0187.335] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d73e0) returned 1
[0187.335] GetProcessHeap () returned 0x5d0000
[0187.335] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d73e0) returned 0xc
[0187.335] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d73e0) returned 1
[0187.335] GetProcessHeap () returned 0x5d0000
[0187.335] GetProcessHeap () returned 0x5d0000
[0187.335] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d73c8) returned 1
[0187.335] GetProcessHeap () returned 0x5d0000
[0187.335] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d73c8) returned 0x10
[0187.335] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d73c8) returned 1
[0187.335] GetProcessHeap () returned 0x5d0000
[0187.335] GetProcessHeap () returned 0x5d0000
[0187.335] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9570) returned 1
[0187.335] GetProcessHeap () returned 0x5d0000
[0187.335] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9570) returned 0x14
[0187.335] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9570) returned 1
[0187.335] GetProcessHeap () returned 0x5d0000
[0187.335] GetProcessHeap () returned 0x5d0000
[0187.335] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d8ce8) returned 1
[0187.335] GetProcessHeap () returned 0x5d0000
[0187.335] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d8ce8) returned 0x208
[0187.336] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d8ce8) returned 1
[0187.336] GetProcessHeap () returned 0x5d0000
[0187.336] GetProcessHeap () returned 0x5d0000
[0187.336] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d7428) returned 1
[0187.336] GetProcessHeap () returned 0x5d0000
[0187.336] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d7428) returned 0x10
[0187.336] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d7428) returned 1
[0187.336] GetProcessHeap () returned 0x5d0000
[0187.336] GetProcessHeap () returned 0x5d0000
[0187.336] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9350) returned 1
[0187.336] GetProcessHeap () returned 0x5d0000
[0187.336] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9350) returned 0x14
[0187.336] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9350) returned 1
[0187.336] GetProcessHeap () returned 0x5d0000
[0187.336] GetProcessHeap () returned 0x5d0000
[0187.336] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5da7a0) returned 1
[0187.336] GetProcessHeap () returned 0x5d0000
[0187.337] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5da7a0) returned 0x200
[0187.337] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5da7a0) returned 1
[0187.337] GetProcessHeap () returned 0x5d0000
[0187.337] GetProcessHeap () returned 0x5d0000
[0187.337] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d7470) returned 1
[0187.337] GetProcessHeap () returned 0x5d0000
[0187.337] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d7470) returned 0x10
[0187.337] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d7470) returned 1
[0187.337] GetProcessHeap () returned 0x5d0000
[0187.337] GetProcessHeap () returned 0x5d0000
[0187.337] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9650) returned 1
[0187.337] GetProcessHeap () returned 0x5d0000
[0187.337] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9650) returned 0x14
[0187.337] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9650) returned 1
[0187.337] GetProcessHeap () returned 0x5d0000
[0187.337] GetProcessHeap () returned 0x5d0000
[0187.337] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d96d0) returned 1
[0187.337] GetProcessHeap () returned 0x5d0000
[0187.337] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d96d0) returned 0x14
[0187.337] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d96d0) returned 1
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d73b0) returned 1
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d73b0) returned 0x10
[0187.338] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d73b0) returned 1
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d2788) returned 1
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d2788) returned 0x14
[0187.338] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d2788) returned 1
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d94f0) returned 1
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d94f0) returned 0x16
[0187.338] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d94f0) returned 1
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d7368) returned 1
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d7368) returned 0x10
[0187.338] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d7368) returned 1
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] GetProcessHeap () returned 0x5d0000
[0187.338] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d6620) returned 1
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.339] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d6620) returned 0x14
[0187.339] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d6620) returned 1
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.339] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d0598) returned 1
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.339] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d0598) returned 0x2
[0187.339] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d0598) returned 1
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.339] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d6e50) returned 1
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.339] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d6e50) returned 0x14
[0187.339] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d6e50) returned 1
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.339] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d6c18) returned 1
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.339] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d6c18) returned 0x14
[0187.339] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d6c18) returned 1
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.339] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d6c38) returned 1
[0187.339] GetProcessHeap () returned 0x5d0000
[0187.340] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d6c38) returned 0x14
[0187.340] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d6c38) returned 1
[0187.340] GetProcessHeap () returned 0x5d0000
[0187.340] GetProcessHeap () returned 0x5d0000
[0187.340] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d6c58) returned 1
[0187.340] GetProcessHeap () returned 0x5d0000
[0187.340] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d6c58) returned 0x14
[0187.340] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d6c58) returned 1
[0187.340] GetProcessHeap () returned 0x5d0000
[0187.340] GetProcessHeap () returned 0x5d0000
[0187.340] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9610) returned 1
[0187.340] GetProcessHeap () returned 0x5d0000
[0187.340] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9610) returned 0x14
[0187.340] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9610) returned 1
[0187.340] GetProcessHeap () returned 0x5d0000
[0187.340] GetProcessHeap () returned 0x5d0000
[0187.340] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d94b0) returned 1
[0187.340] GetProcessHeap () returned 0x5d0000
[0187.340] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d94b0) returned 0x14
[0187.340] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d94b0) returned 1
[0187.340] GetProcessHeap () returned 0x5d0000
[0187.340] GetProcessHeap () returned 0x5d0000
[0187.340] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d2590) returned 1
[0187.340] GetProcessHeap () returned 0x5d0000
[0187.340] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d2590) returned 0x30
[0187.341] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d2590) returned 1
[0187.341] GetProcessHeap () returned 0x5d0000
[0187.341] GetProcessHeap () returned 0x5d0000
[0187.341] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9390) returned 1
[0187.341] GetProcessHeap () returned 0x5d0000
[0187.341] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9390) returned 0x14
[0187.341] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9390) returned 1
[0187.341] GetProcessHeap () returned 0x5d0000
[0187.341] GetProcessHeap () returned 0x5d0000
[0187.341] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d8fa0) returned 1
[0187.341] GetProcessHeap () returned 0x5d0000
[0187.341] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d8fa0) returned 0x30
[0187.341] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d8fa0) returned 1
[0187.342] GetProcessHeap () returned 0x5d0000
[0187.342] GetProcessHeap () returned 0x5d0000
[0187.342] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9510) returned 1
[0187.342] GetProcessHeap () returned 0x5d0000
[0187.342] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9510) returned 0x14
[0187.342] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9510) returned 1
[0187.342] GetProcessHeap () returned 0x5d0000
[0187.342] GetProcessHeap () returned 0x5d0000
[0187.342] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e92b8) returned 1
[0187.342] GetProcessHeap () returned 0x5d0000
[0187.342] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5e92b8) returned 0x82
[0187.342] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5e92b8) returned 1
[0187.342] GetProcessHeap () returned 0x5d0000
[0187.342] GetProcessHeap () returned 0x5d0000
[0187.342] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e5758) returned 1
[0187.342] GetProcessHeap () returned 0x5d0000
[0187.342] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5e5758) returned 0x14
[0187.342] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5e5758) returned 1
[0187.342] GetProcessHeap () returned 0x5d0000
[0187.342] GetProcessHeap () returned 0x5d0000
[0187.342] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d74b8) returned 1
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d74b8) returned 0x10
[0187.343] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d74b8) returned 1
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d6848) returned 1
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d6848) returned 0x14
[0187.343] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d6848) returned 1
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d6868) returned 1
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d6868) returned 0x14
[0187.343] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d6868) returned 1
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d6888) returned 1
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d6888) returned 0x14
[0187.343] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d6888) returned 1
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d65e0) returned 1
[0187.343] GetProcessHeap () returned 0x5d0000
[0187.343] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d65e0) returned 0x14
[0187.344] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d65e0) returned 1
[0187.344] GetProcessHeap () returned 0x5d0000
[0187.344] GetProcessHeap () returned 0x5d0000
[0187.344] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d7350) returned 1
[0187.344] GetProcessHeap () returned 0x5d0000
[0187.344] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d7350) returned 0x10
[0187.344] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d7350) returned 1
[0187.344] GetProcessHeap () returned 0x5d0000
[0187.344] GetProcessHeap () returned 0x5d0000
[0187.344] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d6600) returned 1
[0187.344] GetProcessHeap () returned 0x5d0000
[0187.344] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d6600) returned 0x14
[0187.344] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d6600) returned 1
[0187.344] GetProcessHeap () returned 0x5d0000
[0187.344] GetProcessHeap () returned 0x5d0000
[0187.344] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d27a8) returned 1
[0187.344] GetProcessHeap () returned 0x5d0000
[0187.344] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d27a8) returned 0x14
[0187.345] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d27a8) returned 1
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9430) returned 1
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9430) returned 0x14
[0187.345] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9430) returned 1
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9490) returned 1
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9490) returned 0x14
[0187.345] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9490) returned 1
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d95b0) returned 1
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d95b0) returned 0x14
[0187.345] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d95b0) returned 1
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d9690) returned 1
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d9690) returned 0x14
[0187.345] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d9690) returned 1
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] GetProcessHeap () returned 0x5d0000
[0187.345] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d7398) returned 1
[0187.346] GetProcessHeap () returned 0x5d0000
[0187.346] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d7398) returned 0x10
[0187.346] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d7398) returned 1
[0187.346] GetProcessHeap () returned 0x5d0000
[0187.346] GetProcessHeap () returned 0x5d0000
[0187.346] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d27c8) returned 1
[0187.346] GetProcessHeap () returned 0x5d0000
[0187.346] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d27c8) returned 0x14
[0187.346] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d27c8) returned 1
[0187.346] GetProcessHeap () returned 0x5d0000
[0187.346] GetProcessHeap () returned 0x5d0000
[0187.346] HeapValidate (hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5d7320) returned 1
[0187.346] GetProcessHeap () returned 0x5d0000
[0187.346] RtlSizeHeap (HeapHandle=0x5d0000, Flags=0x0, MemoryPointer=0x5d7320) returned 0x10
[0187.346] RtlFreeHeap (HeapHandle=0x5d0000, Flags=0x0, BaseAddress=0x5d7320) returned 1
[0187.346] exit (_Code=0)
Thread:
id = 24
os_tid = 0x808
Process:
id = "5"
image_name = "conhost.exe"
filename = "c:\\windows\\system32\\conhost.exe"
page_root = "0x36429000"
os_pid = "0x1348"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "4"
os_parent_pid = "0x131c"
cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
cur_dir = "C:\\Windows"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 639
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 640
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 641
start_va = 0x50000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 642
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 643
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 644
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 645
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 646
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 647
start_va = 0x7ff637930000
end_va = 0x7ff637940fff
monitored = 0
entry_point = 0x7ff6379316b0
region_type = mapped_file
name = "conhost.exe"
filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")
Region:
id = 648
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 649
start_va = 0x600000
end_va = 0x8effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 650
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 651
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 652
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 653
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 654
start_va = 0x90000
end_va = 0x14dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 655
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 656
start_va = 0x150000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 657
start_va = 0x600000
end_va = 0x7cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 658
start_va = 0x7f0000
end_va = 0x8effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007f0000"
filename = ""
Region:
id = 659
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 660
start_va = 0x7ffa0a430000
end_va = 0x7ffa0a488fff
monitored = 0
entry_point = 0x7ffa0a43fbf0
region_type = mapped_file
name = "conhostv2.dll"
filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")
Region:
id = 668
start_va = 0x190000
end_va = 0x190fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 669
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 670
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 671
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 672
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 673
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 674
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001a0000"
filename = ""
Region:
id = 675
start_va = 0x7ffa13b70000
end_va = 0x7ffa13cb2fff
monitored = 0
entry_point = 0x7ffa13b98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 676
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 677
start_va = 0x7ffa141e0000
end_va = 0x7ffa1421afff
monitored = 0
entry_point = 0x7ffa141e12f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 678
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 679
start_va = 0x7ffa11220000
end_va = 0x7ffa113a5fff
monitored = 0
entry_point = 0x7ffa1126d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 683
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 684
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 685
start_va = 0x600000
end_va = 0x787fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000600000"
filename = ""
Region:
id = 686
start_va = 0x7c0000
end_va = 0x7cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007c0000"
filename = ""
Region:
id = 687
start_va = 0x8f0000
end_va = 0xa70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008f0000"
filename = ""
Region:
id = 688
start_va = 0xa80000
end_va = 0x1e7ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a80000"
filename = ""
Region:
id = 689
start_va = 0x1e80000
end_va = 0x1fbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e80000"
filename = ""
Region:
id = 692
start_va = 0x1e80000
end_va = 0x1ebffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e80000"
filename = ""
Region:
id = 693
start_va = 0x1fb0000
end_va = 0x1fbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001fb0000"
filename = ""
Region:
id = 694
start_va = 0x7ffa15210000
end_va = 0x7ffa1676efff
monitored = 0
entry_point = 0x7ffa153711f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 695
start_va = 0x7ffa13390000
end_va = 0x7ffa133d2fff
monitored = 0
entry_point = 0x7ffa133a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 696
start_va = 0x7ffa13520000
end_va = 0x7ffa13b63fff
monitored = 0
entry_point = 0x7ffa136e64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 697
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 698
start_va = 0x7ffa14ba0000
end_va = 0x7ffa14bf1fff
monitored = 0
entry_point = 0x7ffa14baf530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 702
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 703
start_va = 0x7ffa12e80000
end_va = 0x7ffa12f34fff
monitored = 0
entry_point = 0x7ffa12ec22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 708
start_va = 0x7ffa12dc0000
end_va = 0x7ffa12e0afff
monitored = 0
entry_point = 0x7ffa12dc35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 709
start_va = 0x7ffa12d90000
end_va = 0x7ffa12da3fff
monitored = 0
entry_point = 0x7ffa12d952e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 710
start_va = 0x7ffa11710000
end_va = 0x7ffa117a5fff
monitored = 0
entry_point = 0x7ffa11735570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 711
start_va = 0x1fc0000
end_va = 0x20dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001fc0000"
filename = ""
Region:
id = 713
start_va = 0x20e0000
end_va = 0x2416fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 714
start_va = 0x2420000
end_va = 0x2638fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002420000"
filename = ""
Region:
id = 715
start_va = 0x2640000
end_va = 0x2856fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002640000"
filename = ""
Region:
id = 716
start_va = 0x1fc0000
end_va = 0x20cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001fc0000"
filename = ""
Region:
id = 717
start_va = 0x20d0000
end_va = 0x20dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020d0000"
filename = ""
Region:
id = 721
start_va = 0x2860000
end_va = 0x2a75fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002860000"
filename = ""
Region:
id = 722
start_va = 0x2a80000
end_va = 0x2b91fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a80000"
filename = ""
Region:
id = 730
start_va = 0x1ec0000
end_va = 0x1efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ec0000"
filename = ""
Region:
id = 731
start_va = 0x7ffa14a40000
end_va = 0x7ffa14b99fff
monitored = 0
entry_point = 0x7ffa14a838e0
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 732
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 733
start_va = 0x2ba0000
end_va = 0x2c5bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002ba0000"
filename = ""
Region:
id = 734
start_va = 0x50000
end_va = 0x53fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 735
start_va = 0x7ffa10610000
end_va = 0x7ffa10631fff
monitored = 0
entry_point = 0x7ffa10611a40
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 736
start_va = 0x7ffa11410000
end_va = 0x7ffa11422fff
monitored = 0
entry_point = 0x7ffa11412760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 739
start_va = 0x7ffa12ba0000
end_va = 0x7ffa12bf5fff
monitored = 0
entry_point = 0x7ffa12bb0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 745
start_va = 0x60000
end_va = 0x66fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 746
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000070000"
filename = ""
Region:
id = 747
start_va = 0x80000
end_va = 0x80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000080000"
filename = ""
Region:
id = 748
start_va = 0x1d0000
end_va = 0x1d4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 749
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "conhostv2.dll.mui"
filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")
Region:
id = 750
start_va = 0x1f0000
end_va = 0x1f1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 751
start_va = 0x7ffa080f0000
end_va = 0x7ffa08363fff
monitored = 0
entry_point = 0x7ffa08160400
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")
Region:
id = 756
start_va = 0x790000
end_va = 0x790fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 757
start_va = 0x7a0000
end_va = 0x7a1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007a0000"
filename = ""
Thread:
id = 18
os_tid = 0x133c
Thread:
id = 19
os_tid = 0x1344
Thread:
id = 21
os_tid = 0x1338
Thread:
id = 23
os_tid = 0xc50
Process:
id = "6"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x75956000"
os_pid = "0x360"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "created_scheduled_job"
parent_id = "4"
os_parent_pid = "0x214"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000abff" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 816
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 817
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "svchost.exe.mui"
filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")
Region:
id = 818
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 819
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 820
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 821
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 822
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 823
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 824
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 825
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 826
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 827
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 828
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 829
start_va = 0x400000
end_va = 0x400fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 830
start_va = 0x410000
end_va = 0x414fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll"
filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll")
Region:
id = 831
start_va = 0x420000
end_va = 0x42ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll.mui"
filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui")
Region:
id = 832
start_va = 0x430000
end_va = 0x431fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "dosvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui")
Region:
id = 833
start_va = 0x440000
end_va = 0x442fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "mswsock.dll.mui"
filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui")
Region:
id = 834
start_va = 0x460000
end_va = 0x469fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "crypt32.dll.mui"
filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui")
Region:
id = 835
start_va = 0x470000
end_va = 0x470fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000470000"
filename = ""
Region:
id = 836
start_va = 0x480000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 837
start_va = 0x540000
end_va = 0x546fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000540000"
filename = ""
Region:
id = 838
start_va = 0x550000
end_va = 0x5cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 839
start_va = 0x5d0000
end_va = 0x5d6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 840
start_va = 0x5e0000
end_va = 0x5e0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "usocore.dll.mui"
filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui")
Region:
id = 841
start_va = 0x5f0000
end_va = 0x5f1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005f0000"
filename = ""
Region:
id = 842
start_va = 0x600000
end_va = 0x6fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 843
start_va = 0x700000
end_va = 0x887fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000700000"
filename = ""
Region:
id = 844
start_va = 0x890000
end_va = 0x890fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000890000"
filename = ""
Region:
id = 845
start_va = 0x8a0000
end_va = 0x8a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008a0000"
filename = ""
Region:
id = 846
start_va = 0x8b0000
end_va = 0x8bcfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gpsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui")
Region:
id = 847
start_va = 0x8c0000
end_va = 0x8c1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008c0000"
filename = ""
Region:
id = 848
start_va = 0x8d0000
end_va = 0x8d0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008d0000"
filename = ""
Region:
id = 849
start_va = 0x8e0000
end_va = 0x8e3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 850
start_va = 0x8f0000
end_va = 0x8f6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008f0000"
filename = ""
Region:
id = 851
start_va = 0x900000
end_va = 0x9fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 852
start_va = 0xa00000
end_va = 0xb80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a00000"
filename = ""
Region:
id = 853
start_va = 0xb90000
end_va = 0xc8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b90000"
filename = ""
Region:
id = 854
start_va = 0xc90000
end_va = 0xc93fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 855
start_va = 0xca0000
end_va = 0xcb0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 856
start_va = 0xcc0000
end_va = 0xcc6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000cc0000"
filename = ""
Region:
id = 857
start_va = 0xcd0000
end_va = 0xd14fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db")
Region:
id = 858
start_va = 0xd20000
end_va = 0xd2cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "iphlpsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui")
Region:
id = 859
start_va = 0xd30000
end_va = 0xd36fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d30000"
filename = ""
Region:
id = 860
start_va = 0xdc0000
end_va = 0xdc8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "vsstrace.dll.mui"
filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui")
Region:
id = 861
start_va = 0xdd0000
end_va = 0xdd6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000dd0000"
filename = ""
Region:
id = 862
start_va = 0xde0000
end_va = 0xde1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "activeds.dll.mui"
filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui")
Region:
id = 863
start_va = 0xdf0000
end_va = 0xdf1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000df0000"
filename = ""
Region:
id = 864
start_va = 0xe00000
end_va = 0xefffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e00000"
filename = ""
Region:
id = 865
start_va = 0xf00000
end_va = 0xffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f00000"
filename = ""
Region:
id = 866
start_va = 0x1000000
end_va = 0x1336fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 867
start_va = 0x1340000
end_va = 0x143ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001340000"
filename = ""
Region:
id = 868
start_va = 0x1440000
end_va = 0x153ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001440000"
filename = ""
Region:
id = 869
start_va = 0x1540000
end_va = 0x15bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001540000"
filename = ""
Region:
id = 870
start_va = 0x15c0000
end_va = 0x15c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000015c0000"
filename = ""
Region:
id = 871
start_va = 0x1600000
end_va = 0x16fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001600000"
filename = ""
Region:
id = 872
start_va = 0x1700000
end_va = 0x17fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001700000"
filename = ""
Region:
id = 873
start_va = 0x1800000
end_va = 0x18dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 874
start_va = 0x18e0000
end_va = 0x18f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1256.nls"
filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls")
Region:
id = 875
start_va = 0x1900000
end_va = 0x19fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001900000"
filename = ""
Region:
id = 876
start_va = 0x1a00000
end_va = 0x1a7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001a00000"
filename = ""
Region:
id = 877
start_va = 0x1a80000
end_va = 0x1b7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001a80000"
filename = ""
Region:
id = 878
start_va = 0x1b80000
end_va = 0x1c7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001b80000"
filename = ""
Region:
id = 879
start_va = 0x1c80000
end_va = 0x1cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c80000"
filename = ""
Region:
id = 880
start_va = 0x1d00000
end_va = 0x1d7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d00000"
filename = ""
Region:
id = 881
start_va = 0x1d80000
end_va = 0x1e7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d80000"
filename = ""
Region:
id = 882
start_va = 0x1e80000
end_va = 0x1f7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e80000"
filename = ""
Region:
id = 883
start_va = 0x1f80000
end_va = 0x207ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f80000"
filename = ""
Region:
id = 884
start_va = 0x2080000
end_va = 0x217ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002080000"
filename = ""
Region:
id = 885
start_va = 0x2180000
end_va = 0x227ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002180000"
filename = ""
Region:
id = 886
start_va = 0x2280000
end_va = 0x237ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002280000"
filename = ""
Region:
id = 887
start_va = 0x2380000
end_va = 0x247ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002380000"
filename = ""
Region:
id = 888
start_va = 0x2480000
end_va = 0x24fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002480000"
filename = ""
Region:
id = 889
start_va = 0x2500000
end_va = 0x25fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 890
start_va = 0x2640000
end_va = 0x26bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002640000"
filename = ""
Region:
id = 891
start_va = 0x2700000
end_va = 0x277ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002700000"
filename = ""
Region:
id = 892
start_va = 0x2790000
end_va = 0x2796fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002790000"
filename = ""
Region:
id = 893
start_va = 0x27b0000
end_va = 0x27b6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000027b0000"
filename = ""
Region:
id = 894
start_va = 0x27c0000
end_va = 0x27d0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1251.nls"
filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls")
Region:
id = 895
start_va = 0x27e0000
end_va = 0x27f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1254.nls"
filename = "\\Windows\\System32\\C_1254.NLS" (normalized: "c:\\windows\\system32\\c_1254.nls")
Region:
id = 896
start_va = 0x2800000
end_va = 0x28fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002800000"
filename = ""
Region:
id = 897
start_va = 0x2900000
end_va = 0x29fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002900000"
filename = ""
Region:
id = 898
start_va = 0x2b00000
end_va = 0x2bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b00000"
filename = ""
Region:
id = 899
start_va = 0x2c00000
end_va = 0x2c8dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 900
start_va = 0x2c90000
end_va = 0x2d0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002c90000"
filename = ""
Region:
id = 901
start_va = 0x2d10000
end_va = 0x2e0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002d10000"
filename = ""
Region:
id = 902
start_va = 0x2e10000
end_va = 0x2f0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002e10000"
filename = ""
Region:
id = 903
start_va = 0x2f10000
end_va = 0x2f20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1250.nls"
filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls")
Region:
id = 904
start_va = 0x2f30000
end_va = 0x2f40fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1253.nls"
filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls")
Region:
id = 905
start_va = 0x2f50000
end_va = 0x2f60fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1257.nls"
filename = "\\Windows\\System32\\C_1257.NLS" (normalized: "c:\\windows\\system32\\c_1257.nls")
Region:
id = 906
start_va = 0x2f70000
end_va = 0x2f80fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1255.nls"
filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls")
Region:
id = 907
start_va = 0x2f90000
end_va = 0x2fb7fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_932.nls"
filename = "\\Windows\\System32\\C_932.NLS" (normalized: "c:\\windows\\system32\\c_932.nls")
Region:
id = 908
start_va = 0x2fc0000
end_va = 0x2ff0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_949.nls"
filename = "\\Windows\\System32\\C_949.NLS" (normalized: "c:\\windows\\system32\\c_949.nls")
Region:
id = 909
start_va = 0x3110000
end_va = 0x3120fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_874.nls"
filename = "\\Windows\\System32\\C_874.NLS" (normalized: "c:\\windows\\system32\\c_874.nls")
Region:
id = 910
start_va = 0x3130000
end_va = 0x3140fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1258.nls"
filename = "\\Windows\\System32\\C_1258.NLS" (normalized: "c:\\windows\\system32\\c_1258.nls")
Region:
id = 911
start_va = 0x3150000
end_va = 0x3180fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_936.nls"
filename = "\\Windows\\System32\\C_936.NLS" (normalized: "c:\\windows\\system32\\c_936.nls")
Region:
id = 912
start_va = 0x3190000
end_va = 0x328ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003190000"
filename = ""
Region:
id = 913
start_va = 0x3290000
end_va = 0x330ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003290000"
filename = ""
Region:
id = 914
start_va = 0x3310000
end_va = 0x3340fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_950.nls"
filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls")
Region:
id = 915
start_va = 0x3390000
end_va = 0x3396fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003390000"
filename = ""
Region:
id = 916
start_va = 0x34a0000
end_va = 0x359ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000034a0000"
filename = ""
Region:
id = 917
start_va = 0x3670000
end_va = 0x376ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003670000"
filename = ""
Region:
id = 918
start_va = 0x3770000
end_va = 0x386ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003770000"
filename = ""
Region:
id = 919
start_va = 0x3870000
end_va = 0x38effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003870000"
filename = ""
Region:
id = 920
start_va = 0x3900000
end_va = 0x39fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003900000"
filename = ""
Region:
id = 921
start_va = 0x3a00000
end_va = 0x3afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003a00000"
filename = ""
Region:
id = 922
start_va = 0x3b00000
end_va = 0x3bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b00000"
filename = ""
Region:
id = 923
start_va = 0x3c00000
end_va = 0x3c7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003c00000"
filename = ""
Region:
id = 924
start_va = 0x3c80000
end_va = 0x3cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003c80000"
filename = ""
Region:
id = 925
start_va = 0x3d00000
end_va = 0x3dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003d00000"
filename = ""
Region:
id = 926
start_va = 0x3e00000
end_va = 0x3e7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003e00000"
filename = ""
Region:
id = 927
start_va = 0x3e80000
end_va = 0x3f7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003e80000"
filename = ""
Region:
id = 928
start_va = 0x4000000
end_va = 0x40fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004000000"
filename = ""
Region:
id = 929
start_va = 0x4100000
end_va = 0x41fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004100000"
filename = ""
Region:
id = 930
start_va = 0x4200000
end_va = 0x42fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004200000"
filename = ""
Region:
id = 931
start_va = 0x4300000
end_va = 0x43fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004300000"
filename = ""
Region:
id = 932
start_va = 0x4400000
end_va = 0x44fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004400000"
filename = ""
Region:
id = 933
start_va = 0x4500000
end_va = 0x45fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004500000"
filename = ""
Region:
id = 934
start_va = 0x4600000
end_va = 0x46fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004600000"
filename = ""
Region:
id = 935
start_va = 0x4700000
end_va = 0x47fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004700000"
filename = ""
Region:
id = 936
start_va = 0x4800000
end_va = 0x48fffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004800000"
filename = ""
Region:
id = 937
start_va = 0x4940000
end_va = 0x4946fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004940000"
filename = ""
Region:
id = 938
start_va = 0x4a00000
end_va = 0x4afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a00000"
filename = ""
Region:
id = 939
start_va = 0x4b00000
end_va = 0x4bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004b00000"
filename = ""
Region:
id = 940
start_va = 0x4c00000
end_va = 0x4cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c00000"
filename = ""
Region:
id = 941
start_va = 0x4d00000
end_va = 0x4dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004d00000"
filename = ""
Region:
id = 942
start_va = 0x4e00000
end_va = 0x4efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004e00000"
filename = ""
Region:
id = 943
start_va = 0x4f00000
end_va = 0x4ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004f00000"
filename = ""
Region:
id = 944
start_va = 0x5000000
end_va = 0x50fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005000000"
filename = ""
Region:
id = 945
start_va = 0x5100000
end_va = 0x51fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005100000"
filename = ""
Region:
id = 946
start_va = 0x5200000
end_va = 0x52fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005200000"
filename = ""
Region:
id = 947
start_va = 0x5400000
end_va = 0x54fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005400000"
filename = ""
Region:
id = 948
start_va = 0x5700000
end_va = 0x57fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005700000"
filename = ""
Region:
id = 949
start_va = 0x5800000
end_va = 0x58fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005800000"
filename = ""
Region:
id = 950
start_va = 0x5900000
end_va = 0x59fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005900000"
filename = ""
Region:
id = 951
start_va = 0x5a00000
end_va = 0x5afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005a00000"
filename = ""
Region:
id = 952
start_va = 0x5b00000
end_va = 0x5bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005b00000"
filename = ""
Region:
id = 953
start_va = 0x5c00000
end_va = 0x5cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005c00000"
filename = ""
Region:
id = 954
start_va = 0x5d00000
end_va = 0x5dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005d00000"
filename = ""
Region:
id = 955
start_va = 0x5e00000
end_va = 0x5efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005e00000"
filename = ""
Region:
id = 956
start_va = 0x5f00000
end_va = 0x5ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005f00000"
filename = ""
Region:
id = 957
start_va = 0x6000000
end_va = 0x60fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006000000"
filename = ""
Region:
id = 958
start_va = 0x6100000
end_va = 0x61fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006100000"
filename = ""
Region:
id = 959
start_va = 0x6200000
end_va = 0x62fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006200000"
filename = ""
Region:
id = 960
start_va = 0x6400000
end_va = 0x64fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006400000"
filename = ""
Region:
id = 961
start_va = 0x6500000
end_va = 0x65fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006500000"
filename = ""
Region:
id = 962
start_va = 0x6600000
end_va = 0x66fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006600000"
filename = ""
Region:
id = 963
start_va = 0x6700000
end_va = 0x67fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006700000"
filename = ""
Region:
id = 964
start_va = 0x6800000
end_va = 0x68fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006800000"
filename = ""
Region:
id = 965
start_va = 0x6900000
end_va = 0x69fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006900000"
filename = ""
Region:
id = 966
start_va = 0x6a00000
end_va = 0x6afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006a00000"
filename = ""
Region:
id = 967
start_va = 0x6b00000
end_va = 0x6bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b00000"
filename = ""
Region:
id = 968
start_va = 0x6c00000
end_va = 0x6cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006c00000"
filename = ""
Region:
id = 969
start_va = 0x6d00000
end_va = 0x6dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006d00000"
filename = ""
Region:
id = 970
start_va = 0x6e00000
end_va = 0x6efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006e00000"
filename = ""
Region:
id = 971
start_va = 0x6f00000
end_va = 0x6ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006f00000"
filename = ""
Region:
id = 972
start_va = 0x7100000
end_va = 0x71fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007100000"
filename = ""
Region:
id = 973
start_va = 0x7200000
end_va = 0x72fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007200000"
filename = ""
Region:
id = 974
start_va = 0x7600000
end_va = 0x76fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007600000"
filename = ""
Region:
id = 975
start_va = 0x8200000
end_va = 0x82fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008200000"
filename = ""
Region:
id = 976
start_va = 0x8700000
end_va = 0x87fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008700000"
filename = ""
Region:
id = 977
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 978
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 979
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 980
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 981
start_va = 0x7ff681250000
end_va = 0x7ff68125cfff
monitored = 0
entry_point = 0x7ff681253980
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 982
start_va = 0x7ff9fc2d0000
end_va = 0x7ff9fc57ffff
monitored = 0
entry_point = 0x7ff9fc2d1cf0
region_type = mapped_file
name = "netshell.dll"
filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll")
Region:
id = 983
start_va = 0x7ff9fc5c0000
end_va = 0x7ff9fc694fff
monitored = 0
entry_point = 0x7ff9fc5dcf80
region_type = mapped_file
name = "wuapi.dll"
filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll")
Region:
id = 984
start_va = 0x7ff9fc6a0000
end_va = 0x7ff9fc6e3fff
monitored = 0
entry_point = 0x7ff9fc6c83e0
region_type = mapped_file
name = "updatehandlers.dll"
filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll")
Region:
id = 985
start_va = 0x7ff9fc7a0000
end_va = 0x7ff9fc7fcfff
monitored = 0
entry_point = 0x7ff9fc7ce510
region_type = mapped_file
name = "usocore.dll"
filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll")
Region:
id = 986
start_va = 0x7ff9fdf90000
end_va = 0x7ff9fdfc5fff
monitored = 0
entry_point = 0x7ff9fdf927f0
region_type = mapped_file
name = "windows.networking.hostname.dll"
filename = "\\Windows\\System32\\Windows.Networking.HostName.dll" (normalized: "c:\\windows\\system32\\windows.networking.hostname.dll")
Region:
id = 987
start_va = 0x7ff9fe230000
end_va = 0x7ff9fe26efff
monitored = 0
entry_point = 0x7ff9fe2582d0
region_type = mapped_file
name = "tcpipcfg.dll"
filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll")
Region:
id = 988
start_va = 0x7ff9fe270000
end_va = 0x7ff9fe291fff
monitored = 0
entry_point = 0x7ff9fe282540
region_type = mapped_file
name = "updatepolicy.dll"
filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll")
Region:
id = 989
start_va = 0x7ff9fe2a0000
end_va = 0x7ff9fe31ffff
monitored = 0
entry_point = 0x7ff9fe2cd280
region_type = mapped_file
name = "webio.dll"
filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll")
Region:
id = 990
start_va = 0x7ff9fe3f0000
end_va = 0x7ff9fe401fff
monitored = 0
entry_point = 0x7ff9fe3f1a80
region_type = mapped_file
name = "bitsproxy.dll"
filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll")
Region:
id = 991
start_va = 0x7ff9fe410000
end_va = 0x7ff9fe427fff
monitored = 0
entry_point = 0x7ff9fe41b850
region_type = mapped_file
name = "dmcmnutils.dll"
filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll")
Region:
id = 992
start_va = 0x7ff9fe450000
end_va = 0x7ff9fe466fff
monitored = 0
entry_point = 0x7ff9fe457520
region_type = mapped_file
name = "usoapi.dll"
filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll")
Region:
id = 993
start_va = 0x7ff9ff2d0000
end_va = 0x7ff9ff301fff
monitored = 0
entry_point = 0x7ff9ff2db0c0
region_type = mapped_file
name = "shacct.dll"
filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll")
Region:
id = 994
start_va = 0x7ff9ff310000
end_va = 0x7ff9ff320fff
monitored = 0
entry_point = 0x7ff9ff3128d0
region_type = mapped_file
name = "credentialmigrationhandler.dll"
filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll")
Region:
id = 995
start_va = 0x7ff9ffc40000
end_va = 0x7ff9ffc47fff
monitored = 0
entry_point = 0x7ff9ffc413b0
region_type = mapped_file
name = "dmiso8601utils.dll"
filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll")
Region:
id = 996
start_va = 0x7ff9ffd60000
end_va = 0x7ff9ffe6efff
monitored = 0
entry_point = 0x7ff9ffd9c010
region_type = mapped_file
name = "dosvc.dll"
filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll")
Region:
id = 997
start_va = 0x7ff9fffa0000
end_va = 0x7ffa00006fff
monitored = 0
entry_point = 0x7ff9fffab160
region_type = mapped_file
name = "upnp.dll"
filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll")
Region:
id = 998
start_va = 0x7ffa01260000
end_va = 0x7ffa0127cfff
monitored = 0
entry_point = 0x7ffa01264f60
region_type = mapped_file
name = "appinfo.dll"
filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll")
Region:
id = 999
start_va = 0x7ffa01690000
end_va = 0x7ffa016a3fff
monitored = 0
entry_point = 0x7ffa01693710
region_type = mapped_file
name = "mskeyprotect.dll"
filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll")
Region:
id = 1000
start_va = 0x7ffa01740000
end_va = 0x7ffa0175dfff
monitored = 0
entry_point = 0x7ffa0174ef80
region_type = mapped_file
name = "ncryptsslp.dll"
filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll")
Region:
id = 1001
start_va = 0x7ffa069a0000
end_va = 0x7ffa069b5fff
monitored = 0
entry_point = 0x7ffa069a1d50
region_type = mapped_file
name = "wwapi.dll"
filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll")
Region:
id = 1002
start_va = 0x7ffa07a20000
end_va = 0x7ffa07a30fff
monitored = 0
entry_point = 0x7ffa07a27480
region_type = mapped_file
name = "tetheringclient.dll"
filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll")
Region:
id = 1003
start_va = 0x7ffa07a40000
end_va = 0x7ffa07ac3fff
monitored = 0
entry_point = 0x7ffa07a58d50
region_type = mapped_file
name = "wbemess.dll"
filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll")
Region:
id = 1004
start_va = 0x7ffa07ad0000
end_va = 0x7ffa07ae5fff
monitored = 0
entry_point = 0x7ffa07ad55e0
region_type = mapped_file
name = "ncobjapi.dll"
filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")
Region:
id = 1005
start_va = 0x7ffa07af0000
end_va = 0x7ffa07bc5fff
monitored = 0
entry_point = 0x7ffa07b1a800
region_type = mapped_file
name = "wmiprvsd.dll"
filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll")
Region:
id = 1006
start_va = 0x7ffa07c20000
end_va = 0x7ffa07c83fff
monitored = 0
entry_point = 0x7ffa07c3bed0
region_type = mapped_file
name = "repdrvfs.dll"
filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll")
Region:
id = 1007
start_va = 0x7ffa07c90000
end_va = 0x7ffa07cb4fff
monitored = 0
entry_point = 0x7ffa07c99900
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 1008
start_va = 0x7ffa07cc0000
end_va = 0x7ffa07cd3fff
monitored = 0
entry_point = 0x7ffa07cc1800
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 1009
start_va = 0x7ffa07ce0000
end_va = 0x7ffa07dd5fff
monitored = 0
entry_point = 0x7ffa07d19590
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 1010
start_va = 0x7ffa07de0000
end_va = 0x7ffa07e53fff
monitored = 0
entry_point = 0x7ffa07df5eb0
region_type = mapped_file
name = "esscli.dll"
filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll")
Region:
id = 1011
start_va = 0x7ffa07e60000
end_va = 0x7ffa07f96fff
monitored = 0
entry_point = 0x7ffa07ea0480
region_type = mapped_file
name = "wbemcore.dll"
filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll")
Region:
id = 1012
start_va = 0x7ffa08390000
end_va = 0x7ffa083a0fff
monitored = 0
entry_point = 0x7ffa08392fc0
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 1013
start_va = 0x7ffa083b0000
end_va = 0x7ffa083cdfff
monitored = 0
entry_point = 0x7ffa083b3a40
region_type = mapped_file
name = "atl.dll"
filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll")
Region:
id = 1014
start_va = 0x7ffa083d0000
end_va = 0x7ffa08451fff
monitored = 0
entry_point = 0x7ffa083d2a10
region_type = mapped_file
name = "hnetcfg.dll"
filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll")
Region:
id = 1015
start_va = 0x7ffa08460000
end_va = 0x7ffa08475fff
monitored = 0
entry_point = 0x7ffa08461af0
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 1016
start_va = 0x7ffa08480000
end_va = 0x7ffa08499fff
monitored = 0
entry_point = 0x7ffa08482330
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 1017
start_va = 0x7ffa088d0000
end_va = 0x7ffa08915fff
monitored = 0
entry_point = 0x7ffa088d79a0
region_type = mapped_file
name = "adsldp.dll"
filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll")
Region:
id = 1018
start_va = 0x7ffa08940000
end_va = 0x7ffa0894efff
monitored = 0
entry_point = 0x7ffa08944960
region_type = mapped_file
name = "nci.dll"
filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll")
Region:
id = 1019
start_va = 0x7ffa08a00000
end_va = 0x7ffa08a0bfff
monitored = 0
entry_point = 0x7ffa08a035c0
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 1020
start_va = 0x7ffa08a10000
end_va = 0x7ffa08a4ffff
monitored = 0
entry_point = 0x7ffa08a1cbe0
region_type = mapped_file
name = "adsldpc.dll"
filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll")
Region:
id = 1021
start_va = 0x7ffa08a50000
end_va = 0x7ffa08a96fff
monitored = 0
entry_point = 0x7ffa08a51d10
region_type = mapped_file
name = "activeds.dll"
filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll")
Region:
id = 1022
start_va = 0x7ffa08ae0000
end_va = 0x7ffa08b21fff
monitored = 0
entry_point = 0x7ffa08ae3670
region_type = mapped_file
name = "wdscore.dll"
filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll")
Region:
id = 1023
start_va = 0x7ffa08e00000
end_va = 0x7ffa08e1efff
monitored = 0
entry_point = 0x7ffa08e037e0
region_type = mapped_file
name = "netsetupapi.dll"
filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll")
Region:
id = 1024
start_va = 0x7ffa08e20000
end_va = 0x7ffa08e98fff
monitored = 0
entry_point = 0x7ffa08e276a0
region_type = mapped_file
name = "netsetupshim.dll"
filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll")
Region:
id = 1025
start_va = 0x7ffa08eb0000
end_va = 0x7ffa08eeffff
monitored = 0
entry_point = 0x7ffa08ec6c60
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll")
Region:
id = 1026
start_va = 0x7ffa08f10000
end_va = 0x7ffa08f27fff
monitored = 0
entry_point = 0x7ffa08f14e10
region_type = mapped_file
name = "adhsvc.dll"
filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll")
Region:
id = 1027
start_va = 0x7ffa08f30000
end_va = 0x7ffa08f54fff
monitored = 0
entry_point = 0x7ffa08f35ca0
region_type = mapped_file
name = "httpprxm.dll"
filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll")
Region:
id = 1028
start_va = 0x7ffa08f60000
end_va = 0x7ffa090e1fff
monitored = 0
entry_point = 0x7ffa08f782a0
region_type = mapped_file
name = "vssapi.dll"
filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll")
Region:
id = 1029
start_va = 0x7ffa090f0000
end_va = 0x7ffa09192fff
monitored = 0
entry_point = 0x7ffa090f2c10
region_type = mapped_file
name = "clusapi.dll"
filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll")
Region:
id = 1030
start_va = 0x7ffa091a0000
end_va = 0x7ffa091f1fff
monitored = 0
entry_point = 0x7ffa091a5770
region_type = mapped_file
name = "resutils.dll"
filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll")
Region:
id = 1031
start_va = 0x7ffa09200000
end_va = 0x7ffa0922dfff
monitored = 1
entry_point = 0x7ffa09202300
region_type = mapped_file
name = "wmidcom.dll"
filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll")
Region:
id = 1032
start_va = 0x7ffa09230000
end_va = 0x7ffa0928dfff
monitored = 0
entry_point = 0x7ffa09235080
region_type = mapped_file
name = "miutils.dll"
filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll")
Region:
id = 1033
start_va = 0x7ffa09290000
end_va = 0x7ffa092affff
monitored = 0
entry_point = 0x7ffa09291f50
region_type = mapped_file
name = "mi.dll"
filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll")
Region:
id = 1034
start_va = 0x7ffa092b0000
end_va = 0x7ffa092b8fff
monitored = 0
entry_point = 0x7ffa092b18f0
region_type = mapped_file
name = "sscoreext.dll"
filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll")
Region:
id = 1035
start_va = 0x7ffa092c0000
end_va = 0x7ffa092d0fff
monitored = 0
entry_point = 0x7ffa092c1d30
region_type = mapped_file
name = "sscore.dll"
filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll")
Region:
id = 1036
start_va = 0x7ffa09330000
end_va = 0x7ffa09347fff
monitored = 0
entry_point = 0x7ffa09332000
region_type = mapped_file
name = "vsstrace.dll"
filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll")
Region:
id = 1037
start_va = 0x7ffa09350000
end_va = 0x7ffa09390fff
monitored = 0
entry_point = 0x7ffa09353750
region_type = mapped_file
name = "sqmapi.dll"
filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll")
Region:
id = 1038
start_va = 0x7ffa09430000
end_va = 0x7ffa0947bfff
monitored = 0
entry_point = 0x7ffa09445310
region_type = mapped_file
name = "srvsvc.dll"
filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll")
Region:
id = 1039
start_va = 0x7ffa09490000
end_va = 0x7ffa0950efff
monitored = 0
entry_point = 0x7ffa094a7110
region_type = mapped_file
name = "wbemcomn.dll"
filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll")
Region:
id = 1040
start_va = 0x7ffa09510000
end_va = 0x7ffa0954bfff
monitored = 0
entry_point = 0x7ffa09516aa0
region_type = mapped_file
name = "wmisvc.dll"
filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll")
Region:
id = 1041
start_va = 0x7ffa09c80000
end_va = 0x7ffa09c88fff
monitored = 0
entry_point = 0x7ffa09c821d0
region_type = mapped_file
name = "httpprxc.dll"
filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll")
Region:
id = 1042
start_va = 0x7ffa09c90000
end_va = 0x7ffa09cc4fff
monitored = 0
entry_point = 0x7ffa09c9a270
region_type = mapped_file
name = "fwpolicyiomgr.dll"
filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll")
Region:
id = 1043
start_va = 0x7ffa0a560000
end_va = 0x7ffa0a652fff
monitored = 0
entry_point = 0x7ffa0a585d80
region_type = mapped_file
name = "iphlpsvc.dll"
filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll")
Region:
id = 1044
start_va = 0x7ffa0ac50000
end_va = 0x7ffa0ac59fff
monitored = 0
entry_point = 0x7ffa0ac514c0
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 1045
start_va = 0x7ffa0afc0000
end_va = 0x7ffa0afd1fff
monitored = 0
entry_point = 0x7ffa0afc3580
region_type = mapped_file
name = "cscapi.dll"
filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll")
Region:
id = 1046
start_va = 0x7ffa0b050000
end_va = 0x7ffa0b06afff
monitored = 0
entry_point = 0x7ffa0b051040
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll")
Region:
id = 1047
start_va = 0x7ffa0b300000
end_va = 0x7ffa0b314fff
monitored = 0
entry_point = 0x7ffa0b302dc0
region_type = mapped_file
name = "ondemandconnroutehelper.dll"
filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll")
Region:
id = 1048
start_va = 0x7ffa0b320000
end_va = 0x7ffa0b32dfff
monitored = 0
entry_point = 0x7ffa0b321460
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 1049
start_va = 0x7ffa0b330000
end_va = 0x7ffa0b33bfff
monitored = 0
entry_point = 0x7ffa0b332830
region_type = mapped_file
name = "bi.dll"
filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll")
Region:
id = 1050
start_va = 0x7ffa0b340000
end_va = 0x7ffa0b34ffff
monitored = 0
entry_point = 0x7ffa0b341700
region_type = mapped_file
name = "proximityservicepal.dll"
filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll")
Region:
id = 1051
start_va = 0x7ffa0b350000
end_va = 0x7ffa0b358fff
monitored = 0
entry_point = 0x7ffa0b351ed0
region_type = mapped_file
name = "proximitycommonpal.dll"
filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll")
Region:
id = 1052
start_va = 0x7ffa0b360000
end_va = 0x7ffa0b38cfff
monitored = 0
entry_point = 0x7ffa0b362290
region_type = mapped_file
name = "proximitycommon.dll"
filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll")
Region:
id = 1053
start_va = 0x7ffa0b390000
end_va = 0x7ffa0b3e1fff
monitored = 0
entry_point = 0x7ffa0b3938e0
region_type = mapped_file
name = "proximityservice.dll"
filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll")
Region:
id = 1054
start_va = 0x7ffa0b4a0000
end_va = 0x7ffa0b4b4fff
monitored = 0
entry_point = 0x7ffa0b4a3460
region_type = mapped_file
name = "ssdpapi.dll"
filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll")
Region:
id = 1055
start_va = 0x7ffa0b4c0000
end_va = 0x7ffa0b559fff
monitored = 0
entry_point = 0x7ffa0b4dada0
region_type = mapped_file
name = "shsvcs.dll"
filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll")
Region:
id = 1056
start_va = 0x7ffa0b640000
end_va = 0x7ffa0b6a6fff
monitored = 0
entry_point = 0x7ffa0b6463e0
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 1057
start_va = 0x7ffa0b7a0000
end_va = 0x7ffa0b7aafff
monitored = 0
entry_point = 0x7ffa0b7a1d30
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 1058
start_va = 0x7ffa0b800000
end_va = 0x7ffa0b8bffff
monitored = 0
entry_point = 0x7ffa0b82fd20
region_type = mapped_file
name = "fveapi.dll"
filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll")
Region:
id = 1059
start_va = 0x7ffa0b9f0000
end_va = 0x7ffa0ba09fff
monitored = 0
entry_point = 0x7ffa0b9f2430
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 1060
start_va = 0x7ffa0ba10000
end_va = 0x7ffa0ba25fff
monitored = 0
entry_point = 0x7ffa0ba119f0
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 1061
start_va = 0x7ffa0baf0000
end_va = 0x7ffa0bb27fff
monitored = 0
entry_point = 0x7ffa0bb08cc0
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 1062
start_va = 0x7ffa0bbe0000
end_va = 0x7ffa0bc8dfff
monitored = 0
entry_point = 0x7ffa0bbf80c0
region_type = mapped_file
name = "windows.networking.connectivity.dll"
filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll")
Region:
id = 1063
start_va = 0x7ffa0bc90000
end_va = 0x7ffa0bca1fff
monitored = 0
entry_point = 0x7ffa0bc99260
region_type = mapped_file
name = "rilproxy.dll"
filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll")
Region:
id = 1064
start_va = 0x7ffa0bcb0000
end_va = 0x7ffa0bd60fff
monitored = 0
entry_point = 0x7ffa0bd288b0
region_type = mapped_file
name = "cellularapi.dll"
filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll")
Region:
id = 1065
start_va = 0x7ffa0bd70000
end_va = 0x7ffa0bd83fff
monitored = 0
entry_point = 0x7ffa0bd72d50
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll")
Region:
id = 1066
start_va = 0x7ffa0bed0000
end_va = 0x7ffa0bfecfff
monitored = 0
entry_point = 0x7ffa0beffe60
region_type = mapped_file
name = "qmgr.dll"
filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll")
Region:
id = 1067
start_va = 0x7ffa0c070000
end_va = 0x7ffa0c102fff
monitored = 0
entry_point = 0x7ffa0c079680
region_type = mapped_file
name = "msvcp_win.dll"
filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll")
Region:
id = 1068
start_va = 0x7ffa0c2b0000
end_va = 0x7ffa0c2d4fff
monitored = 0
entry_point = 0x7ffa0c2c2f20
region_type = mapped_file
name = "wificonnapi.dll"
filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll")
Region:
id = 1069
start_va = 0x7ffa0c2e0000
end_va = 0x7ffa0c2f0fff
monitored = 0
entry_point = 0x7ffa0c2e7ea0
region_type = mapped_file
name = "dcpapi.dll"
filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll")
Region:
id = 1070
start_va = 0x7ffa0c300000
end_va = 0x7ffa0c318fff
monitored = 0
entry_point = 0x7ffa0c304520
region_type = mapped_file
name = "samcli.dll"
filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll")
Region:
id = 1071
start_va = 0x7ffa0ca80000
end_va = 0x7ffa0ca99fff
monitored = 0
entry_point = 0x7ffa0ca82cf0
region_type = mapped_file
name = "locationpelegacywinlocation.dll"
filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll")
Region:
id = 1072
start_va = 0x7ffa0ce40000
end_va = 0x7ffa0d1c1fff
monitored = 0
entry_point = 0x7ffa0ce91220
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 1073
start_va = 0x7ffa0e2c0000
end_va = 0x7ffa0e3cdfff
monitored = 0
entry_point = 0x7ffa0e30eaa0
region_type = mapped_file
name = "mrmcorer.dll"
filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll")
Region:
id = 1074
start_va = 0x7ffa0e460000
end_va = 0x7ffa0e473fff
monitored = 0
entry_point = 0x7ffa0e462a00
region_type = mapped_file
name = "bitsigd.dll"
filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll")
Region:
id = 1075
start_va = 0x7ffa0e6d0000
end_va = 0x7ffa0e724fff
monitored = 0
entry_point = 0x7ffa0e6d3fb0
region_type = mapped_file
name = "policymanager.dll"
filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll")
Region:
id = 1076
start_va = 0x7ffa0e730000
end_va = 0x7ffa0e766fff
monitored = 0
entry_point = 0x7ffa0e736020
region_type = mapped_file
name = "gnssadapter.dll"
filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll")
Region:
id = 1077
start_va = 0x7ffa0e770000
end_va = 0x7ffa0e78ffff
monitored = 0
entry_point = 0x7ffa0e7739a0
region_type = mapped_file
name = "locationwinpalmisc.dll"
filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll")
Region:
id = 1078
start_va = 0x7ffa0e790000
end_va = 0x7ffa0e7a6fff
monitored = 0
entry_point = 0x7ffa0e795630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1079
start_va = 0x7ffa0e7b0000
end_va = 0x7ffa0e7c2fff
monitored = 0
entry_point = 0x7ffa0e7b57f0
region_type = mapped_file
name = "themeservice.dll"
filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll")
Region:
id = 1080
start_va = 0x7ffa0e7d0000
end_va = 0x7ffa0e849fff
monitored = 0
entry_point = 0x7ffa0e7f7630
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 1081
start_va = 0x7ffa0e850000
end_va = 0x7ffa0e87dfff
monitored = 0
entry_point = 0x7ffa0e857550
region_type = mapped_file
name = "netjoin.dll"
filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll")
Region:
id = 1082
start_va = 0x7ffa0e880000
end_va = 0x7ffa0e895fff
monitored = 0
entry_point = 0x7ffa0e881b60
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 1083
start_va = 0x7ffa0e8a0000
end_va = 0x7ffa0e903fff
monitored = 0
entry_point = 0x7ffa0e8b5ae0
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 1084
start_va = 0x7ffa0ead0000
end_va = 0x7ffa0eb10fff
monitored = 0
entry_point = 0x7ffa0ead4840
region_type = mapped_file
name = "usermgrproxy.dll"
filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll")
Region:
id = 1085
start_va = 0x7ffa0eb20000
end_va = 0x7ffa0eb2bfff
monitored = 0
entry_point = 0x7ffa0eb214d0
region_type = mapped_file
name = "locationframeworkps.dll"
filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")
Region:
id = 1086
start_va = 0x7ffa0eb30000
end_va = 0x7ffa0ec65fff
monitored = 0
entry_point = 0x7ffa0eb5f350
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll")
Region:
id = 1087
start_va = 0x7ffa0ec70000
end_va = 0x7ffa0ed55fff
monitored = 0
entry_point = 0x7ffa0ec8cf10
region_type = mapped_file
name = "usermgr.dll"
filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll")
Region:
id = 1088
start_va = 0x7ffa0ed60000
end_va = 0x7ffa0ee27fff
monitored = 0
entry_point = 0x7ffa0eda13f0
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 1089
start_va = 0x7ffa0ee30000
end_va = 0x7ffa0ee90fff
monitored = 0
entry_point = 0x7ffa0ee34b50
region_type = mapped_file
name = "wlanapi.dll"
filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")
Region:
id = 1090
start_va = 0x7ffa0eea0000
end_va = 0x7ffa0f01bfff
monitored = 0
entry_point = 0x7ffa0eef1650
region_type = mapped_file
name = "locationframework.dll"
filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll")
Region:
id = 1091
start_va = 0x7ffa0f020000
end_va = 0x7ffa0f02afff
monitored = 0
entry_point = 0x7ffa0f021770
region_type = mapped_file
name = "lfsvc.dll"
filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll")
Region:
id = 1092
start_va = 0x7ffa0f030000
end_va = 0x7ffa0f06dfff
monitored = 0
entry_point = 0x7ffa0f03a050
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 1093
start_va = 0x7ffa0f070000
end_va = 0x7ffa0f096fff
monitored = 0
entry_point = 0x7ffa0f073bf0
region_type = mapped_file
name = "profsvcext.dll"
filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll")
Region:
id = 1094
start_va = 0x7ffa0f0a0000
end_va = 0x7ffa0f0e9fff
monitored = 0
entry_point = 0x7ffa0f0aac30
region_type = mapped_file
name = "deviceaccess.dll"
filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll")
Region:
id = 1095
start_va = 0x7ffa0f0f0000
end_va = 0x7ffa0f144fff
monitored = 0
entry_point = 0x7ffa0f0ffc00
region_type = mapped_file
name = "profsvc.dll"
filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll")
Region:
id = 1096
start_va = 0x7ffa0f190000
end_va = 0x7ffa0f221fff
monitored = 0
entry_point = 0x7ffa0f1da780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 1097
start_va = 0x7ffa0f2b0000
end_va = 0x7ffa0f2bcfff
monitored = 0
entry_point = 0x7ffa0f2b1420
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 1098
start_va = 0x7ffa0f2d0000
end_va = 0x7ffa0f2dffff
monitored = 0
entry_point = 0x7ffa0f2d2c60
region_type = mapped_file
name = "usermgrcli.dll"
filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll")
Region:
id = 1099
start_va = 0x7ffa0f2e0000
end_va = 0x7ffa0f2ecfff
monitored = 0
entry_point = 0x7ffa0f2e2ca0
region_type = mapped_file
name = "csystemeventsbrokerclient.dll"
filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll")
Region:
id = 1100
start_va = 0x7ffa0f2f0000
end_va = 0x7ffa0f31efff
monitored = 0
entry_point = 0x7ffa0f2f8910
region_type = mapped_file
name = "wptaskscheduler.dll"
filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll")
Region:
id = 1101
start_va = 0x7ffa0f370000
end_va = 0x7ffa0f3ddfff
monitored = 0
entry_point = 0x7ffa0f377f60
region_type = mapped_file
name = "taskcomp.dll"
filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll")
Region:
id = 1102
start_va = 0x7ffa0f3e0000
end_va = 0x7ffa0f3f0fff
monitored = 0
entry_point = 0x7ffa0f3e3320
region_type = mapped_file
name = "wmiclnt.dll"
filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")
Region:
id = 1103
start_va = 0x7ffa0f430000
end_va = 0x7ffa0f465fff
monitored = 0
entry_point = 0x7ffa0f440070
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 1104
start_va = 0x7ffa0fc30000
end_va = 0x7ffa0fc70fff
monitored = 0
entry_point = 0x7ffa0fc47eb0
region_type = mapped_file
name = "ubpm.dll"
filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll")
Region:
id = 1105
start_va = 0x7ffa0fc80000
end_va = 0x7ffa0fd7bfff
monitored = 0
entry_point = 0x7ffa0fcb6df0
region_type = mapped_file
name = "schedsvc.dll"
filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll")
Region:
id = 1106
start_va = 0x7ffa0fe10000
end_va = 0x7ffa0fecefff
monitored = 0
entry_point = 0x7ffa0fe31c50
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll")
Region:
id = 1107
start_va = 0x7ffa0ff20000
end_va = 0x7ffa0ff29fff
monitored = 0
entry_point = 0x7ffa0ff21660
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 1108
start_va = 0x7ffa0ff30000
end_va = 0x7ffa0ff47fff
monitored = 0
entry_point = 0x7ffa0ff35910
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 1109
start_va = 0x7ffa0ff50000
end_va = 0x7ffa1009cfff
monitored = 0
entry_point = 0x7ffa0ff93da0
region_type = mapped_file
name = "gpsvc.dll"
filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll")
Region:
id = 1110
start_va = 0x7ffa10cc0000
end_va = 0x7ffa11152fff
monitored = 0
entry_point = 0x7ffa10ccf760
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll")
Region:
id = 1111
start_va = 0x7ffa11160000
end_va = 0x7ffa111c6fff
monitored = 0
entry_point = 0x7ffa1117e710
region_type = mapped_file
name = "bcp47langs.dll"
filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll")
Region:
id = 1112
start_va = 0x7ffa11220000
end_va = 0x7ffa113a5fff
monitored = 0
entry_point = 0x7ffa1126d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 1113
start_va = 0x7ffa113b0000
end_va = 0x7ffa113cbfff
monitored = 0
entry_point = 0x7ffa113b37a0
region_type = mapped_file
name = "samlib.dll"
filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll")
Region:
id = 1114
start_va = 0x7ffa113d0000
end_va = 0x7ffa113eefff
monitored = 0
entry_point = 0x7ffa113d4960
region_type = mapped_file
name = "ncprov.dll"
filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll")
Region:
id = 1115
start_va = 0x7ffa11410000
end_va = 0x7ffa11422fff
monitored = 0
entry_point = 0x7ffa11412760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 1116
start_va = 0x7ffa114c0000
end_va = 0x7ffa114c9fff
monitored = 0
entry_point = 0x7ffa114c1350
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 1117
start_va = 0x7ffa11550000
end_va = 0x7ffa1155afff
monitored = 0
entry_point = 0x7ffa11551de0
region_type = mapped_file
name = "bitsperf.dll"
filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll")
Region:
id = 1118
start_va = 0x7ffa11560000
end_va = 0x7ffa11577fff
monitored = 0
entry_point = 0x7ffa11561b10
region_type = mapped_file
name = "locationframeworkinternalps.dll"
filename = "\\Windows\\System32\\LocationFrameworkInternalPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkinternalps.dll")
Region:
id = 1119
start_va = 0x7ffa11580000
end_va = 0x7ffa115f8fff
monitored = 0
entry_point = 0x7ffa1159fb90
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")
Region:
id = 1120
start_va = 0x7ffa11600000
end_va = 0x7ffa11607fff
monitored = 0
entry_point = 0x7ffa116013e0
region_type = mapped_file
name = "dabapi.dll"
filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll")
Region:
id = 1121
start_va = 0x7ffa11640000
end_va = 0x7ffa1167ffff
monitored = 0
entry_point = 0x7ffa11651960
region_type = mapped_file
name = "brokerlib.dll"
filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll")
Region:
id = 1122
start_va = 0x7ffa117d0000
end_va = 0x7ffa117f6fff
monitored = 0
entry_point = 0x7ffa117d7940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1123
start_va = 0x7ffa11800000
end_va = 0x7ffa118a9fff
monitored = 0
entry_point = 0x7ffa11827910
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 1124
start_va = 0x7ffa118b0000
end_va = 0x7ffa119affff
monitored = 0
entry_point = 0x7ffa118f0f80
region_type = mapped_file
name = "twinapi.appcore.dll"
filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll")
Region:
id = 1125
start_va = 0x7ffa11a40000
end_va = 0x7ffa11a4bfff
monitored = 0
entry_point = 0x7ffa11a42480
region_type = mapped_file
name = "sysntfy.dll"
filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll")
Region:
id = 1126
start_va = 0x7ffa11b10000
end_va = 0x7ffa11b41fff
monitored = 0
entry_point = 0x7ffa11b22340
region_type = mapped_file
name = "fwbase.dll"
filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll")
Region:
id = 1127
start_va = 0x7ffa11d80000
end_va = 0x7ffa11d8bfff
monitored = 0
entry_point = 0x7ffa11d82790
region_type = mapped_file
name = "hid.dll"
filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll")
Region:
id = 1128
start_va = 0x7ffa11d90000
end_va = 0x7ffa11db3fff
monitored = 0
entry_point = 0x7ffa11d93260
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1129
start_va = 0x7ffa11f30000
end_va = 0x7ffa12023fff
monitored = 0
entry_point = 0x7ffa11f3a960
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 1130
start_va = 0x7ffa12080000
end_va = 0x7ffa120c8fff
monitored = 0
entry_point = 0x7ffa1208a090
region_type = mapped_file
name = "authz.dll"
filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")
Region:
id = 1131
start_va = 0x7ffa121a0000
end_va = 0x7ffa121abfff
monitored = 0
entry_point = 0x7ffa121a27e0
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 1132
start_va = 0x7ffa12280000
end_va = 0x7ffa122b0fff
monitored = 0
entry_point = 0x7ffa12287d10
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 1133
start_va = 0x7ffa122e0000
end_va = 0x7ffa12359fff
monitored = 0
entry_point = 0x7ffa12301a50
region_type = mapped_file
name = "schannel.dll"
filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll")
Region:
id = 1134
start_va = 0x7ffa123a0000
end_va = 0x7ffa123d3fff
monitored = 0
entry_point = 0x7ffa123bae70
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1135
start_va = 0x7ffa123e0000
end_va = 0x7ffa123e9fff
monitored = 0
entry_point = 0x7ffa123e1830
region_type = mapped_file
name = "dpapi.dll"
filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll")
Region:
id = 1136
start_va = 0x7ffa124f0000
end_va = 0x7ffa1250efff
monitored = 0
entry_point = 0x7ffa124f5d30
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1137
start_va = 0x7ffa12660000
end_va = 0x7ffa126bbfff
monitored = 0
entry_point = 0x7ffa12676f70
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1138
start_va = 0x7ffa12710000
end_va = 0x7ffa12726fff
monitored = 0
entry_point = 0x7ffa127179d0
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 1139
start_va = 0x7ffa12830000
end_va = 0x7ffa1283afff
monitored = 0
entry_point = 0x7ffa128319a0
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1140
start_va = 0x7ffa12870000
end_va = 0x7ffa12890fff
monitored = 0
entry_point = 0x7ffa12880250
region_type = mapped_file
name = "joinutil.dll"
filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll")
Region:
id = 1141
start_va = 0x7ffa128c0000
end_va = 0x7ffa128f9fff
monitored = 0
entry_point = 0x7ffa128c8d20
region_type = mapped_file
name = "ntasn1.dll"
filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll")
Region:
id = 1142
start_va = 0x7ffa12900000
end_va = 0x7ffa12926fff
monitored = 0
entry_point = 0x7ffa12910aa0
region_type = mapped_file
name = "ncrypt.dll"
filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll")
Region:
id = 1143
start_va = 0x7ffa12a10000
end_va = 0x7ffa12a3cfff
monitored = 0
entry_point = 0x7ffa12a29d40
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1144
start_va = 0x7ffa12ba0000
end_va = 0x7ffa12bf5fff
monitored = 0
entry_point = 0x7ffa12bb0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 1145
start_va = 0x7ffa12c00000
end_va = 0x7ffa12c18fff
monitored = 0
entry_point = 0x7ffa12c05e10
region_type = mapped_file
name = "eventaggregation.dll"
filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll")
Region:
id = 1146
start_va = 0x7ffa12c20000
end_va = 0x7ffa12c48fff
monitored = 0
entry_point = 0x7ffa12c34530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1147
start_va = 0x7ffa12c50000
end_va = 0x7ffa12ce8fff
monitored = 0
entry_point = 0x7ffa12c7f4e0
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 1148
start_va = 0x7ffa12d90000
end_va = 0x7ffa12da3fff
monitored = 0
entry_point = 0x7ffa12d952e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1149
start_va = 0x7ffa12db0000
end_va = 0x7ffa12dbffff
monitored = 0
entry_point = 0x7ffa12db56e0
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1150
start_va = 0x7ffa12dc0000
end_va = 0x7ffa12e0afff
monitored = 0
entry_point = 0x7ffa12dc35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 1151
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1152
start_va = 0x7ffa12e20000
end_va = 0x7ffa12e74fff
monitored = 0
entry_point = 0x7ffa12e37970
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 1153
start_va = 0x7ffa12e80000
end_va = 0x7ffa12f34fff
monitored = 0
entry_point = 0x7ffa12ec22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 1154
start_va = 0x7ffa12f40000
end_va = 0x7ffa13106fff
monitored = 0
entry_point = 0x7ffa12f9db80
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1155
start_va = 0x7ffa13110000
end_va = 0x7ffa13126fff
monitored = 0
entry_point = 0x7ffa13111390
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")
Region:
id = 1156
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1157
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1158
start_va = 0x7ffa13390000
end_va = 0x7ffa133d2fff
monitored = 0
entry_point = 0x7ffa133a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1159
start_va = 0x7ffa133e0000
end_va = 0x7ffa13465fff
monitored = 0
entry_point = 0x7ffa133ed8f0
region_type = mapped_file
name = "firewallapi.dll"
filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll")
Region:
id = 1160
start_va = 0x7ffa13520000
end_va = 0x7ffa13b63fff
monitored = 0
entry_point = 0x7ffa136e64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 1161
start_va = 0x7ffa13b70000
end_va = 0x7ffa13cb2fff
monitored = 0
entry_point = 0x7ffa13b98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1162
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1163
start_va = 0x7ffa13d60000
end_va = 0x7ffa13d67fff
monitored = 0
entry_point = 0x7ffa13d61ea0
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 1164
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1165
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1166
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1167
start_va = 0x7ffa14220000
end_va = 0x7ffa142c6fff
monitored = 0
entry_point = 0x7ffa1422b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1168
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1169
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1170
start_va = 0x7ffa146e0000
end_va = 0x7ffa1474afff
monitored = 0
entry_point = 0x7ffa146f90c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1171
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1172
start_va = 0x7ffa14ba0000
end_va = 0x7ffa14bf1fff
monitored = 0
entry_point = 0x7ffa14baf530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1173
start_va = 0x7ffa14c00000
end_va = 0x7ffa15028fff
monitored = 0
entry_point = 0x7ffa14c28740
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 1174
start_va = 0x7ffa15030000
end_va = 0x7ffa1508bfff
monitored = 0
entry_point = 0x7ffa1504b720
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 1175
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1176
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1177
start_va = 0x7ffa15210000
end_va = 0x7ffa1676efff
monitored = 0
entry_point = 0x7ffa153711f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1178
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1371
start_va = 0x450000
end_va = 0x450fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000450000"
filename = ""
Region:
id = 1964
start_va = 0x450000
end_va = 0x450fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000450000"
filename = ""
Region:
id = 1966
start_va = 0x8800000
end_va = 0x88fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008800000"
filename = ""
Region:
id = 1967
start_va = 0x8900000
end_va = 0x89fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008900000"
filename = ""
Region:
id = 1968
start_va = 0x8a00000
end_va = 0x8afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008a00000"
filename = ""
Region:
id = 1969
start_va = 0xd40000
end_va = 0xdbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d40000"
filename = ""
Region:
id = 1970
start_va = 0x2a00000
end_va = 0x2a7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a00000"
filename = ""
Region:
id = 1971
start_va = 0x450000
end_va = 0x451fff
monitored = 0
entry_point = 0x455630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1972
start_va = 0x15d0000
end_va = 0x15d4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Region:
id = 1973
start_va = 0x7ffa10bc0000
end_va = 0x7ffa10c10fff
monitored = 0
entry_point = 0x7ffa10bc25e0
region_type = mapped_file
name = "cscobj.dll"
filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll")
Region:
id = 1974
start_va = 0x33a0000
end_va = 0x349ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000033a0000"
filename = ""
Thread:
id = 26
os_tid = 0x12f8
Thread:
id = 27
os_tid = 0xcbc
Thread:
id = 28
os_tid = 0x1288
Thread:
id = 29
os_tid = 0x10b0
Thread:
id = 30
os_tid = 0x1078
Thread:
id = 31
os_tid = 0xf04
Thread:
id = 32
os_tid = 0xa54
Thread:
id = 33
os_tid = 0xa08
Thread:
id = 34
os_tid = 0x830
Thread:
id = 35
os_tid = 0x81c
Thread:
id = 36
os_tid = 0x448
Thread:
id = 37
os_tid = 0x4f8
Thread:
id = 38
os_tid = 0x790
Thread:
id = 39
os_tid = 0x4f4
Thread:
id = 40
os_tid = 0xb0c
Thread:
id = 41
os_tid = 0xab0
Thread:
id = 42
os_tid = 0x9d4
Thread:
id = 43
os_tid = 0x85c
Thread:
id = 44
os_tid = 0x530
Thread:
id = 45
os_tid = 0x6f0
Thread:
id = 46
os_tid = 0x914
Thread:
id = 47
os_tid = 0x60c
Thread:
id = 48
os_tid = 0x5a0
Thread:
id = 49
os_tid = 0x594
Thread:
id = 50
os_tid = 0x46c
Thread:
id = 51
os_tid = 0x8c
Thread:
id = 52
os_tid = 0x340
Thread:
id = 53
os_tid = 0x1d0
Thread:
id = 54
os_tid = 0x804
Thread:
id = 55
os_tid = 0x820
Thread:
id = 56
os_tid = 0xbf4
Thread:
id = 57
os_tid = 0xa80
Thread:
id = 58
os_tid = 0xb9c
Thread:
id = 59
os_tid = 0xbb8
Thread:
id = 60
os_tid = 0xbb4
Thread:
id = 61
os_tid = 0xbb0
Thread:
id = 62
os_tid = 0xa50
Thread:
id = 63
os_tid = 0x47c
Thread:
id = 64
os_tid = 0xb90
Thread:
id = 65
os_tid = 0xafc
Thread:
id = 66
os_tid = 0x5ec
Thread:
id = 67
os_tid = 0x780
Thread:
id = 68
os_tid = 0x5ac
Thread:
id = 69
os_tid = 0x728
Thread:
id = 70
os_tid = 0x5e0
Thread:
id = 71
os_tid = 0x428
Thread:
id = 72
os_tid = 0x4f8
Thread:
id = 73
os_tid = 0x7fc
Thread:
id = 74
os_tid = 0x7e4
Thread:
id = 75
os_tid = 0x7e0
Thread:
id = 76
os_tid = 0x7dc
Thread:
id = 77
os_tid = 0x7d8
Thread:
id = 78
os_tid = 0x7c4
Thread:
id = 79
os_tid = 0x7b0
Thread:
id = 80
os_tid = 0x788
Thread:
id = 81
os_tid = 0x744
Thread:
id = 82
os_tid = 0x448
Thread:
id = 83
os_tid = 0x6f8
Thread:
id = 84
os_tid = 0x6d4
Thread:
id = 85
os_tid = 0x648
Thread:
id = 86
os_tid = 0x62c
Thread:
id = 87
os_tid = 0x4a8
Thread:
id = 88
os_tid = 0x2ac
Thread:
id = 89
os_tid = 0x270
Thread:
id = 90
os_tid = 0x154
Thread:
id = 91
os_tid = 0x1b8
Thread:
id = 92
os_tid = 0x1bc
Thread:
id = 93
os_tid = 0x180
Thread:
id = 94
os_tid = 0x188
Thread:
id = 95
os_tid = 0x148
Thread:
id = 96
os_tid = 0x12c
Thread:
id = 97
os_tid = 0xfc
Thread:
id = 98
os_tid = 0x60
Thread:
id = 99
os_tid = 0x3f0
Thread:
id = 100
os_tid = 0x3e8
Thread:
id = 101
os_tid = 0x3cc
Thread:
id = 102
os_tid = 0x364
Thread:
id = 144
os_tid = 0xcc4
Thread:
id = 145
os_tid = 0xcdc
Thread:
id = 146
os_tid = 0xaf8
Thread:
id = 147
os_tid = 0xccc
Thread:
id = 148
os_tid = 0xadc
Thread:
id = 149
os_tid = 0xc54
Thread:
id = 150
os_tid = 0x48c
Thread:
id = 151
os_tid = 0xc78
Process:
id = "7"
image_name = "9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe"
filename = "c:\\users\\rdhj0cnfevzx\\desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe"
page_root = "0x388c2000"
os_pid = "0xb50"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0xc28"
cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1233
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1234
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1235
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1236
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 1237
start_va = 0xa0000
end_va = 0x19ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 1238
start_va = 0x1a0000
end_va = 0x1a3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 1239
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001b0000"
filename = ""
Region:
id = 1240
start_va = 0x1c0000
end_va = 0x1c1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1241
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1242
start_va = 0x400000
end_va = 0x49ffff
monitored = 1
entry_point = 0x49b6ae
region_type = mapped_file
name = "9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe")
Region:
id = 1243
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 1244
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 1245
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1246
start_va = 0x7fff0000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 1247
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1248
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 1249
start_va = 0x400000
end_va = 0x411fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1250
start_va = 0x420000
end_va = 0x56ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000420000"
filename = ""
Region:
id = 1251
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 1252
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 1253
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1254
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 1255
start_va = 0x570000
end_va = 0x82ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000570000"
filename = ""
Region:
id = 1257
start_va = 0x6f850000
end_va = 0x6f8a8fff
monitored = 1
entry_point = 0x6f860780
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 1258
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1259
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 1260
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1261
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 1262
start_va = 0x420000
end_va = 0x4ddfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1263
start_va = 0x560000
end_va = 0x56ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000560000"
filename = ""
Region:
id = 1264
start_va = 0x570000
end_va = 0x65ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000570000"
filename = ""
Region:
id = 1265
start_va = 0x730000
end_va = 0x82ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000730000"
filename = ""
Region:
id = 1266
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1269
start_va = 0x76600000
end_va = 0x7667afff
monitored = 0
entry_point = 0x7661e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 1270
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 1271
start_va = 0x4e0000
end_va = 0x51ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004e0000"
filename = ""
Region:
id = 1272
start_va = 0x830000
end_va = 0x92ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000830000"
filename = ""
Region:
id = 1273
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 1274
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 1275
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 1276
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 1277
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 1278
start_va = 0x930000
end_va = 0xa2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000930000"
filename = ""
Region:
id = 1279
start_va = 0x6f7d0000
end_va = 0x6f84cfff
monitored = 1
entry_point = 0x6f7e0db0
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 1280
start_va = 0x76d00000
end_va = 0x76d44fff
monitored = 0
entry_point = 0x76d1de90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 1281
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 1282
start_va = 0x74ab0000
end_va = 0x74bfefff
monitored = 0
entry_point = 0x74b66820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 1283
start_va = 0x743d0000
end_va = 0x74516fff
monitored = 0
entry_point = 0x743e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 1284
start_va = 0x1d0000
end_va = 0x1f9fff
monitored = 0
entry_point = 0x1d5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 1285
start_va = 0xa30000
end_va = 0xbb7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a30000"
filename = ""
Region:
id = 1286
start_va = 0x741b0000
end_va = 0x741dafff
monitored = 0
entry_point = 0x741b5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 1287
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1288
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1289
start_va = 0xbc0000
end_va = 0xd40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000bc0000"
filename = ""
Region:
id = 1290
start_va = 0xd50000
end_va = 0x214ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000d50000"
filename = ""
Region:
id = 1291
start_va = 0x570000
end_va = 0x60afff
monitored = 1
entry_point = 0x60b6ae
region_type = mapped_file
name = "9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe")
Region:
id = 1292
start_va = 0x650000
end_va = 0x65ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000650000"
filename = ""
Region:
id = 1293
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 1294
start_va = 0x6f7c0000
end_va = 0x6f7c7fff
monitored = 0
entry_point = 0x6f7c17b0
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 1295
start_va = 0x6f0d0000
end_va = 0x6f7b0fff
monitored = 1
entry_point = 0x6f0fcd70
region_type = mapped_file
name = "clr.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll")
Region:
id = 1296
start_va = 0x6efd0000
end_va = 0x6f0c4fff
monitored = 0
entry_point = 0x6f024160
region_type = mapped_file
name = "msvcr120_clr0400.dll"
filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll")
Region:
id = 1297
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 1298
start_va = 0x1f0000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 1299
start_va = 0x520000
end_va = 0x52ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000520000"
filename = ""
Region:
id = 1300
start_va = 0x530000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000530000"
filename = ""
Region:
id = 1301
start_va = 0x540000
end_va = 0x54ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000540000"
filename = ""
Region:
id = 1302
start_va = 0x550000
end_va = 0x55ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 1303
start_va = 0x570000
end_va = 0x57ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000570000"
filename = ""
Region:
id = 1304
start_va = 0x580000
end_va = 0x580fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000580000"
filename = ""
Region:
id = 1305
start_va = 0x590000
end_va = 0x590fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000590000"
filename = ""
Region:
id = 1306
start_va = 0x2150000
end_va = 0x231ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002150000"
filename = ""
Region:
id = 1307
start_va = 0x2320000
end_va = 0x24effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002320000"
filename = ""
Region:
id = 1308
start_va = 0x5a0000
end_va = 0x5dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005a0000"
filename = ""
Region:
id = 1309
start_va = 0x2150000
end_va = 0x224ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002150000"
filename = ""
Region:
id = 1310
start_va = 0x2310000
end_va = 0x231ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002310000"
filename = ""
Region:
id = 1311
start_va = 0x5e0000
end_va = 0x5effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005e0000"
filename = ""
Region:
id = 1312
start_va = 0x24f0000
end_va = 0x44effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024f0000"
filename = ""
Region:
id = 1313
start_va = 0x660000
end_va = 0x6fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000660000"
filename = ""
Region:
id = 1314
start_va = 0x5e0000
end_va = 0x61ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005e0000"
filename = ""
Region:
id = 1315
start_va = 0x2320000
end_va = 0x241ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002320000"
filename = ""
Region:
id = 1316
start_va = 0x24e0000
end_va = 0x24effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024e0000"
filename = ""
Region:
id = 1317
start_va = 0x44f0000
end_va = 0x4826fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1318
start_va = 0x6dd10000
end_va = 0x6efc1fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorlib.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll")
Region:
id = 1319
start_va = 0x74dc0000
end_va = 0x74eaafff
monitored = 0
entry_point = 0x74dfd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 1320
start_va = 0x930000
end_va = 0x9c0fff
monitored = 0
entry_point = 0x968cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 1321
start_va = 0xa20000
end_va = 0xa2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a20000"
filename = ""
Region:
id = 1322
start_va = 0x620000
end_va = 0x62ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000620000"
filename = ""
Region:
id = 1323
start_va = 0x6dc90000
end_va = 0x6dd0ffff
monitored = 1
entry_point = 0x6dc91180
region_type = mapped_file
name = "clrjit.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll")
Region:
id = 1324
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 1325
start_va = 0x630000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000630000"
filename = ""
Region:
id = 1326
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 1327
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 1335
start_va = 0x6d2c0000
end_va = 0x6dc8bfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\1be7a15b1f33bf22e4f53aaf45518c77\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\1be7a15b1f33bf22e4f53aaf45518c77\\system.ni.dll")
Region:
id = 1336
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 1337
start_va = 0x710b0000
end_va = 0x710c2fff
monitored = 0
entry_point = 0x710b9950
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 1338
start_va = 0x72bf0000
end_va = 0x72c1efff
monitored = 0
entry_point = 0x72c095e0
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1339
start_va = 0x713f0000
end_va = 0x7140afff
monitored = 0
entry_point = 0x713f9050
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 1342
start_va = 0x6cb90000
end_va = 0x6d2b0fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.core.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\eb4cca4f06a15158c3f7e2c56516729b\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\eb4cca4f06a15158c3f7e2c56516729b\\system.core.ni.dll")
Region:
id = 1343
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 1344
start_va = 0x930000
end_va = 0x97ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000930000"
filename = ""
Region:
id = 1345
start_va = 0x640000
end_va = 0x64ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 1346
start_va = 0x73f90000
end_va = 0x74107fff
monitored = 0
entry_point = 0x73fe8a90
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll")
Region:
id = 1349
start_va = 0x764c0000
end_va = 0x764cdfff
monitored = 0
entry_point = 0x764c5410
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll")
Region:
id = 1351
start_va = 0x700000
end_va = 0x709fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "crypt32.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui")
Region:
id = 1352
start_va = 0x73f20000
end_va = 0x73f2efff
monitored = 0
entry_point = 0x73f22e40
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 1353
start_va = 0x74eb0000
end_va = 0x762aefff
monitored = 0
entry_point = 0x7506b990
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 1354
start_va = 0x76800000
end_va = 0x76836fff
monitored = 0
entry_point = 0x76803b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 1355
start_va = 0x745b0000
end_va = 0x74aa8fff
monitored = 0
entry_point = 0x747b7610
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll")
Region:
id = 1356
start_va = 0x74520000
end_va = 0x745acfff
monitored = 0
entry_point = 0x74569b90
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll")
Region:
id = 1357
start_va = 0x76470000
end_va = 0x764b3fff
monitored = 0
entry_point = 0x76477410
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll")
Region:
id = 1358
start_va = 0x710000
end_va = 0x710fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000710000"
filename = ""
Region:
id = 1360
start_va = 0x5e430000
end_va = 0x5e4cbfff
monitored = 1
entry_point = 0x5e4be9a6
region_type = mapped_file
name = "microsoft.visualbasic.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll")
Region:
id = 1361
start_va = 0x980000
end_va = 0xa1bfff
monitored = 1
entry_point = 0xa0e9a6
region_type = mapped_file
name = "microsoft.visualbasic.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll")
Region:
id = 1362
start_va = 0x720000
end_va = 0x72ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000720000"
filename = ""
Region:
id = 1363
start_va = 0x764d0000
end_va = 0x764d5fff
monitored = 0
entry_point = 0x764d1460
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll")
Region:
id = 1364
start_va = 0x4830000
end_va = 0x492ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004830000"
filename = ""
Region:
id = 1365
start_va = 0x4930000
end_va = 0x4a0ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui")
Region:
id = 1366
start_va = 0x930000
end_va = 0x96ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000930000"
filename = ""
Region:
id = 1367
start_va = 0x970000
end_va = 0x97ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000970000"
filename = ""
Region:
id = 1368
start_va = 0x4a10000
end_va = 0x4b0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a10000"
filename = ""
Region:
id = 1369
start_va = 0x73dd0000
end_va = 0x73e44fff
monitored = 0
entry_point = 0x73e09a60
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 1370
start_va = 0x2250000
end_va = 0x228ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002250000"
filename = ""
Region:
id = 1372
start_va = 0x2290000
end_va = 0x22cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002290000"
filename = ""
Region:
id = 1373
start_va = 0x4b10000
end_va = 0x4c0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004b10000"
filename = ""
Region:
id = 1374
start_va = 0x6fc50000
end_va = 0x6fd9afff
monitored = 0
entry_point = 0x6fcb1660
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll")
Region:
id = 1375
start_va = 0x22d0000
end_va = 0x230ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022d0000"
filename = ""
Region:
id = 1376
start_va = 0x4c10000
end_va = 0x4d0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004c10000"
filename = ""
Region:
id = 1377
start_va = 0x2420000
end_va = 0x245ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002420000"
filename = ""
Region:
id = 1378
start_va = 0x2460000
end_va = 0x249ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002460000"
filename = ""
Region:
id = 1379
start_va = 0x4d10000
end_va = 0x4e0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004d10000"
filename = ""
Region:
id = 1380
start_va = 0x4e10000
end_va = 0x4f0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004e10000"
filename = ""
Region:
id = 1381
start_va = 0x720000
end_va = 0x720fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000720000"
filename = ""
Region:
id = 1382
start_va = 0x74340000
end_va = 0x743c3fff
monitored = 0
entry_point = 0x74366220
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 1383
start_va = 0x6fa30000
end_va = 0x6fc4bfff
monitored = 0
entry_point = 0x6fbfbc40
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")
Region:
id = 1384
start_va = 0x2250000
end_va = 0x2250fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002250000"
filename = ""
Region:
id = 1385
start_va = 0x2280000
end_va = 0x228ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002280000"
filename = ""
Region:
id = 1386
start_va = 0x24a0000
end_va = 0x24dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024a0000"
filename = ""
Region:
id = 1387
start_va = 0x4f10000
end_va = 0x500ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004f10000"
filename = ""
Region:
id = 1388
start_va = 0x2260000
end_va = 0x2263fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1389
start_va = 0x5010000
end_va = 0x5054fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db")
Region:
id = 1390
start_va = 0x2270000
end_va = 0x2273fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1391
start_va = 0x5060000
end_va = 0x50edfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 1392
start_va = 0x50f0000
end_va = 0x5100fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui")
Region:
id = 1393
start_va = 0x5110000
end_va = 0x514ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005110000"
filename = ""
Region:
id = 1394
start_va = 0x5150000
end_va = 0x524ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005150000"
filename = ""
Region:
id = 1395
start_va = 0x5250000
end_va = 0x5253fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.1.db"
filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db")
Region:
id = 1396
start_va = 0x5260000
end_va = 0x5273fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db"
filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000016.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000016.db")
Region:
id = 1397
start_va = 0x5280000
end_va = 0x5280fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005280000"
filename = ""
Region:
id = 1398
start_va = 0x71630000
end_va = 0x717adfff
monitored = 0
entry_point = 0x716ac630
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")
Region:
id = 1399
start_va = 0x73ae0000
end_va = 0x73daafff
monitored = 0
entry_point = 0x73d1c4c0
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")
Region:
id = 1400
start_va = 0x5250000
end_va = 0x5250fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005250000"
filename = ""
Thread:
id = 105
os_tid = 0xa88
[0190.164] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0190.167] RoInitialize () returned 0x1
[0190.167] RoUninitialize () returned 0x0
[0197.666] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x7e7e38) returned 1
[0197.671] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x1 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.672] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.672] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x1 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.673] CoTaskMemFree (pv=0x775cf8)
[0197.673] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.674] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.674] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.674] CoTaskMemFree (pv=0x775cf8)
[0197.674] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.674] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.674] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.674] CoTaskMemFree (pv=0x775cf8)
[0197.674] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.674] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.674] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.674] CoTaskMemFree (pv=0x775cf8)
[0197.674] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.674] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.674] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.674] CoTaskMemFree (pv=0x775cf8)
[0197.674] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.674] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.674] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.674] CoTaskMemFree (pv=0x775cf8)
[0197.675] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.675] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.675] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.675] CoTaskMemFree (pv=0x775cf8)
[0197.675] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.675] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.675] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.675] CoTaskMemFree (pv=0x775cf8)
[0197.675] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.675] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.675] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.675] CoTaskMemFree (pv=0x775cf8)
[0197.675] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.675] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.675] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.675] CoTaskMemFree (pv=0x775cf8)
[0197.675] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.675] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.675] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.676] CoTaskMemFree (pv=0x775cf8)
[0197.676] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.676] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.676] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.676] CoTaskMemFree (pv=0x775cf8)
[0197.676] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.676] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.676] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.676] CoTaskMemFree (pv=0x775cf8)
[0197.676] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.676] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.676] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.676] CoTaskMemFree (pv=0x775cf8)
[0197.676] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.676] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.676] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.676] CoTaskMemFree (pv=0x775cf8)
[0197.676] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.676] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.677] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.677] CoTaskMemFree (pv=0x775cf8)
[0197.677] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.677] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.677] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.677] CoTaskMemFree (pv=0x775cf8)
[0197.677] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.677] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.677] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.677] CoTaskMemFree (pv=0x775cf8)
[0197.677] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.677] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.677] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.677] CoTaskMemFree (pv=0x775cf8)
[0197.677] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 1
[0197.678] CoTaskMemAlloc (cb=0x20) returned 0x775cf8
[0197.678] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x775cf8, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x775cf8, pdwDataLen=0x19f3bc) returned 1
[0197.678] CoTaskMemFree (pv=0x775cf8)
[0197.678] CryptGetProvParam (in: hProv=0x7e7e38, dwParam=0x1, pbData=0x0, pdwDataLen=0x19f3bc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x19f3bc) returned 0
[0197.684] CryptImportKey (in: hProv=0x7e7e38, pbData=0x25c84a0, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x77d3a0) returned 1
[0197.686] CryptContextAddRef (hProv=0x7e7e38, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.697] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x19f3e8 | out: pfEnabled=0x19f3e8) returned 0x0
[0197.704] CryptContextAddRef (hProv=0x7e7e38, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.705] CryptDuplicateKey (in: hKey=0x77d3a0, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x77d420) returned 1
[0197.705] CryptContextAddRef (hProv=0x7e7e38, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.705] CryptSetKeyParam (hKey=0x77d420, dwParam=0x4, pbData=0x25c8e80*=0x1, dwFlags=0x0) returned 1
[0197.705] CryptSetKeyParam (hKey=0x77d420, dwParam=0x1, pbData=0x25c8e4c, dwFlags=0x0) returned 1
[0197.708] CryptDecrypt (in: hKey=0x77d420, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25c8f60, pdwDataLen=0x19f3f8 | out: pbData=0x25c8f60, pdwDataLen=0x19f3f8) returned 1
[0197.757] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x19de18 | out: phkResult=0x19de18*=0x0) returned 0x2
[0197.759] CryptDecrypt (in: hKey=0x77d420, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x25c9064, pdwDataLen=0x19f3f8 | out: pbData=0x25c9064, pdwDataLen=0x19f3f8) returned 0
[0197.760] CryptDestroyKey (hKey=0x77d3a0) returned 1
[0197.760] CryptReleaseContext (hProv=0x7e7e38, dwFlags=0x0) returned 1
[0197.760] CryptReleaseContext (hProv=0x7e7e38, dwFlags=0x0) returned 1
[0197.760] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x7e7c18) returned 1
[0197.761] CryptImportKey (in: hProv=0x7e7c18, pbData=0x25ca904, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x77cee0) returned 1
[0197.761] CryptContextAddRef (hProv=0x7e7c18, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.761] CryptContextAddRef (hProv=0x7e7c18, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.761] CryptDuplicateKey (in: hKey=0x77cee0, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x77d220) returned 1
[0197.761] CryptContextAddRef (hProv=0x7e7c18, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.761] CryptSetKeyParam (hKey=0x77d220, dwParam=0x4, pbData=0x25cb05c*=0x1, dwFlags=0x0) returned 1
[0197.761] CryptSetKeyParam (hKey=0x77d220, dwParam=0x1, pbData=0x25cb028, dwFlags=0x0) returned 1
[0197.761] CryptDecrypt (in: hKey=0x77d220, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25cb13c, pdwDataLen=0x19f3f8 | out: pbData=0x25cb13c, pdwDataLen=0x19f3f8) returned 1
[0197.761] CryptDecrypt (in: hKey=0x77d220, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x25cb170, pdwDataLen=0x19f3f8 | out: pbData=0x25cb170, pdwDataLen=0x19f3f8) returned 0
[0197.762] CryptDestroyKey (hKey=0x77cee0) returned 1
[0197.762] CryptReleaseContext (hProv=0x7e7c18, dwFlags=0x0) returned 1
[0197.762] CryptReleaseContext (hProv=0x7e7c18, dwFlags=0x0) returned 1
[0197.762] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x7e8520) returned 1
[0197.762] CryptImportKey (in: hProv=0x7e8520, pbData=0x25cb2d8, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x77d520) returned 1
[0197.762] CryptContextAddRef (hProv=0x7e8520, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.763] CryptContextAddRef (hProv=0x7e8520, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.763] CryptDuplicateKey (in: hKey=0x77d520, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x77cee0) returned 1
[0197.763] CryptContextAddRef (hProv=0x7e8520, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.763] CryptSetKeyParam (hKey=0x77cee0, dwParam=0x4, pbData=0x25cba30*=0x1, dwFlags=0x0) returned 1
[0197.763] CryptSetKeyParam (hKey=0x77cee0, dwParam=0x1, pbData=0x25cb9fc, dwFlags=0x0) returned 1
[0197.763] CryptDecrypt (in: hKey=0x77cee0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25cbb10, pdwDataLen=0x19f3f8 | out: pbData=0x25cbb10, pdwDataLen=0x19f3f8) returned 1
[0197.763] CryptDecrypt (in: hKey=0x77cee0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x25cbb40, pdwDataLen=0x19f3f8 | out: pbData=0x25cbb40, pdwDataLen=0x19f3f8) returned 0
[0197.763] CryptDestroyKey (hKey=0x77d520) returned 1
[0197.763] CryptReleaseContext (hProv=0x7e8520, dwFlags=0x0) returned 1
[0197.763] CryptReleaseContext (hProv=0x7e8520, dwFlags=0x0) returned 1
[0197.763] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x7e85a8) returned 1
[0197.764] CryptImportKey (in: hProv=0x7e85a8, pbData=0x25cbc9c, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x77cf20) returned 1
[0197.764] CryptContextAddRef (hProv=0x7e85a8, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.764] CryptContextAddRef (hProv=0x7e85a8, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.764] CryptDuplicateKey (in: hKey=0x77cf20, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x77d3a0) returned 1
[0197.764] CryptContextAddRef (hProv=0x7e85a8, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.764] CryptSetKeyParam (hKey=0x77d3a0, dwParam=0x4, pbData=0x25cc3f4*=0x1, dwFlags=0x0) returned 1
[0197.764] CryptSetKeyParam (hKey=0x77d3a0, dwParam=0x1, pbData=0x25cc3c0, dwFlags=0x0) returned 1
[0197.765] CryptDecrypt (in: hKey=0x77d3a0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25cc4d4, pdwDataLen=0x19f3f8 | out: pbData=0x25cc4d4, pdwDataLen=0x19f3f8) returned 1
[0197.765] CryptDecrypt (in: hKey=0x77d3a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x25cc500, pdwDataLen=0x19f3f8 | out: pbData=0x25cc500, pdwDataLen=0x19f3f8) returned 0
[0197.765] CryptDestroyKey (hKey=0x77cf20) returned 1
[0197.765] CryptReleaseContext (hProv=0x7e85a8, dwFlags=0x0) returned 1
[0197.765] CryptReleaseContext (hProv=0x7e85a8, dwFlags=0x0) returned 1
[0197.765] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x7e7ec0) returned 1
[0197.765] CryptImportKey (in: hProv=0x7e7ec0, pbData=0x25cc664, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x77d320) returned 1
[0197.766] CryptContextAddRef (hProv=0x7e7ec0, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.766] CryptContextAddRef (hProv=0x7e7ec0, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.766] CryptDuplicateKey (in: hKey=0x77d320, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x77d360) returned 1
[0197.766] CryptContextAddRef (hProv=0x7e7ec0, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.766] CryptSetKeyParam (hKey=0x77d360, dwParam=0x4, pbData=0x25ccdcc*=0x1, dwFlags=0x0) returned 1
[0197.766] CryptSetKeyParam (hKey=0x77d360, dwParam=0x1, pbData=0x25ccd98, dwFlags=0x0) returned 1
[0197.766] CryptDecrypt (in: hKey=0x77d360, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25cceb0, pdwDataLen=0x19f3c8 | out: pbData=0x25cceb0, pdwDataLen=0x19f3c8) returned 1
[0197.766] CryptDecrypt (in: hKey=0x77d360, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25ccef8, pdwDataLen=0x19f3f8 | out: pbData=0x25ccef8, pdwDataLen=0x19f3f8) returned 1
[0197.766] CryptDecrypt (in: hKey=0x77d360, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x25ccf24, pdwDataLen=0x19f3f8 | out: pbData=0x25ccf24, pdwDataLen=0x19f3f8) returned 0
[0197.766] CryptDestroyKey (hKey=0x77d320) returned 1
[0197.766] CryptReleaseContext (hProv=0x7e7ec0, dwFlags=0x0) returned 1
[0197.766] CryptReleaseContext (hProv=0x7e7ec0, dwFlags=0x0) returned 1
[0197.766] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x7e8740) returned 1
[0197.767] CryptImportKey (in: hProv=0x7e8740, pbData=0x25cd0a8, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x77cfe0) returned 1
[0197.767] CryptContextAddRef (hProv=0x7e8740, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.767] CryptContextAddRef (hProv=0x7e8740, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.767] CryptDuplicateKey (in: hKey=0x77cfe0, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x77d460) returned 1
[0197.767] CryptContextAddRef (hProv=0x7e8740, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.767] CryptSetKeyParam (hKey=0x77d460, dwParam=0x4, pbData=0x25cd800*=0x1, dwFlags=0x0) returned 1
[0197.768] CryptSetKeyParam (hKey=0x77d460, dwParam=0x1, pbData=0x25cd7cc, dwFlags=0x0) returned 1
[0197.768] CryptDecrypt (in: hKey=0x77d460, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25cd8e0, pdwDataLen=0x19f3f8 | out: pbData=0x25cd8e0, pdwDataLen=0x19f3f8) returned 1
[0197.768] CryptDecrypt (in: hKey=0x77d460, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x25cd90c, pdwDataLen=0x19f3f8 | out: pbData=0x25cd90c, pdwDataLen=0x19f3f8) returned 0
[0197.768] CryptDestroyKey (hKey=0x77cfe0) returned 1
[0197.768] CryptReleaseContext (hProv=0x7e8740, dwFlags=0x0) returned 1
[0197.768] CryptReleaseContext (hProv=0x7e8740, dwFlags=0x0) returned 1
[0197.768] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x7e8278) returned 1
[0197.768] CryptImportKey (in: hProv=0x7e8278, pbData=0x25cda60, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x77d320) returned 1
[0197.769] CryptContextAddRef (hProv=0x7e8278, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.769] CryptContextAddRef (hProv=0x7e8278, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.769] CryptDuplicateKey (in: hKey=0x77d320, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x77cf20) returned 1
[0197.769] CryptContextAddRef (hProv=0x7e8278, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.769] CryptSetKeyParam (hKey=0x77cf20, dwParam=0x4, pbData=0x25ce1b8*=0x1, dwFlags=0x0) returned 1
[0197.769] CryptSetKeyParam (hKey=0x77cf20, dwParam=0x1, pbData=0x25ce184, dwFlags=0x0) returned 1
[0197.769] CryptDecrypt (in: hKey=0x77cf20, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25ce298, pdwDataLen=0x19f3f8 | out: pbData=0x25ce298, pdwDataLen=0x19f3f8) returned 1
[0197.769] CryptDecrypt (in: hKey=0x77cf20, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x25ce2c8, pdwDataLen=0x19f3f8 | out: pbData=0x25ce2c8, pdwDataLen=0x19f3f8) returned 0
[0197.769] CryptDestroyKey (hKey=0x77d320) returned 1
[0197.769] CryptReleaseContext (hProv=0x7e8278, dwFlags=0x0) returned 1
[0197.769] CryptReleaseContext (hProv=0x7e8278, dwFlags=0x0) returned 1
[0197.769] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x7e7d28) returned 1
[0197.770] CryptImportKey (in: hProv=0x7e7d28, pbData=0x25ce420, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x77d320) returned 1
[0197.770] CryptContextAddRef (hProv=0x7e7d28, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.770] CryptContextAddRef (hProv=0x7e7d28, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.770] CryptDuplicateKey (in: hKey=0x77d320, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x77cfe0) returned 1
[0197.770] CryptContextAddRef (hProv=0x7e7d28, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.770] CryptSetKeyParam (hKey=0x77cfe0, dwParam=0x4, pbData=0x25ceb78*=0x1, dwFlags=0x0) returned 1
[0197.770] CryptSetKeyParam (hKey=0x77cfe0, dwParam=0x1, pbData=0x25ceb44, dwFlags=0x0) returned 1
[0197.771] CryptDecrypt (in: hKey=0x77cfe0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25cec58, pdwDataLen=0x19f3f8 | out: pbData=0x25cec58, pdwDataLen=0x19f3f8) returned 1
[0197.771] CryptDecrypt (in: hKey=0x77cfe0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x25cec88, pdwDataLen=0x19f3f8 | out: pbData=0x25cec88, pdwDataLen=0x19f3f8) returned 0
[0197.771] CryptDestroyKey (hKey=0x77d320) returned 1
[0197.771] CryptReleaseContext (hProv=0x7e7d28, dwFlags=0x0) returned 1
[0197.771] CryptReleaseContext (hProv=0x7e7d28, dwFlags=0x0) returned 1
[0197.771] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x7e7b08) returned 1
[0197.771] CryptImportKey (in: hProv=0x7e7b08, pbData=0x25cede0, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x77d060) returned 1
[0197.771] CryptContextAddRef (hProv=0x7e7b08, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.772] CryptContextAddRef (hProv=0x7e7b08, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.772] CryptDuplicateKey (in: hKey=0x77d060, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x77d120) returned 1
[0197.772] CryptContextAddRef (hProv=0x7e7b08, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.772] CryptSetKeyParam (hKey=0x77d120, dwParam=0x4, pbData=0x25cf538*=0x1, dwFlags=0x0) returned 1
[0197.772] CryptSetKeyParam (hKey=0x77d120, dwParam=0x1, pbData=0x25cf504, dwFlags=0x0) returned 1
[0197.772] CryptDecrypt (in: hKey=0x77d120, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25cf618, pdwDataLen=0x19f3f8 | out: pbData=0x25cf618, pdwDataLen=0x19f3f8) returned 1
[0197.772] CryptDecrypt (in: hKey=0x77d120, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x25cf648, pdwDataLen=0x19f3f8 | out: pbData=0x25cf648, pdwDataLen=0x19f3f8) returned 0
[0197.772] CryptDestroyKey (hKey=0x77d060) returned 1
[0197.772] CryptReleaseContext (hProv=0x7e7b08, dwFlags=0x0) returned 1
[0197.772] CryptReleaseContext (hProv=0x7e7b08, dwFlags=0x0) returned 1
[0197.800] GetUserNameW (in: lpBuffer=0x19f20c, pcbBuffer=0x19f484 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x19f484) returned 1
[0197.804] GetComputerNameW (in: lpBuffer=0x19f20c, nSize=0x19f484 | out: lpBuffer="XC64ZB", nSize=0x19f484) returned 1
[0197.804] CoTaskMemAlloc (cb=0x20c) returned 0x7ed978
[0197.804] GetSystemDirectoryW (in: lpBuffer=0x7ed978, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13
[0197.804] CoTaskMemFree (pv=0x7ed978)
[0197.809] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x19eea4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3
[0197.810] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f440) returned 1
[0197.810] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x19f46c, lpTotalNumberOfBytes=0x19f464, lpTotalNumberOfFreeBytes=0x19f45c | out: lpFreeBytesAvailableToCaller=0x19f46c, lpTotalNumberOfBytes=0x19f464, lpTotalNumberOfFreeBytes=0x19f45c) returned 1
[0197.811] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f43c) returned 1
[0197.881] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x7e7970) returned 1
[0197.881] CryptImportKey (in: hProv=0x7e7970, pbData=0x25d1708, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x77cd60) returned 1
[0197.881] CryptContextAddRef (hProv=0x7e7970, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.882] CryptContextAddRef (hProv=0x7e7970, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.882] CryptDuplicateKey (in: hKey=0x77cd60, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x77cde0) returned 1
[0197.882] CryptContextAddRef (hProv=0x7e7970, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.882] CryptSetKeyParam (hKey=0x77cde0, dwParam=0x4, pbData=0x25d23c0*=0x1, dwFlags=0x0) returned 1
[0197.882] CryptSetKeyParam (hKey=0x77cde0, dwParam=0x1, pbData=0x25d238c, dwFlags=0x0) returned 1
[0197.882] CryptDecrypt (in: hKey=0x77cde0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25d29c4, pdwDataLen=0x19f3c8 | out: pbData=0x25d29c4, pdwDataLen=0x19f3c8) returned 1
[0197.882] CryptDecrypt (in: hKey=0x77cde0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25d2c9c, pdwDataLen=0x19f3f8 | out: pbData=0x25d2c9c, pdwDataLen=0x19f3f8) returned 1
[0197.882] CryptDecrypt (in: hKey=0x77cde0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x25d2cd0, pdwDataLen=0x19f3f8 | out: pbData=0x25d2cd0, pdwDataLen=0x19f3f8) returned 0
[0197.882] CryptDestroyKey (hKey=0x77cd60) returned 1
[0197.883] CryptReleaseContext (hProv=0x7e7970, dwFlags=0x0) returned 1
[0197.883] CryptReleaseContext (hProv=0x7e7970, dwFlags=0x0) returned 1
[0197.883] CryptAcquireContextW (in: phProv=0x19f3f8, szContainer=0x0, szProvider="Microsoft Enhanced RSA and AES Cryptographic Provider", dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f3f8*=0x7e7f48) returned 1
[0197.883] CryptImportKey (in: hProv=0x7e7f48, pbData=0x25d3d2c, dwDataLen=0x2c, hPubKey=0x0, dwFlags=0x1, phKey=0x19f3c8 | out: phKey=0x19f3c8*=0x77cce0) returned 1
[0197.883] CryptContextAddRef (hProv=0x7e7f48, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.884] CryptContextAddRef (hProv=0x7e7f48, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.884] CryptDuplicateKey (in: hKey=0x77cce0, pdwReserved=0x0, dwFlags=0x0, phKey=0x19f3b8 | out: phKey=0x19f3b8*=0x77c960) returned 1
[0197.884] CryptContextAddRef (hProv=0x7e7f48, pdwReserved=0x0, dwFlags=0x0) returned 1
[0197.884] CryptSetKeyParam (hKey=0x77c960, dwParam=0x4, pbData=0x25d51e4*=0x1, dwFlags=0x0) returned 1
[0197.884] CryptSetKeyParam (hKey=0x77c960, dwParam=0x1, pbData=0x25d51b0, dwFlags=0x0) returned 1
[0197.885] CryptDecrypt (in: hKey=0x77c960, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25d5fe8, pdwDataLen=0x19f3c8 | out: pbData=0x25d5fe8, pdwDataLen=0x19f3c8) returned 1
[0197.885] CryptDecrypt (in: hKey=0x77c960, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x25d66c0, pdwDataLen=0x19f3f8 | out: pbData=0x25d66c0, pdwDataLen=0x19f3f8) returned 1
[0197.885] CryptDecrypt (in: hKey=0x77c960, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x25d66e8, pdwDataLen=0x19f3f8 | out: pbData=0x25d66e8, pdwDataLen=0x19f3f8) returned 0
[0197.885] CryptDestroyKey (hKey=0x77cce0) returned 1
[0197.885] CryptReleaseContext (hProv=0x7e7f48, dwFlags=0x0) returned 1
[0197.885] CryptReleaseContext (hProv=0x7e7f48, dwFlags=0x0) returned 1
[0198.620] CertDuplicateCertificateContext (pCertContext=0x7e5fc0) returned 0x7e5fc0
[0198.639] LocalAlloc (uFlags=0x0, uBytes=0x2a) returned 0x77a720
[0198.709] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x77a720, dwGroupId=0x3) returned 0x0
[0198.728] LocalFree (hMem=0x77a720) returned 0x0
[0198.728] LocalAlloc (uFlags=0x0, uBytes=0x2a) returned 0x7825c8
[0198.728] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x7825c8, dwGroupId=0x0) returned 0x0
[0198.736] LocalFree (hMem=0x7825c8) returned 0x0
[0198.738] LocalAlloc (uFlags=0x0, uBytes=0x15) returned 0x7e3ca0
[0198.738] CryptFindOIDInfo (dwKeyType=0x1, pvKey=0x7e3ca0, dwGroupId=0x0) returned 0x73f9d6c0
[0198.816] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x25d891c, cbEncoded=0x20e, dwFlags=0x0, pvStructInfo=0x0, pcbStructInfo=0x19f434 | out: pvStructInfo=0x0, pcbStructInfo=0x19f434) returned 1
[0198.816] LocalAlloc (uFlags=0x0, uBytes=0x214) returned 0x7ef7e8
[0198.816] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x13, pbEncoded=0x25d891c, cbEncoded=0x20e, dwFlags=0x0, pvStructInfo=0x7ef7e8, pcbStructInfo=0x19f434 | out: pvStructInfo=0x7ef7e8, pcbStructInfo=0x19f434) returned 1
[0198.817] LocalFree (hMem=0x7ef7e8) returned 0x0
[0198.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x19eda4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43
[0198.905] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x19ee08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43
[0198.905] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f2b0) returned 1
[0198.905] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19f32c | out: lpFileInformation=0x19f32c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1
[0198.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f2ac) returned 1
[0198.964] CoTaskMemAlloc (cb=0x2e) returned 0x7821a0
[0198.969] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x7821a0, dwGroupId=0x1) returned 0x0
[0198.969] CryptFindOIDInfo (dwKeyType=0x2, pvKey=0x7821a0, dwGroupId=0x0) returned 0x0
[0198.969] CoTaskMemFree (pv=0x7821a0)
[0198.977] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="AsyncMutex_6SI8OkPnk") returned 0x2f0
[0199.124] ExpandEnvironmentStringsW (in: lpSrc="%AppData%", lpDst=0x19f328, nSize=0x64 | out: lpDst="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x26
[0199.124] ExpandEnvironmentStringsW (in: lpSrc="%AppData%", lpDst=0x19f328, nSize=0x64 | out: lpDst="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x26
[0199.125] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", nBufferLength=0x105, lpBuffer=0x19ef24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", lpFilePart=0x0) returned 0x2a
[0199.126] GetCurrentProcessId () returned 0xb50
[0199.131] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x19ecc4 | out: lpLuid=0x19ecc4*(LowPart=0x14, HighPart=0)) returned 1
[0199.132] GetCurrentProcess () returned 0xffffffff
[0199.132] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x19ecc0 | out: TokenHandle=0x19ecc0*=0x300) returned 1
[0199.132] AdjustTokenPrivileges (in: TokenHandle=0x300, DisableAllPrivileges=0, NewState=0x25fa44c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1
[0199.133] CloseHandle (hObject=0x300) returned 1
[0199.135] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb50) returned 0x300
[0199.142] EnumProcessModules (in: hProcess=0x300, lphModule=0x25fa490, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x25fa490, lpcbNeeded=0x19f434) returned 1
[0199.144] GetModuleInformation (in: hProcess=0x300, hModule=0x400000, lpmodinfo=0x25fa5d0, cb=0xc | out: lpmodinfo=0x25fa5d0*(lpBaseOfDll=0x400000, SizeOfImage=0x12000, EntryPoint=0x0)) returned 1
[0199.144] CoTaskMemAlloc (cb=0x804) returned 0x78af30
[0199.145] GetModuleBaseNameW (in: hProcess=0x300, hModule=0x400000, lpBaseName=0x78af30, nSize=0x800 | out: lpBaseName="9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe") returned 0x44
[0199.145] CoTaskMemFree (pv=0x78af30)
[0199.145] CoTaskMemAlloc (cb=0x804) returned 0x78af30
[0199.145] GetModuleFileNameExW (in: hProcess=0x300, hModule=0x400000, lpFilename=0x78af30, nSize=0x800 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe")) returned 0x62
[0199.146] CoTaskMemFree (pv=0x78af30)
[0199.146] CloseHandle (hObject=0x300) returned 1
[0199.163] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x34f54f0, Length=0x20000, ResultLength=0x19f43c | out: SystemInformation=0x34f54f0, ResultLength=0x19f43c*=0x14820) returned 0x0
[0199.256] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd14) returned 0x300
[0199.256] EnumProcessModules (in: hProcess=0x300, lphModule=0x2621484, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2621484, lpcbNeeded=0x19f434) returned 1
[0199.258] GetModuleInformation (in: hProcess=0x300, hModule=0x880000, lpmodinfo=0x26215c4, cb=0xc | out: lpmodinfo=0x26215c4*(lpBaseOfDll=0x880000, SizeOfImage=0x17000, EntryPoint=0x8814a1)) returned 1
[0199.258] CoTaskMemAlloc (cb=0x804) returned 0x78af30
[0199.258] GetModuleBaseNameW (in: hProcess=0x300, hModule=0x880000, lpBaseName=0x78af30, nSize=0x800 | out: lpBaseName="office.exe") returned 0xa
[0199.259] CoTaskMemFree (pv=0x78af30)
[0199.259] CoTaskMemAlloc (cb=0x804) returned 0x78af30
[0199.259] GetModuleFileNameExW (in: hProcess=0x300, hModule=0x880000, lpFilename=0x78af30, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Photo Viewer\\office.exe" (normalized: "c:\\program files\\windows photo viewer\\office.exe")) returned 0x30
[0199.259] CoTaskMemFree (pv=0x78af30)
[0199.259] CloseHandle (hObject=0x300) returned 1
[0199.260] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf60) returned 0x300
[0199.260] EnumProcessModules (in: hProcess=0x300, lphModule=0x2623734, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2623734, lpcbNeeded=0x19f434) returned 1
[0199.264] GetModuleInformation (in: hProcess=0x300, hModule=0xfd0000, lpmodinfo=0x2623874, cb=0xc | out: lpmodinfo=0x2623874*(lpBaseOfDll=0xfd0000, SizeOfImage=0x17000, EntryPoint=0xfd14a1)) returned 1
[0199.264] CoTaskMemAlloc (cb=0x804) returned 0x78af30
[0199.264] GetModuleBaseNameW (in: hProcess=0x300, hModule=0xfd0000, lpBaseName=0x78af30, nSize=0x800 | out: lpBaseName="aldelo.exe") returned 0xa
[0199.264] CoTaskMemFree (pv=0x78af30)
[0199.264] CoTaskMemAlloc (cb=0x804) returned 0x78af30
[0199.265] GetModuleFileNameExW (in: hProcess=0x300, hModule=0xfd0000, lpFilename=0x78af30, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Multimedia Platform\\aldelo.exe" (normalized: "c:\\program files (x86)\\windows multimedia platform\\aldelo.exe")) returned 0x3d
[0199.265] CoTaskMemFree (pv=0x78af30)
[0199.265] CloseHandle (hObject=0x300) returned 1
[0199.265] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x184) returned 0x0
[0199.267] EnumProcesses (in: lpidProcess=0x26259fc, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x26259fc, lpcbNeeded=0x19f3a4) returned 1
[0199.275] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13
[0199.348] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x30c) returned 0x308
[0199.348] EnumProcessModules (in: hProcess=0x308, lphModule=0x262659c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x262659c, lpcbNeeded=0x19f434) returned 0
[0199.348] GetCurrentProcessId () returned 0xb50
[0199.348] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.350] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.350] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.358] EtwEventRegister (in: ProviderId=0x2626f20, EnableCallback=0x9706ee, CallbackContext=0x0, RegHandle=0x2626efc | out: RegHandle=0x2626efc) returned 0x0
[0199.360] EtwEventSetInformation (RegHandle=0x785f00, InformationClass=0x38, EventInformation=0x2, InformationLength=0x2626ec0) returned 0x0
[0199.380] CloseHandle (hObject=0x30c) returned 1
[0199.380] CloseHandle (hObject=0x308) returned 1
[0199.380] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd0c) returned 0x308
[0199.380] EnumProcessModules (in: hProcess=0x308, lphModule=0x2628610, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2628610, lpcbNeeded=0x19f434) returned 1
[0199.382] GetModuleInformation (in: hProcess=0x308, hModule=0x2e0000, lpmodinfo=0x2628750, cb=0xc | out: lpmodinfo=0x2628750*(lpBaseOfDll=0x2e0000, SizeOfImage=0x17000, EntryPoint=0x2e14a1)) returned 1
[0199.382] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.382] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x2e0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="thing_really.exe") returned 0x10
[0199.383] CoTaskMemFree (pv=0x78b790)
[0199.383] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.383] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x2e0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Mail\\thing_really.exe" (normalized: "c:\\program files\\windows mail\\thing_really.exe")) returned 0x2e
[0199.383] CoTaskMemFree (pv=0x78b790)
[0199.383] CloseHandle (hObject=0x308) returned 1
[0199.383] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdd0) returned 0x308
[0199.383] EnumProcessModules (in: hProcess=0x308, lphModule=0x262a8c8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x262a8c8, lpcbNeeded=0x19f434) returned 1
[0199.385] GetModuleInformation (in: hProcess=0x308, hModule=0x110000, lpmodinfo=0x262aa08, cb=0xc | out: lpmodinfo=0x262aa08*(lpBaseOfDll=0x110000, SizeOfImage=0x17000, EntryPoint=0x1114a1)) returned 1
[0199.419] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.420] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x110000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="3dftp.exe") returned 0x9
[0199.420] CoTaskMemFree (pv=0x78b790)
[0199.420] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.420] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x110000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Multimedia Platform\\3dftp.exe" (normalized: "c:\\program files\\windows multimedia platform\\3dftp.exe")) returned 0x36
[0199.421] CoTaskMemFree (pv=0x78b790)
[0199.421] CloseHandle (hObject=0x308) returned 1
[0199.421] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf58) returned 0x308
[0199.421] EnumProcessModules (in: hProcess=0x308, lphModule=0x262cb80, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x262cb80, lpcbNeeded=0x19f434) returned 1
[0199.422] GetModuleInformation (in: hProcess=0x308, hModule=0xac0000, lpmodinfo=0x262ccc0, cb=0xc | out: lpmodinfo=0x262ccc0*(lpBaseOfDll=0xac0000, SizeOfImage=0x17000, EntryPoint=0xac14a1)) returned 1
[0199.423] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.423] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xac0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="afr38.exe") returned 0x9
[0199.423] CoTaskMemFree (pv=0x78b790)
[0199.423] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.423] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xac0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Defender\\afr38.exe" (normalized: "c:\\program files (x86)\\windows defender\\afr38.exe")) returned 0x31
[0199.424] CoTaskMemFree (pv=0x78b790)
[0199.424] CloseHandle (hObject=0x308) returned 1
[0199.424] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe90) returned 0x308
[0199.424] EnumProcessModules (in: hProcess=0x308, lphModule=0x262ee2c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x262ee2c, lpcbNeeded=0x19f434) returned 1
[0199.426] GetModuleInformation (in: hProcess=0x308, hModule=0x1c0000, lpmodinfo=0x262ef6c, cb=0xc | out: lpmodinfo=0x262ef6c*(lpBaseOfDll=0x1c0000, SizeOfImage=0x17000, EntryPoint=0x1c14a1)) returned 1
[0199.426] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.426] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x1c0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="operamail.exe") returned 0xd
[0199.426] CoTaskMemFree (pv=0x78b790)
[0199.426] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.426] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x1c0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Microsoft Analysis Services\\operamail.exe" (normalized: "c:\\program files (x86)\\microsoft analysis services\\operamail.exe")) returned 0x40
[0199.427] CoTaskMemFree (pv=0x78b790)
[0199.427] CloseHandle (hObject=0x308) returned 1
[0199.427] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd04) returned 0x308
[0199.427] EnumProcessModules (in: hProcess=0x308, lphModule=0x2631100, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2631100, lpcbNeeded=0x19f434) returned 1
[0199.429] GetModuleInformation (in: hProcess=0x308, hModule=0x1040000, lpmodinfo=0x2631240, cb=0xc | out: lpmodinfo=0x2631240*(lpBaseOfDll=0x1040000, SizeOfImage=0x17000, EntryPoint=0x10414a1)) returned 1
[0199.429] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.429] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x1040000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="protect.exe") returned 0xb
[0199.430] CoTaskMemFree (pv=0x78b790)
[0199.430] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.430] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x1040000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Microsoft Office\\protect.exe" (normalized: "c:\\program files\\microsoft office\\protect.exe")) returned 0x2d
[0199.430] CoTaskMemFree (pv=0x78b790)
[0199.430] CloseHandle (hObject=0x308) returned 1
[0199.430] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1328) returned 0x308
[0199.430] EnumProcessModules (in: hProcess=0x308, lphModule=0x26333a8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26333a8, lpcbNeeded=0x19f434) returned 0
[0199.431] GetCurrentProcessId () returned 0xb50
[0199.431] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.431] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.431] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.443] CloseHandle (hObject=0x30c) returned 1
[0199.443] CloseHandle (hObject=0x308) returned 1
[0199.443] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x54c) returned 0x308
[0199.443] EnumProcessModules (in: hProcess=0x308, lphModule=0x263361c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x263361c, lpcbNeeded=0x19f434) returned 0
[0199.443] GetCurrentProcessId () returned 0xb50
[0199.443] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.443] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.444] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.445] CloseHandle (hObject=0x30c) returned 1
[0199.445] CloseHandle (hObject=0x308) returned 1
[0199.445] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf48) returned 0x308
[0199.445] EnumProcessModules (in: hProcess=0x308, lphModule=0x2633890, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2633890, lpcbNeeded=0x19f434) returned 1
[0199.447] GetModuleInformation (in: hProcess=0x308, hModule=0x1310000, lpmodinfo=0x26339d0, cb=0xc | out: lpmodinfo=0x26339d0*(lpBaseOfDll=0x1310000, SizeOfImage=0x17000, EntryPoint=0x13114a1)) returned 1
[0199.447] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.447] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x1310000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="accupos.exe") returned 0xb
[0199.451] CoTaskMemFree (pv=0x78b790)
[0199.451] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.451] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x1310000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Microsoft SQL Server\\accupos.exe" (normalized: "c:\\program files (x86)\\microsoft sql server\\accupos.exe")) returned 0x37
[0199.452] CoTaskMemFree (pv=0x78b790)
[0199.452] CloseHandle (hObject=0x308) returned 1
[0199.452] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xcf8) returned 0x308
[0199.452] EnumProcessModules (in: hProcess=0x308, lphModule=0x2635b4c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2635b4c, lpcbNeeded=0x19f434) returned 1
[0199.454] GetModuleInformation (in: hProcess=0x308, hModule=0x1160000, lpmodinfo=0x2635c8c, cb=0xc | out: lpmodinfo=0x2635c8c*(lpBaseOfDll=0x1160000, SizeOfImage=0x17000, EntryPoint=0x11614a1)) returned 1
[0199.454] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.454] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x1160000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="thesepolice.exe") returned 0xf
[0199.454] CoTaskMemFree (pv=0x78b790)
[0199.454] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.454] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x1160000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Mail\\thesepolice.exe" (normalized: "c:\\program files\\windows mail\\thesepolice.exe")) returned 0x2d
[0199.455] CoTaskMemFree (pv=0x78b790)
[0199.455] CloseHandle (hObject=0x308) returned 1
[0199.455] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdbc) returned 0x308
[0199.455] EnumProcessModules (in: hProcess=0x308, lphModule=0x2637dfc, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2637dfc, lpcbNeeded=0x19f434) returned 1
[0199.457] GetModuleInformation (in: hProcess=0x308, hModule=0xed0000, lpmodinfo=0x2637f3c, cb=0xc | out: lpmodinfo=0x2637f3c*(lpBaseOfDll=0xed0000, SizeOfImage=0x17000, EntryPoint=0xed14a1)) returned 1
[0199.457] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.457] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xed0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="republican-opportunity.exe") returned 0x1a
[0199.458] CoTaskMemFree (pv=0x78b790)
[0199.458] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.458] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xed0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Internet Explorer\\republican-opportunity.exe" (normalized: "c:\\program files\\internet explorer\\republican-opportunity.exe")) returned 0x3d
[0199.458] CoTaskMemFree (pv=0x78b790)
[0199.458] CloseHandle (hObject=0x308) returned 1
[0199.458] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe80) returned 0x308
[0199.458] EnumProcessModules (in: hProcess=0x308, lphModule=0x263a0e4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x263a0e4, lpcbNeeded=0x19f434) returned 1
[0199.460] GetModuleInformation (in: hProcess=0x308, hModule=0x1340000, lpmodinfo=0x263a224, cb=0xc | out: lpmodinfo=0x263a224*(lpBaseOfDll=0x1340000, SizeOfImage=0x17000, EntryPoint=0x13414a1)) returned 1
[0199.460] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.460] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x1340000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="ncftp.exe") returned 0x9
[0199.461] CoTaskMemFree (pv=0x78b790)
[0199.461] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.461] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x1340000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Reference Assemblies\\ncftp.exe" (normalized: "c:\\program files (x86)\\reference assemblies\\ncftp.exe")) returned 0x35
[0199.461] CoTaskMemFree (pv=0x78b790)
[0199.461] CloseHandle (hObject=0x308) returned 1
[0199.461] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfe0) returned 0x308
[0199.461] EnumProcessModules (in: hProcess=0x308, lphModule=0x263c398, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x263c398, lpcbNeeded=0x19f434) returned 1
[0199.463] GetModuleInformation (in: hProcess=0x308, hModule=0x110000, lpmodinfo=0x263c4d8, cb=0xc | out: lpmodinfo=0x263c4d8*(lpBaseOfDll=0x110000, SizeOfImage=0x17000, EntryPoint=0x1114a1)) returned 1
[0199.465] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.465] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x110000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="utg2.exe") returned 0x8
[0199.466] CoTaskMemFree (pv=0x78b790)
[0199.466] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.466] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x110000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Media Player\\utg2.exe" (normalized: "c:\\program files\\windows media player\\utg2.exe")) returned 0x2e
[0199.466] CoTaskMemFree (pv=0x78b790)
[0199.466] CloseHandle (hObject=0x308) returned 1
[0199.466] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x604) returned 0x308
[0199.466] EnumProcessModules (in: hProcess=0x308, lphModule=0x263e640, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x263e640, lpcbNeeded=0x19f434) returned 0
[0199.467] GetCurrentProcessId () returned 0xb50
[0199.467] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.467] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.467] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.468] CloseHandle (hObject=0x30c) returned 1
[0199.468] CloseHandle (hObject=0x308) returned 1
[0199.468] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1004) returned 0x308
[0199.468] EnumProcessModules (in: hProcess=0x308, lphModule=0x263e8b4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x263e8b4, lpcbNeeded=0x19f434) returned 1
[0199.470] GetModuleInformation (in: hProcess=0x308, hModule=0x380000, lpmodinfo=0x263e9f4, cb=0xc | out: lpmodinfo=0x263e9f4*(lpBaseOfDll=0x380000, SizeOfImage=0x17000, EntryPoint=0x3814a1)) returned 1
[0199.470] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.471] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x380000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="approach-time.exe") returned 0x11
[0199.471] CoTaskMemFree (pv=0x78b790)
[0199.471] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.471] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x380000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Portable Devices\\approach-time.exe" (normalized: "c:\\program files\\windows portable devices\\approach-time.exe")) returned 0x3b
[0199.472] CoTaskMemFree (pv=0x78b790)
[0199.472] CloseHandle (hObject=0x308) returned 1
[0199.472] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdb4) returned 0x308
[0199.472] EnumProcessModules (in: hProcess=0x308, lphModule=0x2640b84, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2640b84, lpcbNeeded=0x19f434) returned 1
[0199.474] GetModuleInformation (in: hProcess=0x308, hModule=0x180000, lpmodinfo=0x2640cc4, cb=0xc | out: lpmodinfo=0x2640cc4*(lpBaseOfDll=0x180000, SizeOfImage=0x17000, EntryPoint=0x1814a1)) returned 1
[0199.474] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.474] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x180000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="film.exe") returned 0x8
[0199.474] CoTaskMemFree (pv=0x78b790)
[0199.474] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.474] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x180000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\MSBuild\\film.exe" (normalized: "c:\\program files\\msbuild\\film.exe")) returned 0x21
[0199.475] CoTaskMemFree (pv=0x78b790)
[0199.475] CloseHandle (hObject=0x308) returned 1
[0199.475] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf30) returned 0x308
[0199.475] EnumProcessModules (in: hProcess=0x308, lphModule=0x2642e10, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2642e10, lpcbNeeded=0x19f434) returned 1
[0199.477] GetModuleInformation (in: hProcess=0x308, hModule=0x840000, lpmodinfo=0x2642f50, cb=0xc | out: lpmodinfo=0x2642f50*(lpBaseOfDll=0x840000, SizeOfImage=0x17000, EntryPoint=0x8414a1)) returned 1
[0199.477] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.477] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x840000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="yahoomessenger.exe") returned 0x12
[0199.477] CoTaskMemFree (pv=0x78b790)
[0199.477] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.477] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x840000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\MSBuild\\yahoomessenger.exe" (normalized: "c:\\program files\\msbuild\\yahoomessenger.exe")) returned 0x2b
[0199.478] CoTaskMemFree (pv=0x78b790)
[0199.478] CloseHandle (hObject=0x308) returned 1
[0199.478] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf38) returned 0x308
[0199.478] EnumProcessModules (in: hProcess=0x308, lphModule=0x26450c4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26450c4, lpcbNeeded=0x19f434) returned 1
[0199.530] GetModuleInformation (in: hProcess=0x308, hModule=0x9c0000, lpmodinfo=0x2645204, cb=0xc | out: lpmodinfo=0x2645204*(lpBaseOfDll=0x9c0000, SizeOfImage=0x17000, EntryPoint=0x9c14a1)) returned 1
[0199.530] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.530] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x9c0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="active-charge.exe") returned 0x11
[0199.531] CoTaskMemFree (pv=0x78b790)
[0199.531] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.531] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x9c0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Journal\\active-charge.exe" (normalized: "c:\\program files\\windows journal\\active-charge.exe")) returned 0x32
[0199.531] CoTaskMemFree (pv=0x78b790)
[0199.531] CloseHandle (hObject=0x308) returned 1
[0199.531] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xffc) returned 0x308
[0199.531] EnumProcessModules (in: hProcess=0x308, lphModule=0x2647384, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2647384, lpcbNeeded=0x19f434) returned 1
[0199.533] GetModuleInformation (in: hProcess=0x308, hModule=0xc90000, lpmodinfo=0x26474c4, cb=0xc | out: lpmodinfo=0x26474c4*(lpBaseOfDll=0xc90000, SizeOfImage=0x17000, EntryPoint=0xc914a1)) returned 1
[0199.533] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.533] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xc90000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="involve_off.exe") returned 0xf
[0199.534] CoTaskMemFree (pv=0x78b790)
[0199.534] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.534] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xc90000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\WindowsPowerShell\\involve_off.exe" (normalized: "c:\\program files (x86)\\windowspowershell\\involve_off.exe")) returned 0x38
[0199.534] CoTaskMemFree (pv=0x78b790)
[0199.534] CloseHandle (hObject=0x308) returned 1
[0199.534] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdac) returned 0x308
[0199.534] EnumProcessModules (in: hProcess=0x308, lphModule=0x264964c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x264964c, lpcbNeeded=0x19f434) returned 1
[0199.536] GetModuleInformation (in: hProcess=0x308, hModule=0x860000, lpmodinfo=0x264978c, cb=0xc | out: lpmodinfo=0x264978c*(lpBaseOfDll=0x860000, SizeOfImage=0x17000, EntryPoint=0x8614a1)) returned 1
[0199.537] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.537] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x860000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="top.exe") returned 0x7
[0199.537] CoTaskMemFree (pv=0x78b790)
[0199.537] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.537] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x860000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Microsoft Office\\top.exe" (normalized: "c:\\program files (x86)\\microsoft office\\top.exe")) returned 0x2f
[0199.537] CoTaskMemFree (pv=0x78b790)
[0199.537] CloseHandle (hObject=0x308) returned 1
[0199.538] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe70) returned 0x308
[0199.538] EnumProcessModules (in: hProcess=0x308, lphModule=0x264b8f0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x264b8f0, lpcbNeeded=0x19f434) returned 1
[0199.539] GetModuleInformation (in: hProcess=0x308, hModule=0x170000, lpmodinfo=0x264ba30, cb=0xc | out: lpmodinfo=0x264ba30*(lpBaseOfDll=0x170000, SizeOfImage=0x17000, EntryPoint=0x1714a1)) returned 1
[0199.540] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.540] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x170000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="notepad.exe") returned 0xb
[0199.540] CoTaskMemFree (pv=0x78b790)
[0199.540] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.540] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x170000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Photo Viewer\\notepad.exe" (normalized: "c:\\program files (x86)\\windows photo viewer\\notepad.exe")) returned 0x37
[0199.541] CoTaskMemFree (pv=0x78b790)
[0199.541] CloseHandle (hObject=0x308) returned 1
[0199.541] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xee4) returned 0x308
[0199.541] EnumProcessModules (in: hProcess=0x308, lphModule=0x264dbac, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x264dbac, lpcbNeeded=0x19f434) returned 1
[0199.544] GetModuleInformation (in: hProcess=0x308, hModule=0x90000, lpmodinfo=0x264dcec, cb=0xc | out: lpmodinfo=0x264dcec*(lpBaseOfDll=0x90000, SizeOfImage=0x17000, EntryPoint=0x914a1)) returned 1
[0199.545] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.545] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x90000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="thunderbird.exe") returned 0xf
[0199.545] CoTaskMemFree (pv=0x78b790)
[0199.545] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.545] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x90000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Reference Assemblies\\thunderbird.exe" (normalized: "c:\\program files\\reference assemblies\\thunderbird.exe")) returned 0x35
[0199.546] CoTaskMemFree (pv=0x78b790)
[0199.546] CloseHandle (hObject=0x308) returned 1
[0199.546] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x21c) returned 0x308
[0199.546] EnumProcessModules (in: hProcess=0x308, lphModule=0x264fe6c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x264fe6c, lpcbNeeded=0x19f434) returned 0
[0199.546] GetCurrentProcessId () returned 0xb50
[0199.546] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.546] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.546] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.548] CloseHandle (hObject=0x30c) returned 1
[0199.548] CloseHandle (hObject=0x308) returned 1
[0199.548] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x908) returned 0x308
[0199.548] EnumProcessModules (in: hProcess=0x308, lphModule=0x26500e0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26500e0, lpcbNeeded=0x19f434) returned 0
[0199.548] GetCurrentProcessId () returned 0xb50
[0199.548] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.548] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.548] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.549] CloseHandle (hObject=0x30c) returned 1
[0199.549] CloseHandle (hObject=0x308) returned 1
[0199.549] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xff4) returned 0x308
[0199.550] EnumProcessModules (in: hProcess=0x308, lphModule=0x2650354, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2650354, lpcbNeeded=0x19f434) returned 1
[0199.551] GetModuleInformation (in: hProcess=0x308, hModule=0xff0000, lpmodinfo=0x2650494, cb=0xc | out: lpmodinfo=0x2650494*(lpBaseOfDll=0xff0000, SizeOfImage=0x17000, EntryPoint=0xff14a1)) returned 1
[0199.552] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.552] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xff0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="certainlyifmaterial.exe") returned 0x17
[0199.552] CoTaskMemFree (pv=0x78b790)
[0199.552] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.552] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xff0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Media Player\\certainlyifmaterial.exe" (normalized: "c:\\program files\\windows media player\\certainlyifmaterial.exe")) returned 0x3d
[0199.553] CoTaskMemFree (pv=0x78b790)
[0199.553] CloseHandle (hObject=0x308) returned 1
[0199.553] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x3a0) returned 0x308
[0199.553] EnumProcessModules (in: hProcess=0x308, lphModule=0x2652634, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2652634, lpcbNeeded=0x19f434) returned 0
[0199.553] GetCurrentProcessId () returned 0xb50
[0199.553] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.553] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.553] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.554] CloseHandle (hObject=0x30c) returned 1
[0199.554] CloseHandle (hObject=0x308) returned 1
[0199.554] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x214) returned 0x0
[0199.554] EnumProcesses (in: lpidProcess=0x26528a8, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x26528a8, lpcbNeeded=0x19f3a4) returned 1
[0199.561] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13
[0199.562] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf28) returned 0x308
[0199.562] EnumProcessModules (in: hProcess=0x308, lphModule=0x2653408, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2653408, lpcbNeeded=0x19f434) returned 1
[0199.564] GetModuleInformation (in: hProcess=0x308, hModule=0x1c0000, lpmodinfo=0x2653548, cb=0xc | out: lpmodinfo=0x2653548*(lpBaseOfDll=0x1c0000, SizeOfImage=0x17000, EntryPoint=0x1c14a1)) returned 1
[0199.564] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.564] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x1c0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="winscp.exe") returned 0xa
[0199.564] CoTaskMemFree (pv=0x78b790)
[0199.564] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.564] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x1c0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Journal\\winscp.exe" (normalized: "c:\\program files\\windows journal\\winscp.exe")) returned 0x2b
[0199.565] CoTaskMemFree (pv=0x78b790)
[0199.565] CloseHandle (hObject=0x308) returned 1
[0199.565] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x460) returned 0x308
[0199.565] EnumProcessModules (in: hProcess=0x308, lphModule=0x26556ac, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26556ac, lpcbNeeded=0x19f434) returned 0
[0199.565] GetCurrentProcessId () returned 0xb50
[0199.565] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.565] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.565] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.567] CloseHandle (hObject=0x30c) returned 1
[0199.567] CloseHandle (hObject=0x308) returned 1
[0199.567] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x210) returned 0x308
[0199.567] EnumProcessModules (in: hProcess=0x308, lphModule=0x2655920, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2655920, lpcbNeeded=0x19f434) returned 0
[0199.567] GetCurrentProcessId () returned 0xb50
[0199.567] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.567] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.567] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.568] CloseHandle (hObject=0x30c) returned 1
[0199.568] CloseHandle (hObject=0x308) returned 1
[0199.568] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd98) returned 0x308
[0199.569] EnumProcessModules (in: hProcess=0x308, lphModule=0x2655b94, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2655b94, lpcbNeeded=0x19f434) returned 1
[0199.570] GetModuleInformation (in: hProcess=0x308, hModule=0x90000, lpmodinfo=0x2655cd4, cb=0xc | out: lpmodinfo=0x2655cd4*(lpBaseOfDll=0x90000, SizeOfImage=0x17000, EntryPoint=0x914a1)) returned 1
[0199.571] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.571] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x90000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="allow_note.exe") returned 0xe
[0199.571] CoTaskMemFree (pv=0x78b790)
[0199.571] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.571] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x90000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Reference Assemblies\\allow_note.exe" (normalized: "c:\\program files\\reference assemblies\\allow_note.exe")) returned 0x34
[0199.572] CoTaskMemFree (pv=0x78b790)
[0199.572] CloseHandle (hObject=0x308) returned 1
[0199.572] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe58) returned 0x308
[0199.572] EnumProcessModules (in: hProcess=0x308, lphModule=0x2657e54, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2657e54, lpcbNeeded=0x19f434) returned 1
[0199.603] GetModuleInformation (in: hProcess=0x308, hModule=0x120000, lpmodinfo=0x2657f94, cb=0xc | out: lpmodinfo=0x2657f94*(lpBaseOfDll=0x120000, SizeOfImage=0x17000, EntryPoint=0x1214a1)) returned 1
[0199.603] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.603] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x120000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="gmailnotifierpro.exe") returned 0x14
[0199.603] CoTaskMemFree (pv=0x78b790)
[0199.603] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.603] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x120000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Internet Explorer\\gmailnotifierpro.exe" (normalized: "c:\\program files\\internet explorer\\gmailnotifierpro.exe")) returned 0x37
[0199.604] CoTaskMemFree (pv=0x78b790)
[0199.604] CloseHandle (hObject=0x308) returned 1
[0199.604] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x390) returned 0x308
[0199.604] EnumProcessModules (in: hProcess=0x308, lphModule=0x265a124, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x265a124, lpcbNeeded=0x19f434) returned 0
[0199.604] GetCurrentProcessId () returned 0xb50
[0199.604] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.604] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.605] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.606] CloseHandle (hObject=0x30c) returned 1
[0199.606] CloseHandle (hObject=0x308) returned 1
[0199.606] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd90) returned 0x308
[0199.606] EnumProcessModules (in: hProcess=0x308, lphModule=0x265a398, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x265a398, lpcbNeeded=0x19f434) returned 1
[0199.608] GetModuleInformation (in: hProcess=0x308, hModule=0x12f0000, lpmodinfo=0x265a4d8, cb=0xc | out: lpmodinfo=0x265a4d8*(lpBaseOfDll=0x12f0000, SizeOfImage=0x17000, EntryPoint=0x12f14a1)) returned 1
[0199.608] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.608] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x12f0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="talk.exe") returned 0x8
[0199.609] CoTaskMemFree (pv=0x78b790)
[0199.609] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.609] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x12f0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows NT\\talk.exe" (normalized: "c:\\program files\\windows nt\\talk.exe")) returned 0x24
[0199.609] CoTaskMemFree (pv=0x78b790)
[0199.609] CloseHandle (hObject=0x308) returned 1
[0199.609] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd88) returned 0x308
[0199.609] EnumProcessModules (in: hProcess=0x308, lphModule=0x265c62c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x265c62c, lpcbNeeded=0x19f434) returned 1
[0199.611] GetModuleInformation (in: hProcess=0x308, hModule=0x870000, lpmodinfo=0x265c76c, cb=0xc | out: lpmodinfo=0x265c76c*(lpBaseOfDll=0x870000, SizeOfImage=0x17000, EntryPoint=0x8714a1)) returned 1
[0199.611] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.611] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x870000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="budget senior.exe") returned 0x11
[0199.612] CoTaskMemFree (pv=0x78b790)
[0199.612] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.612] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x870000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows NT\\budget senior.exe" (normalized: "c:\\program files\\windows nt\\budget senior.exe")) returned 0x2d
[0199.612] CoTaskMemFree (pv=0x78b790)
[0199.612] CloseHandle (hObject=0x308) returned 1
[0199.612] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe50) returned 0x308
[0199.613] EnumProcessModules (in: hProcess=0x308, lphModule=0x265e8e0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x265e8e0, lpcbNeeded=0x19f434) returned 1
[0199.614] GetModuleInformation (in: hProcess=0x308, hModule=0xb30000, lpmodinfo=0x265ea20, cb=0xc | out: lpmodinfo=0x265ea20*(lpBaseOfDll=0xb30000, SizeOfImage=0x17000, EntryPoint=0xb314a1)) returned 1
[0199.615] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.615] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xb30000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="icq.exe") returned 0x7
[0199.615] CoTaskMemFree (pv=0x78b790)
[0199.615] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.615] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xb30000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Defender\\icq.exe" (normalized: "c:\\program files (x86)\\windows defender\\icq.exe")) returned 0x2f
[0199.615] CoTaskMemFree (pv=0x78b790)
[0199.615] CloseHandle (hObject=0x308) returned 1
[0199.616] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfd8) returned 0x308
[0199.616] EnumProcessModules (in: hProcess=0x308, lphModule=0x2660b84, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2660b84, lpcbNeeded=0x19f434) returned 1
[0199.617] GetModuleInformation (in: hProcess=0x308, hModule=0x290000, lpmodinfo=0x2660cc4, cb=0xc | out: lpmodinfo=0x2660cc4*(lpBaseOfDll=0x290000, SizeOfImage=0x17000, EntryPoint=0x2914a1)) returned 1
[0199.618] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.618] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x290000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="spgagentservice.exe") returned 0x13
[0199.618] CoTaskMemFree (pv=0x78b790)
[0199.618] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.618] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x290000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Reference Assemblies\\spgagentservice.exe" (normalized: "c:\\program files\\reference assemblies\\spgagentservice.exe")) returned 0x39
[0199.619] CoTaskMemFree (pv=0x78b790)
[0199.619] CloseHandle (hObject=0x308) returned 1
[0199.619] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x138) returned 0x0
[0199.619] EnumProcesses (in: lpidProcess=0x2662e54, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x2662e54, lpcbNeeded=0x19f3a4) returned 1
[0199.626] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13
[0199.628] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1fc) returned 0x308
[0199.628] EnumProcessModules (in: hProcess=0x308, lphModule=0x26639b4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26639b4, lpcbNeeded=0x19f434) returned 0
[0199.628] GetCurrentProcessId () returned 0xb50
[0199.628] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.628] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.628] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.629] CloseHandle (hObject=0x30c) returned 1
[0199.629] CloseHandle (hObject=0x308) returned 1
[0199.629] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x115c) returned 0x308
[0199.630] EnumProcessModules (in: hProcess=0x308, lphModule=0x2663c28, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2663c28, lpcbNeeded=0x19f434) returned 0
[0199.630] GetCurrentProcessId () returned 0xb50
[0199.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.630] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.630] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.631] CloseHandle (hObject=0x30c) returned 1
[0199.631] CloseHandle (hObject=0x308) returned 1
[0199.631] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf0c) returned 0x308
[0199.631] EnumProcessModules (in: hProcess=0x308, lphModule=0x2663e9c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2663e9c, lpcbNeeded=0x19f434) returned 1
[0199.633] GetModuleInformation (in: hProcess=0x308, hModule=0x10c0000, lpmodinfo=0x2663fdc, cb=0xc | out: lpmodinfo=0x2663fdc*(lpBaseOfDll=0x10c0000, SizeOfImage=0x17000, EntryPoint=0x10c14a1)) returned 1
[0199.633] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.633] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x10c0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="whatsapp.exe") returned 0xc
[0199.634] CoTaskMemFree (pv=0x78b790)
[0199.634] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.634] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x10c0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Common Files\\whatsapp.exe" (normalized: "c:\\program files (x86)\\common files\\whatsapp.exe")) returned 0x30
[0199.634] CoTaskMemFree (pv=0x78b790)
[0199.634] CloseHandle (hObject=0x308) returned 1
[0199.634] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe44) returned 0x308
[0199.635] EnumProcessModules (in: hProcess=0x308, lphModule=0x2666150, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2666150, lpcbNeeded=0x19f434) returned 1
[0199.639] GetModuleInformation (in: hProcess=0x308, hModule=0xe0000, lpmodinfo=0x2666290, cb=0xc | out: lpmodinfo=0x2666290*(lpBaseOfDll=0xe0000, SizeOfImage=0x17000, EntryPoint=0xe14a1)) returned 1
[0199.639] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.639] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xe0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="fling.exe") returned 0x9
[0199.639] CoTaskMemFree (pv=0x78b790)
[0199.639] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.639] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xe0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Media Player\\fling.exe" (normalized: "c:\\program files (x86)\\windows media player\\fling.exe")) returned 0x35
[0199.640] CoTaskMemFree (pv=0x78b790)
[0199.640] CloseHandle (hObject=0x308) returned 1
[0199.640] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfcc) returned 0x308
[0199.640] EnumProcessModules (in: hProcess=0x308, lphModule=0x2668404, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2668404, lpcbNeeded=0x19f434) returned 1
[0199.642] GetModuleInformation (in: hProcess=0x308, hModule=0x1340000, lpmodinfo=0x2668544, cb=0xc | out: lpmodinfo=0x2668544*(lpBaseOfDll=0x1340000, SizeOfImage=0x17000, EntryPoint=0x13414a1)) returned 1
[0199.642] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.642] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x1340000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="spcwin.exe") returned 0xa
[0199.642] CoTaskMemFree (pv=0x78b790)
[0199.642] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.642] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x1340000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Microsoft SQL Server\\spcwin.exe" (normalized: "c:\\program files (x86)\\microsoft sql server\\spcwin.exe")) returned 0x36
[0199.643] CoTaskMemFree (pv=0x78b790)
[0199.643] CloseHandle (hObject=0x308) returned 1
[0199.643] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x378) returned 0x308
[0199.643] EnumProcessModules (in: hProcess=0x308, lphModule=0x266a6c0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x266a6c0, lpcbNeeded=0x19f434) returned 0
[0199.643] GetCurrentProcessId () returned 0xb50
[0199.643] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.643] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.643] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.645] CloseHandle (hObject=0x30c) returned 1
[0199.645] CloseHandle (hObject=0x308) returned 1
[0199.645] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe3c) returned 0x308
[0199.645] EnumProcessModules (in: hProcess=0x308, lphModule=0x266a934, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x266a934, lpcbNeeded=0x19f434) returned 1
[0199.646] GetModuleInformation (in: hProcess=0x308, hModule=0xf70000, lpmodinfo=0x266aa74, cb=0xc | out: lpmodinfo=0x266aa74*(lpBaseOfDll=0xf70000, SizeOfImage=0x17000, EntryPoint=0xf714a1)) returned 1
[0199.647] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.647] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xf70000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="foxmailincmail.exe") returned 0x12
[0199.647] CoTaskMemFree (pv=0x78b790)
[0199.647] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.647] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xf70000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\WindowsPowerShell\\foxmailincmail.exe" (normalized: "c:\\program files (x86)\\windowspowershell\\foxmailincmail.exe")) returned 0x3b
[0199.648] CoTaskMemFree (pv=0x78b790)
[0199.648] CloseHandle (hObject=0x308) returned 1
[0199.648] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x100c) returned 0x308
[0199.648] EnumProcessModules (in: hProcess=0x308, lphModule=0x266cc08, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x266cc08, lpcbNeeded=0x19f434) returned 1
[0199.650] GetModuleInformation (in: hProcess=0x308, hModule=0x1090000, lpmodinfo=0x266cd48, cb=0xc | out: lpmodinfo=0x266cd48*(lpBaseOfDll=0x1090000, SizeOfImage=0x17000, EntryPoint=0x10914a1)) returned 1
[0199.650] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.650] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x1090000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="thank.exe") returned 0x9
[0199.650] CoTaskMemFree (pv=0x78b790)
[0199.650] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.650] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x1090000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Common Files\\thank.exe" (normalized: "c:\\program files (x86)\\common files\\thank.exe")) returned 0x2d
[0199.653] CoTaskMemFree (pv=0x78b790)
[0199.653] CloseHandle (hObject=0x308) returned 1
[0199.653] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd74) returned 0x308
[0199.653] EnumProcessModules (in: hProcess=0x308, lphModule=0x266eeac, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x266eeac, lpcbNeeded=0x19f434) returned 1
[0199.655] GetModuleInformation (in: hProcess=0x308, hModule=0x12d0000, lpmodinfo=0x266efec, cb=0xc | out: lpmodinfo=0x266efec*(lpBaseOfDll=0x12d0000, SizeOfImage=0x17000, EntryPoint=0x12d14a1)) returned 1
[0199.655] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.655] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x12d0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="minute-bed.exe") returned 0xe
[0199.655] CoTaskMemFree (pv=0x78b790)
[0199.655] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.655] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x12d0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Defender\\minute-bed.exe" (normalized: "c:\\program files (x86)\\windows defender\\minute-bed.exe")) returned 0x36
[0199.656] CoTaskMemFree (pv=0x78b790)
[0199.656] CloseHandle (hObject=0x308) returned 1
[0199.656] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x810) returned 0x308
[0199.656] EnumProcessModules (in: hProcess=0x308, lphModule=0x2671170, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2671170, lpcbNeeded=0x19f434) returned 0
[0199.656] GetCurrentProcessId () returned 0xb50
[0199.656] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.656] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.656] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.658] CloseHandle (hObject=0x30c) returned 1
[0199.659] CloseHandle (hObject=0x308) returned 1
[0199.659] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xefc) returned 0x308
[0199.659] EnumProcessModules (in: hProcess=0x308, lphModule=0x26713e4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26713e4, lpcbNeeded=0x19f434) returned 1
[0199.660] GetModuleInformation (in: hProcess=0x308, hModule=0xeb0000, lpmodinfo=0x2671524, cb=0xc | out: lpmodinfo=0x2671524*(lpBaseOfDll=0xeb0000, SizeOfImage=0x17000, EntryPoint=0xeb14a1)) returned 1
[0199.661] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.661] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xeb0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="webdrive.exe") returned 0xc
[0199.661] CoTaskMemFree (pv=0x78b790)
[0199.661] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.661] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xeb0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Sidebar\\webdrive.exe" (normalized: "c:\\program files\\windows sidebar\\webdrive.exe")) returned 0x2d
[0199.662] CoTaskMemFree (pv=0x78b790)
[0199.662] CloseHandle (hObject=0x308) returned 1
[0199.662] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfc0) returned 0x308
[0199.662] EnumProcessModules (in: hProcess=0x308, lphModule=0x2673690, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2673690, lpcbNeeded=0x19f434) returned 1
[0199.663] GetModuleInformation (in: hProcess=0x308, hModule=0x810000, lpmodinfo=0x26737d0, cb=0xc | out: lpmodinfo=0x26737d0*(lpBaseOfDll=0x810000, SizeOfImage=0x17000, EntryPoint=0x8114a1)) returned 1
[0199.664] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.664] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x810000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="omnipos.exe") returned 0xb
[0199.664] CoTaskMemFree (pv=0x78b790)
[0199.664] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.664] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x810000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Microsoft SQL Server\\omnipos.exe" (normalized: "c:\\program files (x86)\\microsoft sql server\\omnipos.exe")) returned 0x37
[0199.665] CoTaskMemFree (pv=0x78b790)
[0199.665] CloseHandle (hObject=0x308) returned 1
[0199.665] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe34) returned 0x308
[0199.665] EnumProcessModules (in: hProcess=0x308, lphModule=0x267594c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x267594c, lpcbNeeded=0x19f434) returned 1
[0199.667] GetModuleInformation (in: hProcess=0x308, hModule=0x370000, lpmodinfo=0x2675a8c, cb=0xc | out: lpmodinfo=0x2675a8c*(lpBaseOfDll=0x370000, SizeOfImage=0x17000, EntryPoint=0x3714a1)) returned 1
[0199.667] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.667] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x370000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="flashfxp.exe") returned 0xc
[0199.667] CoTaskMemFree (pv=0x78b790)
[0199.667] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.667] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x370000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\flashfxp.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\flashfxp.exe")) returned 0x33
[0199.670] CoTaskMemFree (pv=0x78b790)
[0199.670] CloseHandle (hObject=0x308) returned 1
[0199.670] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x13dc) returned 0x0
[0199.670] EnumProcesses (in: lpidProcess=0x2677c04, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x2677c04, lpcbNeeded=0x19f3a4) returned 1
[0199.674] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13
[0199.676] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x5b8) returned 0x308
[0199.676] EnumProcessModules (in: hProcess=0x308, lphModule=0x2678764, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2678764, lpcbNeeded=0x19f434) returned 0
[0199.700] GetCurrentProcessId () returned 0xb50
[0199.700] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.700] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.701] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.702] CloseHandle (hObject=0x30c) returned 1
[0199.702] CloseHandle (hObject=0x308) returned 1
[0199.702] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfb8) returned 0x308
[0199.702] EnumProcessModules (in: hProcess=0x308, lphModule=0x26789d8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26789d8, lpcbNeeded=0x19f434) returned 1
[0199.704] GetModuleInformation (in: hProcess=0x308, hModule=0x950000, lpmodinfo=0x2678b18, cb=0xc | out: lpmodinfo=0x2678b18*(lpBaseOfDll=0x950000, SizeOfImage=0x17000, EntryPoint=0x9514a1)) returned 1
[0199.704] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.704] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x950000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="mxslipstream.exe") returned 0x10
[0199.705] CoTaskMemFree (pv=0x78b790)
[0199.705] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.705] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x950000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Journal\\mxslipstream.exe" (normalized: "c:\\program files\\windows journal\\mxslipstream.exe")) returned 0x31
[0199.705] CoTaskMemFree (pv=0x78b790)
[0199.705] CloseHandle (hObject=0x308) returned 1
[0199.705] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x132c) returned 0x308
[0199.705] EnumProcessModules (in: hProcess=0x308, lphModule=0x267ac94, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x267ac94, lpcbNeeded=0x19f434) returned 1
[0199.708] GetModuleInformation (in: hProcess=0x308, hModule=0x330000, lpmodinfo=0x267add4, cb=0xc | out: lpmodinfo=0x267add4*(lpBaseOfDll=0x330000, SizeOfImage=0x71000, EntryPoint=0x339c00)) returned 1
[0199.709] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.709] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x330000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe
[0199.709] CoTaskMemFree (pv=0x78b790)
[0199.709] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.709] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x330000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39
[0199.710] CoTaskMemFree (pv=0x78b790)
[0199.710] CloseHandle (hObject=0x308) returned 1
[0199.710] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe2c) returned 0x308
[0199.710] EnumProcessModules (in: hProcess=0x308, lphModule=0x267cf5c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x267cf5c, lpcbNeeded=0x19f434) returned 1
[0199.711] GetModuleInformation (in: hProcess=0x308, hModule=0xe80000, lpmodinfo=0x267d09c, cb=0xc | out: lpmodinfo=0x267d09c*(lpBaseOfDll=0xe80000, SizeOfImage=0x17000, EntryPoint=0xe814a1)) returned 1
[0199.712] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.712] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xe80000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="filezilla.exe") returned 0xd
[0199.712] CoTaskMemFree (pv=0x78b790)
[0199.712] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.712] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xe80000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows NT\\filezilla.exe" (normalized: "c:\\program files (x86)\\windows nt\\filezilla.exe")) returned 0x2f
[0199.713] CoTaskMemFree (pv=0x78b790)
[0199.713] CloseHandle (hObject=0x308) returned 1
[0199.713] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd64) returned 0x308
[0199.713] EnumProcessModules (in: hProcess=0x308, lphModule=0x267f20c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x267f20c, lpcbNeeded=0x19f434) returned 1
[0199.717] GetModuleInformation (in: hProcess=0x308, hModule=0xd60000, lpmodinfo=0x267f34c, cb=0xc | out: lpmodinfo=0x267f34c*(lpBaseOfDll=0xd60000, SizeOfImage=0x17000, EntryPoint=0xd614a1)) returned 1
[0199.717] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.717] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xd60000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="any contain meet.exe") returned 0x14
[0199.718] CoTaskMemFree (pv=0x78b790)
[0199.718] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.718] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xd60000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Sidebar\\any contain meet.exe" (normalized: "c:\\program files\\windows sidebar\\any contain meet.exe")) returned 0x35
[0199.718] CoTaskMemFree (pv=0x78b790)
[0199.718] CloseHandle (hObject=0x308) returned 1
[0199.719] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xeec) returned 0x308
[0199.719] EnumProcessModules (in: hProcess=0x308, lphModule=0x26814d8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26814d8, lpcbNeeded=0x19f434) returned 1
[0199.720] GetModuleInformation (in: hProcess=0x308, hModule=0x940000, lpmodinfo=0x2681618, cb=0xc | out: lpmodinfo=0x2681618*(lpBaseOfDll=0x940000, SizeOfImage=0x17000, EntryPoint=0x9414a1)) returned 1
[0199.721] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.721] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x940000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="trillian.exe") returned 0xc
[0199.721] CoTaskMemFree (pv=0x78b790)
[0199.721] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.721] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x940000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Sidebar\\trillian.exe" (normalized: "c:\\program files\\windows sidebar\\trillian.exe")) returned 0x2d
[0199.722] CoTaskMemFree (pv=0x78b790)
[0199.722] CloseHandle (hObject=0x308) returned 1
[0199.722] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x360) returned 0x308
[0199.722] EnumProcessModules (in: hProcess=0x308, lphModule=0x2683784, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2683784, lpcbNeeded=0x19f434) returned 0
[0199.722] GetCurrentProcessId () returned 0xb50
[0199.722] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.722] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.722] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.723] CloseHandle (hObject=0x30c) returned 1
[0199.723] CloseHandle (hObject=0x308) returned 1
[0199.724] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x8c0) returned 0x308
[0199.724] EnumProcessModules (in: hProcess=0x308, lphModule=0x26839f8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26839f8, lpcbNeeded=0x19f434) returned 0
[0199.724] GetCurrentProcessId () returned 0xb50
[0199.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.724] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.724] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.725] CloseHandle (hObject=0x30c) returned 1
[0199.725] CloseHandle (hObject=0x308) returned 1
[0199.725] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x294) returned 0x308
[0199.725] EnumProcessModules (in: hProcess=0x308, lphModule=0x2683c6c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2683c6c, lpcbNeeded=0x19f434) returned 0
[0199.726] GetCurrentProcessId () returned 0xb50
[0199.726] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.726] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.726] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.728] CloseHandle (hObject=0x30c) returned 1
[0199.728] CloseHandle (hObject=0x308) returned 1
[0199.728] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe60) returned 0x308
[0199.728] EnumProcessModules (in: hProcess=0x308, lphModule=0x2683ee0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2683ee0, lpcbNeeded=0x19f434) returned 1
[0199.732] GetModuleInformation (in: hProcess=0x308, hModule=0xb30000, lpmodinfo=0x2684020, cb=0xc | out: lpmodinfo=0x2684020*(lpBaseOfDll=0xb30000, SizeOfImage=0x17000, EntryPoint=0xb314a1)) returned 1
[0199.732] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.732] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xb30000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="leechftp.exe") returned 0xc
[0199.732] CoTaskMemFree (pv=0x78b790)
[0199.732] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.732] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xb30000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Journal\\leechftp.exe" (normalized: "c:\\program files\\windows journal\\leechftp.exe")) returned 0x2d
[0199.733] CoTaskMemFree (pv=0x78b790)
[0199.733] CloseHandle (hObject=0x308) returned 1
[0199.733] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4e0) returned 0x308
[0199.733] EnumProcessModules (in: hProcess=0x308, lphModule=0x268618c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x268618c, lpcbNeeded=0x19f434) returned 0
[0199.733] GetCurrentProcessId () returned 0xb50
[0199.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.733] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.733] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.735] CloseHandle (hObject=0x30c) returned 1
[0199.735] CloseHandle (hObject=0x308) returned 1
[0199.735] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfa4) returned 0x308
[0199.735] EnumProcessModules (in: hProcess=0x308, lphModule=0x2686400, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2686400, lpcbNeeded=0x19f434) returned 1
[0199.737] GetModuleInformation (in: hProcess=0x308, hModule=0x2b0000, lpmodinfo=0x2686540, cb=0xc | out: lpmodinfo=0x2686540*(lpBaseOfDll=0x2b0000, SizeOfImage=0x17000, EntryPoint=0x2b14a1)) returned 1
[0199.737] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.737] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x2b0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="isspos.exe") returned 0xa
[0199.737] CoTaskMemFree (pv=0x78b790)
[0199.737] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.737] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x2b0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Defender\\isspos.exe" (normalized: "c:\\program files\\windows defender\\isspos.exe")) returned 0x2c
[0199.738] CoTaskMemFree (pv=0x78b790)
[0199.738] CloseHandle (hObject=0x308) returned 1
[0199.738] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xddc) returned 0x308
[0199.738] EnumProcessModules (in: hProcess=0x308, lphModule=0x26886a8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26886a8, lpcbNeeded=0x19f434) returned 1
[0199.740] GetModuleInformation (in: hProcess=0x308, hModule=0x1080000, lpmodinfo=0x26887e8, cb=0xc | out: lpmodinfo=0x26887e8*(lpBaseOfDll=0x1080000, SizeOfImage=0x17000, EntryPoint=0x10814a1)) returned 1
[0199.740] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.740] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x1080000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="barca.exe") returned 0x9
[0199.740] CoTaskMemFree (pv=0x78b790)
[0199.740] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.740] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x1080000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Mail\\barca.exe" (normalized: "c:\\program files\\windows mail\\barca.exe")) returned 0x27
[0199.741] CoTaskMemFree (pv=0x78b790)
[0199.741] CloseHandle (hObject=0x308) returned 1
[0199.741] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x0
[0199.741] EnumProcesses (in: lpidProcess=0x268a940, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x268a940, lpcbNeeded=0x19f3a4) returned 1
[0199.748] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13
[0199.749] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x7ec) returned 0x308
[0199.749] EnumProcessModules (in: hProcess=0x308, lphModule=0x268b4a0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x268b4a0, lpcbNeeded=0x19f434) returned 0
[0199.749] GetCurrentProcessId () returned 0xb50
[0199.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.749] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.749] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.750] CloseHandle (hObject=0x30c) returned 1
[0199.750] CloseHandle (hObject=0x308) returned 1
[0199.750] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xed8) returned 0x308
[0199.750] EnumProcessModules (in: hProcess=0x308, lphModule=0x268b714, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x268b714, lpcbNeeded=0x19f434) returned 1
[0199.752] GetModuleInformation (in: hProcess=0x308, hModule=0x100000, lpmodinfo=0x268b854, cb=0xc | out: lpmodinfo=0x268b854*(lpBaseOfDll=0x100000, SizeOfImage=0x17000, EntryPoint=0x1014a1)) returned 1
[0199.753] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.753] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x100000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="smartftp.exe") returned 0xc
[0199.753] CoTaskMemFree (pv=0x78b790)
[0199.753] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.753] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x100000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Microsoft Office\\smartftp.exe" (normalized: "c:\\program files\\microsoft office\\smartftp.exe")) returned 0x2e
[0199.753] CoTaskMemFree (pv=0x78b790)
[0199.753] CloseHandle (hObject=0x308) returned 1
[0199.754] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf9c) returned 0x308
[0199.754] EnumProcessModules (in: hProcess=0x308, lphModule=0x268d9c4, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x268d9c4, lpcbNeeded=0x19f434) returned 1
[0199.755] GetModuleInformation (in: hProcess=0x308, hModule=0xfd0000, lpmodinfo=0x268db04, cb=0xc | out: lpmodinfo=0x268db04*(lpBaseOfDll=0xfd0000, SizeOfImage=0x17000, EntryPoint=0xfd14a1)) returned 1
[0199.756] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.756] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xfd0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="fpos.exe") returned 0x8
[0199.756] CoTaskMemFree (pv=0x78b790)
[0199.756] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.756] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xfd0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Sidebar\\fpos.exe" (normalized: "c:\\program files\\windows sidebar\\fpos.exe")) returned 0x29
[0199.757] CoTaskMemFree (pv=0x78b790)
[0199.757] CloseHandle (hObject=0x308) returned 1
[0199.757] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c0) returned 0x0
[0199.757] EnumProcesses (in: lpidProcess=0x268fc60, cb=0x400, lpcbNeeded=0x19f3a4 | out: lpidProcess=0x268fc60, lpcbNeeded=0x19f3a4) returned 1
[0199.763] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x5, dwLanguageId=0x0, lpBuffer=0x19f100, nSize=0x101, Arguments=0x0 | out: lpBuffer="Access is denied.\r\n") returned 0x13
[0199.764] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xed0) returned 0x308
[0199.765] EnumProcessModules (in: hProcess=0x308, lphModule=0x26907c0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26907c0, lpcbNeeded=0x19f434) returned 1
[0199.766] GetModuleInformation (in: hProcess=0x308, hModule=0x820000, lpmodinfo=0x2690900, cb=0xc | out: lpmodinfo=0x2690900*(lpBaseOfDll=0x820000, SizeOfImage=0x17000, EntryPoint=0x8214a1)) returned 1
[0199.766] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.767] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x820000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="skype.exe") returned 0x9
[0199.767] CoTaskMemFree (pv=0x78b790)
[0199.767] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.767] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x820000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Portable Devices\\skype.exe" (normalized: "c:\\program files (x86)\\windows portable devices\\skype.exe")) returned 0x39
[0199.767] CoTaskMemFree (pv=0x78b790)
[0199.767] CloseHandle (hObject=0x308) returned 1
[0199.768] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf94) returned 0x308
[0199.768] EnumProcessModules (in: hProcess=0x308, lphModule=0x2692a7c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2692a7c, lpcbNeeded=0x19f434) returned 1
[0199.769] GetModuleInformation (in: hProcess=0x308, hModule=0xde0000, lpmodinfo=0x2692bbc, cb=0xc | out: lpmodinfo=0x2692bbc*(lpBaseOfDll=0xde0000, SizeOfImage=0x17000, EntryPoint=0xde14a1)) returned 1
[0199.770] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.770] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xde0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="edcsvr.exe") returned 0xa
[0199.770] CoTaskMemFree (pv=0x78b790)
[0199.770] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.770] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xde0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\WindowsPowerShell\\edcsvr.exe" (normalized: "c:\\program files\\windowspowershell\\edcsvr.exe")) returned 0x2d
[0199.770] CoTaskMemFree (pv=0x78b790)
[0199.771] CloseHandle (hObject=0x308) returned 1
[0199.771] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xe04) returned 0x308
[0199.771] EnumProcessModules (in: hProcess=0x308, lphModule=0x2694d24, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2694d24, lpcbNeeded=0x19f434) returned 1
[0199.772] GetModuleInformation (in: hProcess=0x308, hModule=0xaa0000, lpmodinfo=0x2694e64, cb=0xc | out: lpmodinfo=0x2694e64*(lpBaseOfDll=0xaa0000, SizeOfImage=0x17000, EntryPoint=0xaa14a1)) returned 1
[0199.773] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.773] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xaa0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="far.exe") returned 0x7
[0199.773] CoTaskMemFree (pv=0x78b790)
[0199.773] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.773] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xaa0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\WindowsPowerShell\\far.exe" (normalized: "c:\\program files\\windowspowershell\\far.exe")) returned 0x2a
[0199.774] CoTaskMemFree (pv=0x78b790)
[0199.774] CloseHandle (hObject=0x308) returned 1
[0199.774] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd3c) returned 0x308
[0199.774] EnumProcessModules (in: hProcess=0x308, lphModule=0x2696fc0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2696fc0, lpcbNeeded=0x19f434) returned 1
[0199.776] GetModuleInformation (in: hProcess=0x308, hModule=0xd40000, lpmodinfo=0x2697100, cb=0xc | out: lpmodinfo=0x2697100*(lpBaseOfDll=0xd40000, SizeOfImage=0x17000, EntryPoint=0xd414a1)) returned 1
[0199.778] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.778] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xd40000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="officer water student.exe") returned 0x19
[0199.778] CoTaskMemFree (pv=0x78b790)
[0199.778] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.778] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xd40000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Reference Assemblies\\officer water student.exe" (normalized: "c:\\program files\\reference assemblies\\officer water student.exe")) returned 0x3f
[0199.779] CoTaskMemFree (pv=0x78b790)
[0199.779] CloseHandle (hObject=0x308) returned 1
[0199.779] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x274) returned 0x308
[0199.779] EnumProcessModules (in: hProcess=0x308, lphModule=0x26992a8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26992a8, lpcbNeeded=0x19f434) returned 0
[0199.779] GetCurrentProcessId () returned 0xb50
[0199.779] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.779] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.779] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.780] CloseHandle (hObject=0x30c) returned 1
[0199.781] CloseHandle (hObject=0x308) returned 1
[0199.781] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x64c) returned 0x308
[0199.781] EnumProcessModules (in: hProcess=0x308, lphModule=0x269951c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x269951c, lpcbNeeded=0x19f434) returned 0
[0199.781] GetCurrentProcessId () returned 0xb50
[0199.781] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.781] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.781] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.783] CloseHandle (hObject=0x30c) returned 1
[0199.783] CloseHandle (hObject=0x308) returned 1
[0199.783] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x10c4) returned 0x308
[0199.783] EnumProcessModules (in: hProcess=0x308, lphModule=0x2699790, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x2699790, lpcbNeeded=0x19f434) returned 1
[0199.790] EnumProcessModules (in: hProcess=0x308, lphModule=0x269989c, cb=0x200, lpcbNeeded=0x19f434 | out: lphModule=0x269989c, lpcbNeeded=0x19f434) returned 1
[0199.799] GetModuleInformation (in: hProcess=0x308, hModule=0x370000, lpmodinfo=0x2699adc, cb=0xc | out: lpmodinfo=0x2699adc*(lpBaseOfDll=0x370000, SizeOfImage=0xca000, EntryPoint=0x373a40)) returned 1
[0199.800] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.800] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x370000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="IEXPLORE.EXE") returned 0xc
[0199.800] CoTaskMemFree (pv=0x78b790)
[0199.800] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.800] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x370000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe")) returned 0x35
[0199.801] CoTaskMemFree (pv=0x78b790)
[0199.801] CloseHandle (hObject=0x308) returned 1
[0199.801] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdfc) returned 0x308
[0199.801] EnumProcessModules (in: hProcess=0x308, lphModule=0x269bc58, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x269bc58, lpcbNeeded=0x19f434) returned 1
[0199.802] GetModuleInformation (in: hProcess=0x308, hModule=0xf60000, lpmodinfo=0x269bd98, cb=0xc | out: lpmodinfo=0x269bd98*(lpBaseOfDll=0xf60000, SizeOfImage=0x17000, EntryPoint=0xf614a1)) returned 1
[0199.803] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.803] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xf60000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="coreftp.exe") returned 0xb
[0199.803] CoTaskMemFree (pv=0x78b790)
[0199.803] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.803] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xf60000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Sidebar\\coreftp.exe" (normalized: "c:\\program files (x86)\\windows sidebar\\coreftp.exe")) returned 0x32
[0199.804] CoTaskMemFree (pv=0x78b790)
[0199.804] CloseHandle (hObject=0x308) returned 1
[0199.804] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xec0) returned 0x308
[0199.804] EnumProcessModules (in: hProcess=0x308, lphModule=0x269df0c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x269df0c, lpcbNeeded=0x19f434) returned 1
[0199.806] GetModuleInformation (in: hProcess=0x308, hModule=0x990000, lpmodinfo=0x269e04c, cb=0xc | out: lpmodinfo=0x269e04c*(lpBaseOfDll=0x990000, SizeOfImage=0x17000, EntryPoint=0x9914a1)) returned 1
[0199.806] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.806] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x990000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="scriptftp.exe") returned 0xd
[0199.807] CoTaskMemFree (pv=0x78b790)
[0199.807] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.807] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x990000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Defender\\scriptftp.exe" (normalized: "c:\\program files\\windows defender\\scriptftp.exe")) returned 0x2f
[0199.807] CoTaskMemFree (pv=0x78b790)
[0199.807] CloseHandle (hObject=0x308) returned 1
[0199.808] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf84) returned 0x308
[0199.808] EnumProcessModules (in: hProcess=0x308, lphModule=0x26a01bc, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26a01bc, lpcbNeeded=0x19f434) returned 1
[0199.812] GetModuleInformation (in: hProcess=0x308, hModule=0x200000, lpmodinfo=0x26a02fc, cb=0xc | out: lpmodinfo=0x26a02fc*(lpBaseOfDll=0x200000, SizeOfImage=0x17000, EntryPoint=0x2014a1)) returned 1
[0199.813] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.813] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x200000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="creditservice.exe") returned 0x11
[0199.813] CoTaskMemFree (pv=0x78b790)
[0199.813] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.813] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x200000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows NT\\creditservice.exe" (normalized: "c:\\program files (x86)\\windows nt\\creditservice.exe")) returned 0x33
[0199.814] CoTaskMemFree (pv=0x78b790)
[0199.814] CloseHandle (hObject=0x308) returned 1
[0199.814] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd34) returned 0x308
[0199.814] EnumProcessModules (in: hProcess=0x308, lphModule=0x26a247c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26a247c, lpcbNeeded=0x19f434) returned 1
[0199.817] GetModuleInformation (in: hProcess=0x308, hModule=0x10b0000, lpmodinfo=0x26a25bc, cb=0xc | out: lpmodinfo=0x26a25bc*(lpBaseOfDll=0x10b0000, SizeOfImage=0x17000, EntryPoint=0x10b14a1)) returned 1
[0199.817] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.817] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x10b0000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="other.exe") returned 0x9
[0199.818] CoTaskMemFree (pv=0x78b790)
[0199.823] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.823] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x10b0000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Mail\\other.exe" (normalized: "c:\\program files (x86)\\windows mail\\other.exe")) returned 0x2d
[0199.823] CoTaskMemFree (pv=0x78b790)
[0199.823] CloseHandle (hObject=0x308) returned 1
[0199.824] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x894) returned 0x308
[0199.824] EnumProcessModules (in: hProcess=0x308, lphModule=0x26a4720, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26a4720, lpcbNeeded=0x19f434) returned 0
[0199.825] GetCurrentProcessId () returned 0xb50
[0199.825] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.825] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.825] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.826] CloseHandle (hObject=0x30c) returned 1
[0199.826] CloseHandle (hObject=0x308) returned 1
[0199.827] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x958) returned 0x308
[0199.828] EnumProcessModules (in: hProcess=0x308, lphModule=0x26a4994, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26a4994, lpcbNeeded=0x19f434) returned 0
[0199.828] GetCurrentProcessId () returned 0xb50
[0199.828] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.828] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.828] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.830] CloseHandle (hObject=0x30c) returned 1
[0199.830] CloseHandle (hObject=0x308) returned 1
[0199.830] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x3f4) returned 0x308
[0199.830] EnumProcessModules (in: hProcess=0x308, lphModule=0x26a4c08, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26a4c08, lpcbNeeded=0x19f434) returned 0
[0199.830] GetCurrentProcessId () returned 0xb50
[0199.830] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.830] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.830] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.832] CloseHandle (hObject=0x30c) returned 1
[0199.832] CloseHandle (hObject=0x308) returned 1
[0199.832] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdf4) returned 0x308
[0199.832] EnumProcessModules (in: hProcess=0x308, lphModule=0x26a4e7c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26a4e7c, lpcbNeeded=0x19f434) returned 1
[0199.834] GetModuleInformation (in: hProcess=0x308, hModule=0x130000, lpmodinfo=0x26a4fbc, cb=0xc | out: lpmodinfo=0x26a4fbc*(lpBaseOfDll=0x130000, SizeOfImage=0x17000, EntryPoint=0x1314a1)) returned 1
[0199.835] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.835] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x130000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="absolutetelnet.exe") returned 0x12
[0199.835] CoTaskMemFree (pv=0x78b790)
[0199.836] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.836] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x130000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Mozilla Firefox\\absolutetelnet.exe" (normalized: "c:\\program files (x86)\\mozilla firefox\\absolutetelnet.exe")) returned 0x39
[0199.836] CoTaskMemFree (pv=0x78b790)
[0199.836] CloseHandle (hObject=0x308) returned 1
[0199.836] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xeb8) returned 0x308
[0199.836] EnumProcessModules (in: hProcess=0x308, lphModule=0x26a714c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26a714c, lpcbNeeded=0x19f434) returned 1
[0199.839] GetModuleInformation (in: hProcess=0x308, hModule=0x810000, lpmodinfo=0x26a728c, cb=0xc | out: lpmodinfo=0x26a728c*(lpBaseOfDll=0x810000, SizeOfImage=0x17000, EntryPoint=0x8114a1)) returned 1
[0199.839] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.839] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x810000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="pidgin.exe") returned 0xa
[0199.842] CoTaskMemFree (pv=0x78b790)
[0199.842] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.842] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x810000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Common Files\\pidgin.exe" (normalized: "c:\\program files\\common files\\pidgin.exe")) returned 0x28
[0199.843] CoTaskMemFree (pv=0x78b790)
[0199.843] CloseHandle (hObject=0x308) returned 1
[0199.843] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd2c) returned 0x308
[0199.843] EnumProcessModules (in: hProcess=0x308, lphModule=0x26a93ec, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26a93ec, lpcbNeeded=0x19f434) returned 1
[0199.845] GetModuleInformation (in: hProcess=0x308, hModule=0xf60000, lpmodinfo=0x26a952c, cb=0xc | out: lpmodinfo=0x26a952c*(lpBaseOfDll=0xf60000, SizeOfImage=0x17000, EntryPoint=0xf614a1)) returned 1
[0199.846] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.846] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xf60000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="hard.exe") returned 0x8
[0199.846] CoTaskMemFree (pv=0x78b790)
[0199.846] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.846] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xf60000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Windows Portable Devices\\hard.exe" (normalized: "c:\\program files (x86)\\windows portable devices\\hard.exe")) returned 0x38
[0199.847] CoTaskMemFree (pv=0x78b790)
[0199.847] CloseHandle (hObject=0x308) returned 1
[0199.847] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xdec) returned 0x308
[0199.847] EnumProcessModules (in: hProcess=0x308, lphModule=0x26ab6a8, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26ab6a8, lpcbNeeded=0x19f434) returned 1
[0199.849] GetModuleInformation (in: hProcess=0x308, hModule=0xe80000, lpmodinfo=0x26ab7e8, cb=0xc | out: lpmodinfo=0x26ab7e8*(lpBaseOfDll=0xe80000, SizeOfImage=0x17000, EntryPoint=0xe814a1)) returned 1
[0199.849] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.849] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xe80000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="alftp.exe") returned 0x9
[0199.849] CoTaskMemFree (pv=0x78b790)
[0199.850] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.850] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xe80000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Portable Devices\\alftp.exe" (normalized: "c:\\program files\\windows portable devices\\alftp.exe")) returned 0x33
[0199.850] CoTaskMemFree (pv=0x78b790)
[0199.850] CloseHandle (hObject=0x308) returned 1
[0199.850] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf74) returned 0x308
[0199.850] EnumProcessModules (in: hProcess=0x308, lphModule=0x26ad958, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26ad958, lpcbNeeded=0x19f434) returned 1
[0199.852] GetModuleInformation (in: hProcess=0x308, hModule=0xc10000, lpmodinfo=0x26ada98, cb=0xc | out: lpmodinfo=0x26ada98*(lpBaseOfDll=0xc10000, SizeOfImage=0x17000, EntryPoint=0xc114a1)) returned 1
[0199.852] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.852] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xc10000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="centralcreditcard.exe") returned 0x15
[0199.853] CoTaskMemFree (pv=0x78b790)
[0199.853] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.853] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xc10000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Sidebar\\centralcreditcard.exe" (normalized: "c:\\program files\\windows sidebar\\centralcreditcard.exe")) returned 0x36
[0199.853] CoTaskMemFree (pv=0x78b790)
[0199.853] CloseHandle (hObject=0x308) returned 1
[0199.853] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xd24) returned 0x308
[0199.853] EnumProcessModules (in: hProcess=0x308, lphModule=0x26afc28, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26afc28, lpcbNeeded=0x19f434) returned 1
[0199.857] GetModuleInformation (in: hProcess=0x308, hModule=0xa30000, lpmodinfo=0x26afd68, cb=0xc | out: lpmodinfo=0x26afd68*(lpBaseOfDll=0xa30000, SizeOfImage=0x17000, EntryPoint=0xa314a1)) returned 1
[0199.857] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.857] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xa30000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="oh represent.exe") returned 0x10
[0199.858] CoTaskMemFree (pv=0x78b790)
[0199.858] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.858] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xa30000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Common Files\\oh represent.exe" (normalized: "c:\\program files\\common files\\oh represent.exe")) returned 0x2e
[0199.858] CoTaskMemFree (pv=0x78b790)
[0199.858] CloseHandle (hObject=0x308) returned 1
[0199.858] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xde4) returned 0x308
[0199.858] EnumProcessModules (in: hProcess=0x308, lphModule=0x26b1ee0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26b1ee0, lpcbNeeded=0x19f434) returned 1
[0199.860] GetModuleInformation (in: hProcess=0x308, hModule=0xc30000, lpmodinfo=0x26b2020, cb=0xc | out: lpmodinfo=0x26b2020*(lpBaseOfDll=0xc30000, SizeOfImage=0x17000, EntryPoint=0xc314a1)) returned 1
[0199.860] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.860] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xc30000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="bitkinex.exe") returned 0xc
[0199.861] CoTaskMemFree (pv=0x78b790)
[0199.861] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.861] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xc30000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\MSBuild\\bitkinex.exe" (normalized: "c:\\program files\\msbuild\\bitkinex.exe")) returned 0x25
[0199.861] CoTaskMemFree (pv=0x78b790)
[0199.861] CloseHandle (hObject=0x308) returned 1
[0199.861] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xf6c) returned 0x308
[0199.861] EnumProcessModules (in: hProcess=0x308, lphModule=0x26b417c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26b417c, lpcbNeeded=0x19f434) returned 1
[0199.863] GetModuleInformation (in: hProcess=0x308, hModule=0x1010000, lpmodinfo=0x26b42bc, cb=0xc | out: lpmodinfo=0x26b42bc*(lpBaseOfDll=0x1010000, SizeOfImage=0x17000, EntryPoint=0x10114a1)) returned 1
[0199.863] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.863] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x1010000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="ccv_server.exe") returned 0xe
[0199.864] CoTaskMemFree (pv=0x78b790)
[0199.864] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.864] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x1010000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files (x86)\\Microsoft SQL Server\\ccv_server.exe" (normalized: "c:\\program files (x86)\\microsoft sql server\\ccv_server.exe")) returned 0x3a
[0199.864] CoTaskMemFree (pv=0x78b790)
[0199.864] CloseHandle (hObject=0x308) returned 1
[0199.864] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb50) returned 0x308
[0199.864] EnumProcessModules (in: hProcess=0x308, lphModule=0x26b6448, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26b6448, lpcbNeeded=0x19f434) returned 1
[0199.865] GetModuleInformation (in: hProcess=0x308, hModule=0x400000, lpmodinfo=0x26b6588, cb=0xc | out: lpmodinfo=0x26b6588*(lpBaseOfDll=0x400000, SizeOfImage=0x12000, EntryPoint=0x0)) returned 1
[0199.865] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.865] GetModuleBaseNameW (in: hProcess=0x308, hModule=0x400000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe") returned 0x44
[0199.865] CoTaskMemFree (pv=0x78b790)
[0199.865] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.865] GetModuleFileNameExW (in: hProcess=0x308, hModule=0x400000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe")) returned 0x62
[0199.866] CoTaskMemFree (pv=0x78b790)
[0199.866] CloseHandle (hObject=0x308) returned 1
[0199.866] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xea4) returned 0x308
[0199.866] EnumProcessModules (in: hProcess=0x308, lphModule=0x26b87d0, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26b87d0, lpcbNeeded=0x19f434) returned 1
[0199.867] GetModuleInformation (in: hProcess=0x308, hModule=0xe10000, lpmodinfo=0x26b8910, cb=0xc | out: lpmodinfo=0x26b8910*(lpBaseOfDll=0xe10000, SizeOfImage=0x17000, EntryPoint=0xe114a1)) returned 1
[0199.868] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.868] GetModuleBaseNameW (in: hProcess=0x308, hModule=0xe10000, lpBaseName=0x78b790, nSize=0x800 | out: lpBaseName="outlook.exe") returned 0xb
[0199.868] CoTaskMemFree (pv=0x78b790)
[0199.868] CoTaskMemAlloc (cb=0x804) returned 0x78b790
[0199.868] GetModuleFileNameExW (in: hProcess=0x308, hModule=0xe10000, lpFilename=0x78b790, nSize=0x800 | out: lpFilename="C:\\Program Files\\Windows Mail\\outlook.exe" (normalized: "c:\\program files\\windows mail\\outlook.exe")) returned 0x29
[0199.869] CoTaskMemFree (pv=0x78b790)
[0199.869] CloseHandle (hObject=0x308) returned 1
[0199.879] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x7b4) returned 0x308
[0199.879] EnumProcessModules (in: hProcess=0x308, lphModule=0x26bac4c, cb=0x100, lpcbNeeded=0x19f434 | out: lphModule=0x26bac4c, lpcbNeeded=0x19f434) returned 0
[0199.880] GetCurrentProcessId () returned 0xb50
[0199.880] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xb50) returned 0x30c
[0199.880] IsWow64Process (in: hProcess=0x30c, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=1) returned 1
[0199.880] IsWow64Process (in: hProcess=0x308, Wow64Process=0x19f3ac | out: Wow64Process=0x19f3ac*=0) returned 1
[0199.881] CloseHandle (hObject=0x30c) returned 1
[0199.881] CloseHandle (hObject=0x308) returned 1
[0199.910] GetCurrentProcess () returned 0xffffffff
[0199.910] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19f404 | out: TokenHandle=0x19f404*=0x308) returned 1
[0199.925] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19f404 | out: TokenInformation=0x0, ReturnLength=0x19f404) returned 0
[0199.925] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7e6f18
[0199.925] GetTokenInformation (in: TokenHandle=0x308, TokenInformationClass=0x8, TokenInformation=0x7e6f18, TokenInformationLength=0x4, ReturnLength=0x19f404 | out: TokenInformation=0x7e6f18, ReturnLength=0x19f404) returned 1
[0199.929] LocalFree (hMem=0x7e6f18) returned 0x0
[0199.930] DuplicateTokenEx (in: hExistingToken=0x308, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x19f40c | out: phNewToken=0x19f40c*=0x30c) returned 1
[0199.930] CheckTokenMembership (in: TokenHandle=0x30c, SidToCheck=0x26bbdb8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x19f41c | out: IsMember=0x19f41c) returned 1
[0199.930] CloseHandle (hObject=0x30c) returned 1
[0199.934] LocalAlloc (uFlags=0x0, uBytes=0x8) returned 0x7e6f08
[0199.934] LocalAlloc (uFlags=0x0, uBytes=0xe0) returned 0x782ad8
[0201.019] LocalFree (hMem=0x7e6f08) returned 0x0
[0201.020] LocalFree (hMem=0x782ad8) returned 0x0
[0201.025] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", nBufferLength=0x105, lpBuffer=0x19ef28, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", lpFilePart=0x0) returned 0x2a
[0201.025] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f3d0) returned 1
[0201.025] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\.exe"), fInfoLevelId=0x0, lpFileInformation=0x19f44c | out: lpFileInformation=0x19f44c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0201.027] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f3cc) returned 1
[0201.037] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", nBufferLength=0x105, lpBuffer=0x19ee48, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", lpFilePart=0x0) returned 0x2a
[0201.037] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f380) returned 1
[0201.053] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x334
[0201.055] GetFileType (hFile=0x334) returned 0x1
[0201.055] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f37c) returned 1
[0201.056] GetFileType (hFile=0x334) returned 0x1
[0201.056] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe", nBufferLength=0x105, lpBuffer=0x19ee24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe", lpFilePart=0x0) returned 0x62
[0201.056] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f35c) returned 1
[0201.056] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9d19de1d4be447775e3345eae357a9571bd86a607eaf25df48a6840acbc390cc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x344
[0201.056] GetFileType (hFile=0x344) returned 0x1
[0201.056] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f358) returned 1
[0201.056] GetFileType (hFile=0x344) returned 0x1
[0201.056] GetFileSize (in: hFile=0x344, lpFileSizeHigh=0x19f458 | out: lpFileSizeHigh=0x19f458*=0x0) returned 0x9a200
[0201.059] ReadFile (in: hFile=0x344, lpBuffer=0x3515510, nNumberOfBytesToRead=0x9a200, lpNumberOfBytesRead=0x19f404, lpOverlapped=0x0 | out: lpBuffer=0x3515510*, lpNumberOfBytesRead=0x19f404*=0x9a200, lpOverlapped=0x0) returned 1
[0201.069] CloseHandle (hObject=0x344) returned 1
[0201.069] WriteFile (in: hFile=0x334, lpBuffer=0x3515510*, nNumberOfBytesToWrite=0x9a200, lpNumberOfBytesWritten=0x19f43c, lpOverlapped=0x0 | out: lpBuffer=0x3515510*, lpNumberOfBytesWritten=0x19f43c*=0x9a200, lpOverlapped=0x0) returned 1
[0201.153] CloseHandle (hObject=0x2f0) returned 1
[0201.154] CoTaskMemAlloc (cb=0x20c) returned 0x7a0bb8
[0201.154] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x7a0bb8 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25
[0201.154] CoTaskMemFree (pv=0x7a0bb8)
[0201.155] GetLongPathNameW (in: lpszShortPath="C:\\Users\\RDHJ0C~1\\", lpszLongPath=0x19ef10, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\RDhJ0CNFevzX\\") returned 0x16
[0201.155] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x19ef24, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x29
[0201.155] CoTaskMemAlloc (cb=0x20c) returned 0x7a0bb8
[0201.155] GetTempFileNameW (in: lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpPrefixString="tmp", uUnique=0x0, lpTempFileName=0x7a0bb8 | out: lpTempFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp")) returned 0xdab
[0201.157] CoTaskMemFree (pv=0x7a0bb8)
[0201.158] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat", nBufferLength=0x105, lpBuffer=0x19ee08, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat", lpFilePart=0x0) returned 0x37
[0201.158] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19f340) returned 1
[0201.158] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f0
[0201.159] GetFileType (hFile=0x2f0) returned 0x1
[0201.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19f33c) returned 1
[0201.159] GetFileType (hFile=0x2f0) returned 0x1
[0201.159] CoTaskMemAlloc (cb=0x20c) returned 0x7a0bb8
[0201.159] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x7a0bb8 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25
[0201.159] CoTaskMemFree (pv=0x7a0bb8)
[0201.159] GetLongPathNameW (in: lpszShortPath="C:\\Users\\RDHJ0C~1\\", lpszLongPath=0x19ef20, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\RDhJ0CNFevzX\\") returned 0x16
[0201.160] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x19ef34, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x29
[0201.160] WriteFile (in: hFile=0x2f0, lpBuffer=0x26bf33c*, nNumberOfBytesToWrite=0x9d, lpNumberOfBytesWritten=0x19f3dc, lpOverlapped=0x0 | out: lpBuffer=0x26bf33c*, lpNumberOfBytesWritten=0x19f3dc*=0x9d, lpOverlapped=0x0) returned 1
[0201.161] CloseHandle (hObject=0x2f0) returned 1
[0201.184] CoTaskMemAlloc (cb=0x20e) returned 0x7a0bb8
[0201.184] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x7a0bb8 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d
[0201.184] CoTaskMemFree (pv=0x7a0bb8)
[0201.185] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x19f1ec*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26c0668 | out: lpCommandLine="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"", lpProcessInformation=0x26c0668*(hProcess=0x344, hThread=0x2f0, dwProcessId=0x320, dwThreadId=0x61c)) returned 1
[0201.316] CloseHandle (hObject=0x2f0) returned 1
[0201.317] CoGetContextToken (in: pToken=0x19f320 | out: pToken=0x19f320) returned 0x0
[0201.317] CObjectContext::QueryInterface () returned 0x0
[0201.317] CObjectContext::GetCurrentThreadType () returned 0x0
[0201.317] Release () returned 0x0
[0201.318] CoGetContextToken (in: pToken=0x19f03c | out: pToken=0x19f03c) returned 0x0
[0201.318] CObjectContext::QueryInterface () returned 0x0
[0201.318] CObjectContext::GetCurrentThreadType () returned 0x0
[0201.318] Release () returned 0x0
[0201.319] CoGetContextToken (in: pToken=0x19f03c | out: pToken=0x19f03c) returned 0x0
[0201.319] CObjectContext::QueryInterface () returned 0x0
[0201.319] CObjectContext::GetCurrentThreadType () returned 0x0
[0201.319] Release () returned 0x0
[0201.361] CoGetContextToken (in: pToken=0x19f03c | out: pToken=0x19f03c) returned 0x0
[0201.361] CObjectContext::QueryInterface () returned 0x0
[0201.361] CObjectContext::GetCurrentThreadType () returned 0x0
[0201.361] Release () returned 0x0
[0201.364] CoGetContextToken (in: pToken=0x19f054 | out: pToken=0x19f054) returned 0x0
[0201.364] CObjectContext::QueryInterface () returned 0x0
[0201.364] CObjectContext::GetCurrentThreadType () returned 0x0
[0201.364] Release () returned 0x0
[0201.364] CoUninitialize ()
Thread:
id = 107
os_tid = 0xb4c
Thread:
id = 108
os_tid = 0xbd4
Thread:
id = 109
os_tid = 0xbc4
[0190.167] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0190.167] RoInitialize () returned 0x1
[0190.167] RoUninitialize () returned 0x0
[0201.319] EtwEventUnregister (RegHandle=0x785f00) returned 0x0
[0201.321] CloseHandle (hObject=0x334) returned 1
[0201.342] CloseHandle (hObject=0x308) returned 1
[0201.344] CloseHandle (hObject=0x344) returned 1
[0201.344] CloseHandle (hObject=0x474) returned 1
[0201.346] LocalFree (hMem=0x7e3ca0) returned 0x0
[0201.346] CertFreeCertificateContext (pCertContext=0x7e5fc0) returned 1
[0201.348] CryptDestroyKey (hKey=0x77c960) returned 1
[0201.348] CryptReleaseContext (hProv=0x7e7f48, dwFlags=0x0) returned 1
[0201.348] CryptReleaseContext (hProv=0x7e7f48, dwFlags=0x0) returned 1
[0201.348] CryptDestroyKey (hKey=0x77cde0) returned 1
[0201.348] CryptReleaseContext (hProv=0x7e7970, dwFlags=0x0) returned 1
[0201.348] CryptReleaseContext (hProv=0x7e7970, dwFlags=0x0) returned 1
[0201.349] CryptDestroyKey (hKey=0x77d120) returned 1
[0201.349] CryptReleaseContext (hProv=0x7e7b08, dwFlags=0x0) returned 1
[0201.349] CryptReleaseContext (hProv=0x7e7b08, dwFlags=0x0) returned 1
[0201.349] CryptDestroyKey (hKey=0x77cfe0) returned 1
[0201.350] CryptReleaseContext (hProv=0x7e7d28, dwFlags=0x0) returned 1
[0201.350] CryptReleaseContext (hProv=0x7e7d28, dwFlags=0x0) returned 1
[0201.350] CryptDestroyKey (hKey=0x77cf20) returned 1
[0201.350] CryptReleaseContext (hProv=0x7e8278, dwFlags=0x0) returned 1
[0201.350] CryptReleaseContext (hProv=0x7e8278, dwFlags=0x0) returned 1
[0201.351] CryptDestroyKey (hKey=0x77d460) returned 1
[0201.351] CryptReleaseContext (hProv=0x7e8740, dwFlags=0x0) returned 1
[0201.351] CryptReleaseContext (hProv=0x7e8740, dwFlags=0x0) returned 1
[0201.351] CryptDestroyKey (hKey=0x77d360) returned 1
[0201.351] CryptReleaseContext (hProv=0x7e7ec0, dwFlags=0x0) returned 1
[0201.351] CryptReleaseContext (hProv=0x7e7ec0, dwFlags=0x0) returned 1
[0201.352] CryptDestroyKey (hKey=0x77d3a0) returned 1
[0201.352] CryptReleaseContext (hProv=0x7e85a8, dwFlags=0x0) returned 1
[0201.352] CryptReleaseContext (hProv=0x7e85a8, dwFlags=0x0) returned 1
[0201.352] CryptDestroyKey (hKey=0x77cee0) returned 1
[0201.352] CryptReleaseContext (hProv=0x7e8520, dwFlags=0x0) returned 1
[0201.353] CryptReleaseContext (hProv=0x7e8520, dwFlags=0x0) returned 1
[0201.353] CryptDestroyKey (hKey=0x77d220) returned 1
[0201.353] CryptReleaseContext (hProv=0x7e7c18, dwFlags=0x0) returned 1
[0201.353] CryptReleaseContext (hProv=0x7e7c18, dwFlags=0x0) returned 1
[0201.354] RegCloseKey (hKey=0x80000004) returned 0x0
[0201.354] CryptDestroyKey (hKey=0x77d420) returned 1
[0201.354] CryptReleaseContext (hProv=0x7e7e38, dwFlags=0x0) returned 1
[0201.354] CryptReleaseContext (hProv=0x7e7e38, dwFlags=0x0) returned 1
Thread:
id = 110
os_tid = 0xb58
[0199.942] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0
[0199.967] RoInitialize () returned 0x1
[0199.967] RoUninitialize () returned 0x0
[0199.973] ShellExecuteExW (in: pExecInfo=0x26bc23c*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd", lpParameters="/c schtasks /create /f /sc onlogon /rl highest /tn \"\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe\"' & exit", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x26bc23c*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="cmd", lpParameters="/c schtasks /create /f /sc onlogon /rl highest /tn \"\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe\"' & exit", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x474)) returned 1
[0200.961] CoGetContextToken (in: pToken=0x4b0fd20 | out: pToken=0x4b0fd20) returned 0x0
[0200.963] CoUninitialize ()
Thread:
id = 111
os_tid = 0xb74
Thread:
id = 112
os_tid = 0xb00
Thread:
id = 113
os_tid = 0xb54
Thread:
id = 114
os_tid = 0x7a8
Thread:
id = 115
os_tid = 0x784
Thread:
id = 116
os_tid = 0x7cc
Process:
id = "8"
image_name = "cmd.exe"
filename = "c:\\windows\\syswow64\\cmd.exe"
page_root = "0x13a3b000"
os_pid = "0xb5c"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "7"
os_parent_pid = "0xb50"
cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c schtasks /create /f /sc onlogon /rl highest /tn \"\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe\"' & exit"
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1401
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1402
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1403
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1404
start_va = 0x60000
end_va = 0x63fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000060000"
filename = ""
Region:
id = 1405
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000070000"
filename = ""
Region:
id = 1406
start_va = 0x80000
end_va = 0x81fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000080000"
filename = ""
Region:
id = 1407
start_va = 0x90000
end_va = 0xe1fff
monitored = 1
entry_point = 0xa4fd0
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")
Region:
id = 1408
start_va = 0xf0000
end_va = 0x40effff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 1409
start_va = 0x40f0000
end_va = 0x412ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000040f0000"
filename = ""
Region:
id = 1410
start_va = 0x4200000
end_va = 0x43fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004200000"
filename = ""
Region:
id = 1411
start_va = 0x4400000
end_va = 0x44fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004400000"
filename = ""
Region:
id = 1412
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 1413
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 1414
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1415
start_va = 0x7fff0000
end_va = 0x7dfa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 1416
start_va = 0x7dfa16770000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007dfa16770000"
filename = ""
Region:
id = 1417
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1418
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 1420
start_va = 0x4500000
end_va = 0x462ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004500000"
filename = ""
Region:
id = 1421
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 1422
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 1423
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1424
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 1425
start_va = 0x4500000
end_va = 0x45fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004500000"
filename = ""
Region:
id = 1426
start_va = 0x4620000
end_va = 0x462ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004620000"
filename = ""
Region:
id = 1428
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1429
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 1430
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1431
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 1613
start_va = 0x4130000
end_va = 0x41edfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1614
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 1615
start_va = 0x4630000
end_va = 0x466ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004630000"
filename = ""
Region:
id = 1616
start_va = 0x4670000
end_va = 0x476ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004670000"
filename = ""
Region:
id = 1617
start_va = 0x4770000
end_va = 0x489ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004770000"
filename = ""
Region:
id = 1618
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1621
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1629
start_va = 0x48a0000
end_va = 0x4bd6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Thread:
id = 117
os_tid = 0xb8
[0203.308] GetProcAddress (hModule=0x76720000, lpProcName="SetConsoleInputExeNameW") returned 0x76a2b440
[0203.308] GetProcessHeap () returned 0x4500000
[0203.308] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0x400a) returned 0x450bd78
[0203.308] GetProcessHeap () returned 0x4500000
[0203.309] RtlFreeHeap (HeapHandle=0x4500000, Flags=0x0, BaseAddress=0x450bd78) returned 1
[0203.310] _wcsicmp (_String1="schtasks", _String2=")") returned 74
[0203.310] _wcsicmp (_String1="FOR", _String2="schtasks") returned -13
[0203.310] _wcsicmp (_String1="FOR/?", _String2="schtasks") returned -13
[0203.310] _wcsicmp (_String1="IF", _String2="schtasks") returned -10
[0203.310] _wcsicmp (_String1="IF/?", _String2="schtasks") returned -10
[0203.310] _wcsicmp (_String1="REM", _String2="schtasks") returned -1
[0203.310] _wcsicmp (_String1="REM/?", _String2="schtasks") returned -1
[0203.310] GetProcessHeap () returned 0x4500000
[0203.311] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0x58) returned 0x450ac48
[0203.311] GetProcessHeap () returned 0x4500000
[0203.311] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0x1a) returned 0x4500578
[0203.313] GetProcessHeap () returned 0x4500000
[0203.313] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0xc6) returned 0x450aca8
[0203.313] GetProcessHeap () returned 0x4500000
[0203.314] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0x58) returned 0x450ad78
[0203.314] _wcsicmp (_String1="exit", _String2=")") returned 60
[0203.314] _wcsicmp (_String1="FOR", _String2="exit") returned 1
[0203.314] _wcsicmp (_String1="FOR/?", _String2="exit") returned 1
[0203.314] _wcsicmp (_String1="IF", _String2="exit") returned 4
[0203.314] _wcsicmp (_String1="IF/?", _String2="exit") returned 4
[0203.314] _wcsicmp (_String1="REM", _String2="exit") returned 13
[0203.314] _wcsicmp (_String1="REM/?", _String2="exit") returned 13
[0203.314] GetProcessHeap () returned 0x4500000
[0203.314] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0x58) returned 0x450add8
[0203.314] GetProcessHeap () returned 0x4500000
[0203.314] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0x12) returned 0x4507730
[0203.315] GetConsoleTitleW (in: lpConsoleTitle=0x44ffa10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0203.364] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15
[0203.364] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14
[0203.364] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15
[0203.364] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1
[0203.364] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16
[0203.364] _wcsicmp (_String1="schtasks", _String2="CD") returned 16
[0203.364] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16
[0203.364] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1
[0203.364] _wcsicmp (_String1="schtasks", _String2="REN") returned 1
[0203.364] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14
[0203.364] _wcsicmp (_String1="schtasks", _String2="SET") returned -2
[0203.364] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3
[0203.364] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15
[0203.365] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1
[0203.365] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3
[0203.365] _wcsicmp (_String1="schtasks", _String2="MD") returned 6
[0203.365] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6
[0203.365] _wcsicmp (_String1="schtasks", _String2="RD") returned 1
[0203.365] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1
[0203.365] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3
[0203.365] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12
[0203.365] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5
[0203.365] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16
[0203.365] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16
[0203.365] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3
[0203.365] _wcsicmp (_String1="schtasks", _String2="VER") returned -3
[0203.365] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3
[0203.365] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14
[0203.365] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2
[0203.365] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14
[0203.365] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1
[0203.365] _wcsicmp (_String1="schtasks", _String2="START") returned -17
[0203.365] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15
[0203.365] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8
[0203.365] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6
[0203.365] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3
[0203.365] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3
[0203.365] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18
[0203.365] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13
[0203.365] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17
[0203.365] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16
[0203.365] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6
[0203.365] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15
[0203.365] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14
[0203.365] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15
[0203.365] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1
[0203.366] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16
[0203.366] _wcsicmp (_String1="schtasks", _String2="CD") returned 16
[0203.366] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16
[0203.366] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1
[0203.366] _wcsicmp (_String1="schtasks", _String2="REN") returned 1
[0203.366] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14
[0203.366] _wcsicmp (_String1="schtasks", _String2="SET") returned -2
[0203.366] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3
[0203.366] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15
[0203.366] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1
[0203.366] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3
[0203.366] _wcsicmp (_String1="schtasks", _String2="MD") returned 6
[0203.366] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6
[0203.366] _wcsicmp (_String1="schtasks", _String2="RD") returned 1
[0203.366] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1
[0203.366] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3
[0203.366] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12
[0203.366] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5
[0203.366] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16
[0203.366] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16
[0203.366] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3
[0203.366] _wcsicmp (_String1="schtasks", _String2="VER") returned -3
[0203.366] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3
[0203.366] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14
[0203.366] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2
[0203.366] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14
[0203.366] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1
[0203.366] _wcsicmp (_String1="schtasks", _String2="START") returned -17
[0203.366] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15
[0203.366] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8
[0203.366] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6
[0203.366] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3
[0203.367] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3
[0203.367] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18
[0203.367] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13
[0203.367] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17
[0203.367] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16
[0203.367] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6
[0203.367] _wcsicmp (_String1="schtasks", _String2="FOR") returned 13
[0203.367] _wcsicmp (_String1="schtasks", _String2="IF") returned 10
[0203.367] _wcsicmp (_String1="schtasks", _String2="REM") returned 1
[0203.367] GetProcessHeap () returned 0x4500000
[0203.367] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0x210) returned 0x450ae38
[0203.367] GetProcessHeap () returned 0x4500000
[0203.367] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0xd8) returned 0x450b050
[0203.367] _wcsnicmp (_String1="scht", _String2="cmd ", _MaxCount=0x4) returned 16
[0203.368] GetProcessHeap () returned 0x4500000
[0203.368] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0x418) returned 0x45005c8
[0203.368] SetErrorMode (uMode=0x0) returned 0x0
[0203.368] SetErrorMode (uMode=0x1) returned 0x0
[0203.368] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x45005d0, lpFilePart=0x44ff51c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x44ff51c*="Desktop") returned 0x1d
[0203.368] SetErrorMode (uMode=0x0) returned 0x1
[0203.368] GetProcessHeap () returned 0x4500000
[0203.368] RtlReAllocateHeap (Heap=0x4500000, Flags=0x0, Ptr=0x45005c8, Size=0x56) returned 0x45005c8
[0203.368] GetProcessHeap () returned 0x4500000
[0203.368] RtlSizeHeap (HeapHandle=0x4500000, Flags=0x0, MemoryPointer=0x45005c8) returned 0x56
[0203.368] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63
[0203.368] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0203.368] GetProcessHeap () returned 0x4500000
[0203.368] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0x110) returned 0x450b130
[0203.368] GetProcessHeap () returned 0x4500000
[0203.368] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0x218) returned 0x4500628
[0203.375] GetProcessHeap () returned 0x4500000
[0203.375] RtlReAllocateHeap (Heap=0x4500000, Flags=0x0, Ptr=0x4500628, Size=0x112) returned 0x4500628
[0203.375] GetProcessHeap () returned 0x4500000
[0203.375] RtlSizeHeap (HeapHandle=0x4500000, Flags=0x0, MemoryPointer=0x4500628) returned 0x112
[0203.375] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0203.375] GetProcessHeap () returned 0x4500000
[0203.375] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0xe0) returned 0x4500748
[0203.377] GetProcessHeap () returned 0x4500000
[0203.377] RtlReAllocateHeap (Heap=0x4500000, Flags=0x0, Ptr=0x4500748, Size=0x76) returned 0x4500748
[0203.377] GetProcessHeap () returned 0x4500000
[0203.377] RtlSizeHeap (HeapHandle=0x4500000, Flags=0x0, MemoryPointer=0x4500748) returned 0x76
[0203.377] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0203.378] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\schtasks.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\schtasks.*"), fInfoLevelId=0x1, lpFindFileData=0x44ff2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44ff2a8) returned 0xffffffff
[0203.378] GetLastError () returned 0x2
[0203.378] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0203.378] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.*" (normalized: "c:\\windows\\syswow64\\schtasks.*"), fInfoLevelId=0x1, lpFindFileData=0x44ff2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44ff2a8) returned 0x450b248
[0203.378] GetProcessHeap () returned 0x4500000
[0203.378] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x0, Size=0x14) returned 0x45076f0
[0203.378] FindClose (in: hFindFile=0x450b248 | out: hFindFile=0x450b248) returned 1
[0203.378] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.COM" (normalized: "c:\\windows\\syswow64\\schtasks.com"), fInfoLevelId=0x1, lpFindFileData=0x44ff2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44ff2a8) returned 0xffffffff
[0203.379] GetLastError () returned 0x2
[0203.379] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.EXE" (normalized: "c:\\windows\\syswow64\\schtasks.exe"), fInfoLevelId=0x1, lpFindFileData=0x44ff2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44ff2a8) returned 0x450b248
[0203.379] GetProcessHeap () returned 0x4500000
[0203.379] RtlReAllocateHeap (Heap=0x4500000, Flags=0x0, Ptr=0x45076f0, Size=0x4) returned 0x450b288
[0203.379] FindClose (in: hFindFile=0x450b248 | out: hFindFile=0x450b248) returned 1
[0203.379] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0203.379] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0203.379] GetConsoleTitleW (in: lpConsoleTitle=0x44ff79c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0203.512] InitializeProcThreadAttributeList (in: lpAttributeList=0x44ff6c8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x44ff6ac | out: lpAttributeList=0x44ff6c8, lpSize=0x44ff6ac) returned 1
[0203.512] UpdateProcThreadAttribute (in: lpAttributeList=0x44ff6c8, dwFlags=0x0, Attribute=0x60001, lpValue=0x44ff6b4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x44ff6c8, lpPreviousValue=0x0) returned 1
[0203.512] GetStartupInfoW (in: lpStartupInfo=0x44ff700 | out: lpStartupInfo=0x44ff700*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0))
[0203.512] GetProcessHeap () returned 0x4500000
[0203.512] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0x18) returned 0x45075f0
[0203.512] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
[0203.512] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
[0203.512] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
[0203.512] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0203.512] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
[0203.513] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
[0203.514] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
[0203.514] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
[0203.514] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
[0203.514] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
[0203.514] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
[0203.514] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
[0203.514] GetProcessHeap () returned 0x4500000
[0203.514] RtlFreeHeap (HeapHandle=0x4500000, Flags=0x0, BaseAddress=0x45075f0) returned 1
[0203.514] GetProcessHeap () returned 0x4500000
[0203.514] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0xa) returned 0x450b248
[0203.514] lstrcmpW (lpString1="\\schtasks.exe", lpString2="\\XCOPY.EXE") returned -1
[0203.518] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\schtasks.exe", lpCommandLine="schtasks /create /f /sc onlogon /rl highest /tn \"\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe\"' ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x44ff650*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="schtasks /create /f /sc onlogon /rl highest /tn \"\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe\"' ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x44ff69c | out: lpCommandLine="schtasks /create /f /sc onlogon /rl highest /tn \"\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe\"' ", lpProcessInformation=0x44ff69c*(hProcess=0xa8, hThread=0xa4, dwProcessId=0x504, dwThreadId=0x674)) returned 1
[0203.536] CloseHandle (hObject=0xa4) returned 1
[0203.536] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0203.536] GetProcessHeap () returned 0x4500000
[0203.536] RtlFreeHeap (HeapHandle=0x4500000, Flags=0x0, BaseAddress=0x4509e78) returned 1
[0203.536] GetEnvironmentStringsW () returned 0x4509e78*
[0203.536] GetProcessHeap () returned 0x4500000
[0203.536] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0xa76) returned 0x4507de8
[0203.536] memcpy (in: _Dst=0x4507de8, _Src=0x4509e78, _Size=0xa76 | out: _Dst=0x4507de8) returned 0x4507de8
[0203.536] FreeEnvironmentStringsA (penv="=") returned 1
[0203.536] WaitForSingleObject (hHandle=0xa8, dwMilliseconds=0xffffffff) returned 0x0
[0205.299] GetExitCodeProcess (in: hProcess=0xa8, lpExitCode=0x44ff634 | out: lpExitCode=0x44ff634*=0x0) returned 1
[0205.299] CloseHandle (hObject=0xa8) returned 1
[0205.299] _vsnwprintf (in: _Buffer=0x44ff71c, _BufferCount=0x13, _Format="%08X", _ArgList=0x44ff63c | out: _Buffer="00000000") returned 8
[0205.299] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1
[0205.299] GetProcessHeap () returned 0x4500000
[0205.300] RtlFreeHeap (HeapHandle=0x4500000, Flags=0x0, BaseAddress=0x4507de8) returned 1
[0205.300] GetEnvironmentStringsW () returned 0x450b298*
[0205.300] GetProcessHeap () returned 0x4500000
[0205.300] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0xa9c) returned 0x4507de8
[0205.300] memcpy (in: _Dst=0x4507de8, _Src=0x450b298, _Size=0xa9c | out: _Dst=0x4507de8) returned 0x4507de8
[0205.300] FreeEnvironmentStringsA (penv="=") returned 1
[0205.300] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
[0205.300] GetProcessHeap () returned 0x4500000
[0205.301] RtlFreeHeap (HeapHandle=0x4500000, Flags=0x0, BaseAddress=0x4507de8) returned 1
[0205.301] GetEnvironmentStringsW () returned 0x450b298*
[0205.301] GetProcessHeap () returned 0x4500000
[0205.301] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0xa9c) returned 0x4507de8
[0205.301] memcpy (in: _Dst=0x4507de8, _Src=0x450b298, _Size=0xa9c | out: _Dst=0x4507de8) returned 0x4507de8
[0205.301] FreeEnvironmentStringsA (penv="=") returned 1
[0205.301] GetProcessHeap () returned 0x4500000
[0205.301] RtlFreeHeap (HeapHandle=0x4500000, Flags=0x0, BaseAddress=0x450b248) returned 1
[0205.301] DeleteProcThreadAttributeList (in: lpAttributeList=0x44ff6c8 | out: lpAttributeList=0x44ff6c8)
[0205.301] GetConsoleTitleW (in: lpConsoleTitle=0x44ffa10, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b
[0205.431] _wcsicmp (_String1="exit", _String2="DIR") returned 1
[0205.431] _wcsicmp (_String1="exit", _String2="ERASE") returned 6
[0205.431] _wcsicmp (_String1="exit", _String2="DEL") returned 1
[0205.431] _wcsicmp (_String1="exit", _String2="TYPE") returned -15
[0205.431] _wcsicmp (_String1="exit", _String2="COPY") returned 2
[0205.431] _wcsicmp (_String1="exit", _String2="CD") returned 2
[0205.431] _wcsicmp (_String1="exit", _String2="CHDIR") returned 2
[0205.431] _wcsicmp (_String1="exit", _String2="RENAME") returned -13
[0205.431] _wcsicmp (_String1="exit", _String2="REN") returned -13
[0205.431] _wcsicmp (_String1="exit", _String2="ECHO") returned 21
[0205.431] _wcsicmp (_String1="exit", _String2="SET") returned -14
[0205.431] _wcsicmp (_String1="exit", _String2="PAUSE") returned -11
[0205.431] _wcsicmp (_String1="exit", _String2="DATE") returned 1
[0205.432] _wcsicmp (_String1="exit", _String2="TIME") returned -15
[0205.432] _wcsicmp (_String1="exit", _String2="PROMPT") returned -11
[0205.432] _wcsicmp (_String1="exit", _String2="MD") returned -8
[0205.432] _wcsicmp (_String1="exit", _String2="MKDIR") returned -8
[0205.432] _wcsicmp (_String1="exit", _String2="RD") returned -13
[0205.432] _wcsicmp (_String1="exit", _String2="RMDIR") returned -13
[0205.432] _wcsicmp (_String1="exit", _String2="PATH") returned -11
[0205.432] _wcsicmp (_String1="exit", _String2="GOTO") returned -2
[0205.432] _wcsicmp (_String1="exit", _String2="SHIFT") returned -14
[0205.432] _wcsicmp (_String1="exit", _String2="CLS") returned 2
[0205.432] _wcsicmp (_String1="exit", _String2="CALL") returned 2
[0205.432] _wcsicmp (_String1="exit", _String2="VERIFY") returned -17
[0205.432] _wcsicmp (_String1="exit", _String2="VER") returned -17
[0205.432] _wcsicmp (_String1="exit", _String2="VOL") returned -17
[0205.432] _wcsicmp (_String1="exit", _String2="EXIT") returned 0
[0205.432] GetProcessHeap () returned 0x4500000
[0205.432] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0xc) returned 0x450b248
[0205.432] GetProcessHeap () returned 0x4500000
[0205.432] RtlAllocateHeap (HeapHandle=0x4500000, Flags=0x8, Size=0x12) returned 0x45078f0
[0205.432] exit (_Code=0)
Thread:
id = 127
os_tid = 0xb04
Process:
id = "9"
image_name = "conhost.exe"
filename = "c:\\windows\\system32\\conhost.exe"
page_root = "0x67b11000"
os_pid = "0x3b4"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "8"
os_parent_pid = "0xb5c"
cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
cur_dir = "C:\\Windows"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1450
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1451
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1452
start_va = 0x50000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1453
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1454
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1455
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1456
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 1457
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 1458
start_va = 0x7ff637930000
end_va = 0x7ff637940fff
monitored = 0
entry_point = 0x7ff6379316b0
region_type = mapped_file
name = "conhost.exe"
filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")
Region:
id = 1459
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1460
start_va = 0x600000
end_va = 0x7cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 1461
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1462
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1463
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1464
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 1465
start_va = 0x90000
end_va = 0x14dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1466
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1467
start_va = 0x150000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 1468
start_va = 0x7d0000
end_va = 0x8cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007d0000"
filename = ""
Region:
id = 1469
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1475
start_va = 0x7ffa0a430000
end_va = 0x7ffa0a488fff
monitored = 0
entry_point = 0x7ffa0a43fbf0
region_type = mapped_file
name = "conhostv2.dll"
filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")
Region:
id = 1476
start_va = 0x190000
end_va = 0x190fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 1477
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1478
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1479
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1480
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1481
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1482
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001a0000"
filename = ""
Region:
id = 1483
start_va = 0x7ffa13b70000
end_va = 0x7ffa13cb2fff
monitored = 0
entry_point = 0x7ffa13b98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1484
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1485
start_va = 0x7ffa141e0000
end_va = 0x7ffa1421afff
monitored = 0
entry_point = 0x7ffa141e12f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1486
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1487
start_va = 0x7ffa11220000
end_va = 0x7ffa113a5fff
monitored = 0
entry_point = 0x7ffa1126d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 1506
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 1507
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1508
start_va = 0x8d0000
end_va = 0xa57fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008d0000"
filename = ""
Region:
id = 1509
start_va = 0xa60000
end_va = 0xbe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a60000"
filename = ""
Region:
id = 1510
start_va = 0xbf0000
end_va = 0x1feffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000bf0000"
filename = ""
Region:
id = 1511
start_va = 0x1ff0000
end_va = 0x217ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ff0000"
filename = ""
Region:
id = 1518
start_va = 0x600000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 1519
start_va = 0x6d0000
end_va = 0x7cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006d0000"
filename = ""
Region:
id = 1520
start_va = 0x7ffa15210000
end_va = 0x7ffa1676efff
monitored = 0
entry_point = 0x7ffa153711f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1521
start_va = 0x7ffa13390000
end_va = 0x7ffa133d2fff
monitored = 0
entry_point = 0x7ffa133a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1522
start_va = 0x7ffa13520000
end_va = 0x7ffa13b63fff
monitored = 0
entry_point = 0x7ffa136e64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 1523
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1524
start_va = 0x7ffa14ba0000
end_va = 0x7ffa14bf1fff
monitored = 0
entry_point = 0x7ffa14baf530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1525
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1526
start_va = 0x7ffa12e80000
end_va = 0x7ffa12f34fff
monitored = 0
entry_point = 0x7ffa12ec22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 1527
start_va = 0x7ffa12dc0000
end_va = 0x7ffa12e0afff
monitored = 0
entry_point = 0x7ffa12dc35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 1528
start_va = 0x7ffa12d90000
end_va = 0x7ffa12da3fff
monitored = 0
entry_point = 0x7ffa12d952e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1529
start_va = 0x7ffa11710000
end_va = 0x7ffa117a5fff
monitored = 0
entry_point = 0x7ffa11735570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 1530
start_va = 0x7d0000
end_va = 0x8bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007d0000"
filename = ""
Region:
id = 1531
start_va = 0x8c0000
end_va = 0x8cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008c0000"
filename = ""
Region:
id = 1567
start_va = 0x2180000
end_va = 0x24b6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1568
start_va = 0x50000
end_va = 0x70fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cmd.exe.mui"
filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")
Region:
id = 1569
start_va = 0x640000
end_va = 0x699fff
monitored = 1
entry_point = 0x6553f0
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")
Region:
id = 1571
start_va = 0x24c0000
end_va = 0x26d3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000024c0000"
filename = ""
Region:
id = 1572
start_va = 0x26e0000
end_va = 0x28f6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000026e0000"
filename = ""
Region:
id = 1573
start_va = 0x1ff0000
end_va = 0x2106fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ff0000"
filename = ""
Region:
id = 1574
start_va = 0x2170000
end_va = 0x217ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002170000"
filename = ""
Region:
id = 1575
start_va = 0x2900000
end_va = 0x2b13fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002900000"
filename = ""
Region:
id = 1576
start_va = 0x2b20000
end_va = 0x2c2cfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b20000"
filename = ""
Region:
id = 1586
start_va = 0x640000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 1587
start_va = 0x7ffa14a40000
end_va = 0x7ffa14b99fff
monitored = 0
entry_point = 0x7ffa14a838e0
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 1588
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 1589
start_va = 0x7d0000
end_va = 0x88bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007d0000"
filename = ""
Region:
id = 1590
start_va = 0x8b0000
end_va = 0x8bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008b0000"
filename = ""
Region:
id = 1591
start_va = 0x50000
end_va = 0x53fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 1592
start_va = 0x7ffa10610000
end_va = 0x7ffa10631fff
monitored = 0
entry_point = 0x7ffa10611a40
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 1593
start_va = 0x7ffa11410000
end_va = 0x7ffa11422fff
monitored = 0
entry_point = 0x7ffa11412760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 1594
start_va = 0x7ffa12ba0000
end_va = 0x7ffa12bf5fff
monitored = 0
entry_point = 0x7ffa12bb0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 1596
start_va = 0x60000
end_va = 0x66fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 1597
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000070000"
filename = ""
Region:
id = 1598
start_va = 0x80000
end_va = 0x80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000080000"
filename = ""
Region:
id = 1599
start_va = 0x1d0000
end_va = 0x1d4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 1600
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "conhostv2.dll.mui"
filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")
Region:
id = 1601
start_va = 0x1f0000
end_va = 0x1f1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 1602
start_va = 0x7ffa080f0000
end_va = 0x7ffa08363fff
monitored = 0
entry_point = 0x7ffa08160400
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")
Region:
id = 1603
start_va = 0x680000
end_va = 0x680fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 1604
start_va = 0x690000
end_va = 0x691fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000690000"
filename = ""
Thread:
id = 118
os_tid = 0x40c
Thread:
id = 120
os_tid = 0x688
Thread:
id = 122
os_tid = 0x658
Thread:
id = 125
os_tid = 0x6f4
Process:
id = "10"
image_name = "cmd.exe"
filename = "c:\\windows\\syswow64\\cmd.exe"
page_root = "0x358f2000"
os_pid = "0x320"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "7"
os_parent_pid = "0xb50"
cmd_line = "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1432
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1433
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1434
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1435
start_va = 0x60000
end_va = 0x63fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000060000"
filename = ""
Region:
id = 1436
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000070000"
filename = ""
Region:
id = 1437
start_va = 0x80000
end_va = 0x81fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000080000"
filename = ""
Region:
id = 1438
start_va = 0x90000
end_va = 0xe1fff
monitored = 1
entry_point = 0xa4fd0
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")
Region:
id = 1439
start_va = 0xf0000
end_va = 0x40effff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 1440
start_va = 0x40f0000
end_va = 0x412ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000040f0000"
filename = ""
Region:
id = 1441
start_va = 0x4200000
end_va = 0x43fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004200000"
filename = ""
Region:
id = 1442
start_va = 0x4400000
end_va = 0x44fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004400000"
filename = ""
Region:
id = 1443
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 1444
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 1445
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1446
start_va = 0x7fff0000
end_va = 0x7dfa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 1447
start_va = 0x7dfa16770000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007dfa16770000"
filename = ""
Region:
id = 1448
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1449
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 1470
start_va = 0x4130000
end_va = 0x414ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004130000"
filename = ""
Region:
id = 1471
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 1472
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 1473
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1474
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 1488
start_va = 0x4500000
end_va = 0x462ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004500000"
filename = ""
Region:
id = 1489
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1490
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 1491
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1492
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 1606
start_va = 0x4630000
end_va = 0x46edfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1608
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 1609
start_va = 0x4150000
end_va = 0x418ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004150000"
filename = ""
Region:
id = 1610
start_va = 0x46f0000
end_va = 0x47effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000046f0000"
filename = ""
Region:
id = 1611
start_va = 0x47f0000
end_va = 0x48cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000047f0000"
filename = ""
Region:
id = 1612
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1620
start_va = 0x30000
end_va = 0x33fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1622
start_va = 0x6a880000
end_va = 0x6a887fff
monitored = 0
entry_point = 0x6a881840
region_type = mapped_file
name = "cmdext.dll"
filename = "\\Windows\\SysWOW64\\cmdext.dll" (normalized: "c:\\windows\\syswow64\\cmdext.dll")
Region:
id = 1623
start_va = 0x76600000
end_va = 0x7667afff
monitored = 0
entry_point = 0x7661e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 1624
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 1625
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 1626
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 1627
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 1628
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 1648
start_va = 0x4130000
end_va = 0x413ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004130000"
filename = ""
Region:
id = 1649
start_va = 0x4140000
end_va = 0x414ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004140000"
filename = ""
Region:
id = 1685
start_va = 0x48d0000
end_va = 0x4c06fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1750
start_va = 0x73e50000
end_va = 0x73ee1fff
monitored = 0
entry_point = 0x73e90380
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll")
Region:
id = 1751
start_va = 0x7fb00000
end_va = 0x7fea0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sysmain.sdb"
filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb")
Region:
id = 1857
start_va = 0x4190000
end_va = 0x41b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cmd.exe.mui"
filename = "\\Windows\\SysWOW64\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cmd.exe.mui")
Thread:
id = 119
os_tid = 0x61c
[0202.918] GetModuleHandleA (lpModuleName=0x0) returned 0x90000
[0202.918] __set_app_type (_Type=0x1)
[0202.918] __p__fmode () returned 0x76b44d6c
[0202.918] __p__commode () returned 0x76b45b1c
[0202.918] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa5200) returned 0x0
[0202.918] __getmainargs (in: _Argc=0xb60e8, _Argv=0xb60ec, _Env=0xb60f0, _DoWildCard=0, _StartInfo=0xb60fc | out: _Argc=0xb60e8, _Argv=0xb60ec, _Env=0xb60f0) returned 0
[0202.918] GetCurrentThreadId () returned 0x61c
[0202.918] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x61c) returned 0x84
[0202.919] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76720000
[0202.919] GetProcAddress (hModule=0x76720000, lpProcName="SetThreadUILanguage") returned 0x76762510
[0202.919] SetThreadUILanguage (LangId=0x0) returned 0x409
[0202.997] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0202.997] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x44fff18 | out: phkResult=0x44fff18*=0x0) returned 0x2
[0202.997] VirtualQuery (in: lpAddress=0x44fff1f, lpBuffer=0x44ffed0, dwLength=0x1c | out: lpBuffer=0x44ffed0*(BaseAddress=0x44ff000, AllocationBase=0x4400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0202.997] VirtualQuery (in: lpAddress=0x4400000, lpBuffer=0x44ffed0, dwLength=0x1c | out: lpBuffer=0x44ffed0*(BaseAddress=0x4400000, AllocationBase=0x4400000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c
[0202.997] VirtualQuery (in: lpAddress=0x4401000, lpBuffer=0x44ffed0, dwLength=0x1c | out: lpBuffer=0x44ffed0*(BaseAddress=0x4401000, AllocationBase=0x4400000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c
[0202.997] VirtualQuery (in: lpAddress=0x4403000, lpBuffer=0x44ffed0, dwLength=0x1c | out: lpBuffer=0x44ffed0*(BaseAddress=0x4403000, AllocationBase=0x4400000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c
[0202.997] VirtualQuery (in: lpAddress=0x4500000, lpBuffer=0x44ffed0, dwLength=0x1c | out: lpBuffer=0x44ffed0*(BaseAddress=0x4500000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x30000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c
[0202.997] GetConsoleOutputCP () returned 0x1b5
[0203.120] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbf460 | out: lpCPInfo=0xbf460) returned 1
[0203.120] SetConsoleCtrlHandler (HandlerRoutine=0xb0e40, Add=1) returned 1
[0203.121] _get_osfhandle (_FileHandle=1) returned 0x3c
[0203.121] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1
[0203.172] _get_osfhandle (_FileHandle=1) returned 0x3c
[0203.173] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xbf40c | out: lpMode=0xbf40c) returned 1
[0203.175] _get_osfhandle (_FileHandle=1) returned 0x3c
[0203.175] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
[0203.186] _get_osfhandle (_FileHandle=0) returned 0x38
[0203.186] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xbf408 | out: lpMode=0xbf408) returned 1
[0203.201] _get_osfhandle (_FileHandle=0) returned 0x38
[0203.201] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1
[0203.206] GetEnvironmentStringsW () returned 0x4537d50*
[0203.206] GetProcessHeap () returned 0x4530000
[0203.207] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xa1a) returned 0x4538778
[0203.208] memcpy (in: _Dst=0x4538778, _Src=0x4537d50, _Size=0xa1a | out: _Dst=0x4538778) returned 0x4538778
[0203.208] FreeEnvironmentStringsA (penv="A") returned 1
[0203.208] GetProcessHeap () returned 0x4530000
[0203.208] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x4) returned 0x4530550
[0203.208] GetEnvironmentStringsW () returned 0x4537d50*
[0203.208] GetProcessHeap () returned 0x4530000
[0203.208] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xa1a) returned 0x45391a0
[0203.208] memcpy (in: _Dst=0x45391a0, _Src=0x4537d50, _Size=0xa1a | out: _Dst=0x45391a0) returned 0x45391a0
[0203.208] FreeEnvironmentStringsA (penv="A") returned 1
[0203.208] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x44fee7c | out: phkResult=0x44fee7c*=0x94) returned 0x0
[0203.208] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x0, lpData=0x44fee88*=0x49, lpcbData=0x44fee80*=0x1000) returned 0x2
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x1, lpcbData=0x44fee80*=0x4) returned 0x0
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x0, lpData=0x44fee88*=0x1, lpcbData=0x44fee80*=0x1000) returned 0x2
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x0, lpcbData=0x44fee80*=0x4) returned 0x0
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x40, lpcbData=0x44fee80*=0x4) returned 0x0
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x40, lpcbData=0x44fee80*=0x4) returned 0x0
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x0, lpData=0x44fee88*=0x40, lpcbData=0x44fee80*=0x1000) returned 0x2
[0203.209] RegCloseKey (hKey=0x94) returned 0x0
[0203.209] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x44fee7c | out: phkResult=0x44fee7c*=0x94) returned 0x0
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x0, lpData=0x44fee88*=0x40, lpcbData=0x44fee80*=0x1000) returned 0x2
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x1, lpcbData=0x44fee80*=0x4) returned 0x0
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x0, lpData=0x44fee88*=0x1, lpcbData=0x44fee80*=0x1000) returned 0x2
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x0, lpcbData=0x44fee80*=0x4) returned 0x0
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x9, lpcbData=0x44fee80*=0x4) returned 0x0
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x4, lpData=0x44fee88*=0x9, lpcbData=0x44fee80*=0x4) returned 0x0
[0203.209] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x44fee84, lpData=0x44fee88, lpcbData=0x44fee80*=0x1000 | out: lpType=0x44fee84*=0x0, lpData=0x44fee88*=0x9, lpcbData=0x44fee80*=0x1000) returned 0x2
[0203.209] RegCloseKey (hKey=0x94) returned 0x0
[0203.210] time (in: timer=0x0 | out: timer=0x0) returned 0x62ed7707
[0203.210] srand (_Seed=0x62ed7707)
[0203.210] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"\""
[0203.210] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"\""
[0203.210] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xc7720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d
[0203.210] GetProcessHeap () returned 0x4530000
[0203.210] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x210) returned 0x4539bc8
[0203.210] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4539bd0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b
[0203.210] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63
[0203.210] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0203.210] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0
[0203.210] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13
[0203.210] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11
[0203.210] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13
[0203.210] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13
[0203.210] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12
[0203.210] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4
[0203.211] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2
[0203.211] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8
[0203.211] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1
[0203.211] GetProcessHeap () returned 0x4530000
[0203.212] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4538778) returned 1
[0203.212] GetEnvironmentStringsW () returned 0x4537d50*
[0203.212] GetProcessHeap () returned 0x4530000
[0203.212] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xa32) returned 0x453a820
[0203.212] memcpy (in: _Dst=0x453a820, _Src=0x4537d50, _Size=0xa32 | out: _Dst=0x453a820) returned 0x453a820
[0203.212] FreeEnvironmentStringsA (penv="A") returned 1
[0203.212] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b
[0203.212] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0
[0203.212] _wcsicmp (_String1="KEYS", _String2="CD") returned 8
[0203.212] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6
[0203.212] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8
[0203.212] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8
[0203.212] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7
[0203.212] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9
[0203.212] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7
[0203.212] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3
[0203.212] GetProcessHeap () returned 0x4530000
[0203.212] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x44) returned 0x45305c8
[0203.212] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x44ffc54 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d
[0203.213] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop", nBufferLength=0x104, lpBuffer=0x44ffc54, lpFilePart=0x44ffc4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x44ffc4c*="Desktop") returned 0x1d
[0203.213] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11
[0203.213] FindFirstFileW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), lpFindFileData=0x44ff9d0 | out: lpFindFileData=0x44ff9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4530618
[0203.213] FindClose (in: hFindFile=0x4530618 | out: hFindFile=0x4530618) returned 1
[0203.213] memcpy (in: _Dst=0x44ffc5a, _Src=0x44ff9fc, _Size=0xa | out: _Dst=0x44ffc5a) returned 0x44ffc5a
[0203.213] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX" (normalized: "c:\\users\\rdhj0cnfevzx"), lpFindFileData=0x44ff9d0 | out: lpFindFileData=0x44ff9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x4530618
[0203.214] FindClose (in: hFindFile=0x4530618 | out: hFindFile=0x4530618) returned 1
[0203.214] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16
[0203.214] memcpy (in: _Dst=0x44ffc66, _Src=0x44ff9fc, _Size=0x18 | out: _Dst=0x44ffc66) returned 0x44ffc66
[0203.214] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop"), lpFindFileData=0x44ff9d0 | out: lpFindFileData=0x44ff9d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0xc2969193, ftLastAccessTime.dwHighDateTime=0x1d8a905, ftLastWriteTime.dwLowDateTime=0xc2969193, ftLastWriteTime.dwHighDateTime=0x1d8a905, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x4530618
[0203.214] FindClose (in: hFindFile=0x4530618 | out: hFindFile=0x4530618) returned 1
[0203.214] memcpy (in: _Dst=0x44ffc80, _Src=0x44ff9fc, _Size=0xe | out: _Dst=0x44ffc80) returned 0x44ffc80
[0203.214] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 0x11
[0203.214] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\Desktop" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop")) returned 1
[0203.215] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 1
[0203.215] GetProcessHeap () returned 0x4530000
[0203.215] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x453a820) returned 1
[0203.215] GetEnvironmentStringsW () returned 0x4537d50*
[0203.215] GetProcessHeap () returned 0x4530000
[0203.215] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xa76) returned 0x4539de0
[0203.215] memcpy (in: _Dst=0x4539de0, _Src=0x4537d50, _Size=0xa76 | out: _Dst=0x4539de0) returned 0x4539de0
[0203.215] FreeEnvironmentStringsA (penv="=") returned 1
[0203.215] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xc7720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d
[0203.215] GetProcessHeap () returned 0x4530000
[0203.216] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x45305c8) returned 1
[0203.216] GetProcessHeap () returned 0x4530000
[0203.216] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x400e) returned 0x453bce0
[0203.217] GetProcessHeap () returned 0x4530000
[0203.217] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x84) returned 0x453a860
[0203.217] GetProcessHeap () returned 0x4530000
[0203.217] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x4008) returned 0x453fcf8
[0203.217] GetProcessHeap () returned 0x4530000
[0203.217] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x4008) returned 0x4543d08
[0203.217] GetProcessHeap () returned 0x4530000
[0203.218] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x453bce0) returned 1
[0203.218] GetConsoleOutputCP () returned 0x1b5
[0203.276] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbf460 | out: lpCPInfo=0xbf460) returned 1
[0203.276] GetUserDefaultLCID () returned 0x409
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xc34a0, cchData=8 | out: lpLCData=":") returned 2
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x44ffd84, cchData=128 | out: lpLCData="0") returned 2
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x44ffd84, cchData=128 | out: lpLCData="0") returned 2
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x44ffd84, cchData=128 | out: lpLCData="1") returned 2
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xc34b0, cchData=8 | out: lpLCData="/") returned 2
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xc3500, cchData=32 | out: lpLCData="Mon") returned 4
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xc3540, cchData=32 | out: lpLCData="Tue") returned 4
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xc3580, cchData=32 | out: lpLCData="Wed") returned 4
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xc35c0, cchData=32 | out: lpLCData="Thu") returned 4
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xc3600, cchData=32 | out: lpLCData="Fri") returned 4
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xc3640, cchData=32 | out: lpLCData="Sat") returned 4
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xc3680, cchData=32 | out: lpLCData="Sun") returned 4
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xc34c0, cchData=8 | out: lpLCData=".") returned 2
[0203.285] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xc34e0, cchData=8 | out: lpLCData=",") returned 2
[0203.285] setlocale (category=0, locale=".OCP") returned="English_United States.437"
[0203.287] GetProcessHeap () returned 0x4530000
[0203.287] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x0, Size=0x20c) returned 0x453a938
[0203.287] GetConsoleTitleW (in: lpConsoleTitle=0x453a938, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0203.297] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76720000
[0203.297] GetProcAddress (hModule=0x76720000, lpProcName="CopyFileExW") returned 0x7673ffc0
[0203.297] GetProcAddress (hModule=0x76720000, lpProcName="IsDebuggerPresent") returned 0x7673b0b0
[0203.297] GetProcAddress (hModule=0x76720000, lpProcName="SetConsoleInputExeNameW") returned 0x76a2b440
[0203.297] GetProcessHeap () returned 0x4530000
[0203.298] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x400a) returned 0x453bce0
[0203.298] GetProcessHeap () returned 0x4530000
[0203.298] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x453bce0) returned 1
[0203.300] _wcsicmp (_String1="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"", _String2=")") returned -7
[0203.300] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"") returned 68
[0203.300] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"") returned 68
[0203.300] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"") returned 71
[0203.300] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"") returned 71
[0203.300] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"") returned 80
[0203.300] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"") returned 80
[0203.300] GetProcessHeap () returned 0x4530000
[0203.300] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x58) returned 0x453ab50
[0203.300] GetProcessHeap () returned 0x4530000
[0203.300] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x7c) returned 0x453abb0
[0203.301] GetConsoleTitleW (in: lpConsoleTitle=0x44ffa70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0203.321] GetFileAttributesW (lpFileName="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat\"" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\\"c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat\"")) returned 0xffffffff
[0203.324] _wcsicmp (_String1="\"C", _String2="DIR") returned -66
[0203.354] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67
[0203.354] _wcsicmp (_String1="\"C", _String2="DEL") returned -66
[0203.354] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82
[0203.354] _wcsicmp (_String1="\"C", _String2="COPY") returned -65
[0203.354] _wcsicmp (_String1="\"C", _String2="CD") returned -65
[0203.354] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65
[0203.354] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80
[0203.354] _wcsicmp (_String1="\"C", _String2="REN") returned -80
[0203.354] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67
[0203.354] _wcsicmp (_String1="\"C", _String2="SET") returned -81
[0203.355] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78
[0203.355] _wcsicmp (_String1="\"C", _String2="DATE") returned -66
[0203.355] _wcsicmp (_String1="\"C", _String2="TIME") returned -82
[0203.355] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78
[0203.355] _wcsicmp (_String1="\"C", _String2="MD") returned -75
[0203.355] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75
[0203.355] _wcsicmp (_String1="\"C", _String2="RD") returned -80
[0203.355] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80
[0203.355] _wcsicmp (_String1="\"C", _String2="PATH") returned -78
[0203.355] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69
[0203.355] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81
[0203.355] _wcsicmp (_String1="\"C", _String2="CLS") returned -65
[0203.355] _wcsicmp (_String1="\"C", _String2="CALL") returned -65
[0203.355] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84
[0203.355] _wcsicmp (_String1="\"C", _String2="VER") returned -84
[0203.355] _wcsicmp (_String1="\"C", _String2="VOL") returned -84
[0203.355] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67
[0203.355] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81
[0203.355] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67
[0203.355] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82
[0203.355] _wcsicmp (_String1="\"C", _String2="START") returned -81
[0203.355] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66
[0203.355] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73
[0203.355] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75
[0203.355] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78
[0203.355] _wcsicmp (_String1="\"C", _String2="POPD") returned -78
[0203.355] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63
[0203.355] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68
[0203.355] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64
[0203.355] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65
[0203.356] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75
[0203.356] _wcsicmp (_String1="\"C", _String2="DIR") returned -66
[0203.356] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67
[0203.356] _wcsicmp (_String1="\"C", _String2="DEL") returned -66
[0203.356] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82
[0203.356] _wcsicmp (_String1="\"C", _String2="COPY") returned -65
[0203.356] _wcsicmp (_String1="\"C", _String2="CD") returned -65
[0203.356] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65
[0203.356] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80
[0203.356] _wcsicmp (_String1="\"C", _String2="REN") returned -80
[0203.356] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67
[0203.356] _wcsicmp (_String1="\"C", _String2="SET") returned -81
[0203.356] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78
[0203.356] _wcsicmp (_String1="\"C", _String2="DATE") returned -66
[0203.356] _wcsicmp (_String1="\"C", _String2="TIME") returned -82
[0203.356] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78
[0203.356] _wcsicmp (_String1="\"C", _String2="MD") returned -75
[0203.356] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75
[0203.356] _wcsicmp (_String1="\"C", _String2="RD") returned -80
[0203.356] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80
[0203.356] _wcsicmp (_String1="\"C", _String2="PATH") returned -78
[0203.356] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69
[0203.356] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81
[0203.356] _wcsicmp (_String1="\"C", _String2="CLS") returned -65
[0203.356] _wcsicmp (_String1="\"C", _String2="CALL") returned -65
[0203.356] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84
[0203.356] _wcsicmp (_String1="\"C", _String2="VER") returned -84
[0203.356] _wcsicmp (_String1="\"C", _String2="VOL") returned -84
[0203.356] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67
[0203.357] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81
[0203.357] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67
[0203.357] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82
[0203.357] _wcsicmp (_String1="\"C", _String2="START") returned -81
[0203.357] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66
[0203.357] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73
[0203.357] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75
[0203.357] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78
[0203.357] _wcsicmp (_String1="\"C", _String2="POPD") returned -78
[0203.357] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63
[0203.357] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68
[0203.357] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64
[0203.357] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65
[0203.357] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75
[0203.357] _wcsicmp (_String1="\"C", _String2="FOR") returned -68
[0203.357] _wcsicmp (_String1="\"C", _String2="IF") returned -71
[0203.357] _wcsicmp (_String1="\"C", _String2="REM") returned -80
[0203.357] GetProcessHeap () returned 0x4530000
[0203.357] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x210) returned 0x453ac38
[0203.357] GetProcessHeap () returned 0x4530000
[0203.357] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x7c) returned 0x453ae50
[0203.358] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51
[0203.358] GetProcessHeap () returned 0x4530000
[0203.358] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x418) returned 0x45305c8
[0203.358] SetErrorMode (uMode=0x0) returned 0x0
[0203.358] SetErrorMode (uMode=0x1) returned 0x0
[0203.358] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x45305d0, lpFilePart=0x44ff57c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp", lpFilePart=0x44ff57c*="Temp") returned 0x28
[0203.358] SetErrorMode (uMode=0x0) returned 0x1
[0203.358] GetProcessHeap () returned 0x4530000
[0203.358] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x45305c8, Size=0x78) returned 0x45305c8
[0203.358] GetProcessHeap () returned 0x4530000
[0203.358] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x45305c8) returned 0x78
[0203.358] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\.") returned 1
[0203.358] GetProcessHeap () returned 0x4530000
[0203.358] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x60) returned 0x453aed8
[0203.358] GetProcessHeap () returned 0x4530000
[0203.358] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xb4) returned 0x453af40
[0203.359] GetProcessHeap () returned 0x4530000
[0203.359] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x453af40, Size=0x60) returned 0x453af40
[0203.359] GetProcessHeap () returned 0x4530000
[0203.359] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x453af40) returned 0x60
[0203.359] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0203.359] GetProcessHeap () returned 0x4530000
[0203.359] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xe0) returned 0x453afa8
[0203.362] GetProcessHeap () returned 0x4530000
[0203.362] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x453afa8, Size=0x76) returned 0x453afa8
[0203.362] GetProcessHeap () returned 0x4530000
[0203.363] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x453afa8) returned 0x76
[0203.363] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0203.363] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat"), fInfoLevelId=0x1, lpFindFileData=0x44ff328, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44ff328) returned 0x453b028
[0203.363] GetProcessHeap () returned 0x4530000
[0203.363] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x0, Size=0x14) returned 0x45376b8
[0203.363] FindClose (in: hFindFile=0x453b028 | out: hFindFile=0x453b028) returned 1
[0203.363] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1
[0203.364] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0
[0203.364] GetConsoleTitleW (in: lpConsoleTitle=0x44ff7fc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0203.417] GetProcessHeap () returned 0x4530000
[0203.417] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x11c) returned 0x453b028
[0203.417] ApiSetQueryApiSetPresence () returned 0x0
[0203.417] ResolveDelayLoadedAPI () returned 0x6a8814a0
[0203.448] SaferWorker () returned 0x0
[0203.549] SetErrorMode (uMode=0x0) returned 0x0
[0203.549] SetErrorMode (uMode=0x1) returned 0x0
[0203.549] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat", nBufferLength=0x104, lpBuffer=0x453ac40, lpFilePart=0x44ff6ac | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat", lpFilePart=0x44ff6ac*="tmpDAB.tmp.bat") returned 0x37
[0203.549] SetErrorMode (uMode=0x0) returned 0x1
[0203.549] GetProcessHeap () returned 0x4530000
[0203.549] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x7c) returned 0x4548278
[0203.550] CmdBatNotificationStub () returned 0x1
[0203.550] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x44ff73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4
[0203.550] _open_osfhandle (_OSFileHandle=0xb4, _Flags=8) returned 3
[0203.550] _get_osfhandle (_FileHandle=3) returned 0xb4
[0203.550] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
[0203.550] _get_osfhandle (_FileHandle=3) returned 0xb4
[0203.550] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0
[0203.550] ReadFile (in: hFile=0xb4, lpBuffer=0xcb960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x44ff6c4, lpOverlapped=0x0 | out: lpBuffer=0xcb960*, lpNumberOfBytesRead=0x44ff6c4*=0x9d, lpOverlapped=0x0) returned 1
[0203.551] SetFilePointer (in: hFile=0xb4, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb
[0203.552] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xcb960, cbMultiByte=11, lpWideCharStr=0xb67e0, cchWideChar=8191 | out: lpWideCharStr="@echo off\r\n") returned 11
[0203.552] _get_osfhandle (_FileHandle=3) returned 0xb4
[0203.552] GetFileType (hFile=0xb4) returned 0x1
[0203.552] _get_osfhandle (_FileHandle=3) returned 0xb4
[0203.552] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb
[0203.552] GetProcessHeap () returned 0x4530000
[0203.552] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x400a) returned 0x453bce0
[0203.552] GetProcessHeap () returned 0x4530000
[0203.553] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x453bce0) returned 1
[0203.553] GetProcessHeap () returned 0x4530000
[0203.553] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x58) returned 0x4530a28
[0203.553] _wcsicmp (_String1="echo", _String2=")") returned 60
[0203.553] _wcsicmp (_String1="FOR", _String2="echo") returned 1
[0203.553] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1
[0203.553] _wcsicmp (_String1="IF", _String2="echo") returned 4
[0203.553] _wcsicmp (_String1="IF/?", _String2="echo") returned 4
[0203.553] _wcsicmp (_String1="REM", _String2="echo") returned 13
[0203.554] _wcsicmp (_String1="REM/?", _String2="echo") returned 13
[0203.554] GetProcessHeap () returned 0x4530000
[0203.554] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x58) returned 0x4548300
[0203.554] GetProcessHeap () returned 0x4530000
[0203.554] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x12) returned 0x4537818
[0203.554] GetProcessHeap () returned 0x4530000
[0203.554] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x12) returned 0x4537578
[0203.555] _tell (_FileHandle=3) returned 11
[0203.555] _close (_FileHandle=3) returned 0
[0203.556] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0203.556] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0203.556] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0203.556] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0203.556] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0203.556] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0203.556] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0203.556] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0203.556] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0203.556] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0203.556] GetConsoleTitleW (in: lpConsoleTitle=0x44ff2f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0203.704] _wcsicmp (_String1="echo", _String2="DIR") returned 1
[0203.704] _wcsicmp (_String1="echo", _String2="ERASE") returned -15
[0203.704] _wcsicmp (_String1="echo", _String2="DEL") returned 1
[0203.704] _wcsicmp (_String1="echo", _String2="TYPE") returned -15
[0203.704] _wcsicmp (_String1="echo", _String2="COPY") returned 2
[0203.704] _wcsicmp (_String1="echo", _String2="CD") returned 2
[0203.704] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2
[0203.704] _wcsicmp (_String1="echo", _String2="RENAME") returned -13
[0203.704] _wcsicmp (_String1="echo", _String2="REN") returned -13
[0203.704] _wcsicmp (_String1="echo", _String2="ECHO") returned 0
[0203.704] GetProcessHeap () returned 0x4530000
[0203.704] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x1c) returned 0x4530898
[0203.705] GetProcessHeap () returned 0x4530000
[0203.705] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x4530898, Size=0x12) returned 0x4530898
[0203.705] GetProcessHeap () returned 0x4530000
[0203.705] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x4530898) returned 0x12
[0203.705] GetProcessHeap () returned 0x4530000
[0203.705] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x1c) returned 0x4538e48
[0203.705] _wcsnicmp (_String1="off", _String2="off", _MaxCount=0x3) returned 0
[0203.705] _get_osfhandle (_FileHandle=1) returned 0x3c
[0203.705] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
[0203.807] _get_osfhandle (_FileHandle=1) returned 0x3c
[0203.807] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xbf40c | out: lpMode=0xbf40c) returned 1
[0203.949] _get_osfhandle (_FileHandle=0) returned 0x38
[0203.949] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xbf408 | out: lpMode=0xbf408) returned 1
[0204.064] SetConsoleInputExeNameW () returned 0x1
[0204.064] GetConsoleOutputCP () returned 0x1b5
[0204.230] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbf460 | out: lpCPInfo=0xbf460) returned 1
[0204.230] SetThreadUILanguage (LangId=0x0) returned 0x409
[0204.348] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x44ff73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4
[0204.348] _open_osfhandle (_OSFileHandle=0xb4, _Flags=8) returned 3
[0204.348] _get_osfhandle (_FileHandle=3) returned 0xb4
[0204.348] SetFilePointer (in: hFile=0xb4, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb
[0204.348] GetProcessHeap () returned 0x4530000
[0204.348] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4538e48) returned 1
[0204.348] GetProcessHeap () returned 0x4530000
[0204.348] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4530898) returned 1
[0204.348] GetProcessHeap () returned 0x4530000
[0204.348] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4537578) returned 1
[0204.348] GetProcessHeap () returned 0x4530000
[0204.348] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4537818) returned 1
[0204.348] GetProcessHeap () returned 0x4530000
[0204.349] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548300) returned 1
[0204.349] GetProcessHeap () returned 0x4530000
[0204.350] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4530a28) returned 1
[0204.350] _get_osfhandle (_FileHandle=3) returned 0xb4
[0204.350] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb
[0204.350] ReadFile (in: hFile=0xb4, lpBuffer=0xcb960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x44ff6c4, lpOverlapped=0x0 | out: lpBuffer=0xcb960*, lpNumberOfBytesRead=0x44ff6c4*=0x92, lpOverlapped=0x0) returned 1
[0204.350] SetFilePointer (in: hFile=0xb4, lDistanceToMove=28, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c
[0204.350] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xcb960, cbMultiByte=17, lpWideCharStr=0xb67e0, cchWideChar=8191 | out: lpWideCharStr="timeout 3 > NUL\r\n") returned 17
[0204.351] _get_osfhandle (_FileHandle=3) returned 0xb4
[0204.351] GetFileType (hFile=0xb4) returned 0x1
[0204.351] _get_osfhandle (_FileHandle=3) returned 0xb4
[0204.351] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c
[0204.351] GetProcessHeap () returned 0x4530000
[0204.351] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x400a) returned 0x453bce0
[0204.351] GetProcessHeap () returned 0x4530000
[0204.352] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x453bce0) returned 1
[0204.352] _wcsicmp (_String1="timeout", _String2=")") returned 75
[0204.352] _wcsicmp (_String1="FOR", _String2="timeout") returned -14
[0204.353] _wcsicmp (_String1="FOR/?", _String2="timeout") returned -14
[0204.353] _wcsicmp (_String1="IF", _String2="timeout") returned -11
[0204.353] _wcsicmp (_String1="IF/?", _String2="timeout") returned -11
[0204.353] _wcsicmp (_String1="REM", _String2="timeout") returned -2
[0204.353] _wcsicmp (_String1="REM/?", _String2="timeout") returned -2
[0204.353] GetProcessHeap () returned 0x4530000
[0204.353] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x58) returned 0x4530a28
[0204.353] GetProcessHeap () returned 0x4530000
[0204.353] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x18) returned 0x4537858
[0204.353] GetProcessHeap () returned 0x4530000
[0204.353] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x10) returned 0x4548050
[0204.353] GetProcessHeap () returned 0x4530000
[0204.353] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x20) returned 0x4530898
[0204.354] GetProcessHeap () returned 0x4530000
[0204.354] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x10) returned 0x4547ee8
[0204.355] _tell (_FileHandle=3) returned 28
[0204.355] _close (_FileHandle=3) returned 0
[0204.355] _wcsicmp (_String1="timeout", _String2="DIR") returned 16
[0204.355] _wcsicmp (_String1="timeout", _String2="ERASE") returned 15
[0204.355] _wcsicmp (_String1="timeout", _String2="DEL") returned 16
[0204.355] _wcsicmp (_String1="timeout", _String2="TYPE") returned -16
[0204.355] _wcsicmp (_String1="timeout", _String2="COPY") returned 17
[0204.355] _wcsicmp (_String1="timeout", _String2="CD") returned 17
[0204.355] _wcsicmp (_String1="timeout", _String2="CHDIR") returned 17
[0204.355] _wcsicmp (_String1="timeout", _String2="RENAME") returned 2
[0204.355] _wcsicmp (_String1="timeout", _String2="REN") returned 2
[0204.355] _wcsicmp (_String1="timeout", _String2="ECHO") returned 15
[0204.355] _wcsicmp (_String1="timeout", _String2="SET") returned 1
[0204.355] _wcsicmp (_String1="timeout", _String2="PAUSE") returned 4
[0204.355] _wcsicmp (_String1="timeout", _String2="DATE") returned 16
[0204.355] _wcsicmp (_String1="timeout", _String2="TIME") returned 111
[0204.356] _wcsicmp (_String1="timeout", _String2="PROMPT") returned 4
[0204.356] _wcsicmp (_String1="timeout", _String2="MD") returned 7
[0204.356] _wcsicmp (_String1="timeout", _String2="MKDIR") returned 7
[0204.356] _wcsicmp (_String1="timeout", _String2="RD") returned 2
[0204.356] _wcsicmp (_String1="timeout", _String2="RMDIR") returned 2
[0204.356] _wcsicmp (_String1="timeout", _String2="PATH") returned 4
[0204.356] _wcsicmp (_String1="timeout", _String2="GOTO") returned 13
[0204.356] _wcsicmp (_String1="timeout", _String2="SHIFT") returned 1
[0204.356] _wcsicmp (_String1="timeout", _String2="CLS") returned 17
[0204.356] _wcsicmp (_String1="timeout", _String2="CALL") returned 17
[0204.356] _wcsicmp (_String1="timeout", _String2="VERIFY") returned -2
[0204.356] _wcsicmp (_String1="timeout", _String2="VER") returned -2
[0204.356] _wcsicmp (_String1="timeout", _String2="VOL") returned -2
[0204.356] _wcsicmp (_String1="timeout", _String2="EXIT") returned 15
[0204.356] _wcsicmp (_String1="timeout", _String2="SETLOCAL") returned 1
[0204.356] _wcsicmp (_String1="timeout", _String2="ENDLOCAL") returned 15
[0204.356] _wcsicmp (_String1="timeout", _String2="TITLE") returned -7
[0204.356] _wcsicmp (_String1="timeout", _String2="START") returned 1
[0204.356] _wcsicmp (_String1="timeout", _String2="DPATH") returned 16
[0204.356] _wcsicmp (_String1="timeout", _String2="KEYS") returned 9
[0204.356] _wcsicmp (_String1="timeout", _String2="MOVE") returned 7
[0204.356] _wcsicmp (_String1="timeout", _String2="PUSHD") returned 4
[0204.356] _wcsicmp (_String1="timeout", _String2="POPD") returned 4
[0204.356] _wcsicmp (_String1="timeout", _String2="ASSOC") returned 19
[0204.356] _wcsicmp (_String1="timeout", _String2="FTYPE") returned 14
[0204.356] _wcsicmp (_String1="timeout", _String2="BREAK") returned 18
[0204.357] _wcsicmp (_String1="timeout", _String2="COLOR") returned 17
[0204.357] _wcsicmp (_String1="timeout", _String2="MKLINK") returned 7
[0204.357] _wcsnicmp (_String1="time", _String2="cmd ", _MaxCount=0x4) returned 17
[0204.357] GetProcessHeap () returned 0x4530000
[0204.357] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x418) returned 0x4548300
[0204.357] SetErrorMode (uMode=0x0) returned 0x0
[0204.357] SetErrorMode (uMode=0x1) returned 0x0
[0204.357] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4548308, lpFilePart=0x44ff51c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x44ff51c*="Desktop") returned 0x1d
[0204.357] SetErrorMode (uMode=0x0) returned 0x1
[0204.357] GetProcessHeap () returned 0x4530000
[0204.357] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x4548300, Size=0x54) returned 0x4548300
[0204.357] GetProcessHeap () returned 0x4530000
[0204.357] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x4548300) returned 0x54
[0204.358] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63
[0204.358] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0204.358] GetProcessHeap () returned 0x4530000
[0204.358] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x110) returned 0x4548360
[0204.358] GetProcessHeap () returned 0x4530000
[0204.358] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x218) returned 0x4548478
[0204.362] GetProcessHeap () returned 0x4530000
[0204.362] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x4548478, Size=0x112) returned 0x4548478
[0204.362] GetProcessHeap () returned 0x4530000
[0204.362] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x4548478) returned 0x112
[0204.362] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0204.362] GetProcessHeap () returned 0x4530000
[0204.362] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xe0) returned 0x4548598
[0204.364] GetProcessHeap () returned 0x4530000
[0204.364] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x4548598, Size=0x76) returned 0x4548598
[0204.364] GetProcessHeap () returned 0x4530000
[0204.364] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x4548598) returned 0x76
[0204.364] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0204.364] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\timeout.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\timeout.*"), fInfoLevelId=0x1, lpFindFileData=0x44ff2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44ff2a8) returned 0xffffffff
[0204.364] GetLastError () returned 0x2
[0204.364] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0204.365] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.*" (normalized: "c:\\windows\\syswow64\\timeout.*"), fInfoLevelId=0x1, lpFindFileData=0x44ff2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44ff2a8) returned 0x4548618
[0204.365] GetProcessHeap () returned 0x4530000
[0204.365] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x45376b8, Size=0x4) returned 0x4530a88
[0204.365] FindClose (in: hFindFile=0x4548618 | out: hFindFile=0x4548618) returned 1
[0204.365] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.COM" (normalized: "c:\\windows\\syswow64\\timeout.com"), fInfoLevelId=0x1, lpFindFileData=0x44ff2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44ff2a8) returned 0xffffffff
[0204.365] GetLastError () returned 0x2
[0204.365] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.EXE" (normalized: "c:\\windows\\syswow64\\timeout.exe"), fInfoLevelId=0x1, lpFindFileData=0x44ff2a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44ff2a8) returned 0x4548618
[0204.366] FindClose (in: hFindFile=0x4548618 | out: hFindFile=0x4548618) returned 1
[0204.366] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0204.366] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0204.366] GetProcessHeap () returned 0x4530000
[0204.366] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x18) returned 0x4537518
[0204.366] _get_osfhandle (_FileHandle=1) returned 0x3c
[0204.366] _get_osfhandle (_FileHandle=1) returned 0x3c
[0204.366] _get_osfhandle (_FileHandle=1) returned 0x3c
[0204.366] GetFileType (hFile=0x3c) returned 0x2
[0204.366] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0204.366] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x44ff4f4 | out: lpMode=0x44ff4f4) returned 1
[0204.581] _dup (_FileHandle=1) returned 3
[0204.581] _close (_FileHandle=1) returned 0
[0204.581] _wcsicmp (_String1="NUL", _String2="con") returned 11
[0204.581] CreateFileW (lpFileName="NUL" (normalized: "\\device\\null"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x44ff4d4, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3c
[0204.583] _open_osfhandle (_OSFileHandle=0x3c, _Flags=8) returned 1
[0204.583] GetConsoleTitleW (in: lpConsoleTitle=0x44ff2f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0204.721] _wcsicmp (_String1="timeout", _String2="DIR") returned 16
[0204.721] _wcsicmp (_String1="timeout", _String2="ERASE") returned 15
[0204.721] _wcsicmp (_String1="timeout", _String2="DEL") returned 16
[0204.722] _wcsicmp (_String1="timeout", _String2="TYPE") returned -16
[0204.722] _wcsicmp (_String1="timeout", _String2="COPY") returned 17
[0204.722] _wcsicmp (_String1="timeout", _String2="CD") returned 17
[0204.722] _wcsicmp (_String1="timeout", _String2="CHDIR") returned 17
[0204.722] _wcsicmp (_String1="timeout", _String2="RENAME") returned 2
[0204.722] _wcsicmp (_String1="timeout", _String2="REN") returned 2
[0204.722] _wcsicmp (_String1="timeout", _String2="ECHO") returned 15
[0204.722] _wcsicmp (_String1="timeout", _String2="SET") returned 1
[0204.722] _wcsicmp (_String1="timeout", _String2="PAUSE") returned 4
[0204.722] _wcsicmp (_String1="timeout", _String2="DATE") returned 16
[0204.722] _wcsicmp (_String1="timeout", _String2="TIME") returned 111
[0204.722] _wcsicmp (_String1="timeout", _String2="PROMPT") returned 4
[0204.722] _wcsicmp (_String1="timeout", _String2="MD") returned 7
[0204.722] _wcsicmp (_String1="timeout", _String2="MKDIR") returned 7
[0204.722] _wcsicmp (_String1="timeout", _String2="RD") returned 2
[0204.722] _wcsicmp (_String1="timeout", _String2="RMDIR") returned 2
[0204.722] _wcsicmp (_String1="timeout", _String2="PATH") returned 4
[0204.722] _wcsicmp (_String1="timeout", _String2="GOTO") returned 13
[0204.722] _wcsicmp (_String1="timeout", _String2="SHIFT") returned 1
[0204.722] _wcsicmp (_String1="timeout", _String2="CLS") returned 17
[0204.722] _wcsicmp (_String1="timeout", _String2="CALL") returned 17
[0204.722] _wcsicmp (_String1="timeout", _String2="VERIFY") returned -2
[0204.722] _wcsicmp (_String1="timeout", _String2="VER") returned -2
[0204.722] _wcsicmp (_String1="timeout", _String2="VOL") returned -2
[0204.723] _wcsicmp (_String1="timeout", _String2="EXIT") returned 15
[0204.723] _wcsicmp (_String1="timeout", _String2="SETLOCAL") returned 1
[0204.723] _wcsicmp (_String1="timeout", _String2="ENDLOCAL") returned 15
[0204.723] _wcsicmp (_String1="timeout", _String2="TITLE") returned -7
[0204.723] _wcsicmp (_String1="timeout", _String2="START") returned 1
[0204.723] _wcsicmp (_String1="timeout", _String2="DPATH") returned 16
[0204.723] _wcsicmp (_String1="timeout", _String2="KEYS") returned 9
[0204.723] _wcsicmp (_String1="timeout", _String2="MOVE") returned 7
[0204.723] _wcsicmp (_String1="timeout", _String2="PUSHD") returned 4
[0204.723] _wcsicmp (_String1="timeout", _String2="POPD") returned 4
[0204.723] _wcsicmp (_String1="timeout", _String2="ASSOC") returned 19
[0204.723] _wcsicmp (_String1="timeout", _String2="FTYPE") returned 14
[0204.723] _wcsicmp (_String1="timeout", _String2="BREAK") returned 18
[0204.723] _wcsicmp (_String1="timeout", _String2="COLOR") returned 17
[0204.723] _wcsicmp (_String1="timeout", _String2="MKLINK") returned 7
[0204.723] _wcsicmp (_String1="timeout", _String2="DIR") returned 16
[0204.723] _wcsicmp (_String1="timeout", _String2="ERASE") returned 15
[0204.723] _wcsicmp (_String1="timeout", _String2="DEL") returned 16
[0204.723] _wcsicmp (_String1="timeout", _String2="TYPE") returned -16
[0204.723] _wcsicmp (_String1="timeout", _String2="COPY") returned 17
[0204.723] _wcsicmp (_String1="timeout", _String2="CD") returned 17
[0204.723] _wcsicmp (_String1="timeout", _String2="CHDIR") returned 17
[0204.723] _wcsicmp (_String1="timeout", _String2="RENAME") returned 2
[0204.723] _wcsicmp (_String1="timeout", _String2="REN") returned 2
[0204.723] _wcsicmp (_String1="timeout", _String2="ECHO") returned 15
[0204.723] _wcsicmp (_String1="timeout", _String2="SET") returned 1
[0204.723] _wcsicmp (_String1="timeout", _String2="PAUSE") returned 4
[0204.724] _wcsicmp (_String1="timeout", _String2="DATE") returned 16
[0204.724] _wcsicmp (_String1="timeout", _String2="TIME") returned 111
[0204.724] _wcsicmp (_String1="timeout", _String2="PROMPT") returned 4
[0204.724] _wcsicmp (_String1="timeout", _String2="MD") returned 7
[0204.724] _wcsicmp (_String1="timeout", _String2="MKDIR") returned 7
[0204.724] _wcsicmp (_String1="timeout", _String2="RD") returned 2
[0204.724] _wcsicmp (_String1="timeout", _String2="RMDIR") returned 2
[0204.724] _wcsicmp (_String1="timeout", _String2="PATH") returned 4
[0204.724] _wcsicmp (_String1="timeout", _String2="GOTO") returned 13
[0204.724] _wcsicmp (_String1="timeout", _String2="SHIFT") returned 1
[0204.724] _wcsicmp (_String1="timeout", _String2="CLS") returned 17
[0204.724] _wcsicmp (_String1="timeout", _String2="CALL") returned 17
[0204.724] _wcsicmp (_String1="timeout", _String2="VERIFY") returned -2
[0204.724] _wcsicmp (_String1="timeout", _String2="VER") returned -2
[0204.724] _wcsicmp (_String1="timeout", _String2="VOL") returned -2
[0204.724] _wcsicmp (_String1="timeout", _String2="EXIT") returned 15
[0204.724] _wcsicmp (_String1="timeout", _String2="SETLOCAL") returned 1
[0204.724] _wcsicmp (_String1="timeout", _String2="ENDLOCAL") returned 15
[0204.724] _wcsicmp (_String1="timeout", _String2="TITLE") returned -7
[0204.724] _wcsicmp (_String1="timeout", _String2="START") returned 1
[0204.724] _wcsicmp (_String1="timeout", _String2="DPATH") returned 16
[0204.724] _wcsicmp (_String1="timeout", _String2="KEYS") returned 9
[0204.724] _wcsicmp (_String1="timeout", _String2="MOVE") returned 7
[0204.724] _wcsicmp (_String1="timeout", _String2="PUSHD") returned 4
[0204.724] _wcsicmp (_String1="timeout", _String2="POPD") returned 4
[0204.724] _wcsicmp (_String1="timeout", _String2="ASSOC") returned 19
[0204.725] _wcsicmp (_String1="timeout", _String2="FTYPE") returned 14
[0204.725] _wcsicmp (_String1="timeout", _String2="BREAK") returned 18
[0204.725] _wcsicmp (_String1="timeout", _String2="COLOR") returned 17
[0204.725] _wcsicmp (_String1="timeout", _String2="MKLINK") returned 7
[0204.725] _wcsicmp (_String1="timeout", _String2="FOR") returned 14
[0204.725] _wcsicmp (_String1="timeout", _String2="IF") returned 11
[0204.725] _wcsicmp (_String1="timeout", _String2="REM") returned 2
[0204.725] GetProcessHeap () returned 0x4530000
[0204.725] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x210) returned 0x4548618
[0204.725] GetProcessHeap () returned 0x4530000
[0204.725] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x20) returned 0x4538e48
[0204.725] _wcsnicmp (_String1="time", _String2="cmd ", _MaxCount=0x4) returned 17
[0204.725] GetProcessHeap () returned 0x4530000
[0204.725] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x418) returned 0x4548830
[0204.725] SetErrorMode (uMode=0x0) returned 0x0
[0204.725] SetErrorMode (uMode=0x1) returned 0x0
[0204.725] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4548838, lpFilePart=0x44fedfc | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpFilePart=0x44fedfc*="Desktop") returned 0x1d
[0204.725] SetErrorMode (uMode=0x0) returned 0x1
[0204.725] GetProcessHeap () returned 0x4530000
[0204.725] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x4548830, Size=0x54) returned 0x4548830
[0204.726] GetProcessHeap () returned 0x4530000
[0204.726] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x4548830) returned 0x54
[0204.726] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63
[0204.726] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1
[0204.726] GetProcessHeap () returned 0x4530000
[0204.726] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x110) returned 0x4548890
[0204.726] GetProcessHeap () returned 0x4530000
[0204.726] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x218) returned 0x45489a8
[0204.726] GetProcessHeap () returned 0x4530000
[0204.726] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x45489a8, Size=0x112) returned 0x45489a8
[0204.726] GetProcessHeap () returned 0x4530000
[0204.726] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x45489a8) returned 0x112
[0204.726] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0204.726] GetProcessHeap () returned 0x4530000
[0204.726] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xe0) returned 0x4548ac8
[0204.726] GetProcessHeap () returned 0x4530000
[0204.726] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x4548ac8, Size=0x76) returned 0x4548ac8
[0204.726] GetProcessHeap () returned 0x4530000
[0204.726] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x4548ac8) returned 0x76
[0204.726] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0204.726] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\timeout.*" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\timeout.*"), fInfoLevelId=0x1, lpFindFileData=0x44feb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44feb88) returned 0xffffffff
[0204.727] GetLastError () returned 0x2
[0204.727] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0204.727] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.*" (normalized: "c:\\windows\\syswow64\\timeout.*"), fInfoLevelId=0x1, lpFindFileData=0x44feb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44feb88) returned 0x4548b48
[0204.727] FindClose (in: hFindFile=0x4548b48 | out: hFindFile=0x4548b48) returned 1
[0204.727] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.COM" (normalized: "c:\\windows\\syswow64\\timeout.com"), fInfoLevelId=0x1, lpFindFileData=0x44feb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44feb88) returned 0xffffffff
[0204.728] GetLastError () returned 0x2
[0204.728] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\timeout.EXE" (normalized: "c:\\windows\\syswow64\\timeout.exe"), fInfoLevelId=0x1, lpFindFileData=0x44feb88, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44feb88) returned 0x4548b48
[0204.728] FindClose (in: hFindFile=0x4548b48 | out: hFindFile=0x4548b48) returned 1
[0204.728] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3
[0204.728] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2
[0204.728] GetConsoleTitleW (in: lpConsoleTitle=0x44ff07c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0204.814] InitializeProcThreadAttributeList (in: lpAttributeList=0x44fefa8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x44fef8c | out: lpAttributeList=0x44fefa8, lpSize=0x44fef8c) returned 1
[0204.814] UpdateProcThreadAttribute (in: lpAttributeList=0x44fefa8, dwFlags=0x0, Attribute=0x60001, lpValue=0x44fef94, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x44fefa8, lpPreviousValue=0x0) returned 1
[0204.814] GetStartupInfoW (in: lpStartupInfo=0x44fefe0 | out: lpStartupInfo=0x44fefe0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0))
[0204.814] GetProcessHeap () returned 0x4530000
[0204.814] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x18) returned 0x45375d8
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11
[0204.814] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18
[0204.815] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20
[0204.815] GetProcessHeap () returned 0x4530000
[0204.815] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x45375d8) returned 1
[0204.815] GetProcessHeap () returned 0x4530000
[0204.815] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xa) returned 0x4547f78
[0204.815] lstrcmpW (lpString1="\\timeout.exe", lpString2="\\XCOPY.EXE") returned -1
[0204.819] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\timeout.exe", lpCommandLine="timeout 3 ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\RDhJ0CNFevzX\\Desktop", lpStartupInfo=0x44fef30*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="timeout 3 ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x44fef7c | out: lpCommandLine="timeout 3 ", lpProcessInformation=0x44fef7c*(hProcess=0xbc, hThread=0xb8, dwProcessId=0x7bc, dwThreadId=0x628)) returned 1
[0205.346] CloseHandle (hObject=0xb8) returned 1
[0205.346] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1
[0205.346] GetProcessHeap () returned 0x4530000
[0205.347] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4539de0) returned 1
[0205.347] GetEnvironmentStringsW () returned 0x4539de0*
[0205.347] GetProcessHeap () returned 0x4530000
[0205.347] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xa76) returned 0x4549038
[0205.347] memcpy (in: _Dst=0x4549038, _Src=0x4539de0, _Size=0xa76 | out: _Dst=0x4549038) returned 0x4549038
[0205.347] FreeEnvironmentStringsA (penv="=") returned 1
[0205.347] WaitForSingleObject (hHandle=0xbc, dwMilliseconds=0xffffffff) returned 0x0
[0210.086] GetExitCodeProcess (in: hProcess=0xbc, lpExitCode=0x44fef14 | out: lpExitCode=0x44fef14*=0x0) returned 1
[0210.087] CloseHandle (hObject=0xbc) returned 1
[0210.087] _vsnwprintf (in: _Buffer=0x44feffc, _BufferCount=0x13, _Format="%08X", _ArgList=0x44fef1c | out: _Buffer="00000000") returned 8
[0210.087] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1
[0210.087] GetProcessHeap () returned 0x4530000
[0210.088] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4549038) returned 1
[0210.088] GetEnvironmentStringsW () returned 0x453b260*
[0210.088] GetProcessHeap () returned 0x4530000
[0210.088] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xa9c) returned 0x453bd08
[0210.088] memcpy (in: _Dst=0x453bd08, _Src=0x453b260, _Size=0xa9c | out: _Dst=0x453bd08) returned 0x453bd08
[0210.088] FreeEnvironmentStringsA (penv="=") returned 1
[0210.088] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1
[0210.088] GetProcessHeap () returned 0x4530000
[0210.089] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x453bd08) returned 1
[0210.089] GetEnvironmentStringsW () returned 0x453b260*
[0210.089] GetProcessHeap () returned 0x4530000
[0210.089] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xa9c) returned 0x453bd08
[0210.089] memcpy (in: _Dst=0x453bd08, _Src=0x453b260, _Size=0xa9c | out: _Dst=0x453bd08) returned 0x453bd08
[0210.089] FreeEnvironmentStringsA (penv="=") returned 1
[0210.089] GetProcessHeap () returned 0x4530000
[0210.089] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4547f78) returned 1
[0210.089] DeleteProcThreadAttributeList (in: lpAttributeList=0x44fefa8 | out: lpAttributeList=0x44fefa8)
[0210.089] _dup2 (_FileHandleSrc=3, _FileHandleDst=1) returned 0
[0210.089] _close (_FileHandle=3) returned 0
[0210.089] _get_osfhandle (_FileHandle=1) returned 0x3c
[0210.089] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
[0210.180] _get_osfhandle (_FileHandle=1) returned 0x3c
[0210.180] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xbf40c | out: lpMode=0xbf40c) returned 1
[0210.229] _get_osfhandle (_FileHandle=0) returned 0x38
[0210.229] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xbf408 | out: lpMode=0xbf408) returned 1
[0210.236] _get_osfhandle (_FileHandle=0) returned 0x38
[0210.236] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1
[0210.270] SetConsoleInputExeNameW () returned 0x1
[0210.270] GetConsoleOutputCP () returned 0x1b5
[0210.288] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbf460 | out: lpCPInfo=0xbf460) returned 1
[0210.305] SetThreadUILanguage (LangId=0x0) returned 0x409
[0210.340] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x44ff73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xb4
[0210.341] _open_osfhandle (_OSFileHandle=0xb4, _Flags=8) returned 3
[0210.341] _get_osfhandle (_FileHandle=3) returned 0xb4
[0210.341] SetFilePointer (in: hFile=0xb4, lDistanceToMove=28, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1c
[0210.341] GetProcessHeap () returned 0x4530000
[0210.341] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548ac8) returned 1
[0210.341] GetProcessHeap () returned 0x4530000
[0210.342] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x45489a8) returned 1
[0210.342] GetProcessHeap () returned 0x4530000
[0210.342] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548890) returned 1
[0210.342] GetProcessHeap () returned 0x4530000
[0210.342] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548830) returned 1
[0210.342] GetProcessHeap () returned 0x4530000
[0210.342] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4538e48) returned 1
[0210.342] GetProcessHeap () returned 0x4530000
[0210.343] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548618) returned 1
[0210.343] GetProcessHeap () returned 0x4530000
[0210.343] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4537518) returned 1
[0210.343] GetProcessHeap () returned 0x4530000
[0210.343] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548598) returned 1
[0210.343] GetProcessHeap () returned 0x4530000
[0210.343] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548478) returned 1
[0210.343] GetProcessHeap () returned 0x4530000
[0210.344] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548360) returned 1
[0210.344] GetProcessHeap () returned 0x4530000
[0210.344] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548300) returned 1
[0210.344] GetProcessHeap () returned 0x4530000
[0210.344] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4547ee8) returned 1
[0210.344] GetProcessHeap () returned 0x4530000
[0210.344] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4530898) returned 1
[0210.344] GetProcessHeap () returned 0x4530000
[0210.344] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548050) returned 1
[0210.344] GetProcessHeap () returned 0x4530000
[0210.344] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4537858) returned 1
[0210.344] GetProcessHeap () returned 0x4530000
[0210.345] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4530a28) returned 1
[0210.345] _get_osfhandle (_FileHandle=3) returned 0xb4
[0210.345] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x1c
[0210.345] ReadFile (in: hFile=0xb4, lpBuffer=0xcb960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x44ff6c4, lpOverlapped=0x0 | out: lpBuffer=0xcb960*, lpNumberOfBytesRead=0x44ff6c4*=0x81, lpOverlapped=0x0) returned 1
[0210.345] SetFilePointer (in: hFile=0xb4, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53
[0210.345] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xcb960, cbMultiByte=55, lpWideCharStr=0xb67e0, cchWideChar=8191 | out: lpWideCharStr="START \"\" \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe\"\r\n") returned 55
[0210.345] _get_osfhandle (_FileHandle=3) returned 0xb4
[0210.345] GetFileType (hFile=0xb4) returned 0x1
[0210.345] _get_osfhandle (_FileHandle=3) returned 0xb4
[0210.345] SetFilePointer (in: hFile=0xb4, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53
[0210.345] GetProcessHeap () returned 0x4530000
[0210.345] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x400a) returned 0x454a560
[0210.346] GetProcessHeap () returned 0x4530000
[0210.346] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x454a560) returned 1
[0210.346] _wcsicmp (_String1="START", _String2=")") returned 74
[0210.346] _wcsicmp (_String1="FOR", _String2="START") returned -13
[0210.346] _wcsicmp (_String1="FOR/?", _String2="START") returned -13
[0210.346] _wcsicmp (_String1="IF", _String2="START") returned -10
[0210.346] _wcsicmp (_String1="IF/?", _String2="START") returned -10
[0210.346] _wcsicmp (_String1="REM", _String2="START") returned -1
[0210.346] _wcsicmp (_String1="REM/?", _String2="START") returned -1
[0210.346] GetProcessHeap () returned 0x4530000
[0210.346] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x58) returned 0x4530a28
[0210.347] GetProcessHeap () returned 0x4530000
[0210.347] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x14) returned 0x45376d8
[0210.347] GetProcessHeap () returned 0x4530000
[0210.347] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x6a) returned 0x4548c78
[0210.347] _tell (_FileHandle=3) returned 83
[0210.347] _close (_FileHandle=3) returned 0
[0210.348] _wcsicmp (_String1="START", _String2="DIR") returned 15
[0210.348] _wcsicmp (_String1="START", _String2="ERASE") returned 14
[0210.348] _wcsicmp (_String1="START", _String2="DEL") returned 15
[0210.348] _wcsicmp (_String1="START", _String2="TYPE") returned -1
[0210.348] _wcsicmp (_String1="START", _String2="COPY") returned 16
[0210.348] _wcsicmp (_String1="START", _String2="CD") returned 16
[0210.348] _wcsicmp (_String1="START", _String2="CHDIR") returned 16
[0210.348] _wcsicmp (_String1="START", _String2="RENAME") returned 1
[0210.348] _wcsicmp (_String1="START", _String2="REN") returned 1
[0210.348] _wcsicmp (_String1="START", _String2="ECHO") returned 14
[0210.348] _wcsicmp (_String1="START", _String2="SET") returned 15
[0210.348] _wcsicmp (_String1="START", _String2="PAUSE") returned 3
[0210.348] _wcsicmp (_String1="START", _String2="DATE") returned 15
[0210.348] _wcsicmp (_String1="START", _String2="TIME") returned -1
[0210.348] _wcsicmp (_String1="START", _String2="PROMPT") returned 3
[0210.348] _wcsicmp (_String1="START", _String2="MD") returned 6
[0210.348] _wcsicmp (_String1="START", _String2="MKDIR") returned 6
[0210.348] _wcsicmp (_String1="START", _String2="RD") returned 1
[0210.348] _wcsicmp (_String1="START", _String2="RMDIR") returned 1
[0210.348] _wcsicmp (_String1="START", _String2="PATH") returned 3
[0210.349] _wcsicmp (_String1="START", _String2="GOTO") returned 12
[0210.349] _wcsicmp (_String1="START", _String2="SHIFT") returned 12
[0210.349] _wcsicmp (_String1="START", _String2="CLS") returned 16
[0210.349] _wcsicmp (_String1="START", _String2="CALL") returned 16
[0210.349] _wcsicmp (_String1="START", _String2="VERIFY") returned -3
[0210.349] _wcsicmp (_String1="START", _String2="VER") returned -3
[0210.349] _wcsicmp (_String1="START", _String2="VOL") returned -3
[0210.349] _wcsicmp (_String1="START", _String2="EXIT") returned 14
[0210.349] _wcsicmp (_String1="START", _String2="SETLOCAL") returned 15
[0210.349] _wcsicmp (_String1="START", _String2="ENDLOCAL") returned 14
[0210.349] _wcsicmp (_String1="START", _String2="TITLE") returned -1
[0210.349] _wcsicmp (_String1="START", _String2="START") returned 0
[0210.349] GetConsoleTitleW (in: lpConsoleTitle=0x44ff2f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0210.383] _wcsicmp (_String1="START", _String2="DIR") returned 15
[0210.383] _wcsicmp (_String1="START", _String2="ERASE") returned 14
[0210.383] _wcsicmp (_String1="START", _String2="DEL") returned 15
[0210.383] _wcsicmp (_String1="START", _String2="TYPE") returned -1
[0210.383] _wcsicmp (_String1="START", _String2="COPY") returned 16
[0210.384] _wcsicmp (_String1="START", _String2="CD") returned 16
[0210.384] _wcsicmp (_String1="START", _String2="CHDIR") returned 16
[0210.394] _wcsicmp (_String1="START", _String2="RENAME") returned 1
[0210.394] _wcsicmp (_String1="START", _String2="REN") returned 1
[0210.394] _wcsicmp (_String1="START", _String2="ECHO") returned 14
[0210.394] _wcsicmp (_String1="START", _String2="SET") returned 15
[0210.394] _wcsicmp (_String1="START", _String2="PAUSE") returned 3
[0210.394] _wcsicmp (_String1="START", _String2="DATE") returned 15
[0210.394] _wcsicmp (_String1="START", _String2="TIME") returned -1
[0210.394] _wcsicmp (_String1="START", _String2="PROMPT") returned 3
[0210.395] _wcsicmp (_String1="START", _String2="MD") returned 6
[0210.395] _wcsicmp (_String1="START", _String2="MKDIR") returned 6
[0210.395] _wcsicmp (_String1="START", _String2="RD") returned 1
[0210.395] _wcsicmp (_String1="START", _String2="RMDIR") returned 1
[0210.395] _wcsicmp (_String1="START", _String2="PATH") returned 3
[0210.395] _wcsicmp (_String1="START", _String2="GOTO") returned 12
[0210.395] _wcsicmp (_String1="START", _String2="SHIFT") returned 12
[0210.395] _wcsicmp (_String1="START", _String2="CLS") returned 16
[0210.395] _wcsicmp (_String1="START", _String2="CALL") returned 16
[0210.395] _wcsicmp (_String1="START", _String2="VERIFY") returned -3
[0210.395] _wcsicmp (_String1="START", _String2="VER") returned -3
[0210.395] _wcsicmp (_String1="START", _String2="VOL") returned -3
[0210.395] _wcsicmp (_String1="START", _String2="EXIT") returned 14
[0210.395] _wcsicmp (_String1="START", _String2="SETLOCAL") returned 15
[0210.395] _wcsicmp (_String1="START", _String2="ENDLOCAL") returned 14
[0210.395] _wcsicmp (_String1="START", _String2="TITLE") returned -1
[0210.395] _wcsicmp (_String1="START", _String2="START") returned 0
[0210.395] GetProcessHeap () returned 0x4530000
[0210.395] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xcc) returned 0x4548cf0
[0210.395] GetProcessHeap () returned 0x4530000
[0210.395] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x4548cf0, Size=0x6a) returned 0x4548cf0
[0210.395] GetProcessHeap () returned 0x4530000
[0210.395] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x4548cf0) returned 0x6a
[0210.395] GetProcessHeap () returned 0x4530000
[0210.395] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x76) returned 0x4538778
[0210.397] GetStdHandle (nStdHandle=0xfffffff6) returned 0x38
[0210.397] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0210.397] GetStdHandle (nStdHandle=0xfffffff4) returned 0x40
[0210.400] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="DIR") returned -1
[0210.400] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="ERASE") returned -2
[0210.400] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="DEL") returned -1
[0210.400] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="TYPE") returned -17
[0210.400] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="COPY") returned -53
[0210.400] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="CD") returned -42
[0210.400] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="CHDIR") returned -46
[0210.400] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="RENAME") returned -15
[0210.400] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="REN") returned -15
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="ECHO") returned -2
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="SET") returned -16
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="PAUSE") returned -13
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="DATE") returned -1
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="TIME") returned -17
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="PROMPT") returned -13
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="MD") returned -10
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="MKDIR") returned -10
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="RD") returned -15
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="RMDIR") returned -15
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="PATH") returned -13
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="GOTO") returned -4
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="SHIFT") returned -16
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="CLS") returned -50
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="CALL") returned -39
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="VERIFY") returned -19
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="VER") returned -19
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="VOL") returned -19
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="EXIT") returned -2
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="SETLOCAL") returned -16
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="ENDLOCAL") returned -2
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="TITLE") returned -17
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="START") returned -16
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="DPATH") returned -1
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="KEYS") returned -8
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="MOVE") returned -10
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="PUSHD") returned -13
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="POPD") returned -13
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="ASSOC") returned 2
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="FTYPE") returned -3
[0210.401] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="BREAK") returned 1
[0210.402] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="COLOR") returned -53
[0210.402] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="MKLINK") returned -10
[0210.402] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="FOR") returned -3
[0210.402] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="IF") returned -6
[0210.402] _wcsicmp (_String1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", _String2="REM") returned -15
[0210.402] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51
[0210.402] GetProcessHeap () returned 0x4530000
[0210.402] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x418) returned 0x4548300
[0210.402] SetErrorMode (uMode=0x0) returned 0x0
[0210.402] SetErrorMode (uMode=0x1) returned 0x0
[0210.402] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.", nBufferLength=0x208, lpBuffer=0x4548308, lpFilePart=0x44e2b24 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpFilePart=0x44e2b24*="Roaming") returned 0x25
[0210.402] SetErrorMode (uMode=0x0) returned 0x1
[0210.402] GetProcessHeap () returned 0x4530000
[0210.402] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x4548300, Size=0x5e) returned 0x4548300
[0210.402] GetProcessHeap () returned 0x4530000
[0210.402] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x4548300) returned 0x5e
[0210.402] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.") returned 1
[0210.402] GetProcessHeap () returned 0x4530000
[0210.402] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x5a) returned 0x4548d68
[0210.402] GetProcessHeap () returned 0x4530000
[0210.402] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xa8) returned 0x4548dd0
[0210.402] GetProcessHeap () returned 0x4530000
[0210.402] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x4548dd0, Size=0x5a) returned 0x4548dd0
[0210.402] GetProcessHeap () returned 0x4530000
[0210.403] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x4548dd0) returned 0x5a
[0210.403] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xbf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35
[0210.403] GetProcessHeap () returned 0x4530000
[0210.403] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xe0) returned 0x4548368
[0210.403] GetProcessHeap () returned 0x4530000
[0210.403] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x4548368, Size=0x76) returned 0x4548368
[0210.403] GetProcessHeap () returned 0x4530000
[0210.403] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x4548368) returned 0x76
[0210.403] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0210.403] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\.exe"), fInfoLevelId=0x1, lpFindFileData=0x44e28d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x44e28d0) returned 0x4548e38
[0210.403] FindClose (in: hFindFile=0x4548e38 | out: hFindFile=0x4548e38) returned 1
[0210.404] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2
[0210.404] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3
[0210.404] GetStartupInfoW (in: lpStartupInfo=0x44e2e28 | out: lpStartupInfo=0x44e2e28*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0))
[0210.404] InitializeProcThreadAttributeList (in: lpAttributeList=0x0, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x44e2dc4 | out: lpAttributeList=0x0, lpSize=0x44e2dc4) returned 0
[0210.404] GetLastError () returned 0x7a
[0210.404] GetProcessHeap () returned 0x4530000
[0210.404] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x2c) returned 0x4548e38
[0210.404] InitializeProcThreadAttributeList (in: lpAttributeList=0x4548e38, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x44e2dc4 | out: lpAttributeList=0x4548e38, lpSize=0x44e2dc4) returned 1
[0210.404] UpdateProcThreadAttribute (in: lpAttributeList=0x4548e38, dwFlags=0x0, Attribute=0x60001, lpValue=0x44e2ddc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x4548e38, lpPreviousValue=0x0) returned 1
[0210.404] CreateProcessW (in: lpApplicationName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe", lpCommandLine="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80410, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x44e2de0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x38, hStdOutput=0x3c, hStdError=0x40), lpProcessInformation=0x44e2dcc | out: lpCommandLine="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe\" ", lpProcessInformation=0x44e2dcc*(hProcess=0xbc, hThread=0xb4, dwProcessId=0xae4, dwThreadId=0x79c)) returned 1
[0210.501] DeleteProcThreadAttributeList (in: lpAttributeList=0x4548e38 | out: lpAttributeList=0x4548e38)
[0210.501] GetProcessHeap () returned 0x4530000
[0210.502] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548e38) returned 1
[0210.502] GetLastError () returned 0x0
[0210.502] ResumeThread (hThread=0xb4) returned 0x0
[0210.502] CloseHandle (hObject=0xb4) returned 1
[0210.502] CloseHandle (hObject=0xbc) returned 1
[0210.502] _get_osfhandle (_FileHandle=1) returned 0x3c
[0210.502] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
[0210.674] _get_osfhandle (_FileHandle=1) returned 0x3c
[0210.674] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xbf40c | out: lpMode=0xbf40c) returned 1
[0210.866] _get_osfhandle (_FileHandle=0) returned 0x38
[0210.866] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xbf408 | out: lpMode=0xbf408) returned 1
[0210.992] SetConsoleInputExeNameW () returned 0x1
[0210.992] GetConsoleOutputCP () returned 0x1b5
[0211.168] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbf460 | out: lpCPInfo=0xbf460) returned 1
[0211.168] SetThreadUILanguage (LangId=0x0) returned 0x409
[0211.368] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x44ff73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xbc
[0211.369] _open_osfhandle (_OSFileHandle=0xbc, _Flags=8) returned 3
[0211.369] _get_osfhandle (_FileHandle=3) returned 0xbc
[0211.369] SetFilePointer (in: hFile=0xbc, lDistanceToMove=83, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x53
[0211.369] GetProcessHeap () returned 0x4530000
[0211.369] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548368) returned 1
[0211.369] GetProcessHeap () returned 0x4530000
[0211.370] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548dd0) returned 1
[0211.370] GetProcessHeap () returned 0x4530000
[0211.370] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548d68) returned 1
[0211.370] GetProcessHeap () returned 0x4530000
[0211.370] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548300) returned 1
[0211.370] GetProcessHeap () returned 0x4530000
[0211.371] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4538778) returned 1
[0211.371] GetProcessHeap () returned 0x4530000
[0211.371] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548cf0) returned 1
[0211.371] GetProcessHeap () returned 0x4530000
[0211.371] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548c78) returned 1
[0211.371] GetProcessHeap () returned 0x4530000
[0211.371] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x45376d8) returned 1
[0211.371] GetProcessHeap () returned 0x4530000
[0211.371] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4530a28) returned 1
[0211.372] _get_osfhandle (_FileHandle=3) returned 0xbc
[0211.372] SetFilePointer (in: hFile=0xbc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x53
[0211.372] ReadFile (in: hFile=0xbc, lpBuffer=0xcb960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x44ff6c4, lpOverlapped=0x0 | out: lpBuffer=0xcb960*, lpNumberOfBytesRead=0x44ff6c4*=0x4a, lpOverlapped=0x0) returned 1
[0211.372] SetFilePointer (in: hFile=0xbc, lDistanceToMove=129, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81
[0211.372] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xcb960, cbMultiByte=46, lpWideCharStr=0xb67e0, cchWideChar=8191 | out: lpWideCharStr="CD C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\\r\ng\\.exe\"\r\n") returned 46
[0211.372] _get_osfhandle (_FileHandle=3) returned 0xbc
[0211.372] GetFileType (hFile=0xbc) returned 0x1
[0211.372] _get_osfhandle (_FileHandle=3) returned 0xbc
[0211.372] SetFilePointer (in: hFile=0xbc, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81
[0211.372] GetProcessHeap () returned 0x4530000
[0211.372] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x400a) returned 0x454a560
[0211.372] GetProcessHeap () returned 0x4530000
[0211.373] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x454a560) returned 1
[0211.373] _wcsicmp (_String1="CD", _String2=")") returned 58
[0211.373] _wcsicmp (_String1="FOR", _String2="CD") returned 3
[0211.373] _wcsicmp (_String1="FOR/?", _String2="CD") returned 3
[0211.373] _wcsicmp (_String1="IF", _String2="CD") returned 6
[0211.373] _wcsicmp (_String1="IF/?", _String2="CD") returned 6
[0211.373] _wcsicmp (_String1="REM", _String2="CD") returned 15
[0211.373] _wcsicmp (_String1="REM/?", _String2="CD") returned 15
[0211.373] GetProcessHeap () returned 0x4530000
[0211.373] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x58) returned 0x4530a28
[0211.373] GetProcessHeap () returned 0x4530000
[0211.373] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xe) returned 0x45480b0
[0211.374] GetProcessHeap () returned 0x4530000
[0211.374] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x5e) returned 0x453a7e8
[0211.374] _tell (_FileHandle=3) returned 129
[0211.374] _close (_FileHandle=3) returned 0
[0211.374] _wcsicmp (_String1="CD", _String2="DIR") returned -1
[0211.374] _wcsicmp (_String1="CD", _String2="ERASE") returned -2
[0211.374] _wcsicmp (_String1="CD", _String2="DEL") returned -1
[0211.374] _wcsicmp (_String1="CD", _String2="TYPE") returned -17
[0211.374] _wcsicmp (_String1="CD", _String2="COPY") returned -11
[0211.375] _wcsicmp (_String1="CD", _String2="CD") returned 0
[0211.375] GetConsoleTitleW (in: lpConsoleTitle=0x44ff2f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0211.555] _wcsicmp (_String1="CD", _String2="DIR") returned -1
[0211.555] _wcsicmp (_String1="CD", _String2="ERASE") returned -2
[0211.555] _wcsicmp (_String1="CD", _String2="DEL") returned -1
[0211.555] _wcsicmp (_String1="CD", _String2="TYPE") returned -17
[0211.555] _wcsicmp (_String1="CD", _String2="COPY") returned -11
[0211.555] _wcsicmp (_String1="CD", _String2="CD") returned 0
[0211.555] GetProcessHeap () returned 0x4530000
[0211.555] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xb4) returned 0x4548c78
[0211.555] GetProcessHeap () returned 0x4530000
[0211.555] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x4548c78, Size=0x5e) returned 0x4548c78
[0211.555] GetProcessHeap () returned 0x4530000
[0211.555] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x4548c78) returned 0x5e
[0211.555] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0211.555] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3
[0211.556] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x44ff0a8, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x44ff0a0, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x44ff0a0*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1
[0211.556] GetProcessHeap () returned 0x4530000
[0211.556] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x64) returned 0x4548ce0
[0211.556] GetProcessHeap () returned 0x4530000
[0211.556] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xb4) returned 0x453c7d8
[0211.556] GetProcessHeap () returned 0x4530000
[0211.556] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x453c7d8, Size=0x5e) returned 0x4548d50
[0211.556] GetProcessHeap () returned 0x4530000
[0211.556] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x4548d50) returned 0x5e
[0211.556] _wcsnicmp (_String1="C:", _String2="/D", _MaxCount=0x2) returned 52
[0211.556] GetProcessHeap () returned 0x4530000
[0211.556] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x5c) returned 0x4548db8
[0211.556] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x44fee4c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop") returned 0x1d
[0211.557] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x104, lpBuffer=0x44fee4c, lpFilePart=0x44fee44 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x44fee44*=0x0) returned 0x29
[0211.557] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp")) returned 0x10
[0211.557] FindFirstFileW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), lpFindFileData=0x44febc8 | out: lpFindFileData=0x44febc8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x3ce179de, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3ce179de, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x4548780
[0211.557] FindClose (in: hFindFile=0x4548780 | out: hFindFile=0x4548780) returned 1
[0211.557] memcpy (in: _Dst=0x44fee52, _Src=0x44febf4, _Size=0xa | out: _Dst=0x44fee52) returned 0x44fee52
[0211.557] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX" (normalized: "c:\\users\\rdhj0cnfevzx"), lpFindFileData=0x44febc8 | out: lpFindFileData=0x44febc8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3ce179de, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x84ac775d, ftLastAccessTime.dwHighDateTime=0x1d70074, ftLastWriteTime.dwLowDateTime=0x84ac775d, ftLastWriteTime.dwHighDateTime=0x1d70074, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RDhJ0CNFevzX", cAlternateFileName="RDHJ0C~1")) returned 0x4548780
[0211.557] FindClose (in: hFindFile=0x4548780 | out: hFindFile=0x4548780) returned 1
[0211.557] _wcsnicmp (_String1="RDHJ0C~1", _String2="RDhJ0CNFevzX", _MaxCount=0xc) returned 16
[0211.557] memcpy (in: _Dst=0x44fee5e, _Src=0x44febf4, _Size=0x18 | out: _Dst=0x44fee5e) returned 0x44fee5e
[0211.557] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata"), lpFindFileData=0x44febc8 | out: lpFindFileData=0x44febc8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x3ced6473, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x3d39b021, ftLastAccessTime.dwHighDateTime=0x1d70068, ftLastWriteTime.dwLowDateTime=0x3d39b021, ftLastWriteTime.dwHighDateTime=0x1d70068, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 0x4548780
[0211.664] FindClose (in: hFindFile=0x4548780 | out: hFindFile=0x4548780) returned 1
[0211.665] memcpy (in: _Dst=0x44fee78, _Src=0x44febf4, _Size=0xe | out: _Dst=0x44fee78) returned 0x44fee78
[0211.665] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local"), lpFindFileData=0x44febc8 | out: lpFindFileData=0x44febc8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x50b344cd, ftLastAccessTime.dwHighDateTime=0x1d8a64c, ftLastWriteTime.dwLowDateTime=0x50b344cd, ftLastWriteTime.dwHighDateTime=0x1d8a64c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Local", cAlternateFileName="")) returned 0x4548780
[0211.665] FindClose (in: hFindFile=0x4548780 | out: hFindFile=0x4548780) returned 1
[0211.665] memcpy (in: _Dst=0x44fee88, _Src=0x44febf4, _Size=0xa | out: _Dst=0x44fee88) returned 0x44fee88
[0211.665] FindFirstFileW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp"), lpFindFileData=0x44febc8 | out: lpFindFileData=0x44febc8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3cefc6a2, ftCreationTime.dwHighDateTime=0x1d70068, ftLastAccessTime.dwLowDateTime=0x1b312bf0, ftLastAccessTime.dwHighDateTime=0x1d8a906, ftLastWriteTime.dwLowDateTime=0x1b312bf0, ftLastWriteTime.dwHighDateTime=0x1d8a906, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 0x4548780
[0211.665] FindClose (in: hFindFile=0x4548780 | out: hFindFile=0x4548780) returned 1
[0211.665] memcpy (in: _Dst=0x44fee94, _Src=0x44febf4, _Size=0x8 | out: _Dst=0x44fee94) returned 0x44fee94
[0211.665] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp")) returned 0x10
[0211.665] SetCurrentDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp")) returned 1
[0211.665] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned 1
[0211.665] GetProcessHeap () returned 0x4530000
[0211.666] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x453bd08) returned 1
[0211.666] GetEnvironmentStringsW () returned 0x453b260*
[0211.666] GetProcessHeap () returned 0x4530000
[0211.666] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0xab2) returned 0x453e278
[0211.666] memcpy (in: _Dst=0x453e278, _Src=0x453b260, _Size=0xab2 | out: _Dst=0x453e278) returned 0x453e278
[0211.666] FreeEnvironmentStringsA (penv="=") returned 1
[0211.666] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xc7720 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned 0x28
[0211.666] GetProcessHeap () returned 0x4530000
[0211.666] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548db8) returned 1
[0211.666] _get_osfhandle (_FileHandle=1) returned 0x3c
[0211.666] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
[0211.868] _get_osfhandle (_FileHandle=1) returned 0x3c
[0211.868] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xbf40c | out: lpMode=0xbf40c) returned 1
[0211.985] _get_osfhandle (_FileHandle=0) returned 0x38
[0211.985] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xbf408 | out: lpMode=0xbf408) returned 1
[0212.160] SetConsoleInputExeNameW () returned 0x1
[0212.160] GetConsoleOutputCP () returned 0x1b5
[0212.322] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbf460 | out: lpCPInfo=0xbf460) returned 1
[0212.322] SetThreadUILanguage (LangId=0x0) returned 0x409
[0212.441] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x44ff73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x28
[0212.441] _open_osfhandle (_OSFileHandle=0x28, _Flags=8) returned 3
[0212.441] _get_osfhandle (_FileHandle=3) returned 0x28
[0212.441] SetFilePointer (in: hFile=0x28, lDistanceToMove=129, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x81
[0212.441] GetProcessHeap () returned 0x4530000
[0212.442] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548d50) returned 1
[0212.442] GetProcessHeap () returned 0x4530000
[0212.442] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548ce0) returned 1
[0212.442] GetProcessHeap () returned 0x4530000
[0212.442] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548c78) returned 1
[0212.442] GetProcessHeap () returned 0x4530000
[0212.442] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x453a7e8) returned 1
[0212.442] GetProcessHeap () returned 0x4530000
[0212.443] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x45480b0) returned 1
[0212.443] GetProcessHeap () returned 0x4530000
[0212.443] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4530a28) returned 1
[0212.443] _get_osfhandle (_FileHandle=3) returned 0x28
[0212.443] SetFilePointer (in: hFile=0x28, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x81
[0212.443] ReadFile (in: hFile=0x28, lpBuffer=0xcb960, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x44ff6c4, lpOverlapped=0x0 | out: lpBuffer=0xcb960*, lpNumberOfBytesRead=0x44ff6c4*=0x1c, lpOverlapped=0x0) returned 1
[0212.444] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0xcb960, cbMultiByte=28, lpWideCharStr=0xb67e0, cchWideChar=8191 | out: lpWideCharStr="DEL \"tmpDAB.tmp.bat\" /f /q\r\nData\\Local\\Temp\\\r\ng\\.exe\"\r\n") returned 28
[0212.444] _get_osfhandle (_FileHandle=3) returned 0x28
[0212.444] GetFileType (hFile=0x28) returned 0x1
[0212.444] _get_osfhandle (_FileHandle=3) returned 0x28
[0212.444] SetFilePointer (in: hFile=0x28, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9d
[0212.444] GetProcessHeap () returned 0x4530000
[0212.444] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x400a) returned 0x4549508
[0212.444] GetProcessHeap () returned 0x4530000
[0212.444] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4549508) returned 1
[0212.445] _wcsicmp (_String1="DEL", _String2=")") returned 59
[0212.445] _wcsicmp (_String1="FOR", _String2="DEL") returned 2
[0212.445] _wcsicmp (_String1="FOR/?", _String2="DEL") returned 2
[0212.445] _wcsicmp (_String1="IF", _String2="DEL") returned 5
[0212.445] _wcsicmp (_String1="IF/?", _String2="DEL") returned 5
[0212.445] _wcsicmp (_String1="REM", _String2="DEL") returned 14
[0212.445] _wcsicmp (_String1="REM/?", _String2="DEL") returned 14
[0212.445] GetProcessHeap () returned 0x4530000
[0212.445] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x58) returned 0x4530a28
[0212.445] GetProcessHeap () returned 0x4530000
[0212.455] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x10) returned 0x4547f48
[0212.455] GetProcessHeap () returned 0x4530000
[0212.455] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x38) returned 0x4548780
[0212.456] _tell (_FileHandle=3) returned 157
[0212.456] _close (_FileHandle=3) returned 0
[0212.456] _wcsicmp (_String1="DEL", _String2="DIR") returned -4
[0212.456] _wcsicmp (_String1="DEL", _String2="ERASE") returned -1
[0212.456] _wcsicmp (_String1="DEL", _String2="DEL") returned 0
[0212.456] GetConsoleTitleW (in: lpConsoleTitle=0x44ff2f0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b
[0212.587] _wcsicmp (_String1="DEL", _String2="DIR") returned -4
[0212.587] _wcsicmp (_String1="DEL", _String2="ERASE") returned -1
[0212.587] _wcsicmp (_String1="DEL", _String2="DEL") returned 0
[0212.587] GetProcessHeap () returned 0x4530000
[0212.587] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x68) returned 0x453a7e8
[0212.587] GetProcessHeap () returned 0x4530000
[0212.587] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x453a7e8, Size=0x3c) returned 0x453a7e8
[0212.587] GetProcessHeap () returned 0x4530000
[0212.587] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x453a7e8) returned 0x3c
[0212.587] GetProcessHeap () returned 0x4530000
[0212.587] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x40) returned 0x4548af0
[0212.587] GetProcessHeap () returned 0x4530000
[0212.587] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x68) returned 0x45322b8
[0212.587] GetProcessHeap () returned 0x4530000
[0212.587] RtlReAllocateHeap (Heap=0x4530000, Flags=0x0, Ptr=0x45322b8, Size=0x3c) returned 0x45322b8
[0212.588] GetProcessHeap () returned 0x4530000
[0212.588] RtlSizeHeap (HeapHandle=0x4530000, Flags=0x0, MemoryPointer=0x45322b8) returned 0x3c
[0212.588] GetProcessHeap () returned 0x4530000
[0212.588] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x26) returned 0x453a830
[0212.588] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x44ff098 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned 0x28
[0212.588] GetProcessHeap () returned 0x4530000
[0212.588] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x38) returned 0x4532300
[0212.588] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x44fe108 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned 0x28
[0212.588] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x44fe33c, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x44fe340, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x44fe33c*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1
[0212.588] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8
[0212.588] GetProcessHeap () returned 0x4530000
[0212.588] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x2c) returned 0x4532340
[0212.588] GetProcessHeap () returned 0x4530000
[0212.588] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x258) returned 0x4548c78
[0212.589] _wcsicmp (_String1="tmpDAB.tmp.bat", _String2=".") returned 70
[0212.589] _wcsicmp (_String1="tmpDAB.tmp.bat", _String2="..") returned 70
[0212.589] GetFileAttributesW (lpFileName="tmpDAB.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat")) returned 0x20
[0212.589] GetProcessHeap () returned 0x4530000
[0212.589] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x210) returned 0x4548300
[0212.589] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4548308 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp") returned 0x28
[0212.589] SetErrorMode (uMode=0x0) returned 0x0
[0212.589] SetErrorMode (uMode=0x1) returned 0x0
[0212.590] GetFullPathNameW (in: lpFileName="tmpDAB.tmp.bat", nBufferLength=0x104, lpBuffer=0x44fe768, lpFilePart=0x44fe73c | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat", lpFilePart=0x44fe73c*="tmpDAB.tmp.bat") returned 0x37
[0212.590] SetErrorMode (uMode=0x0) returned 0x1
[0212.590] GetProcessHeap () returned 0x4530000
[0212.590] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x258) returned 0x453ed38
[0212.590] _wcsicmp (_String1="tmpDAB.tmp.bat", _String2=".") returned 70
[0212.590] _wcsicmp (_String1="tmpDAB.tmp.bat", _String2="..") returned 70
[0212.590] GetFileAttributesW (lpFileName="tmpDAB.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat")) returned 0x20
[0212.590] GetProcessHeap () returned 0x4530000
[0212.590] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x26) returned 0x4530fc0
[0212.590] GetProcessHeap () returned 0x4530000
[0212.590] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x5a) returned 0x4548518
[0212.590] GetProcessHeap () returned 0x4530000
[0212.590] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x5a) returned 0x4548580
[0212.590] GetProcessHeap () returned 0x4530000
[0212.590] RtlAllocateHeap (HeapHandle=0x4530000, Flags=0x8, Size=0x808) returned 0x453ef98
[0212.590] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat"), fInfoLevelId=0x0, lpFindFileData=0x453efa4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x453efa4) returned 0x45485e8
[0212.590] RtlDosPathNameToRelativeNtPathName_U_WithStatus () returned 0x0
[0212.590] NtOpenFile (in: FileHandle=0x44fe63c, DesiredAccess=0x10000, ObjectAttributes=0x44fe604*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x44fe62c, ShareAccess=0x4, OpenOptions=0x5040 | out: FileHandle=0x44fe63c*=0xb4, IoStatusBlock=0x44fe62c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0
[0212.591] RtlReleaseRelativeName () returned 0x44fe61c
[0212.591] RtlFreeAnsiString (AnsiString="\\")
[0212.591] NtQueryVolumeInformationFile (in: FileHandle=0xb4, IoStatusBlock=0x44fe568, FsInformation=0x44fe570, Length=0x8, FsInformationClass=0x4 | out: IoStatusBlock=0x44fe568, FsInformation=0x44fe570) returned 0x0
[0212.591] CloseHandle (hObject=0xb4) returned 1
[0212.592] FindNextFileW (in: hFindFile=0x45485e8, lpFindFileData=0x453efa4 | out: lpFindFileData=0x453efa4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b312bf0, ftCreationTime.dwHighDateTime=0x1d8a906, ftLastAccessTime.dwLowDateTime=0x1b312bf0, ftLastAccessTime.dwHighDateTime=0x1d8a906, ftLastWriteTime.dwLowDateTime=0x1b312bf0, ftLastWriteTime.dwHighDateTime=0x1d8a906, nFileSizeHigh=0x0, nFileSizeLow=0x9d, dwReserved0=0x0, dwReserved1=0x0, cFileName="tmpDAB.tmp.bat", cAlternateFileName="TMPDAB~1.BAT")) returned 0
[0212.593] GetLastError () returned 0x12
[0212.593] FindClose (in: hFindFile=0x45485e8 | out: hFindFile=0x45485e8) returned 1
[0212.593] GetProcessHeap () returned 0x4530000
[0212.594] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x453ef98) returned 1
[0212.594] GetProcessHeap () returned 0x4530000
[0212.594] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548580) returned 1
[0212.594] GetProcessHeap () returned 0x4530000
[0212.595] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4530fc0) returned 1
[0212.595] GetProcessHeap () returned 0x4530000
[0212.595] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548518) returned 1
[0212.595] GetProcessHeap () returned 0x4530000
[0212.596] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x453ed38) returned 1
[0212.596] GetProcessHeap () returned 0x4530000
[0212.596] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548300) returned 1
[0212.597] GetProcessHeap () returned 0x4530000
[0212.597] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4548c78) returned 1
[0212.597] GetProcessHeap () returned 0x4530000
[0212.597] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4532340) returned 1
[0212.598] GetProcessHeap () returned 0x4530000
[0212.598] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x4532300) returned 1
[0212.598] GetProcessHeap () returned 0x4530000
[0212.598] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x453a830) returned 1
[0212.598] GetProcessHeap () returned 0x4530000
[0212.599] RtlFreeHeap (HeapHandle=0x4530000, Flags=0x0, BaseAddress=0x45322b8) returned 1
[0212.599] _get_osfhandle (_FileHandle=1) returned 0x3c
[0212.599] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
[0212.787] _get_osfhandle (_FileHandle=1) returned 0x3c
[0212.787] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xbf40c | out: lpMode=0xbf40c) returned 1
[0212.951] _get_osfhandle (_FileHandle=0) returned 0x38
[0212.951] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xbf408 | out: lpMode=0xbf408) returned 1
[0213.133] SetConsoleInputExeNameW () returned 0x1
[0213.133] GetConsoleOutputCP () returned 0x1b5
[0213.320] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbf460 | out: lpCPInfo=0xbf460) returned 1
[0213.320] SetThreadUILanguage (LangId=0x0) returned 0x409
[0213.477] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpDAB.tmp.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpdab.tmp.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x44ff73c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff
[0213.477] GetLastError () returned 0x2
[0213.477] _get_osfhandle (_FileHandle=2) returned 0x40
[0213.477] GetFileType (hFile=0x40) returned 0x2
[0213.477] GetStdHandle (nStdHandle=0xfffffff4) returned 0x40
[0213.477] GetConsoleMode (in: hConsoleHandle=0x40, lpMode=0x44ff6d4 | out: lpMode=0x44ff6d4) returned 1
[0213.664] _get_osfhandle (_FileHandle=2) returned 0x40
[0213.665] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x40, lpConsoleScreenBufferInfo=0x44ff724 | out: lpConsoleScreenBufferInfo=0x44ff724) returned 1
[0213.821] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0xc7940, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21
[0213.840] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0xc7940, nSize=0x2000, Arguments=0x44ff754 | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21
[0213.840] WriteConsoleW (in: hConsoleOutput=0x40, lpBuffer=0xc7940*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0x44ff708, lpReserved=0x0 | out: lpBuffer=0xc7940*, lpNumberOfCharsWritten=0x44ff708*=0x21) returned 1
[0213.974] CmdBatNotificationStub () returned 0x1
[0213.974] _get_osfhandle (_FileHandle=1) returned 0x3c
[0213.974] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1
[0214.073] _get_osfhandle (_FileHandle=1) returned 0x3c
[0214.073] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xbf40c | out: lpMode=0xbf40c) returned 1
[0214.164] _get_osfhandle (_FileHandle=0) returned 0x38
[0214.164] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xbf408 | out: lpMode=0xbf408) returned 1
[0214.378] SetConsoleInputExeNameW () returned 0x1
[0214.378] GetConsoleOutputCP () returned 0x1b5
[0214.545] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbf460 | out: lpCPInfo=0xbf460) returned 1
[0214.545] SetThreadUILanguage (LangId=0x0) returned 0x409
[0214.739] exit (_Code=1)
Thread:
id = 126
os_tid = 0x5c0
Process:
id = "11"
image_name = "conhost.exe"
filename = "c:\\windows\\system32\\conhost.exe"
page_root = "0x34a58000"
os_pid = "0x860"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "10"
os_parent_pid = "0x320"
cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
cur_dir = "C:\\Windows"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1493
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1494
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1495
start_va = 0x50000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1496
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1497
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1498
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1499
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 1500
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 1501
start_va = 0x7ff637930000
end_va = 0x7ff637940fff
monitored = 0
entry_point = 0x7ff6379316b0
region_type = mapped_file
name = "conhost.exe"
filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")
Region:
id = 1502
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1503
start_va = 0x600000
end_va = 0x8bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 1504
start_va = 0x7ffa15160000
end_va = 0x7ffa1520cfff
monitored = 0
entry_point = 0x7ffa151781a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1505
start_va = 0x7ffa13130000
end_va = 0x7ffa13317fff
monitored = 0
entry_point = 0x7ffa1315ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1512
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1513
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 1514
start_va = 0x90000
end_va = 0x14dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1515
start_va = 0x7ffa13cc0000
end_va = 0x7ffa13d5cfff
monitored = 0
entry_point = 0x7ffa13cc78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1516
start_va = 0x150000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 1517
start_va = 0x190000
end_va = 0x1bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 1532
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1533
start_va = 0x7ffa0a430000
end_va = 0x7ffa0a488fff
monitored = 0
entry_point = 0x7ffa0a43fbf0
region_type = mapped_file
name = "conhostv2.dll"
filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")
Region:
id = 1534
start_va = 0x190000
end_va = 0x190fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 1535
start_va = 0x1b0000
end_va = 0x1bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 1536
start_va = 0x7ffa14340000
end_va = 0x7ffa145bcfff
monitored = 0
entry_point = 0x7ffa14414970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1537
start_va = 0x7ffa145c0000
end_va = 0x7ffa146dbfff
monitored = 0
entry_point = 0x7ffa146002b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1538
start_va = 0x7ffa13320000
end_va = 0x7ffa13389fff
monitored = 0
entry_point = 0x7ffa13356d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1539
start_va = 0x7ffa13d80000
end_va = 0x7ffa13ed5fff
monitored = 0
entry_point = 0x7ffa13d8a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1540
start_va = 0x7ffa13ee0000
end_va = 0x7ffa14065fff
monitored = 0
entry_point = 0x7ffa13f2ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1541
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001a0000"
filename = ""
Region:
id = 1542
start_va = 0x7ffa13b70000
end_va = 0x7ffa13cb2fff
monitored = 0
entry_point = 0x7ffa13b98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1543
start_va = 0x7ffa14070000
end_va = 0x7ffa140cafff
monitored = 0
entry_point = 0x7ffa140838b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1544
start_va = 0x7ffa141e0000
end_va = 0x7ffa1421afff
monitored = 0
entry_point = 0x7ffa141e12f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1545
start_va = 0x7ffa147c0000
end_va = 0x7ffa14880fff
monitored = 0
entry_point = 0x7ffa147e0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1546
start_va = 0x7ffa11220000
end_va = 0x7ffa113a5fff
monitored = 0
entry_point = 0x7ffa1126d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 1547
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1548
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1549
start_va = 0x600000
end_va = 0x787fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000600000"
filename = ""
Region:
id = 1550
start_va = 0x7c0000
end_va = 0x8bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007c0000"
filename = ""
Region:
id = 1551
start_va = 0x8c0000
end_va = 0xa40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008c0000"
filename = ""
Region:
id = 1552
start_va = 0xa50000
end_va = 0x1e4ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a50000"
filename = ""
Region:
id = 1553
start_va = 0x1e50000
end_va = 0x200ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e50000"
filename = ""
Region:
id = 1554
start_va = 0x1e50000
end_va = 0x1e8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e50000"
filename = ""
Region:
id = 1555
start_va = 0x2000000
end_va = 0x200ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002000000"
filename = ""
Region:
id = 1556
start_va = 0x7ffa15210000
end_va = 0x7ffa1676efff
monitored = 0
entry_point = 0x7ffa153711f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1557
start_va = 0x7ffa13390000
end_va = 0x7ffa133d2fff
monitored = 0
entry_point = 0x7ffa133a4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1558
start_va = 0x7ffa13520000
end_va = 0x7ffa13b63fff
monitored = 0
entry_point = 0x7ffa136e64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 1559
start_va = 0x7ffa15090000
end_va = 0x7ffa15136fff
monitored = 0
entry_point = 0x7ffa150a58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1560
start_va = 0x7ffa14ba0000
end_va = 0x7ffa14bf1fff
monitored = 0
entry_point = 0x7ffa14baf530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1561
start_va = 0x7ffa12e10000
end_va = 0x7ffa12e1efff
monitored = 0
entry_point = 0x7ffa12e13210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1562
start_va = 0x7ffa12e80000
end_va = 0x7ffa12f34fff
monitored = 0
entry_point = 0x7ffa12ec22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 1563
start_va = 0x7ffa12dc0000
end_va = 0x7ffa12e0afff
monitored = 0
entry_point = 0x7ffa12dc35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 1564
start_va = 0x7ffa12d90000
end_va = 0x7ffa12da3fff
monitored = 0
entry_point = 0x7ffa12d952e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1565
start_va = 0x7ffa11710000
end_va = 0x7ffa117a5fff
monitored = 0
entry_point = 0x7ffa11735570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 1566
start_va = 0x1e90000
end_va = 0x1fdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e90000"
filename = ""
Region:
id = 1577
start_va = 0x2010000
end_va = 0x2346fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1578
start_va = 0x50000
end_va = 0x70fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "cmd.exe.mui"
filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui")
Region:
id = 1579
start_va = 0x1e90000
end_va = 0x1ee9fff
monitored = 1
entry_point = 0x1ea53f0
region_type = mapped_file
name = "cmd.exe"
filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")
Region:
id = 1580
start_va = 0x1fd0000
end_va = 0x1fdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001fd0000"
filename = ""
Region:
id = 1581
start_va = 0x2350000
end_va = 0x2569fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002350000"
filename = ""
Region:
id = 1582
start_va = 0x2570000
end_va = 0x278dfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002570000"
filename = ""
Region:
id = 1583
start_va = 0x1e90000
end_va = 0x1fa6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e90000"
filename = ""
Region:
id = 1584
start_va = 0x2790000
end_va = 0x29aafff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002790000"
filename = ""
Region:
id = 1585
start_va = 0x29b0000
end_va = 0x2ac7fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000029b0000"
filename = ""
Thread:
id = 121
os_tid = 0x954
Thread:
id = 123
os_tid = 0xa68
Thread:
id = 124
os_tid = 0x2c0
Process:
id = "12"
image_name = "schtasks.exe"
filename = "c:\\windows\\syswow64\\schtasks.exe"
page_root = "0x30648000"
os_pid = "0x504"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "8"
os_parent_pid = "0xb5c"
cmd_line = "schtasks /create /f /sc onlogon /rl highest /tn \"\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe\"' "
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1630
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1631
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1632
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1633
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 1634
start_va = 0xa0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 1635
start_va = 0xe0000
end_va = 0xe3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1636
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 1637
start_va = 0x100000
end_va = 0x101fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 1638
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1639
start_va = 0xba0000
end_va = 0xbd1fff
monitored = 1
entry_point = 0xbc05b0
region_type = mapped_file
name = "schtasks.exe"
filename = "\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")
Region:
id = 1640
start_va = 0xbe0000
end_va = 0x4bdffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000be0000"
filename = ""
Region:
id = 1641
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 1642
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 1643
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1644
start_va = 0x7fff0000
end_va = 0x7dfa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 1645
start_va = 0x7dfa16770000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007dfa16770000"
filename = ""
Region:
id = 1646
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1647
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 1650
start_va = 0x110000
end_va = 0x15ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 1651
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 1652
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 1653
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1654
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 1655
start_va = 0x400000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1656
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1657
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 1659
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1660
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 1661
start_va = 0x540000
end_va = 0x5fdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1662
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1663
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 1664
start_va = 0x110000
end_va = 0x14ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000110000"
filename = ""
Region:
id = 1665
start_va = 0x150000
end_va = 0x15ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 1666
start_va = 0x160000
end_va = 0x19ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000160000"
filename = ""
Region:
id = 1667
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 1668
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 1669
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 1670
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 1671
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 1672
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 1673
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 1674
start_va = 0x600000
end_va = 0x68ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 1675
start_va = 0x690000
end_va = 0x779fff
monitored = 0
entry_point = 0x6cd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 1676
start_va = 0x1a0000
end_va = 0x1b2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "schtasks.exe.mui"
filename = "\\Windows\\SysWOW64\\en-US\\schtasks.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\schtasks.exe.mui")
Region:
id = 1677
start_va = 0x690000
end_va = 0x9c6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1679
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 1680
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1681
start_va = 0x74340000
end_va = 0x743c3fff
monitored = 0
entry_point = 0x74366220
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 1682
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001c0000"
filename = ""
Region:
id = 1683
start_va = 0x6a7f0000
end_va = 0x6a87bfff
monitored = 0
entry_point = 0x6a82a6c0
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\SysWOW64\\taskschd.dll" (normalized: "c:\\windows\\syswow64\\taskschd.dll")
Region:
id = 1684
start_va = 0x6f8b0000
end_va = 0x6f8dcfff
monitored = 0
entry_point = 0x6f8c2b00
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll")
Thread:
id = 128
os_tid = 0x674
[0203.941] GetModuleHandleA (lpModuleName=0x0) returned 0xba0000
[0203.941] __set_app_type (_Type=0x1)
[0203.941] __p__fmode () returned 0x76b44d6c
[0203.941] __p__commode () returned 0x76b45b1c
[0203.941] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbc0840) returned 0x0
[0203.942] __wgetmainargs (in: _Argc=0xbcade0, _Argv=0xbcade4, _Env=0xbcade8, _DoWildCard=0, _StartInfo=0xbcadf4 | out: _Argc=0xbcade0, _Argv=0xbcade4, _Env=0xbcade8) returned 0
[0203.942] _onexit (_Func=0xbc2bc0) returned 0xbc2bc0
[0203.943] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0203.943] WinSqmIsOptedIn () returned 0x0
[0203.944] GetProcessHeap () returned 0x440000
[0203.944] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x447450
[0203.944] RtlRestoreLastWin32Error () returned 0x0
[0203.944] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18
[0203.945] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b
[0203.945] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b
[0203.945] RtlVerifyVersionInfo (VersionInfo=0xdf9f8, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0
[0203.945] GetProcessHeap () returned 0x440000
[0203.945] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x447510
[0203.945] lstrlenW (lpString="") returned 0
[0203.945] GetProcessHeap () returned 0x440000
[0203.945] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x2) returned 0x440598
[0203.945] GetProcessHeap () returned 0x440000
[0203.945] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x446f38
[0203.945] GetProcessHeap () returned 0x440000
[0203.945] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x447438
[0203.946] GetProcessHeap () returned 0x440000
[0203.946] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x446d00
[0203.946] GetProcessHeap () returned 0x440000
[0203.946] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x446d20
[0203.946] GetProcessHeap () returned 0x440000
[0203.946] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x446d40
[0203.946] GetProcessHeap () returned 0x440000
[0203.946] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x446930
[0203.946] GetProcessHeap () returned 0x440000
[0203.946] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x447468
[0203.946] GetProcessHeap () returned 0x440000
[0203.946] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x446950
[0203.946] GetProcessHeap () returned 0x440000
[0203.946] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x446970
[0203.946] GetProcessHeap () returned 0x440000
[0203.946] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4466c8
[0203.947] GetProcessHeap () returned 0x440000
[0203.947] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4466e8
[0203.947] GetProcessHeap () returned 0x440000
[0203.947] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x447420
[0203.947] GetProcessHeap () returned 0x440000
[0203.947] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x446708
[0203.947] GetProcessHeap () returned 0x440000
[0203.947] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x442890
[0203.947] GetProcessHeap () returned 0x440000
[0203.947] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4428b0
[0203.947] GetProcessHeap () returned 0x440000
[0203.947] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4428d0
[0203.947] SetThreadUILanguage (LangId=0x0) returned 0x409
[0204.107] RtlRestoreLastWin32Error () returned 0x0
[0204.107] GetProcessHeap () returned 0x440000
[0204.107] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449510
[0204.107] GetProcessHeap () returned 0x440000
[0204.107] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4493b0
[0204.107] GetProcessHeap () returned 0x440000
[0204.107] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449670
[0204.107] GetProcessHeap () returned 0x440000
[0204.107] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449550
[0204.107] GetProcessHeap () returned 0x440000
[0204.107] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4494f0
[0204.107] GetProcessHeap () returned 0x440000
[0204.107] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x447480
[0204.107] _memicmp (_Buf1=0x447480, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.107] GetProcessHeap () returned 0x440000
[0204.107] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x208) returned 0x448d48
[0204.107] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x448d48, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20
[0204.107] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdfb04 | out: lpdwHandle=0xdfb04) returned 0x76c
[0204.111] GetProcessHeap () returned 0x440000
[0204.111] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x776) returned 0x449e20
[0204.111] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x449e20 | out: lpData=0x449e20) returned 1
[0204.111] VerQueryValueW (in: pBlock=0x449e20, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdfb0c, puLen=0xdfb10 | out: lplpBuffer=0xdfb0c*=0x44a1d0, puLen=0xdfb10) returned 1
[0204.113] _memicmp (_Buf1=0x447480, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.113] _vsnwprintf (in: _Buffer=0x448d48, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdfaf0 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0204.113] VerQueryValueW (in: pBlock=0x449e20, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdfb1c, puLen=0xdfb18 | out: lplpBuffer=0xdfb1c*=0x44a000, puLen=0xdfb18) returned 1
[0204.114] lstrlenW (lpString="schtasks.exe") returned 12
[0204.114] lstrlenW (lpString="schtasks.exe") returned 12
[0204.114] lstrlenW (lpString=".EXE") returned 4
[0204.114] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0204.114] lstrlenW (lpString="schtasks.exe") returned 12
[0204.114] lstrlenW (lpString=".EXE") returned 4
[0204.114] _memicmp (_Buf1=0x447480, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.114] lstrlenW (lpString="schtasks") returned 8
[0204.114] GetProcessHeap () returned 0x440000
[0204.114] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4493d0
[0204.114] GetProcessHeap () returned 0x440000
[0204.114] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449530
[0204.114] GetProcessHeap () returned 0x440000
[0204.114] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449730
[0204.114] GetProcessHeap () returned 0x440000
[0204.114] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4496f0
[0204.115] GetProcessHeap () returned 0x440000
[0204.115] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x447498
[0204.115] _memicmp (_Buf1=0x447498, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.115] GetProcessHeap () returned 0x440000
[0204.115] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0xa0) returned 0x446ad0
[0204.115] GetProcessHeap () returned 0x440000
[0204.115] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449570
[0204.115] GetProcessHeap () returned 0x440000
[0204.115] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449710
[0204.115] GetProcessHeap () returned 0x440000
[0204.115] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449590
[0204.115] GetProcessHeap () returned 0x440000
[0204.115] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x4474e0
[0204.115] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.115] GetProcessHeap () returned 0x440000
[0204.115] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x200) returned 0x44a800
[0204.115] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0204.115] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0204.115] GetProcessHeap () returned 0x440000
[0204.115] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x30) returned 0x4464b0
[0204.115] _vsnwprintf (in: _Buffer=0x446ad0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdfaf4 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29
[0204.115] GetProcessHeap () returned 0x440000
[0204.115] GetProcessHeap () returned 0x440000
[0204.116] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449e20) returned 1
[0204.116] GetProcessHeap () returned 0x440000
[0204.116] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449e20) returned 0x776
[0204.116] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449e20) returned 1
[0204.116] RtlRestoreLastWin32Error () returned 0x0
[0204.116] GetThreadLocale () returned 0x409
[0204.116] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.116] lstrlenW (lpString="?") returned 1
[0204.116] GetThreadLocale () returned 0x409
[0204.116] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.116] lstrlenW (lpString="create") returned 6
[0204.116] GetThreadLocale () returned 0x409
[0204.117] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.117] lstrlenW (lpString="delete") returned 6
[0204.117] GetThreadLocale () returned 0x409
[0204.117] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.117] lstrlenW (lpString="query") returned 5
[0204.117] GetThreadLocale () returned 0x409
[0204.117] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.117] lstrlenW (lpString="change") returned 6
[0204.117] GetThreadLocale () returned 0x409
[0204.117] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.117] lstrlenW (lpString="run") returned 3
[0204.117] GetThreadLocale () returned 0x409
[0204.117] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.117] lstrlenW (lpString="end") returned 3
[0204.117] GetThreadLocale () returned 0x409
[0204.117] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.117] lstrlenW (lpString="showsid") returned 7
[0204.117] GetThreadLocale () returned 0x409
[0204.117] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.117] RtlRestoreLastWin32Error () returned 0x0
[0204.117] RtlRestoreLastWin32Error () returned 0x0
[0204.117] lstrlenW (lpString="/create") returned 7
[0204.117] lstrlenW (lpString="-/") returned 2
[0204.117] StrChrIW (lpStart="-/", wMatch=0x68002f) returned="/"
[0204.117] lstrlenW (lpString="?") returned 1
[0204.117] lstrlenW (lpString="?") returned 1
[0204.117] GetProcessHeap () returned 0x440000
[0204.117] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x4474f8
[0204.117] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.117] GetProcessHeap () returned 0x440000
[0204.117] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0xa) returned 0x447528
[0204.117] lstrlenW (lpString="create") returned 6
[0204.117] GetProcessHeap () returned 0x440000
[0204.118] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x447540
[0204.118] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.118] GetProcessHeap () returned 0x440000
[0204.118] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449750
[0204.118] _vsnwprintf (in: _Buffer=0x447528, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0204.118] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0204.118] lstrlenW (lpString="|?|") returned 3
[0204.118] lstrlenW (lpString="|create|") returned 8
[0204.118] RtlRestoreLastWin32Error () returned 0x490
[0204.118] lstrlenW (lpString="create") returned 6
[0204.118] lstrlenW (lpString="create") returned 6
[0204.118] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.118] GetProcessHeap () returned 0x440000
[0204.118] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447528) returned 1
[0204.118] GetProcessHeap () returned 0x440000
[0204.118] RtlReAllocateHeap (Heap=0x440000, Flags=0xc, Ptr=0x447528, Size=0x14) returned 0x4495b0
[0204.118] lstrlenW (lpString="create") returned 6
[0204.118] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.118] _vsnwprintf (in: _Buffer=0x4495b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0204.118] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0204.118] lstrlenW (lpString="|create|") returned 8
[0204.118] lstrlenW (lpString="|create|") returned 8
[0204.118] StrStrIW (lpFirst="|create|", lpSrch="|create|") returned="|create|"
[0204.118] RtlRestoreLastWin32Error () returned 0x0
[0204.118] RtlRestoreLastWin32Error () returned 0x0
[0204.118] RtlRestoreLastWin32Error () returned 0x0
[0204.118] lstrlenW (lpString="/f") returned 2
[0204.118] lstrlenW (lpString="-/") returned 2
[0204.118] StrChrIW (lpStart="-/", wMatch=0x68002f) returned="/"
[0204.118] lstrlenW (lpString="?") returned 1
[0204.118] lstrlenW (lpString="?") returned 1
[0204.119] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.119] lstrlenW (lpString="f") returned 1
[0204.119] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.119] _vsnwprintf (in: _Buffer=0x4495b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0204.119] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3
[0204.119] lstrlenW (lpString="|?|") returned 3
[0204.119] lstrlenW (lpString="|f|") returned 3
[0204.119] StrStrIW (lpFirst="|?|", lpSrch="|f|") returned 0x0
[0204.119] RtlRestoreLastWin32Error () returned 0x490
[0204.119] lstrlenW (lpString="create") returned 6
[0204.119] lstrlenW (lpString="create") returned 6
[0204.119] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.119] lstrlenW (lpString="f") returned 1
[0204.119] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.119] _vsnwprintf (in: _Buffer=0x4495b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0204.119] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3
[0204.119] lstrlenW (lpString="|create|") returned 8
[0204.119] lstrlenW (lpString="|f|") returned 3
[0204.119] StrStrIW (lpFirst="|create|", lpSrch="|f|") returned 0x0
[0204.119] RtlRestoreLastWin32Error () returned 0x490
[0204.119] lstrlenW (lpString="delete") returned 6
[0204.119] lstrlenW (lpString="delete") returned 6
[0204.119] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.119] lstrlenW (lpString="f") returned 1
[0204.119] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.119] _vsnwprintf (in: _Buffer=0x4495b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0204.119] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3
[0204.119] lstrlenW (lpString="|delete|") returned 8
[0204.119] lstrlenW (lpString="|f|") returned 3
[0204.120] StrStrIW (lpFirst="|delete|", lpSrch="|f|") returned 0x0
[0204.120] RtlRestoreLastWin32Error () returned 0x490
[0204.120] lstrlenW (lpString="query") returned 5
[0204.120] lstrlenW (lpString="query") returned 5
[0204.120] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.120] lstrlenW (lpString="f") returned 1
[0204.120] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.120] _vsnwprintf (in: _Buffer=0x4495b0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0204.120] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3
[0204.120] lstrlenW (lpString="|query|") returned 7
[0204.120] lstrlenW (lpString="|f|") returned 3
[0204.120] StrStrIW (lpFirst="|query|", lpSrch="|f|") returned 0x0
[0204.120] RtlRestoreLastWin32Error () returned 0x490
[0204.120] lstrlenW (lpString="change") returned 6
[0204.120] lstrlenW (lpString="change") returned 6
[0204.120] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.120] lstrlenW (lpString="f") returned 1
[0204.120] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.120] _vsnwprintf (in: _Buffer=0x4495b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0204.120] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3
[0204.120] lstrlenW (lpString="|change|") returned 8
[0204.120] lstrlenW (lpString="|f|") returned 3
[0204.120] StrStrIW (lpFirst="|change|", lpSrch="|f|") returned 0x0
[0204.120] RtlRestoreLastWin32Error () returned 0x490
[0204.121] lstrlenW (lpString="run") returned 3
[0204.121] lstrlenW (lpString="run") returned 3
[0204.121] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.121] lstrlenW (lpString="f") returned 1
[0204.121] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.121] _vsnwprintf (in: _Buffer=0x4495b0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0204.121] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3
[0204.121] lstrlenW (lpString="|run|") returned 5
[0204.121] lstrlenW (lpString="|f|") returned 3
[0204.121] StrStrIW (lpFirst="|run|", lpSrch="|f|") returned 0x0
[0204.121] RtlRestoreLastWin32Error () returned 0x490
[0204.121] lstrlenW (lpString="end") returned 3
[0204.121] lstrlenW (lpString="end") returned 3
[0204.121] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.121] lstrlenW (lpString="f") returned 1
[0204.121] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.121] _vsnwprintf (in: _Buffer=0x4495b0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0204.121] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3
[0204.121] lstrlenW (lpString="|end|") returned 5
[0204.121] lstrlenW (lpString="|f|") returned 3
[0204.121] StrStrIW (lpFirst="|end|", lpSrch="|f|") returned 0x0
[0204.121] RtlRestoreLastWin32Error () returned 0x490
[0204.121] lstrlenW (lpString="showsid") returned 7
[0204.121] lstrlenW (lpString="showsid") returned 7
[0204.121] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.121] GetProcessHeap () returned 0x440000
[0204.121] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4495b0) returned 1
[0204.121] GetProcessHeap () returned 0x440000
[0204.121] RtlReAllocateHeap (Heap=0x440000, Flags=0xc, Ptr=0x4495b0, Size=0x16) returned 0x4493f0
[0204.121] lstrlenW (lpString="f") returned 1
[0204.121] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.122] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0204.122] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|f|") returned 3
[0204.122] lstrlenW (lpString="|showsid|") returned 9
[0204.122] lstrlenW (lpString="|f|") returned 3
[0204.122] StrStrIW (lpFirst="|showsid|", lpSrch="|f|") returned 0x0
[0204.122] RtlRestoreLastWin32Error () returned 0x490
[0204.122] RtlRestoreLastWin32Error () returned 0x490
[0204.122] RtlRestoreLastWin32Error () returned 0x0
[0204.122] lstrlenW (lpString="/f") returned 2
[0204.122] StrChrIW (lpStart="/f", wMatch=0x3a) returned 0x0
[0204.122] RtlRestoreLastWin32Error () returned 0x490
[0204.122] RtlRestoreLastWin32Error () returned 0x0
[0204.122] lstrlenW (lpString="/f") returned 2
[0204.122] GetProcessHeap () returned 0x440000
[0204.122] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x6) returned 0x446d60
[0204.122] GetProcessHeap () returned 0x440000
[0204.122] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449610
[0204.122] RtlRestoreLastWin32Error () returned 0x0
[0204.122] RtlRestoreLastWin32Error () returned 0x0
[0204.122] lstrlenW (lpString="/sc") returned 3
[0204.122] lstrlenW (lpString="-/") returned 2
[0204.122] StrChrIW (lpStart="-/", wMatch=0x68002f) returned="/"
[0204.122] lstrlenW (lpString="?") returned 1
[0204.122] lstrlenW (lpString="?") returned 1
[0204.122] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.122] lstrlenW (lpString="sc") returned 2
[0204.122] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.122] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0204.122] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4
[0204.122] lstrlenW (lpString="|?|") returned 3
[0204.122] lstrlenW (lpString="|sc|") returned 4
[0204.122] RtlRestoreLastWin32Error () returned 0x490
[0204.122] lstrlenW (lpString="create") returned 6
[0204.122] lstrlenW (lpString="create") returned 6
[0204.123] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.123] lstrlenW (lpString="sc") returned 2
[0204.123] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.123] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0204.123] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4
[0204.123] lstrlenW (lpString="|create|") returned 8
[0204.123] lstrlenW (lpString="|sc|") returned 4
[0204.123] StrStrIW (lpFirst="|create|", lpSrch="|sc|") returned 0x0
[0204.123] RtlRestoreLastWin32Error () returned 0x490
[0204.123] lstrlenW (lpString="delete") returned 6
[0204.123] lstrlenW (lpString="delete") returned 6
[0204.123] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.123] lstrlenW (lpString="sc") returned 2
[0204.123] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.123] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0204.123] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4
[0204.123] lstrlenW (lpString="|delete|") returned 8
[0204.123] lstrlenW (lpString="|sc|") returned 4
[0204.123] StrStrIW (lpFirst="|delete|", lpSrch="|sc|") returned 0x0
[0204.123] RtlRestoreLastWin32Error () returned 0x490
[0204.123] lstrlenW (lpString="query") returned 5
[0204.123] lstrlenW (lpString="query") returned 5
[0204.123] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.123] lstrlenW (lpString="sc") returned 2
[0204.123] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.123] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0204.123] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4
[0204.123] lstrlenW (lpString="|query|") returned 7
[0204.123] lstrlenW (lpString="|sc|") returned 4
[0204.123] StrStrIW (lpFirst="|query|", lpSrch="|sc|") returned 0x0
[0204.123] RtlRestoreLastWin32Error () returned 0x490
[0204.124] lstrlenW (lpString="change") returned 6
[0204.124] lstrlenW (lpString="change") returned 6
[0204.124] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.124] lstrlenW (lpString="sc") returned 2
[0204.124] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.124] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0204.124] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4
[0204.124] lstrlenW (lpString="|change|") returned 8
[0204.124] lstrlenW (lpString="|sc|") returned 4
[0204.124] StrStrIW (lpFirst="|change|", lpSrch="|sc|") returned 0x0
[0204.124] RtlRestoreLastWin32Error () returned 0x490
[0204.124] lstrlenW (lpString="run") returned 3
[0204.124] lstrlenW (lpString="run") returned 3
[0204.124] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.124] lstrlenW (lpString="sc") returned 2
[0204.124] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.124] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0204.124] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4
[0204.124] lstrlenW (lpString="|run|") returned 5
[0204.124] lstrlenW (lpString="|sc|") returned 4
[0204.124] StrStrIW (lpFirst="|run|", lpSrch="|sc|") returned 0x0
[0204.124] RtlRestoreLastWin32Error () returned 0x490
[0204.124] lstrlenW (lpString="end") returned 3
[0204.124] lstrlenW (lpString="end") returned 3
[0204.124] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.124] lstrlenW (lpString="sc") returned 2
[0204.124] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.124] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0204.124] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4
[0204.125] lstrlenW (lpString="|end|") returned 5
[0204.125] lstrlenW (lpString="|sc|") returned 4
[0204.125] StrStrIW (lpFirst="|end|", lpSrch="|sc|") returned 0x0
[0204.125] RtlRestoreLastWin32Error () returned 0x490
[0204.125] lstrlenW (lpString="showsid") returned 7
[0204.125] lstrlenW (lpString="showsid") returned 7
[0204.125] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.125] lstrlenW (lpString="sc") returned 2
[0204.125] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.125] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0204.125] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|sc|") returned 4
[0204.125] lstrlenW (lpString="|showsid|") returned 9
[0204.125] lstrlenW (lpString="|sc|") returned 4
[0204.125] StrStrIW (lpFirst="|showsid|", lpSrch="|sc|") returned 0x0
[0204.125] RtlRestoreLastWin32Error () returned 0x490
[0204.125] RtlRestoreLastWin32Error () returned 0x490
[0204.125] RtlRestoreLastWin32Error () returned 0x0
[0204.125] lstrlenW (lpString="/sc") returned 3
[0204.125] StrChrIW (lpStart="/sc", wMatch=0x3a) returned 0x0
[0204.125] RtlRestoreLastWin32Error () returned 0x490
[0204.125] RtlRestoreLastWin32Error () returned 0x0
[0204.125] lstrlenW (lpString="/sc") returned 3
[0204.125] GetProcessHeap () returned 0x440000
[0204.125] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x8) returned 0x4464e8
[0204.125] GetProcessHeap () returned 0x440000
[0204.125] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449390
[0204.125] RtlRestoreLastWin32Error () returned 0x0
[0204.125] RtlRestoreLastWin32Error () returned 0x0
[0204.125] lstrlenW (lpString="onlogon") returned 7
[0204.125] lstrlenW (lpString="-/") returned 2
[0204.125] StrChrIW (lpStart="-/", wMatch=0x68006f) returned 0x0
[0204.125] RtlRestoreLastWin32Error () returned 0x490
[0204.125] RtlRestoreLastWin32Error () returned 0x490
[0204.125] RtlRestoreLastWin32Error () returned 0x0
[0204.125] lstrlenW (lpString="onlogon") returned 7
[0204.126] StrChrIW (lpStart="onlogon", wMatch=0x3a) returned 0x0
[0204.126] RtlRestoreLastWin32Error () returned 0x490
[0204.126] RtlRestoreLastWin32Error () returned 0x0
[0204.126] lstrlenW (lpString="onlogon") returned 7
[0204.126] GetProcessHeap () returned 0x440000
[0204.126] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x447528
[0204.126] GetProcessHeap () returned 0x440000
[0204.126] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4495f0
[0204.126] RtlRestoreLastWin32Error () returned 0x0
[0204.126] RtlRestoreLastWin32Error () returned 0x0
[0204.126] lstrlenW (lpString="/rl") returned 3
[0204.126] lstrlenW (lpString="-/") returned 2
[0204.126] StrChrIW (lpStart="-/", wMatch=0x68002f) returned="/"
[0204.126] lstrlenW (lpString="?") returned 1
[0204.126] lstrlenW (lpString="?") returned 1
[0204.126] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.126] lstrlenW (lpString="rl") returned 2
[0204.126] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.126] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0204.126] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4
[0204.126] lstrlenW (lpString="|?|") returned 3
[0204.126] lstrlenW (lpString="|rl|") returned 4
[0204.126] RtlRestoreLastWin32Error () returned 0x490
[0204.126] lstrlenW (lpString="create") returned 6
[0204.126] lstrlenW (lpString="create") returned 6
[0204.126] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.126] lstrlenW (lpString="rl") returned 2
[0204.126] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.126] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0204.126] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4
[0204.126] lstrlenW (lpString="|create|") returned 8
[0204.126] lstrlenW (lpString="|rl|") returned 4
[0204.126] StrStrIW (lpFirst="|create|", lpSrch="|rl|") returned 0x0
[0204.127] RtlRestoreLastWin32Error () returned 0x490
[0204.127] lstrlenW (lpString="delete") returned 6
[0204.127] lstrlenW (lpString="delete") returned 6
[0204.127] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.127] lstrlenW (lpString="rl") returned 2
[0204.127] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.127] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0204.127] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4
[0204.127] lstrlenW (lpString="|delete|") returned 8
[0204.127] lstrlenW (lpString="|rl|") returned 4
[0204.127] StrStrIW (lpFirst="|delete|", lpSrch="|rl|") returned 0x0
[0204.127] RtlRestoreLastWin32Error () returned 0x490
[0204.127] lstrlenW (lpString="query") returned 5
[0204.127] lstrlenW (lpString="query") returned 5
[0204.127] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.127] lstrlenW (lpString="rl") returned 2
[0204.127] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.127] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0204.127] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4
[0204.127] lstrlenW (lpString="|query|") returned 7
[0204.127] lstrlenW (lpString="|rl|") returned 4
[0204.127] StrStrIW (lpFirst="|query|", lpSrch="|rl|") returned 0x0
[0204.127] RtlRestoreLastWin32Error () returned 0x490
[0204.127] lstrlenW (lpString="change") returned 6
[0204.127] lstrlenW (lpString="change") returned 6
[0204.127] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.127] lstrlenW (lpString="rl") returned 2
[0204.127] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.127] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0204.127] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4
[0204.128] lstrlenW (lpString="|change|") returned 8
[0204.128] lstrlenW (lpString="|rl|") returned 4
[0204.128] StrStrIW (lpFirst="|change|", lpSrch="|rl|") returned 0x0
[0204.128] RtlRestoreLastWin32Error () returned 0x490
[0204.128] lstrlenW (lpString="run") returned 3
[0204.128] lstrlenW (lpString="run") returned 3
[0204.128] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.128] lstrlenW (lpString="rl") returned 2
[0204.128] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.128] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0204.128] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4
[0204.128] lstrlenW (lpString="|run|") returned 5
[0204.128] lstrlenW (lpString="|rl|") returned 4
[0204.128] StrStrIW (lpFirst="|run|", lpSrch="|rl|") returned 0x0
[0204.128] RtlRestoreLastWin32Error () returned 0x490
[0204.128] lstrlenW (lpString="end") returned 3
[0204.128] lstrlenW (lpString="end") returned 3
[0204.128] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.128] lstrlenW (lpString="rl") returned 2
[0204.128] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.128] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0204.128] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4
[0204.128] lstrlenW (lpString="|end|") returned 5
[0204.128] lstrlenW (lpString="|rl|") returned 4
[0204.128] StrStrIW (lpFirst="|end|", lpSrch="|rl|") returned 0x0
[0204.128] RtlRestoreLastWin32Error () returned 0x490
[0204.128] lstrlenW (lpString="showsid") returned 7
[0204.128] lstrlenW (lpString="showsid") returned 7
[0204.128] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.128] lstrlenW (lpString="rl") returned 2
[0204.128] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.129] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0204.129] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|rl|") returned 4
[0204.129] lstrlenW (lpString="|showsid|") returned 9
[0204.129] lstrlenW (lpString="|rl|") returned 4
[0204.129] StrStrIW (lpFirst="|showsid|", lpSrch="|rl|") returned 0x0
[0204.129] RtlRestoreLastWin32Error () returned 0x490
[0204.129] RtlRestoreLastWin32Error () returned 0x490
[0204.129] RtlRestoreLastWin32Error () returned 0x0
[0204.129] lstrlenW (lpString="/rl") returned 3
[0204.129] StrChrIW (lpStart="/rl", wMatch=0x3a) returned 0x0
[0204.129] RtlRestoreLastWin32Error () returned 0x490
[0204.129] RtlRestoreLastWin32Error () returned 0x0
[0204.129] lstrlenW (lpString="/rl") returned 3
[0204.129] GetProcessHeap () returned 0x440000
[0204.129] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x8) returned 0x447220
[0204.129] GetProcessHeap () returned 0x440000
[0204.129] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4495b0
[0204.129] RtlRestoreLastWin32Error () returned 0x0
[0204.129] RtlRestoreLastWin32Error () returned 0x0
[0204.129] lstrlenW (lpString="highest") returned 7
[0204.129] lstrlenW (lpString="-/") returned 2
[0204.129] StrChrIW (lpStart="-/", wMatch=0x680068) returned 0x0
[0204.129] RtlRestoreLastWin32Error () returned 0x490
[0204.129] RtlRestoreLastWin32Error () returned 0x490
[0204.129] RtlRestoreLastWin32Error () returned 0x0
[0204.129] lstrlenW (lpString="highest") returned 7
[0204.129] StrChrIW (lpStart="highest", wMatch=0x3a) returned 0x0
[0204.129] RtlRestoreLastWin32Error () returned 0x490
[0204.129] RtlRestoreLastWin32Error () returned 0x0
[0204.129] lstrlenW (lpString="highest") returned 7
[0204.129] GetProcessHeap () returned 0x440000
[0204.129] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x447558
[0204.129] GetProcessHeap () returned 0x440000
[0204.129] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449410
[0204.129] RtlRestoreLastWin32Error () returned 0x0
[0204.130] RtlRestoreLastWin32Error () returned 0x0
[0204.130] lstrlenW (lpString="/tn") returned 3
[0204.130] lstrlenW (lpString="-/") returned 2
[0204.130] StrChrIW (lpStart="-/", wMatch=0x68002f) returned="/"
[0204.130] lstrlenW (lpString="?") returned 1
[0204.130] lstrlenW (lpString="?") returned 1
[0204.130] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.130] lstrlenW (lpString="tn") returned 2
[0204.130] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.130] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0204.130] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4
[0204.130] lstrlenW (lpString="|?|") returned 3
[0204.130] lstrlenW (lpString="|tn|") returned 4
[0204.130] RtlRestoreLastWin32Error () returned 0x490
[0204.130] lstrlenW (lpString="create") returned 6
[0204.130] lstrlenW (lpString="create") returned 6
[0204.130] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.130] lstrlenW (lpString="tn") returned 2
[0204.130] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.130] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0204.130] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4
[0204.130] lstrlenW (lpString="|create|") returned 8
[0204.130] lstrlenW (lpString="|tn|") returned 4
[0204.130] StrStrIW (lpFirst="|create|", lpSrch="|tn|") returned 0x0
[0204.130] RtlRestoreLastWin32Error () returned 0x490
[0204.130] lstrlenW (lpString="delete") returned 6
[0204.130] lstrlenW (lpString="delete") returned 6
[0204.130] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.130] lstrlenW (lpString="tn") returned 2
[0204.130] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.130] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0204.131] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4
[0204.131] lstrlenW (lpString="|delete|") returned 8
[0204.131] lstrlenW (lpString="|tn|") returned 4
[0204.131] StrStrIW (lpFirst="|delete|", lpSrch="|tn|") returned 0x0
[0204.131] RtlRestoreLastWin32Error () returned 0x490
[0204.131] lstrlenW (lpString="query") returned 5
[0204.131] lstrlenW (lpString="query") returned 5
[0204.131] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.131] lstrlenW (lpString="tn") returned 2
[0204.131] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.131] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0204.131] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4
[0204.131] lstrlenW (lpString="|query|") returned 7
[0204.131] lstrlenW (lpString="|tn|") returned 4
[0204.131] StrStrIW (lpFirst="|query|", lpSrch="|tn|") returned 0x0
[0204.131] RtlRestoreLastWin32Error () returned 0x490
[0204.131] lstrlenW (lpString="change") returned 6
[0204.131] lstrlenW (lpString="change") returned 6
[0204.131] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.131] lstrlenW (lpString="tn") returned 2
[0204.131] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.131] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0204.131] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4
[0204.131] lstrlenW (lpString="|change|") returned 8
[0204.131] lstrlenW (lpString="|tn|") returned 4
[0204.131] StrStrIW (lpFirst="|change|", lpSrch="|tn|") returned 0x0
[0204.131] RtlRestoreLastWin32Error () returned 0x490
[0204.131] lstrlenW (lpString="run") returned 3
[0204.131] lstrlenW (lpString="run") returned 3
[0204.131] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.131] lstrlenW (lpString="tn") returned 2
[0204.132] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.132] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0204.132] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4
[0204.132] lstrlenW (lpString="|run|") returned 5
[0204.132] lstrlenW (lpString="|tn|") returned 4
[0204.132] StrStrIW (lpFirst="|run|", lpSrch="|tn|") returned 0x0
[0204.132] RtlRestoreLastWin32Error () returned 0x490
[0204.132] lstrlenW (lpString="end") returned 3
[0204.132] lstrlenW (lpString="end") returned 3
[0204.132] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.132] lstrlenW (lpString="tn") returned 2
[0204.132] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.132] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0204.132] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4
[0204.132] lstrlenW (lpString="|end|") returned 5
[0204.132] lstrlenW (lpString="|tn|") returned 4
[0204.132] StrStrIW (lpFirst="|end|", lpSrch="|tn|") returned 0x0
[0204.132] RtlRestoreLastWin32Error () returned 0x490
[0204.132] lstrlenW (lpString="showsid") returned 7
[0204.132] lstrlenW (lpString="showsid") returned 7
[0204.132] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.132] lstrlenW (lpString="tn") returned 2
[0204.132] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.132] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0204.132] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tn|") returned 4
[0204.132] lstrlenW (lpString="|showsid|") returned 9
[0204.132] lstrlenW (lpString="|tn|") returned 4
[0204.132] StrStrIW (lpFirst="|showsid|", lpSrch="|tn|") returned 0x0
[0204.132] RtlRestoreLastWin32Error () returned 0x490
[0204.132] RtlRestoreLastWin32Error () returned 0x490
[0204.133] RtlRestoreLastWin32Error () returned 0x0
[0204.133] lstrlenW (lpString="/tn") returned 3
[0204.133] StrChrIW (lpStart="/tn", wMatch=0x3a) returned 0x0
[0204.133] RtlRestoreLastWin32Error () returned 0x490
[0204.133] RtlRestoreLastWin32Error () returned 0x0
[0204.133] lstrlenW (lpString="/tn") returned 3
[0204.133] GetProcessHeap () returned 0x440000
[0204.133] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x8) returned 0x446698
[0204.133] GetProcessHeap () returned 0x440000
[0204.133] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449690
[0204.133] RtlRestoreLastWin32Error () returned 0x0
[0204.133] RtlRestoreLastWin32Error () returned 0x0
[0204.133] lstrlenW (lpString="") returned 0
[0204.133] RtlRestoreLastWin32Error () returned 0x490
[0204.133] RtlRestoreLastWin32Error () returned 0x0
[0204.133] lstrlenW (lpString="") returned 0
[0204.133] RtlRestoreLastWin32Error () returned 0x490
[0204.133] RtlRestoreLastWin32Error () returned 0x0
[0204.133] lstrlenW (lpString="") returned 0
[0204.133] GetProcessHeap () returned 0x440000
[0204.133] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x2) returned 0x4428f0
[0204.133] GetProcessHeap () returned 0x440000
[0204.133] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449430
[0204.133] RtlRestoreLastWin32Error () returned 0x0
[0204.133] RtlRestoreLastWin32Error () returned 0x0
[0204.133] lstrlenW (lpString="/tr") returned 3
[0204.133] lstrlenW (lpString="-/") returned 2
[0204.133] StrChrIW (lpStart="-/", wMatch=0x68002f) returned="/"
[0204.133] lstrlenW (lpString="?") returned 1
[0204.133] lstrlenW (lpString="?") returned 1
[0204.133] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.133] lstrlenW (lpString="tr") returned 2
[0204.133] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.133] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0204.133] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4
[0204.134] lstrlenW (lpString="|?|") returned 3
[0204.134] lstrlenW (lpString="|tr|") returned 4
[0204.134] RtlRestoreLastWin32Error () returned 0x490
[0204.134] lstrlenW (lpString="create") returned 6
[0204.134] lstrlenW (lpString="create") returned 6
[0204.134] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.134] lstrlenW (lpString="tr") returned 2
[0204.134] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.134] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0204.134] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4
[0204.134] lstrlenW (lpString="|create|") returned 8
[0204.134] lstrlenW (lpString="|tr|") returned 4
[0204.134] StrStrIW (lpFirst="|create|", lpSrch="|tr|") returned 0x0
[0204.134] RtlRestoreLastWin32Error () returned 0x490
[0204.134] lstrlenW (lpString="delete") returned 6
[0204.134] lstrlenW (lpString="delete") returned 6
[0204.134] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.134] lstrlenW (lpString="tr") returned 2
[0204.134] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.134] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0204.134] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4
[0204.134] lstrlenW (lpString="|delete|") returned 8
[0204.134] lstrlenW (lpString="|tr|") returned 4
[0204.134] StrStrIW (lpFirst="|delete|", lpSrch="|tr|") returned 0x0
[0204.134] RtlRestoreLastWin32Error () returned 0x490
[0204.134] lstrlenW (lpString="query") returned 5
[0204.134] lstrlenW (lpString="query") returned 5
[0204.134] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.134] lstrlenW (lpString="tr") returned 2
[0204.134] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.134] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0204.135] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4
[0204.135] lstrlenW (lpString="|query|") returned 7
[0204.135] lstrlenW (lpString="|tr|") returned 4
[0204.135] StrStrIW (lpFirst="|query|", lpSrch="|tr|") returned 0x0
[0204.135] RtlRestoreLastWin32Error () returned 0x490
[0204.135] lstrlenW (lpString="change") returned 6
[0204.135] lstrlenW (lpString="change") returned 6
[0204.135] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.135] lstrlenW (lpString="tr") returned 2
[0204.135] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.135] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0204.135] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4
[0204.135] lstrlenW (lpString="|change|") returned 8
[0204.135] lstrlenW (lpString="|tr|") returned 4
[0204.135] StrStrIW (lpFirst="|change|", lpSrch="|tr|") returned 0x0
[0204.135] RtlRestoreLastWin32Error () returned 0x490
[0204.135] lstrlenW (lpString="run") returned 3
[0204.135] lstrlenW (lpString="run") returned 3
[0204.135] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.135] lstrlenW (lpString="tr") returned 2
[0204.135] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.135] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0204.135] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4
[0204.135] lstrlenW (lpString="|run|") returned 5
[0204.135] lstrlenW (lpString="|tr|") returned 4
[0204.136] StrStrIW (lpFirst="|run|", lpSrch="|tr|") returned 0x0
[0204.136] RtlRestoreLastWin32Error () returned 0x490
[0204.136] lstrlenW (lpString="end") returned 3
[0204.136] lstrlenW (lpString="end") returned 3
[0204.136] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.136] lstrlenW (lpString="tr") returned 2
[0204.136] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.136] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0204.136] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4
[0204.136] lstrlenW (lpString="|end|") returned 5
[0204.136] lstrlenW (lpString="|tr|") returned 4
[0204.136] StrStrIW (lpFirst="|end|", lpSrch="|tr|") returned 0x0
[0204.136] RtlRestoreLastWin32Error () returned 0x490
[0204.136] lstrlenW (lpString="showsid") returned 7
[0204.136] lstrlenW (lpString="showsid") returned 7
[0204.136] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.136] lstrlenW (lpString="tr") returned 2
[0204.136] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.136] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0204.136] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|tr|") returned 4
[0204.136] lstrlenW (lpString="|showsid|") returned 9
[0204.136] lstrlenW (lpString="|tr|") returned 4
[0204.136] StrStrIW (lpFirst="|showsid|", lpSrch="|tr|") returned 0x0
[0204.136] RtlRestoreLastWin32Error () returned 0x490
[0204.136] RtlRestoreLastWin32Error () returned 0x490
[0204.136] RtlRestoreLastWin32Error () returned 0x0
[0204.136] lstrlenW (lpString="/tr") returned 3
[0204.136] StrChrIW (lpStart="/tr", wMatch=0x3a) returned 0x0
[0204.136] RtlRestoreLastWin32Error () returned 0x490
[0204.136] RtlRestoreLastWin32Error () returned 0x0
[0204.136] lstrlenW (lpString="/tr") returned 3
[0204.136] GetProcessHeap () returned 0x440000
[0204.137] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x8) returned 0x446728
[0204.137] GetProcessHeap () returned 0x440000
[0204.137] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4494b0
[0204.137] RtlRestoreLastWin32Error () returned 0x0
[0204.137] RtlRestoreLastWin32Error () returned 0x0
[0204.137] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.137] lstrlenW (lpString="-/") returned 2
[0204.137] StrChrIW (lpStart="-/", wMatch=0x680027) returned 0x0
[0204.137] RtlRestoreLastWin32Error () returned 0x490
[0204.137] RtlRestoreLastWin32Error () returned 0x490
[0204.137] RtlRestoreLastWin32Error () returned 0x0
[0204.137] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.137] StrChrIW (lpStart="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'"
[0204.137] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.137] GetProcessHeap () returned 0x440000
[0204.137] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x447570
[0204.137] _memicmp (_Buf1=0x447570, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.137] GetProcessHeap () returned 0x440000
[0204.137] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0xe) returned 0x44abe8
[0204.137] GetProcessHeap () returned 0x440000
[0204.137] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x44aa68
[0204.137] _memicmp (_Buf1=0x44aa68, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.137] GetProcessHeap () returned 0x440000
[0204.137] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x5c) returned 0x44ae10
[0204.137] RtlRestoreLastWin32Error () returned 0x7a
[0204.137] RtlRestoreLastWin32Error () returned 0x0
[0204.137] RtlRestoreLastWin32Error () returned 0x0
[0204.137] lstrlenW (lpString="'C") returned 2
[0204.137] lstrlenW (lpString="-/") returned 2
[0204.137] StrChrIW (lpStart="-/", wMatch=0x440027) returned 0x0
[0204.137] RtlRestoreLastWin32Error () returned 0x490
[0204.137] RtlRestoreLastWin32Error () returned 0x490
[0204.137] RtlRestoreLastWin32Error () returned 0x0
[0204.138] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x5a) returned 0x44ae78
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449650
[0204.138] RtlRestoreLastWin32Error () returned 0x0
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446d60) returned 1
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446d60) returned 0x6
[0204.138] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446d60) returned 1
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449610) returned 1
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449610) returned 0x14
[0204.138] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449610) returned 1
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4464e8) returned 1
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4464e8) returned 0x8
[0204.138] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4464e8) returned 1
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449390) returned 1
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449390) returned 0x14
[0204.138] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449390) returned 1
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447528) returned 1
[0204.138] GetProcessHeap () returned 0x440000
[0204.138] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x447528) returned 0x10
[0204.138] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447528) returned 1
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4495f0) returned 1
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4495f0) returned 0x14
[0204.139] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4495f0) returned 1
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447220) returned 1
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x447220) returned 0x8
[0204.139] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447220) returned 1
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4495b0) returned 1
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4495b0) returned 0x14
[0204.139] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4495b0) returned 1
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447558) returned 1
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x447558) returned 0x10
[0204.139] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447558) returned 1
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449410) returned 1
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449410) returned 0x14
[0204.139] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449410) returned 1
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446698) returned 1
[0204.139] GetProcessHeap () returned 0x440000
[0204.139] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446698) returned 0x8
[0204.140] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446698) returned 1
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449690) returned 1
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449690) returned 0x14
[0204.140] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449690) returned 1
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4428f0) returned 1
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4428f0) returned 0x2
[0204.140] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4428f0) returned 1
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449430) returned 1
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449430) returned 0x14
[0204.140] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449430) returned 1
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446728) returned 1
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446728) returned 0x8
[0204.140] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446728) returned 1
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4494b0) returned 1
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4494b0) returned 0x14
[0204.140] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4494b0) returned 1
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] GetProcessHeap () returned 0x440000
[0204.140] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44ae78) returned 1
[0204.140] GetProcessHeap () returned 0x440000
[0204.141] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44ae78) returned 0x5a
[0204.141] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44ae78) returned 1
[0204.141] GetProcessHeap () returned 0x440000
[0204.141] GetProcessHeap () returned 0x440000
[0204.141] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449650) returned 1
[0204.141] GetProcessHeap () returned 0x440000
[0204.141] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449650) returned 0x14
[0204.141] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449650) returned 1
[0204.141] GetProcessHeap () returned 0x440000
[0204.141] GetProcessHeap () returned 0x440000
[0204.141] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447450) returned 1
[0204.141] GetProcessHeap () returned 0x440000
[0204.141] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x447450) returned 0x10
[0204.141] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447450) returned 1
[0204.142] RtlRestoreLastWin32Error () returned 0x0
[0204.142] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18
[0204.142] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b
[0204.142] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b
[0204.142] RtlVerifyVersionInfo (VersionInfo=0xdce60, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0
[0204.142] RtlRestoreLastWin32Error () returned 0x0
[0204.142] lstrlenW (lpString="create") returned 6
[0204.142] StrChrIW (lpStart="create", wMatch=0x7c) returned 0x0
[0204.142] RtlRestoreLastWin32Error () returned 0x490
[0204.142] RtlRestoreLastWin32Error () returned 0x0
[0204.142] lstrlenW (lpString="create") returned 6
[0204.142] GetProcessHeap () returned 0x440000
[0204.142] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449490
[0204.142] GetProcessHeap () returned 0x440000
[0204.142] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x44ab88
[0204.142] _memicmp (_Buf1=0x44ab88, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.142] GetProcessHeap () returned 0x440000
[0204.142] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x16) returned 0x4494b0
[0204.142] RtlRestoreLastWin32Error () returned 0x0
[0204.142] _memicmp (_Buf1=0x447480, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.142] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x448d48, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20
[0204.142] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdcf6c | out: lpdwHandle=0xdcf6c) returned 0x76c
[0204.143] GetProcessHeap () returned 0x440000
[0204.143] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x776) returned 0x449e20
[0204.143] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x449e20 | out: lpData=0x449e20) returned 1
[0204.143] VerQueryValueW (in: pBlock=0x449e20, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdcf74, puLen=0xdcf78 | out: lplpBuffer=0xdcf74*=0x44a1d0, puLen=0xdcf78) returned 1
[0204.143] _memicmp (_Buf1=0x447480, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.143] _vsnwprintf (in: _Buffer=0x448d48, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdcf58 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0204.143] VerQueryValueW (in: pBlock=0x449e20, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdcf84, puLen=0xdcf80 | out: lplpBuffer=0xdcf84*=0x44a000, puLen=0xdcf80) returned 1
[0204.143] lstrlenW (lpString="schtasks.exe") returned 12
[0204.143] lstrlenW (lpString="schtasks.exe") returned 12
[0204.143] lstrlenW (lpString=".EXE") returned 4
[0204.143] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0204.143] lstrlenW (lpString="schtasks.exe") returned 12
[0204.143] lstrlenW (lpString=".EXE") returned 4
[0204.143] lstrlenW (lpString="schtasks") returned 8
[0204.143] lstrlenW (lpString="/create") returned 7
[0204.143] _memicmp (_Buf1=0x447480, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.143] _vsnwprintf (in: _Buffer=0x448d48, _BufferCount=0x19, _Format="%s %s", _ArgList=0xdcf58 | out: _Buffer="schtasks /create") returned 16
[0204.143] _memicmp (_Buf1=0x447498, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.143] GetProcessHeap () returned 0x440000
[0204.143] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449390
[0204.143] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.143] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0204.144] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0204.144] GetProcessHeap () returned 0x440000
[0204.144] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x30) returned 0x446b78
[0204.144] _vsnwprintf (in: _Buffer=0x446ad0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdcf5c | out: _Buffer="Type \"SCHTASKS /CREATE /?\" for usage.") returned 37
[0204.144] GetProcessHeap () returned 0x440000
[0204.144] GetProcessHeap () returned 0x440000
[0204.144] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449e20) returned 1
[0204.144] GetProcessHeap () returned 0x440000
[0204.144] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449e20) returned 0x776
[0204.144] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449e20) returned 1
[0204.144] RtlRestoreLastWin32Error () returned 0x0
[0204.144] GetThreadLocale () returned 0x409
[0204.144] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.144] lstrlenW (lpString="create") returned 6
[0204.144] GetThreadLocale () returned 0x409
[0204.144] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.144] lstrlenW (lpString="?") returned 1
[0204.144] GetThreadLocale () returned 0x409
[0204.144] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.145] lstrlenW (lpString="s") returned 1
[0204.145] GetThreadLocale () returned 0x409
[0204.145] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.145] lstrlenW (lpString="u") returned 1
[0204.145] GetThreadLocale () returned 0x409
[0204.145] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.145] lstrlenW (lpString="p") returned 1
[0204.145] GetThreadLocale () returned 0x409
[0204.145] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.145] lstrlenW (lpString="ru") returned 2
[0204.145] GetThreadLocale () returned 0x409
[0204.145] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.145] lstrlenW (lpString="rp") returned 2
[0204.145] GetThreadLocale () returned 0x409
[0204.145] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.145] lstrlenW (lpString="sc") returned 2
[0204.145] GetThreadLocale () returned 0x409
[0204.145] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.145] lstrlenW (lpString="mo") returned 2
[0204.145] GetThreadLocale () returned 0x409
[0204.145] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.145] lstrlenW (lpString="d") returned 1
[0204.145] GetThreadLocale () returned 0x409
[0204.145] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.145] lstrlenW (lpString="m") returned 1
[0204.145] GetThreadLocale () returned 0x409
[0204.145] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.145] lstrlenW (lpString="i") returned 1
[0204.145] GetThreadLocale () returned 0x409
[0204.145] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.145] lstrlenW (lpString="tn") returned 2
[0204.145] GetThreadLocale () returned 0x409
[0204.145] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.145] lstrlenW (lpString="tr") returned 2
[0204.145] GetThreadLocale () returned 0x409
[0204.146] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.146] lstrlenW (lpString="st") returned 2
[0204.146] GetThreadLocale () returned 0x409
[0204.146] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.146] lstrlenW (lpString="sd") returned 2
[0204.146] GetThreadLocale () returned 0x409
[0204.146] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.146] lstrlenW (lpString="ed") returned 2
[0204.146] GetThreadLocale () returned 0x409
[0204.146] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.146] lstrlenW (lpString="it") returned 2
[0204.146] GetThreadLocale () returned 0x409
[0204.146] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.146] lstrlenW (lpString="et") returned 2
[0204.146] GetThreadLocale () returned 0x409
[0204.146] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.146] lstrlenW (lpString="k") returned 1
[0204.146] GetThreadLocale () returned 0x409
[0204.146] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.146] lstrlenW (lpString="du") returned 2
[0204.146] GetThreadLocale () returned 0x409
[0204.146] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.146] lstrlenW (lpString="ri") returned 2
[0204.146] GetThreadLocale () returned 0x409
[0204.146] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.146] lstrlenW (lpString="z") returned 1
[0204.146] GetThreadLocale () returned 0x409
[0204.146] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.146] lstrlenW (lpString="f") returned 1
[0204.146] GetThreadLocale () returned 0x409
[0204.146] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.146] lstrlenW (lpString="v1") returned 2
[0204.146] GetThreadLocale () returned 0x409
[0204.146] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.147] lstrlenW (lpString="xml") returned 3
[0204.147] GetThreadLocale () returned 0x409
[0204.147] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.147] lstrlenW (lpString="ec") returned 2
[0204.147] GetThreadLocale () returned 0x409
[0204.147] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.147] lstrlenW (lpString="rl") returned 2
[0204.147] GetThreadLocale () returned 0x409
[0204.147] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.147] lstrlenW (lpString="delay") returned 5
[0204.147] GetThreadLocale () returned 0x409
[0204.147] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.147] lstrlenW (lpString="np") returned 2
[0204.147] GetThreadLocale () returned 0x409
[0204.147] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0204.147] lstrlenW (lpString="hresult") returned 7
[0204.147] RtlRestoreLastWin32Error () returned 0x0
[0204.147] RtlRestoreLastWin32Error () returned 0x0
[0204.147] lstrlenW (lpString="/create") returned 7
[0204.147] lstrlenW (lpString="-/") returned 2
[0204.147] StrChrIW (lpStart="-/", wMatch=0x68002f) returned="/"
[0204.147] lstrlenW (lpString="create") returned 6
[0204.147] lstrlenW (lpString="create") returned 6
[0204.147] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.147] lstrlenW (lpString="create") returned 6
[0204.147] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.147] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0204.147] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0204.147] lstrlenW (lpString="|create|") returned 8
[0204.147] lstrlenW (lpString="|create|") returned 8
[0204.148] StrStrIW (lpFirst="|create|", lpSrch="|create|") returned="|create|"
[0204.148] RtlRestoreLastWin32Error () returned 0x0
[0204.148] RtlRestoreLastWin32Error () returned 0x0
[0204.148] RtlRestoreLastWin32Error () returned 0x0
[0204.148] lstrlenW (lpString="/f") returned 2
[0204.148] lstrlenW (lpString="-/") returned 2
[0204.148] StrChrIW (lpStart="-/", wMatch=0x68002f) returned="/"
[0204.148] lstrlenW (lpString="create") returned 6
[0204.148] lstrlenW (lpString="create") returned 6
[0204.148] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.148] lstrlenW (lpString="f") returned 1
[0204.148] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.148] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0204.148] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.148] lstrlenW (lpString="|create|") returned 8
[0204.148] lstrlenW (lpString="|f|") returned 3
[0204.148] StrStrIW (lpFirst="|create|", lpSrch="|f|") returned 0x0
[0204.148] RtlRestoreLastWin32Error () returned 0x490
[0204.148] lstrlenW (lpString="?") returned 1
[0204.148] lstrlenW (lpString="?") returned 1
[0204.148] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.148] lstrlenW (lpString="f") returned 1
[0204.148] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.148] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0204.148] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.148] lstrlenW (lpString="|?|") returned 3
[0204.148] lstrlenW (lpString="|f|") returned 3
[0204.148] StrStrIW (lpFirst="|?|", lpSrch="|f|") returned 0x0
[0204.148] RtlRestoreLastWin32Error () returned 0x490
[0204.149] lstrlenW (lpString="s") returned 1
[0204.149] lstrlenW (lpString="s") returned 1
[0204.149] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.149] lstrlenW (lpString="f") returned 1
[0204.149] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.149] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0204.149] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.149] lstrlenW (lpString="|s|") returned 3
[0204.149] lstrlenW (lpString="|f|") returned 3
[0204.149] StrStrIW (lpFirst="|s|", lpSrch="|f|") returned 0x0
[0204.149] RtlRestoreLastWin32Error () returned 0x490
[0204.149] lstrlenW (lpString="u") returned 1
[0204.149] lstrlenW (lpString="u") returned 1
[0204.149] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.149] lstrlenW (lpString="f") returned 1
[0204.149] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.149] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0204.149] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.149] lstrlenW (lpString="|u|") returned 3
[0204.149] lstrlenW (lpString="|f|") returned 3
[0204.149] StrStrIW (lpFirst="|u|", lpSrch="|f|") returned 0x0
[0204.149] RtlRestoreLastWin32Error () returned 0x490
[0204.149] lstrlenW (lpString="p") returned 1
[0204.149] lstrlenW (lpString="p") returned 1
[0204.149] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.149] lstrlenW (lpString="f") returned 1
[0204.149] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.149] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0204.149] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.149] lstrlenW (lpString="|p|") returned 3
[0204.150] lstrlenW (lpString="|f|") returned 3
[0204.150] StrStrIW (lpFirst="|p|", lpSrch="|f|") returned 0x0
[0204.150] RtlRestoreLastWin32Error () returned 0x490
[0204.150] lstrlenW (lpString="ru") returned 2
[0204.150] lstrlenW (lpString="ru") returned 2
[0204.150] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.150] lstrlenW (lpString="f") returned 1
[0204.150] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.150] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0204.150] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.150] lstrlenW (lpString="|ru|") returned 4
[0204.150] lstrlenW (lpString="|f|") returned 3
[0204.150] StrStrIW (lpFirst="|ru|", lpSrch="|f|") returned 0x0
[0204.150] RtlRestoreLastWin32Error () returned 0x490
[0204.150] lstrlenW (lpString="rp") returned 2
[0204.150] lstrlenW (lpString="rp") returned 2
[0204.150] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.150] lstrlenW (lpString="f") returned 1
[0204.150] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.150] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0204.150] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.150] lstrlenW (lpString="|rp|") returned 4
[0204.150] lstrlenW (lpString="|f|") returned 3
[0204.150] StrStrIW (lpFirst="|rp|", lpSrch="|f|") returned 0x0
[0204.150] RtlRestoreLastWin32Error () returned 0x490
[0204.150] lstrlenW (lpString="sc") returned 2
[0204.150] lstrlenW (lpString="sc") returned 2
[0204.150] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.150] lstrlenW (lpString="f") returned 1
[0204.150] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.151] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.151] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.151] lstrlenW (lpString="|sc|") returned 4
[0204.151] lstrlenW (lpString="|f|") returned 3
[0204.151] StrStrIW (lpFirst="|sc|", lpSrch="|f|") returned 0x0
[0204.151] RtlRestoreLastWin32Error () returned 0x490
[0204.151] lstrlenW (lpString="mo") returned 2
[0204.186] lstrlenW (lpString="mo") returned 2
[0204.186] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.186] lstrlenW (lpString="f") returned 1
[0204.186] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.186] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4
[0204.186] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.187] lstrlenW (lpString="|mo|") returned 4
[0204.187] lstrlenW (lpString="|f|") returned 3
[0204.187] StrStrIW (lpFirst="|mo|", lpSrch="|f|") returned 0x0
[0204.187] RtlRestoreLastWin32Error () returned 0x490
[0204.187] lstrlenW (lpString="d") returned 1
[0204.187] lstrlenW (lpString="d") returned 1
[0204.187] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.187] lstrlenW (lpString="f") returned 1
[0204.187] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.187] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3
[0204.187] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.187] lstrlenW (lpString="|d|") returned 3
[0204.187] lstrlenW (lpString="|f|") returned 3
[0204.187] StrStrIW (lpFirst="|d|", lpSrch="|f|") returned 0x0
[0204.187] RtlRestoreLastWin32Error () returned 0x490
[0204.187] lstrlenW (lpString="m") returned 1
[0204.187] lstrlenW (lpString="m") returned 1
[0204.187] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.187] lstrlenW (lpString="f") returned 1
[0204.187] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.187] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3
[0204.187] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.187] lstrlenW (lpString="|m|") returned 3
[0204.187] lstrlenW (lpString="|f|") returned 3
[0204.187] StrStrIW (lpFirst="|m|", lpSrch="|f|") returned 0x0
[0204.187] RtlRestoreLastWin32Error () returned 0x490
[0204.187] lstrlenW (lpString="i") returned 1
[0204.187] lstrlenW (lpString="i") returned 1
[0204.187] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.188] lstrlenW (lpString="f") returned 1
[0204.188] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.188] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3
[0204.188] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.188] lstrlenW (lpString="|i|") returned 3
[0204.188] lstrlenW (lpString="|f|") returned 3
[0204.188] StrStrIW (lpFirst="|i|", lpSrch="|f|") returned 0x0
[0204.188] RtlRestoreLastWin32Error () returned 0x490
[0204.188] lstrlenW (lpString="tn") returned 2
[0204.188] lstrlenW (lpString="tn") returned 2
[0204.188] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.188] lstrlenW (lpString="f") returned 1
[0204.188] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.188] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.188] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.188] lstrlenW (lpString="|tn|") returned 4
[0204.188] lstrlenW (lpString="|f|") returned 3
[0204.188] StrStrIW (lpFirst="|tn|", lpSrch="|f|") returned 0x0
[0204.188] RtlRestoreLastWin32Error () returned 0x490
[0204.188] lstrlenW (lpString="tr") returned 2
[0204.188] lstrlenW (lpString="tr") returned 2
[0204.188] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.188] lstrlenW (lpString="f") returned 1
[0204.188] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.188] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.188] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.188] lstrlenW (lpString="|tr|") returned 4
[0204.188] lstrlenW (lpString="|f|") returned 3
[0204.188] StrStrIW (lpFirst="|tr|", lpSrch="|f|") returned 0x0
[0204.188] RtlRestoreLastWin32Error () returned 0x490
[0204.188] lstrlenW (lpString="st") returned 2
[0204.189] lstrlenW (lpString="st") returned 2
[0204.189] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.189] lstrlenW (lpString="f") returned 1
[0204.189] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.189] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|st|") returned 4
[0204.189] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.189] lstrlenW (lpString="|st|") returned 4
[0204.189] lstrlenW (lpString="|f|") returned 3
[0204.189] StrStrIW (lpFirst="|st|", lpSrch="|f|") returned 0x0
[0204.189] RtlRestoreLastWin32Error () returned 0x490
[0204.189] lstrlenW (lpString="sd") returned 2
[0204.189] lstrlenW (lpString="sd") returned 2
[0204.189] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.189] lstrlenW (lpString="f") returned 1
[0204.189] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.189] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sd|") returned 4
[0204.189] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.189] lstrlenW (lpString="|sd|") returned 4
[0204.189] lstrlenW (lpString="|f|") returned 3
[0204.189] StrStrIW (lpFirst="|sd|", lpSrch="|f|") returned 0x0
[0204.189] RtlRestoreLastWin32Error () returned 0x490
[0204.189] lstrlenW (lpString="ed") returned 2
[0204.189] lstrlenW (lpString="ed") returned 2
[0204.189] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.189] lstrlenW (lpString="f") returned 1
[0204.189] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.189] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ed|") returned 4
[0204.189] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.189] lstrlenW (lpString="|ed|") returned 4
[0204.189] lstrlenW (lpString="|f|") returned 3
[0204.190] StrStrIW (lpFirst="|ed|", lpSrch="|f|") returned 0x0
[0204.190] RtlRestoreLastWin32Error () returned 0x490
[0204.190] lstrlenW (lpString="it") returned 2
[0204.190] lstrlenW (lpString="it") returned 2
[0204.190] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.190] lstrlenW (lpString="f") returned 1
[0204.190] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.190] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|it|") returned 4
[0204.190] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.190] lstrlenW (lpString="|it|") returned 4
[0204.190] lstrlenW (lpString="|f|") returned 3
[0204.190] StrStrIW (lpFirst="|it|", lpSrch="|f|") returned 0x0
[0204.190] RtlRestoreLastWin32Error () returned 0x490
[0204.190] lstrlenW (lpString="et") returned 2
[0204.190] lstrlenW (lpString="et") returned 2
[0204.190] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.190] lstrlenW (lpString="f") returned 1
[0204.190] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.190] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|et|") returned 4
[0204.190] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.190] lstrlenW (lpString="|et|") returned 4
[0204.190] lstrlenW (lpString="|f|") returned 3
[0204.190] StrStrIW (lpFirst="|et|", lpSrch="|f|") returned 0x0
[0204.190] RtlRestoreLastWin32Error () returned 0x490
[0204.190] lstrlenW (lpString="k") returned 1
[0204.190] lstrlenW (lpString="k") returned 1
[0204.190] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.190] lstrlenW (lpString="f") returned 1
[0204.190] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.190] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|k|") returned 3
[0204.190] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.190] lstrlenW (lpString="|k|") returned 3
[0204.191] lstrlenW (lpString="|f|") returned 3
[0204.191] StrStrIW (lpFirst="|k|", lpSrch="|f|") returned 0x0
[0204.191] RtlRestoreLastWin32Error () returned 0x490
[0204.191] lstrlenW (lpString="du") returned 2
[0204.191] lstrlenW (lpString="du") returned 2
[0204.191] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.191] lstrlenW (lpString="f") returned 1
[0204.191] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.191] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|du|") returned 4
[0204.191] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.191] lstrlenW (lpString="|du|") returned 4
[0204.191] lstrlenW (lpString="|f|") returned 3
[0204.191] StrStrIW (lpFirst="|du|", lpSrch="|f|") returned 0x0
[0204.191] RtlRestoreLastWin32Error () returned 0x490
[0204.191] lstrlenW (lpString="ri") returned 2
[0204.191] lstrlenW (lpString="ri") returned 2
[0204.191] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.191] lstrlenW (lpString="f") returned 1
[0204.191] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.191] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ri|") returned 4
[0204.191] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.191] lstrlenW (lpString="|ri|") returned 4
[0204.191] lstrlenW (lpString="|f|") returned 3
[0204.191] StrStrIW (lpFirst="|ri|", lpSrch="|f|") returned 0x0
[0204.191] RtlRestoreLastWin32Error () returned 0x490
[0204.191] lstrlenW (lpString="z") returned 1
[0204.191] lstrlenW (lpString="z") returned 1
[0204.191] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.191] lstrlenW (lpString="f") returned 1
[0204.191] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.191] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|z|") returned 3
[0204.191] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.192] lstrlenW (lpString="|z|") returned 3
[0204.192] lstrlenW (lpString="|f|") returned 3
[0204.192] StrStrIW (lpFirst="|z|", lpSrch="|f|") returned 0x0
[0204.192] RtlRestoreLastWin32Error () returned 0x490
[0204.192] lstrlenW (lpString="f") returned 1
[0204.192] lstrlenW (lpString="f") returned 1
[0204.192] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.192] lstrlenW (lpString="f") returned 1
[0204.192] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.192] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.192] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.192] lstrlenW (lpString="|f|") returned 3
[0204.192] lstrlenW (lpString="|f|") returned 3
[0204.192] StrStrIW (lpFirst="|f|", lpSrch="|f|") returned="|f|"
[0204.192] RtlRestoreLastWin32Error () returned 0x0
[0204.192] RtlRestoreLastWin32Error () returned 0x0
[0204.192] RtlRestoreLastWin32Error () returned 0x0
[0204.192] lstrlenW (lpString="/sc") returned 3
[0204.192] lstrlenW (lpString="-/") returned 2
[0204.192] StrChrIW (lpStart="-/", wMatch=0x68002f) returned="/"
[0204.192] lstrlenW (lpString="create") returned 6
[0204.192] lstrlenW (lpString="create") returned 6
[0204.192] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.192] lstrlenW (lpString="sc") returned 2
[0204.192] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.192] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0204.192] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.192] lstrlenW (lpString="|create|") returned 8
[0204.192] lstrlenW (lpString="|sc|") returned 4
[0204.192] StrStrIW (lpFirst="|create|", lpSrch="|sc|") returned 0x0
[0204.192] RtlRestoreLastWin32Error () returned 0x490
[0204.192] lstrlenW (lpString="?") returned 1
[0204.193] lstrlenW (lpString="?") returned 1
[0204.193] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.193] lstrlenW (lpString="sc") returned 2
[0204.193] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.193] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0204.193] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.193] lstrlenW (lpString="|?|") returned 3
[0204.193] lstrlenW (lpString="|sc|") returned 4
[0204.193] RtlRestoreLastWin32Error () returned 0x490
[0204.193] lstrlenW (lpString="s") returned 1
[0204.193] lstrlenW (lpString="s") returned 1
[0204.193] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.193] lstrlenW (lpString="sc") returned 2
[0204.193] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.193] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0204.193] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.193] lstrlenW (lpString="|s|") returned 3
[0204.193] lstrlenW (lpString="|sc|") returned 4
[0204.193] RtlRestoreLastWin32Error () returned 0x490
[0204.193] lstrlenW (lpString="u") returned 1
[0204.193] lstrlenW (lpString="u") returned 1
[0204.193] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.193] lstrlenW (lpString="sc") returned 2
[0204.193] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.193] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0204.193] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.193] lstrlenW (lpString="|u|") returned 3
[0204.193] lstrlenW (lpString="|sc|") returned 4
[0204.193] RtlRestoreLastWin32Error () returned 0x490
[0204.193] lstrlenW (lpString="p") returned 1
[0204.193] lstrlenW (lpString="p") returned 1
[0204.194] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.194] lstrlenW (lpString="sc") returned 2
[0204.194] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.194] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0204.194] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.194] lstrlenW (lpString="|p|") returned 3
[0204.194] lstrlenW (lpString="|sc|") returned 4
[0204.194] RtlRestoreLastWin32Error () returned 0x490
[0204.194] lstrlenW (lpString="ru") returned 2
[0204.194] lstrlenW (lpString="ru") returned 2
[0204.194] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.194] lstrlenW (lpString="sc") returned 2
[0204.194] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.194] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0204.194] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.194] lstrlenW (lpString="|ru|") returned 4
[0204.194] lstrlenW (lpString="|sc|") returned 4
[0204.194] StrStrIW (lpFirst="|ru|", lpSrch="|sc|") returned 0x0
[0204.194] RtlRestoreLastWin32Error () returned 0x490
[0204.194] lstrlenW (lpString="rp") returned 2
[0204.194] lstrlenW (lpString="rp") returned 2
[0204.194] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.194] lstrlenW (lpString="sc") returned 2
[0204.194] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.194] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0204.194] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.194] lstrlenW (lpString="|rp|") returned 4
[0204.194] lstrlenW (lpString="|sc|") returned 4
[0204.194] StrStrIW (lpFirst="|rp|", lpSrch="|sc|") returned 0x0
[0204.194] RtlRestoreLastWin32Error () returned 0x490
[0204.194] lstrlenW (lpString="sc") returned 2
[0204.195] lstrlenW (lpString="sc") returned 2
[0204.195] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.195] lstrlenW (lpString="sc") returned 2
[0204.195] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.195] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.195] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.195] lstrlenW (lpString="|sc|") returned 4
[0204.195] lstrlenW (lpString="|sc|") returned 4
[0204.195] StrStrIW (lpFirst="|sc|", lpSrch="|sc|") returned="|sc|"
[0204.195] RtlRestoreLastWin32Error () returned 0x0
[0204.195] RtlRestoreLastWin32Error () returned 0x0
[0204.195] lstrlenW (lpString="onlogon") returned 7
[0204.195] lstrlenW (lpString="-/") returned 2
[0204.195] StrChrIW (lpStart="-/", wMatch=0x68006f) returned 0x0
[0204.195] RtlRestoreLastWin32Error () returned 0x490
[0204.195] RtlRestoreLastWin32Error () returned 0x490
[0204.195] RtlRestoreLastWin32Error () returned 0x0
[0204.195] lstrlenW (lpString="onlogon") returned 7
[0204.195] StrChrIW (lpStart="onlogon", wMatch=0x3a) returned 0x0
[0204.195] RtlRestoreLastWin32Error () returned 0x490
[0204.195] RtlRestoreLastWin32Error () returned 0x0
[0204.195] GetProcessHeap () returned 0x440000
[0204.195] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x44ad20
[0204.195] _memicmp (_Buf1=0x44ad20, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.195] lstrlenW (lpString="onlogon") returned 7
[0204.195] GetProcessHeap () returned 0x440000
[0204.195] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x44ac90
[0204.195] lstrlenW (lpString="onlogon") returned 7
[0204.195] lstrlenW (lpString=" \x09") returned 2
[0204.195] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0
[0204.195] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0
[0204.195] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0
[0204.195] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0
[0204.195] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0
[0204.196] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0
[0204.196] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0
[0204.196] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0
[0204.196] GetLastError () returned 0x0
[0204.196] lstrlenW (lpString="onlogon") returned 7
[0204.196] lstrlenW (lpString="onlogon") returned 7
[0204.196] RtlRestoreLastWin32Error () returned 0x0
[0204.196] RtlRestoreLastWin32Error () returned 0x0
[0204.196] lstrlenW (lpString="/rl") returned 3
[0204.196] lstrlenW (lpString="-/") returned 2
[0204.196] StrChrIW (lpStart="-/", wMatch=0x68002f) returned="/"
[0204.196] lstrlenW (lpString="create") returned 6
[0204.196] lstrlenW (lpString="create") returned 6
[0204.196] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.196] lstrlenW (lpString="rl") returned 2
[0204.196] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.196] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0204.196] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.196] lstrlenW (lpString="|create|") returned 8
[0204.196] lstrlenW (lpString="|rl|") returned 4
[0204.196] StrStrIW (lpFirst="|create|", lpSrch="|rl|") returned 0x0
[0204.196] RtlRestoreLastWin32Error () returned 0x490
[0204.196] lstrlenW (lpString="?") returned 1
[0204.196] lstrlenW (lpString="?") returned 1
[0204.196] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.196] lstrlenW (lpString="rl") returned 2
[0204.196] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.196] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0204.196] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.196] lstrlenW (lpString="|?|") returned 3
[0204.196] lstrlenW (lpString="|rl|") returned 4
[0204.196] RtlRestoreLastWin32Error () returned 0x490
[0204.197] lstrlenW (lpString="s") returned 1
[0204.197] lstrlenW (lpString="s") returned 1
[0204.197] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.197] lstrlenW (lpString="rl") returned 2
[0204.197] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.197] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0204.197] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.197] lstrlenW (lpString="|s|") returned 3
[0204.197] lstrlenW (lpString="|rl|") returned 4
[0204.197] RtlRestoreLastWin32Error () returned 0x490
[0204.197] lstrlenW (lpString="u") returned 1
[0204.197] lstrlenW (lpString="u") returned 1
[0204.197] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.197] lstrlenW (lpString="rl") returned 2
[0204.197] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.197] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0204.197] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.197] lstrlenW (lpString="|u|") returned 3
[0204.197] lstrlenW (lpString="|rl|") returned 4
[0204.197] RtlRestoreLastWin32Error () returned 0x490
[0204.197] lstrlenW (lpString="p") returned 1
[0204.197] lstrlenW (lpString="p") returned 1
[0204.197] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.197] lstrlenW (lpString="rl") returned 2
[0204.197] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.197] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0204.197] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.197] lstrlenW (lpString="|p|") returned 3
[0204.197] lstrlenW (lpString="|rl|") returned 4
[0204.197] RtlRestoreLastWin32Error () returned 0x490
[0204.197] lstrlenW (lpString="ru") returned 2
[0204.198] lstrlenW (lpString="ru") returned 2
[0204.198] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.198] lstrlenW (lpString="rl") returned 2
[0204.198] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.198] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0204.198] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.198] lstrlenW (lpString="|ru|") returned 4
[0204.198] lstrlenW (lpString="|rl|") returned 4
[0204.198] StrStrIW (lpFirst="|ru|", lpSrch="|rl|") returned 0x0
[0204.198] RtlRestoreLastWin32Error () returned 0x490
[0204.198] lstrlenW (lpString="rp") returned 2
[0204.198] lstrlenW (lpString="rp") returned 2
[0204.198] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.198] lstrlenW (lpString="rl") returned 2
[0204.198] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.198] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0204.198] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.198] lstrlenW (lpString="|rp|") returned 4
[0204.198] lstrlenW (lpString="|rl|") returned 4
[0204.198] StrStrIW (lpFirst="|rp|", lpSrch="|rl|") returned 0x0
[0204.198] RtlRestoreLastWin32Error () returned 0x490
[0204.198] lstrlenW (lpString="sc") returned 2
[0204.198] lstrlenW (lpString="sc") returned 2
[0204.198] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.198] lstrlenW (lpString="rl") returned 2
[0204.198] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.198] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.199] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.199] lstrlenW (lpString="|sc|") returned 4
[0204.199] lstrlenW (lpString="|rl|") returned 4
[0204.199] StrStrIW (lpFirst="|sc|", lpSrch="|rl|") returned 0x0
[0204.199] RtlRestoreLastWin32Error () returned 0x490
[0204.199] lstrlenW (lpString="mo") returned 2
[0204.199] lstrlenW (lpString="mo") returned 2
[0204.199] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.199] lstrlenW (lpString="rl") returned 2
[0204.199] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.199] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4
[0204.199] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.199] lstrlenW (lpString="|mo|") returned 4
[0204.199] lstrlenW (lpString="|rl|") returned 4
[0204.199] StrStrIW (lpFirst="|mo|", lpSrch="|rl|") returned 0x0
[0204.199] RtlRestoreLastWin32Error () returned 0x490
[0204.199] lstrlenW (lpString="d") returned 1
[0204.199] lstrlenW (lpString="d") returned 1
[0204.199] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.199] lstrlenW (lpString="rl") returned 2
[0204.199] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.199] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3
[0204.199] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.199] lstrlenW (lpString="|d|") returned 3
[0204.199] lstrlenW (lpString="|rl|") returned 4
[0204.199] RtlRestoreLastWin32Error () returned 0x490
[0204.199] lstrlenW (lpString="m") returned 1
[0204.199] lstrlenW (lpString="m") returned 1
[0204.199] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.199] lstrlenW (lpString="rl") returned 2
[0204.199] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.200] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3
[0204.200] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.200] lstrlenW (lpString="|m|") returned 3
[0204.200] lstrlenW (lpString="|rl|") returned 4
[0204.200] RtlRestoreLastWin32Error () returned 0x490
[0204.200] lstrlenW (lpString="i") returned 1
[0204.200] lstrlenW (lpString="i") returned 1
[0204.200] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.200] lstrlenW (lpString="rl") returned 2
[0204.200] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.200] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3
[0204.200] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.200] lstrlenW (lpString="|i|") returned 3
[0204.200] lstrlenW (lpString="|rl|") returned 4
[0204.200] RtlRestoreLastWin32Error () returned 0x490
[0204.200] lstrlenW (lpString="tn") returned 2
[0204.200] lstrlenW (lpString="tn") returned 2
[0204.200] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.200] lstrlenW (lpString="rl") returned 2
[0204.200] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.200] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.201] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.201] lstrlenW (lpString="|tn|") returned 4
[0204.201] lstrlenW (lpString="|rl|") returned 4
[0204.201] StrStrIW (lpFirst="|tn|", lpSrch="|rl|") returned 0x0
[0204.201] RtlRestoreLastWin32Error () returned 0x490
[0204.201] lstrlenW (lpString="tr") returned 2
[0204.201] lstrlenW (lpString="tr") returned 2
[0204.201] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.201] lstrlenW (lpString="rl") returned 2
[0204.201] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.201] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.201] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.201] lstrlenW (lpString="|tr|") returned 4
[0204.201] lstrlenW (lpString="|rl|") returned 4
[0204.201] StrStrIW (lpFirst="|tr|", lpSrch="|rl|") returned 0x0
[0204.201] RtlRestoreLastWin32Error () returned 0x490
[0204.201] lstrlenW (lpString="st") returned 2
[0204.201] lstrlenW (lpString="st") returned 2
[0204.201] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.201] lstrlenW (lpString="rl") returned 2
[0204.201] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.201] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|st|") returned 4
[0204.201] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.201] lstrlenW (lpString="|st|") returned 4
[0204.201] lstrlenW (lpString="|rl|") returned 4
[0204.201] StrStrIW (lpFirst="|st|", lpSrch="|rl|") returned 0x0
[0204.201] RtlRestoreLastWin32Error () returned 0x490
[0204.201] lstrlenW (lpString="sd") returned 2
[0204.201] lstrlenW (lpString="sd") returned 2
[0204.201] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.201] lstrlenW (lpString="rl") returned 2
[0204.202] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.202] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sd|") returned 4
[0204.202] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.202] lstrlenW (lpString="|sd|") returned 4
[0204.202] lstrlenW (lpString="|rl|") returned 4
[0204.202] StrStrIW (lpFirst="|sd|", lpSrch="|rl|") returned 0x0
[0204.202] RtlRestoreLastWin32Error () returned 0x490
[0204.202] lstrlenW (lpString="ed") returned 2
[0204.202] lstrlenW (lpString="ed") returned 2
[0204.202] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.202] lstrlenW (lpString="rl") returned 2
[0204.202] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.202] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ed|") returned 4
[0204.202] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.202] lstrlenW (lpString="|ed|") returned 4
[0204.202] lstrlenW (lpString="|rl|") returned 4
[0204.202] StrStrIW (lpFirst="|ed|", lpSrch="|rl|") returned 0x0
[0204.202] RtlRestoreLastWin32Error () returned 0x490
[0204.202] lstrlenW (lpString="it") returned 2
[0204.202] lstrlenW (lpString="it") returned 2
[0204.202] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.202] lstrlenW (lpString="rl") returned 2
[0204.202] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.202] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|it|") returned 4
[0204.202] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.202] lstrlenW (lpString="|it|") returned 4
[0204.202] lstrlenW (lpString="|rl|") returned 4
[0204.202] StrStrIW (lpFirst="|it|", lpSrch="|rl|") returned 0x0
[0204.202] RtlRestoreLastWin32Error () returned 0x490
[0204.202] lstrlenW (lpString="et") returned 2
[0204.202] lstrlenW (lpString="et") returned 2
[0204.202] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.203] lstrlenW (lpString="rl") returned 2
[0204.203] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.203] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|et|") returned 4
[0204.203] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.203] lstrlenW (lpString="|et|") returned 4
[0204.203] lstrlenW (lpString="|rl|") returned 4
[0204.203] StrStrIW (lpFirst="|et|", lpSrch="|rl|") returned 0x0
[0204.203] RtlRestoreLastWin32Error () returned 0x490
[0204.203] lstrlenW (lpString="k") returned 1
[0204.203] lstrlenW (lpString="k") returned 1
[0204.203] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.203] lstrlenW (lpString="rl") returned 2
[0204.203] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.203] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|k|") returned 3
[0204.203] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.203] lstrlenW (lpString="|k|") returned 3
[0204.203] lstrlenW (lpString="|rl|") returned 4
[0204.203] RtlRestoreLastWin32Error () returned 0x490
[0204.203] lstrlenW (lpString="du") returned 2
[0204.203] lstrlenW (lpString="du") returned 2
[0204.203] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.203] lstrlenW (lpString="rl") returned 2
[0204.203] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.203] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|du|") returned 4
[0204.203] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.203] lstrlenW (lpString="|du|") returned 4
[0204.203] lstrlenW (lpString="|rl|") returned 4
[0204.203] StrStrIW (lpFirst="|du|", lpSrch="|rl|") returned 0x0
[0204.203] RtlRestoreLastWin32Error () returned 0x490
[0204.203] lstrlenW (lpString="ri") returned 2
[0204.203] lstrlenW (lpString="ri") returned 2
[0204.204] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.204] lstrlenW (lpString="rl") returned 2
[0204.204] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.204] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ri|") returned 4
[0204.204] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.204] lstrlenW (lpString="|ri|") returned 4
[0204.204] lstrlenW (lpString="|rl|") returned 4
[0204.204] StrStrIW (lpFirst="|ri|", lpSrch="|rl|") returned 0x0
[0204.204] RtlRestoreLastWin32Error () returned 0x490
[0204.204] lstrlenW (lpString="z") returned 1
[0204.204] lstrlenW (lpString="z") returned 1
[0204.204] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.204] lstrlenW (lpString="rl") returned 2
[0204.204] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.204] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|z|") returned 3
[0204.204] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.204] lstrlenW (lpString="|z|") returned 3
[0204.204] lstrlenW (lpString="|rl|") returned 4
[0204.204] RtlRestoreLastWin32Error () returned 0x490
[0204.204] lstrlenW (lpString="f") returned 1
[0204.204] lstrlenW (lpString="f") returned 1
[0204.204] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.204] lstrlenW (lpString="rl") returned 2
[0204.204] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.204] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0204.204] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.204] lstrlenW (lpString="|f|") returned 3
[0204.204] lstrlenW (lpString="|rl|") returned 4
[0204.204] RtlRestoreLastWin32Error () returned 0x490
[0204.204] lstrlenW (lpString="v1") returned 2
[0204.204] lstrlenW (lpString="v1") returned 2
[0204.204] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.205] lstrlenW (lpString="rl") returned 2
[0204.205] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.205] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|v1|") returned 4
[0204.205] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.205] lstrlenW (lpString="|v1|") returned 4
[0204.205] lstrlenW (lpString="|rl|") returned 4
[0204.205] StrStrIW (lpFirst="|v1|", lpSrch="|rl|") returned 0x0
[0204.205] RtlRestoreLastWin32Error () returned 0x490
[0204.205] lstrlenW (lpString="xml") returned 3
[0204.205] lstrlenW (lpString="xml") returned 3
[0204.205] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.205] lstrlenW (lpString="rl") returned 2
[0204.205] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.205] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|xml|") returned 5
[0204.205] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.205] lstrlenW (lpString="|xml|") returned 5
[0204.205] lstrlenW (lpString="|rl|") returned 4
[0204.205] StrStrIW (lpFirst="|xml|", lpSrch="|rl|") returned 0x0
[0204.205] RtlRestoreLastWin32Error () returned 0x490
[0204.205] lstrlenW (lpString="ec") returned 2
[0204.205] lstrlenW (lpString="ec") returned 2
[0204.205] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.205] lstrlenW (lpString="rl") returned 2
[0204.205] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.205] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ec|") returned 4
[0204.205] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.205] lstrlenW (lpString="|ec|") returned 4
[0204.205] lstrlenW (lpString="|rl|") returned 4
[0204.205] StrStrIW (lpFirst="|ec|", lpSrch="|rl|") returned 0x0
[0204.205] RtlRestoreLastWin32Error () returned 0x490
[0204.205] lstrlenW (lpString="rl") returned 2
[0204.206] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.206] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.206] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.206] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rl|") returned 4
[0204.206] StrStrIW (lpFirst="|rl|", lpSrch="|rl|") returned="|rl|"
[0204.206] RtlRestoreLastWin32Error () returned 0x0
[0204.206] RtlRestoreLastWin32Error () returned 0x0
[0204.206] lstrlenW (lpString="highest") returned 7
[0204.206] StrChrIW (lpStart="-/", wMatch=0x680068) returned 0x0
[0204.206] RtlRestoreLastWin32Error () returned 0x490
[0204.206] RtlRestoreLastWin32Error () returned 0x490
[0204.206] RtlRestoreLastWin32Error () returned 0x0
[0204.206] lstrlenW (lpString="highest") returned 7
[0204.206] StrChrIW (lpStart="highest", wMatch=0x3a) returned 0x0
[0204.206] RtlRestoreLastWin32Error () returned 0x490
[0204.206] RtlRestoreLastWin32Error () returned 0x0
[0204.206] _memicmp (_Buf1=0x44ad20, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.206] lstrlenW (lpString="highest") returned 7
[0204.206] lstrlenW (lpString="highest") returned 7
[0204.206] lstrlenW (lpString=" \x09") returned 2
[0204.206] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0
[0204.206] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0
[0204.206] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0
[0204.206] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0
[0204.206] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0
[0204.206] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0
[0204.206] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0
[0204.206] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0
[0204.206] GetLastError () returned 0x0
[0204.206] lstrlenW (lpString="highest") returned 7
[0204.207] lstrlenW (lpString="highest") returned 7
[0204.207] RtlRestoreLastWin32Error () returned 0x0
[0204.207] RtlRestoreLastWin32Error () returned 0x0
[0204.207] lstrlenW (lpString="/tn") returned 3
[0204.207] lstrlenW (lpString="-/") returned 2
[0204.207] StrChrIW (lpStart="-/", wMatch=0x68002f) returned="/"
[0204.207] lstrlenW (lpString="create") returned 6
[0204.207] lstrlenW (lpString="create") returned 6
[0204.207] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.207] lstrlenW (lpString="tn") returned 2
[0204.207] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.207] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0204.207] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.207] lstrlenW (lpString="|create|") returned 8
[0204.207] lstrlenW (lpString="|tn|") returned 4
[0204.207] StrStrIW (lpFirst="|create|", lpSrch="|tn|") returned 0x0
[0204.207] RtlRestoreLastWin32Error () returned 0x490
[0204.207] lstrlenW (lpString="?") returned 1
[0204.207] lstrlenW (lpString="?") returned 1
[0204.207] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.207] lstrlenW (lpString="tn") returned 2
[0204.207] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.207] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0204.207] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.207] lstrlenW (lpString="|?|") returned 3
[0204.207] lstrlenW (lpString="|tn|") returned 4
[0204.208] RtlRestoreLastWin32Error () returned 0x490
[0204.208] lstrlenW (lpString="s") returned 1
[0204.208] lstrlenW (lpString="s") returned 1
[0204.208] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.208] lstrlenW (lpString="tn") returned 2
[0204.208] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.208] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0204.208] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.208] lstrlenW (lpString="|s|") returned 3
[0204.208] lstrlenW (lpString="|tn|") returned 4
[0204.208] RtlRestoreLastWin32Error () returned 0x490
[0204.208] lstrlenW (lpString="u") returned 1
[0204.208] lstrlenW (lpString="u") returned 1
[0204.208] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.208] lstrlenW (lpString="tn") returned 2
[0204.208] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.208] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0204.208] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.208] lstrlenW (lpString="|u|") returned 3
[0204.208] lstrlenW (lpString="|tn|") returned 4
[0204.208] RtlRestoreLastWin32Error () returned 0x490
[0204.208] lstrlenW (lpString="p") returned 1
[0204.208] lstrlenW (lpString="p") returned 1
[0204.208] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.208] lstrlenW (lpString="tn") returned 2
[0204.208] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.209] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0204.209] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.209] lstrlenW (lpString="|p|") returned 3
[0204.209] lstrlenW (lpString="|tn|") returned 4
[0204.209] RtlRestoreLastWin32Error () returned 0x490
[0204.209] lstrlenW (lpString="ru") returned 2
[0204.209] lstrlenW (lpString="ru") returned 2
[0204.209] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.209] lstrlenW (lpString="tn") returned 2
[0204.209] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.209] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0204.209] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.209] lstrlenW (lpString="|ru|") returned 4
[0204.209] lstrlenW (lpString="|tn|") returned 4
[0204.209] StrStrIW (lpFirst="|ru|", lpSrch="|tn|") returned 0x0
[0204.209] RtlRestoreLastWin32Error () returned 0x490
[0204.209] lstrlenW (lpString="rp") returned 2
[0204.209] lstrlenW (lpString="rp") returned 2
[0204.209] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.209] lstrlenW (lpString="tn") returned 2
[0204.209] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.209] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0204.209] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.209] lstrlenW (lpString="|rp|") returned 4
[0204.209] lstrlenW (lpString="|tn|") returned 4
[0204.209] StrStrIW (lpFirst="|rp|", lpSrch="|tn|") returned 0x0
[0204.209] RtlRestoreLastWin32Error () returned 0x490
[0204.209] lstrlenW (lpString="sc") returned 2
[0204.209] lstrlenW (lpString="sc") returned 2
[0204.209] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.209] lstrlenW (lpString="tn") returned 2
[0204.210] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.210] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.210] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.210] lstrlenW (lpString="|sc|") returned 4
[0204.210] lstrlenW (lpString="|tn|") returned 4
[0204.210] StrStrIW (lpFirst="|sc|", lpSrch="|tn|") returned 0x0
[0204.210] RtlRestoreLastWin32Error () returned 0x490
[0204.210] lstrlenW (lpString="mo") returned 2
[0204.210] lstrlenW (lpString="mo") returned 2
[0204.210] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.210] lstrlenW (lpString="tn") returned 2
[0204.210] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.210] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4
[0204.210] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.210] lstrlenW (lpString="|mo|") returned 4
[0204.210] lstrlenW (lpString="|tn|") returned 4
[0204.210] StrStrIW (lpFirst="|mo|", lpSrch="|tn|") returned 0x0
[0204.210] RtlRestoreLastWin32Error () returned 0x490
[0204.210] lstrlenW (lpString="d") returned 1
[0204.210] lstrlenW (lpString="d") returned 1
[0204.210] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.210] lstrlenW (lpString="tn") returned 2
[0204.210] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.210] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3
[0204.210] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.210] lstrlenW (lpString="|d|") returned 3
[0204.210] lstrlenW (lpString="|tn|") returned 4
[0204.210] RtlRestoreLastWin32Error () returned 0x490
[0204.210] lstrlenW (lpString="m") returned 1
[0204.210] lstrlenW (lpString="m") returned 1
[0204.210] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.210] lstrlenW (lpString="tn") returned 2
[0204.211] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.211] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3
[0204.211] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.211] lstrlenW (lpString="|m|") returned 3
[0204.211] lstrlenW (lpString="|tn|") returned 4
[0204.211] RtlRestoreLastWin32Error () returned 0x490
[0204.211] lstrlenW (lpString="i") returned 1
[0204.211] lstrlenW (lpString="i") returned 1
[0204.211] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.211] lstrlenW (lpString="tn") returned 2
[0204.211] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.211] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3
[0204.211] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.211] lstrlenW (lpString="|i|") returned 3
[0204.211] lstrlenW (lpString="|tn|") returned 4
[0204.211] RtlRestoreLastWin32Error () returned 0x490
[0204.211] lstrlenW (lpString="tn") returned 2
[0204.211] lstrlenW (lpString="tn") returned 2
[0204.211] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.211] lstrlenW (lpString="tn") returned 2
[0204.211] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.211] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.211] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.211] lstrlenW (lpString="|tn|") returned 4
[0204.211] lstrlenW (lpString="|tn|") returned 4
[0204.211] StrStrIW (lpFirst="|tn|", lpSrch="|tn|") returned="|tn|"
[0204.211] RtlRestoreLastWin32Error () returned 0x0
[0204.211] RtlRestoreLastWin32Error () returned 0x0
[0204.211] lstrlenW (lpString="") returned 0
[0204.211] RtlRestoreLastWin32Error () returned 0x490
[0204.211] RtlRestoreLastWin32Error () returned 0x0
[0204.211] lstrlenW (lpString="") returned 0
[0204.211] RtlRestoreLastWin32Error () returned 0x490
[0204.211] RtlRestoreLastWin32Error () returned 0x0
[0204.212] lstrlenW (lpString="") returned 0
[0204.212] RtlRestoreLastWin32Error () returned 0x0
[0204.212] RtlRestoreLastWin32Error () returned 0x0
[0204.212] lstrlenW (lpString="/tr") returned 3
[0204.212] lstrlenW (lpString="-/") returned 2
[0204.212] StrChrIW (lpStart="-/", wMatch=0x68002f) returned="/"
[0204.212] lstrlenW (lpString="create") returned 6
[0204.212] lstrlenW (lpString="create") returned 6
[0204.212] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.212] lstrlenW (lpString="tr") returned 2
[0204.212] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.212] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0204.212] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.212] lstrlenW (lpString="|create|") returned 8
[0204.212] lstrlenW (lpString="|tr|") returned 4
[0204.212] StrStrIW (lpFirst="|create|", lpSrch="|tr|") returned 0x0
[0204.212] RtlRestoreLastWin32Error () returned 0x490
[0204.212] lstrlenW (lpString="?") returned 1
[0204.212] lstrlenW (lpString="?") returned 1
[0204.212] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.212] lstrlenW (lpString="tr") returned 2
[0204.212] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.212] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0204.212] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.212] lstrlenW (lpString="|?|") returned 3
[0204.212] lstrlenW (lpString="|tr|") returned 4
[0204.212] RtlRestoreLastWin32Error () returned 0x490
[0204.212] lstrlenW (lpString="s") returned 1
[0204.212] lstrlenW (lpString="s") returned 1
[0204.212] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.212] lstrlenW (lpString="tr") returned 2
[0204.212] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.212] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0204.213] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.213] lstrlenW (lpString="|s|") returned 3
[0204.213] lstrlenW (lpString="|tr|") returned 4
[0204.213] RtlRestoreLastWin32Error () returned 0x490
[0204.213] lstrlenW (lpString="u") returned 1
[0204.213] lstrlenW (lpString="u") returned 1
[0204.213] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.213] lstrlenW (lpString="tr") returned 2
[0204.213] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.213] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0204.213] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.213] lstrlenW (lpString="|u|") returned 3
[0204.213] lstrlenW (lpString="|tr|") returned 4
[0204.213] RtlRestoreLastWin32Error () returned 0x490
[0204.213] lstrlenW (lpString="p") returned 1
[0204.213] lstrlenW (lpString="p") returned 1
[0204.213] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.213] lstrlenW (lpString="tr") returned 2
[0204.213] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.213] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0204.213] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.213] lstrlenW (lpString="|p|") returned 3
[0204.213] lstrlenW (lpString="|tr|") returned 4
[0204.213] RtlRestoreLastWin32Error () returned 0x490
[0204.213] lstrlenW (lpString="ru") returned 2
[0204.213] lstrlenW (lpString="ru") returned 2
[0204.213] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.213] lstrlenW (lpString="tr") returned 2
[0204.213] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.214] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0204.214] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.214] lstrlenW (lpString="|ru|") returned 4
[0204.214] lstrlenW (lpString="|tr|") returned 4
[0204.214] StrStrIW (lpFirst="|ru|", lpSrch="|tr|") returned 0x0
[0204.214] RtlRestoreLastWin32Error () returned 0x490
[0204.214] lstrlenW (lpString="rp") returned 2
[0204.214] lstrlenW (lpString="rp") returned 2
[0204.214] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.214] lstrlenW (lpString="tr") returned 2
[0204.214] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.214] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0204.214] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.214] lstrlenW (lpString="|rp|") returned 4
[0204.214] lstrlenW (lpString="|tr|") returned 4
[0204.214] StrStrIW (lpFirst="|rp|", lpSrch="|tr|") returned 0x0
[0204.214] RtlRestoreLastWin32Error () returned 0x490
[0204.214] lstrlenW (lpString="sc") returned 2
[0204.214] lstrlenW (lpString="sc") returned 2
[0204.214] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.214] lstrlenW (lpString="tr") returned 2
[0204.214] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.214] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0204.214] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.214] lstrlenW (lpString="|sc|") returned 4
[0204.214] lstrlenW (lpString="|tr|") returned 4
[0204.214] StrStrIW (lpFirst="|sc|", lpSrch="|tr|") returned 0x0
[0204.214] RtlRestoreLastWin32Error () returned 0x490
[0204.214] lstrlenW (lpString="mo") returned 2
[0204.214] lstrlenW (lpString="mo") returned 2
[0204.214] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.214] lstrlenW (lpString="tr") returned 2
[0204.214] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.214] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4
[0204.215] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.215] lstrlenW (lpString="|mo|") returned 4
[0204.215] lstrlenW (lpString="|tr|") returned 4
[0204.215] StrStrIW (lpFirst="|mo|", lpSrch="|tr|") returned 0x0
[0204.215] RtlRestoreLastWin32Error () returned 0x490
[0204.215] lstrlenW (lpString="d") returned 1
[0204.215] lstrlenW (lpString="d") returned 1
[0204.215] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.215] lstrlenW (lpString="tr") returned 2
[0204.215] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.215] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3
[0204.215] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.215] lstrlenW (lpString="|d|") returned 3
[0204.215] lstrlenW (lpString="|tr|") returned 4
[0204.215] RtlRestoreLastWin32Error () returned 0x490
[0204.215] lstrlenW (lpString="m") returned 1
[0204.215] lstrlenW (lpString="m") returned 1
[0204.215] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.215] lstrlenW (lpString="tr") returned 2
[0204.215] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.215] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3
[0204.215] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.215] lstrlenW (lpString="|m|") returned 3
[0204.215] lstrlenW (lpString="|tr|") returned 4
[0204.215] RtlRestoreLastWin32Error () returned 0x490
[0204.215] lstrlenW (lpString="i") returned 1
[0204.215] lstrlenW (lpString="i") returned 1
[0204.215] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.215] lstrlenW (lpString="tr") returned 2
[0204.215] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.215] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3
[0204.215] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.216] lstrlenW (lpString="|i|") returned 3
[0204.216] lstrlenW (lpString="|tr|") returned 4
[0204.216] RtlRestoreLastWin32Error () returned 0x490
[0204.216] lstrlenW (lpString="tn") returned 2
[0204.216] lstrlenW (lpString="tn") returned 2
[0204.216] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.216] lstrlenW (lpString="tr") returned 2
[0204.216] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.216] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0204.216] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.216] lstrlenW (lpString="|tn|") returned 4
[0204.216] lstrlenW (lpString="|tr|") returned 4
[0204.216] StrStrIW (lpFirst="|tn|", lpSrch="|tr|") returned 0x0
[0204.216] RtlRestoreLastWin32Error () returned 0x490
[0204.216] lstrlenW (lpString="tr") returned 2
[0204.216] lstrlenW (lpString="tr") returned 2
[0204.216] _memicmp (_Buf1=0x4474f8, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.216] lstrlenW (lpString="tr") returned 2
[0204.216] _memicmp (_Buf1=0x447540, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.216] _vsnwprintf (in: _Buffer=0x4493f0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.216] _vsnwprintf (in: _Buffer=0x449750, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0204.216] lstrlenW (lpString="|tr|") returned 4
[0204.216] lstrlenW (lpString="|tr|") returned 4
[0204.216] StrStrIW (lpFirst="|tr|", lpSrch="|tr|") returned="|tr|"
[0204.216] RtlRestoreLastWin32Error () returned 0x0
[0204.216] RtlRestoreLastWin32Error () returned 0x0
[0204.216] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.216] lstrlenW (lpString="-/") returned 2
[0204.216] StrChrIW (lpStart="-/", wMatch=0x680027) returned 0x0
[0204.216] RtlRestoreLastWin32Error () returned 0x490
[0204.216] RtlRestoreLastWin32Error () returned 0x490
[0204.216] RtlRestoreLastWin32Error () returned 0x0
[0204.216] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.216] StrChrIW (lpStart="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'"
[0204.216] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.217] _memicmp (_Buf1=0x447570, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.217] _memicmp (_Buf1=0x44aa68, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.217] RtlRestoreLastWin32Error () returned 0x7a
[0204.217] RtlRestoreLastWin32Error () returned 0x0
[0204.217] RtlRestoreLastWin32Error () returned 0x0
[0204.217] lstrlenW (lpString="'C") returned 2
[0204.217] lstrlenW (lpString="-/") returned 2
[0204.217] StrChrIW (lpStart="-/", wMatch=0x440027) returned 0x0
[0204.217] RtlRestoreLastWin32Error () returned 0x490
[0204.217] RtlRestoreLastWin32Error () returned 0x490
[0204.217] RtlRestoreLastWin32Error () returned 0x0
[0204.217] _memicmp (_Buf1=0x44ad20, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.217] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.217] GetProcessHeap () returned 0x440000
[0204.217] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44ac90) returned 1
[0204.217] GetProcessHeap () returned 0x440000
[0204.217] RtlReAllocateHeap (Heap=0x440000, Flags=0xc, Ptr=0x44ac90, Size=0x5a) returned 0x44ae78
[0204.217] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.217] lstrlenW (lpString=" \x09") returned 2
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x27) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x27) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x3a) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x55) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x68) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x4a) returned 0x0
[0204.217] StrChrW (lpStart=" \x09", wMatch=0x30) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x76) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x7a) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x58) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0
[0204.218] StrChrW (lpStart=" \x09", wMatch=0x27) returned 0x0
[0204.218] GetLastError () returned 0x0
[0204.218] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.218] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.218] RtlRestoreLastWin32Error () returned 0x0
[0204.218] GetProcessHeap () returned 0x440000
[0204.218] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449450
[0204.219] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.219] LoadStringW (in: hInstance=0x0, uID=0x20d, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="LIMITED") returned 0x7
[0204.219] lstrlenW (lpString="LIMITED") returned 7
[0204.219] GetProcessHeap () returned 0x440000
[0204.219] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x44aba0
[0204.219] GetThreadLocale () returned 0x409
[0204.219] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="highest", cchCount1=-1, lpString2="LIMITED", cchCount2=-1) returned 1
[0204.219] GetProcessHeap () returned 0x440000
[0204.219] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449470
[0204.219] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.219] LoadStringW (in: hInstance=0x0, uID=0x20e, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="HIGHEST") returned 0x7
[0204.219] lstrlenW (lpString="HIGHEST") returned 7
[0204.219] GetProcessHeap () returned 0x440000
[0204.219] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x44ac78
[0204.219] GetThreadLocale () returned 0x409
[0204.219] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="highest", cchCount1=-1, lpString2="HIGHEST", cchCount2=-1) returned 2
[0204.219] GetProcessHeap () returned 0x440000
[0204.219] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4495b0
[0204.219] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.219] LoadStringW (in: hInstance=0x0, uID=0x1ae, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="MINUTE") returned 0x6
[0204.219] lstrlenW (lpString="MINUTE") returned 6
[0204.219] GetProcessHeap () returned 0x440000
[0204.219] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0xe) returned 0x44aac8
[0204.219] GetThreadLocale () returned 0x409
[0204.219] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="MINUTE", cchCount2=-1) returned 3
[0204.219] GetProcessHeap () returned 0x440000
[0204.219] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449410
[0204.219] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.219] LoadStringW (in: hInstance=0x0, uID=0x1af, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="HOURLY") returned 0x6
[0204.219] lstrlenW (lpString="HOURLY") returned 6
[0204.219] GetProcessHeap () returned 0x440000
[0204.220] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0xe) returned 0x44abd0
[0204.220] GetThreadLocale () returned 0x409
[0204.220] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="HOURLY", cchCount2=-1) returned 3
[0204.220] GetProcessHeap () returned 0x440000
[0204.220] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x4495f0
[0204.220] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.220] LoadStringW (in: hInstance=0x0, uID=0x1b0, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="DAILY") returned 0x5
[0204.220] lstrlenW (lpString="DAILY") returned 5
[0204.220] GetProcessHeap () returned 0x440000
[0204.220] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0xc) returned 0x44ac48
[0204.220] GetThreadLocale () returned 0x409
[0204.220] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="DAILY", cchCount2=-1) returned 3
[0204.220] GetProcessHeap () returned 0x440000
[0204.220] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449650
[0204.220] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.220] LoadStringW (in: hInstance=0x0, uID=0x1b1, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="WEEKLY") returned 0x6
[0204.220] lstrlenW (lpString="WEEKLY") returned 6
[0204.220] GetProcessHeap () returned 0x440000
[0204.220] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0xe) returned 0x44abb8
[0204.220] GetThreadLocale () returned 0x409
[0204.220] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="WEEKLY", cchCount2=-1) returned 1
[0204.220] GetProcessHeap () returned 0x440000
[0204.220] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x14) returned 0x449610
[0204.220] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.220] LoadStringW (in: hInstance=0x0, uID=0x1b2, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="MONTHLY") returned 0x7
[0204.220] lstrlenW (lpString="MONTHLY") returned 7
[0204.220] GetProcessHeap () returned 0x440000
[0204.220] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x10) returned 0x44ac00
[0204.220] GetThreadLocale () returned 0x409
[0204.220] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="MONTHLY", cchCount2=-1) returned 3
[0204.220] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.220] LoadStringW (in: hInstance=0x0, uID=0x1b3, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="ONCE") returned 0x4
[0204.220] lstrlenW (lpString="ONCE") returned 4
[0204.220] GetProcessHeap () returned 0x440000
[0204.220] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0xa) returned 0x44ab10
[0204.221] GetThreadLocale () returned 0x409
[0204.221] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="ONCE", cchCount2=-1) returned 3
[0204.221] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.221] LoadStringW (in: hInstance=0x0, uID=0x1b4, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="ONSTART") returned 0x7
[0204.221] lstrlenW (lpString="ONSTART") returned 7
[0204.221] GetThreadLocale () returned 0x409
[0204.221] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="ONSTART", cchCount2=-1) returned 1
[0204.221] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.221] LoadStringW (in: hInstance=0x0, uID=0x1b5, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="ONLOGON") returned 0x7
[0204.221] lstrlenW (lpString="ONLOGON") returned 7
[0204.221] GetThreadLocale () returned 0x409
[0204.221] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="onlogon", cchCount1=-1, lpString2="ONLOGON", cchCount2=-1) returned 2
[0204.221] RtlRestoreLastWin32Error () returned 0x0
[0204.221] GetProcessHeap () returned 0x440000
[0204.221] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x1fc) returned 0x449e20
[0204.221] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.221] LoadStringW (in: hInstance=0x0, uID=0x1d7, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="First") returned 0x5
[0204.221] lstrlenW (lpString="First") returned 5
[0204.221] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.221] LoadStringW (in: hInstance=0x0, uID=0x1d8, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="Second") returned 0x6
[0204.221] lstrlenW (lpString="Second") returned 6
[0204.221] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.221] LoadStringW (in: hInstance=0x0, uID=0x1d9, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="Third") returned 0x5
[0204.221] lstrlenW (lpString="Third") returned 5
[0204.221] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.221] LoadStringW (in: hInstance=0x0, uID=0x1da, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="Fourth") returned 0x6
[0204.221] lstrlenW (lpString="Fourth") returned 6
[0204.221] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.221] LoadStringW (in: hInstance=0x0, uID=0x1db, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="Last") returned 0x4
[0204.221] lstrlenW (lpString="Last") returned 4
[0204.222] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.222] LoadStringW (in: hInstance=0x0, uID=0x1d7, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="First") returned 0x5
[0204.222] lstrlenW (lpString="First") returned 5
[0204.222] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.222] LoadStringW (in: hInstance=0x0, uID=0x1d8, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="Second") returned 0x6
[0204.222] lstrlenW (lpString="Second") returned 6
[0204.222] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.222] LoadStringW (in: hInstance=0x0, uID=0x1d9, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="Third") returned 0x5
[0204.222] lstrlenW (lpString="Third") returned 5
[0204.222] GetProcessHeap () returned 0x440000
[0204.222] GetProcessHeap () returned 0x440000
[0204.222] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44ab10) returned 1
[0204.222] GetProcessHeap () returned 0x440000
[0204.222] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44ab10) returned 0xa
[0204.222] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44ab10) returned 1
[0204.222] GetProcessHeap () returned 0x440000
[0204.222] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0xc) returned 0x44acd8
[0204.222] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.222] LoadStringW (in: hInstance=0x0, uID=0x1da, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="Fourth") returned 0x6
[0204.222] lstrlenW (lpString="Fourth") returned 6
[0204.222] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.222] LoadStringW (in: hInstance=0x0, uID=0x1db, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="Last") returned 0x4
[0204.222] lstrlenW (lpString="Last") returned 4
[0204.222] GetLocaleInfoW (in: Locale=0x400, LCType=0x21, lpLCData=0xdcde8, cchData=128 | out: lpLCData="0") returned 2
[0204.222] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.222] LoadStringW (in: hInstance=0x0, uID=0x19c, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="mm/dd/yyyy") returned 0xa
[0204.222] lstrlenW (lpString="mm/dd/yyyy") returned 10
[0204.222] GetProcessHeap () returned 0x440000
[0204.223] GetProcessHeap () returned 0x440000
[0204.223] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44aba0) returned 1
[0204.223] GetProcessHeap () returned 0x440000
[0204.223] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44aba0) returned 0x10
[0204.223] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44aba0) returned 1
[0204.223] GetProcessHeap () returned 0x440000
[0204.223] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x16) returned 0x449690
[0204.223] GetLocaleInfoW (in: Locale=0x400, LCType=0x21, lpLCData=0xdcdec, cchData=128 | out: lpLCData="0") returned 2
[0204.223] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.223] LoadStringW (in: hInstance=0x0, uID=0x19c, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="mm/dd/yyyy") returned 0xa
[0204.223] lstrlenW (lpString="mm/dd/yyyy") returned 10
[0204.223] GetProcessHeap () returned 0x440000
[0204.223] GetProcessHeap () returned 0x440000
[0204.223] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44ac78) returned 1
[0204.223] GetProcessHeap () returned 0x440000
[0204.223] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44ac78) returned 0x10
[0204.223] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44ac78) returned 1
[0204.223] GetProcessHeap () returned 0x440000
[0204.223] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x16) returned 0x4496b0
[0204.223] GetLocalTime (in: lpSystemTime=0xdcfcc | out: lpSystemTime=0xdcfcc*(wYear=0x7e6, wMonth=0x8, wDayOfWeek=0x5, wDay=0x5, wHour=0x16, wMinute=0x1, wSecond=0xc, wMilliseconds=0x394))
[0204.223] GetLocalTime (in: lpSystemTime=0xdd480 | out: lpSystemTime=0xdd480*(wYear=0x7e6, wMonth=0x8, wDayOfWeek=0x5, wDay=0x5, wHour=0x16, wMinute=0x1, wSecond=0xc, wMilliseconds=0x394))
[0204.223] lstrlenW (lpString="") returned 0
[0204.223] lstrlenW (lpString="") returned 0
[0204.223] lstrlenW (lpString="") returned 0
[0204.223] lstrlenW (lpString="") returned 0
[0204.223] lstrlenW (lpString="") returned 0
[0204.223] lstrlenW (lpString="") returned 0
[0204.223] lstrlenW (lpString="") returned 0
[0204.223] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0204.227] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0204.289] CoCreateInstance (in: rclsid=0xba26c0*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xba26d0*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0xdd39c | out: ppv=0xdd39c*=0x6837c0) returned 0x0
[0204.388] TaskScheduler:ITaskService:Connect (This=0x6837c0, serverName=0xdd34c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0xdd35c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), domain=0xdd36c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0xdd37c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0
[0204.453] TaskScheduler:ITaskService:GetFolder (in: This=0x6837c0, Path=0x0, ppFolder=0xdd464 | out: ppFolder=0xdd464*=0x6838e8) returned 0x0
[0204.457] TaskScheduler:ITaskService:NewTask (in: This=0x6837c0, flags=0x0, ppDefinition=0xdd474 | out: ppDefinition=0xdd474*=0x683938) returned 0x0
[0204.458] ITaskDefinition:get_Actions (in: This=0x683938, ppActions=0xdd3e8 | out: ppActions=0xdd3e8*=0x683988) returned 0x0
[0204.458] IActionCollection:Create (in: This=0x683988, Type=0, ppAction=0xdd3ec | out: ppAction=0xdd3ec*=0x683be0) returned 0x0
[0204.458] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.458] lstrlenW (lpString="'C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe'") returned 44
[0204.458] lstrlenW (lpString=" ") returned 1
[0204.458] StrChrW (lpStart=" ", wMatch=0x27) returned 0x0
[0204.458] StrChrW (lpStart=" ", wMatch=0x27) returned 0x0
[0204.458] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0
[0204.458] StrChrW (lpStart=" ", wMatch=0x3a) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x55) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x72) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x52) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x44) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x68) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x4a) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x4e) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x46) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x76) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x7a) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x58) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x41) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x70) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x70) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x44) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0
[0204.459] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x52) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x6f) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x6d) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x6e) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x67) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x2e) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0
[0204.460] StrChrW (lpStart=" ", wMatch=0x27) returned 0x0
[0204.460] IUnknown:Release (This=0x683be0) returned 0x1
[0204.460] IUnknown:Release (This=0x683988) returned 0x1
[0204.460] ITaskDefinition:get_Triggers (in: This=0x683938, ppTriggers=0xdcfb8 | out: ppTriggers=0xdcfb8*=0x683b28) returned 0x0
[0204.461] ITriggerCollection:Create (in: This=0x683b28, Type=9, ppTrigger=0xdcfcc | out: ppTrigger=0xdcfcc*=0x683c20) returned 0x0
[0204.461] IUnknown:QueryInterface (in: This=0x683c20, riid=0xba13b4*(Data1=0x72dade38, Data2=0xfae4, Data3=0x4b3e, Data4=([0]=0xba, [1]=0xf4, [2]=0x5d, [3]=0x0, [4]=0x9a, [5]=0xf0, [6]=0x2b, [7]=0x1c)), ppvObject=0xdcfb4 | out: ppvObject=0xdcfb4*=0x683c20) returned 0x0
[0204.461] IUnknown:Release (This=0x683c20) returned 0x2
[0204.461] _vsnwprintf (in: _Buffer=0xdcf3c, _BufferCount=0x1f, _Format="%04u-%02u-%02dT%02u:%02u:00", _ArgList=0xdcf1c | out: _Buffer="2022-08-05T22:01:00") returned 19
[0204.461] ITrigger:put_StartBoundary (This=0x683c20, StartBoundary="2022-08-05T22:01:00") returned 0x0
[0204.461] lstrlenW (lpString="") returned 0
[0204.462] lstrlenW (lpString="") returned 0
[0204.462] lstrlenW (lpString="") returned 0
[0204.462] lstrlenW (lpString="") returned 0
[0204.462] IUnknown:Release (This=0x683c20) returned 0x1
[0204.462] IUnknown:Release (This=0x683b28) returned 0x1
[0204.462] ITaskDefinition:get_Settings (in: This=0x683938, ppSettings=0xdd3f4 | out: ppSettings=0xdd3f4*=0x683a40) returned 0x0
[0204.462] lstrlenW (lpString="") returned 0
[0204.462] IUnknown:Release (This=0x683a40) returned 0x3
[0204.462] GetLocalTime (in: lpSystemTime=0xdd2e8 | out: lpSystemTime=0xdd2e8*(wYear=0x7e6, wMonth=0x8, wDayOfWeek=0x5, wDay=0x5, wHour=0x16, wMinute=0x1, wSecond=0xd, wMilliseconds=0x9c))
[0204.462] ResolveDelayLoadedAPI () returned 0x73f0c5f0
[0204.463] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0xdd2f8, nSize=0xdd2e0 | out: lpNameBuffer="XC64ZB\\RDhJ0CNFevzX", nSize=0xdd2e0) returned 0x1
[0204.463] ITaskDefinition:get_RegistrationInfo (in: This=0x683938, ppRegistrationInfo=0xdd2e4 | out: ppRegistrationInfo=0xdd2e4*=0x6839d0) returned 0x0
[0204.463] IRegistrationInfo:put_Author (This=0x6839d0, Author="XC64ZB\\RDhJ0CNFevzX") returned 0x0
[0204.463] _vsnwprintf (in: _Buffer=0xdd2f8, _BufferCount=0x7f, _Format="%d-%02d-%02dT%02d:%02d:%02d", _ArgList=0xdd2b8 | out: _Buffer="2022-08-05T22:01:13") returned 19
[0204.464] IRegistrationInfo:put_Date (This=0x6839d0, Date="2022-08-05T22:01:13") returned 0x0
[0204.464] IUnknown:Release (This=0x6839d0) returned 0x1
[0204.464] malloc (_Size=0xc) returned 0x683cb0
[0204.464] free (_Block=0x683cb0)
[0204.464] lstrlenW (lpString="") returned 0
[0204.464] ITaskDefinition:get_Principal (in: This=0x683938, ppPrincipal=0xdd47c | out: ppPrincipal=0xdd47c*=0x683b68) returned 0x0
[0204.464] IPrincipal:put_RunLevel (This=0x683b68, RunLevel=1) returned 0x0
[0204.464] IUnknown:Release (This=0x683b68) returned 0x1
[0204.464] malloc (_Size=0xc) returned 0x683cb0
[0204.465] ITaskFolder:RegisterTaskDefinition (in: This=0x6838e8, Path="", pDefinition=0x683938, flags=6, UserId=0xdd3d8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0xdd3e8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), LogonType=3, sddl=0xdd3fc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), ppTask=0xdd444 | out: ppTask=0xdd444*=0x682a18) returned 0x0
[0204.775] free (_Block=0x683cb0)
[0204.775] _memicmp (_Buf1=0x4474e0, _Buf2=0xba2708, _Size=0x7) returned 0
[0204.775] LoadStringW (in: hInstance=0x0, uID=0x12e, lpBuffer=0x44a800, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 0x40
[0204.775] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 64
[0204.775] GetProcessHeap () returned 0x440000
[0204.775] GetProcessHeap () returned 0x440000
[0204.775] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44aac8) returned 1
[0204.775] GetProcessHeap () returned 0x440000
[0204.775] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44aac8) returned 0xe
[0204.775] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44aac8) returned 1
[0204.775] GetProcessHeap () returned 0x440000
[0204.775] RtlAllocateHeap (HeapHandle=0x440000, Flags=0xc, Size=0x82) returned 0x459458
[0204.775] _vsnwprintf (in: _Buffer=0xdd898, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" has successfully been created.\n", _ArgList=0xdd40c | out: _Buffer="SUCCESS: The scheduled task \"\" has successfully been created.\n") returned 62
[0204.775] __iob_func () returned 0x76b41208
[0204.776] _fileno (_File=0x76b41228) returned 1
[0204.776] _errno () returned 0x6805b0
[0204.776] _get_osfhandle (_FileHandle=1) returned 0x3c
[0204.776] _errno () returned 0x6805b0
[0204.776] GetFileType (hFile=0x3c) returned 0x2
[0204.776] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0204.776] GetFileType (hFile=0x3c) returned 0x2
[0204.776] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdd3e0 | out: lpMode=0xdd3e0) returned 1
[0205.033] __iob_func () returned 0x76b41208
[0205.033] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0205.033] lstrlenW (lpString="SUCCESS: The scheduled task \"\" has successfully been created.\n") returned 62
[0205.033] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xdd898*, nNumberOfCharsToWrite=0x3e, lpNumberOfCharsWritten=0xdd404, lpReserved=0x0 | out: lpBuffer=0xdd898*, lpNumberOfCharsWritten=0xdd404*=0x3e) returned 1
[0205.128] IUnknown:Release (This=0x682a18) returned 0x0
[0205.128] TaskScheduler:IUnknown:Release (This=0x683938) returned 0x0
[0205.128] TaskScheduler:IUnknown:Release (This=0x6838e8) returned 0x0
[0205.128] TaskScheduler:IUnknown:Release (This=0x6837c0) returned 0x0
[0205.128] lstrlenW (lpString="") returned 0
[0205.128] GetProcessHeap () returned 0x440000
[0205.128] GetProcessHeap () returned 0x440000
[0205.128] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449e20) returned 1
[0205.128] GetProcessHeap () returned 0x440000
[0205.128] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449e20) returned 0x1fc
[0205.129] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449e20) returned 1
[0205.129] GetProcessHeap () returned 0x440000
[0205.129] GetProcessHeap () returned 0x440000
[0205.129] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4494b0) returned 1
[0205.129] GetProcessHeap () returned 0x440000
[0205.129] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4494b0) returned 0x16
[0205.129] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4494b0) returned 1
[0205.129] GetProcessHeap () returned 0x440000
[0205.129] GetProcessHeap () returned 0x440000
[0205.129] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44ab88) returned 1
[0205.129] GetProcessHeap () returned 0x440000
[0205.129] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44ab88) returned 0x10
[0205.130] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44ab88) returned 1
[0205.130] GetProcessHeap () returned 0x440000
[0205.130] GetProcessHeap () returned 0x440000
[0205.130] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449490) returned 1
[0205.130] GetProcessHeap () returned 0x440000
[0205.130] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449490) returned 0x14
[0205.130] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449490) returned 1
[0205.130] GetProcessHeap () returned 0x440000
[0205.130] GetProcessHeap () returned 0x440000
[0205.130] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446ad0) returned 1
[0205.130] GetProcessHeap () returned 0x440000
[0205.130] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446ad0) returned 0xa0
[0205.130] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446ad0) returned 1
[0205.130] GetProcessHeap () returned 0x440000
[0205.130] GetProcessHeap () returned 0x440000
[0205.130] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447498) returned 1
[0205.130] GetProcessHeap () returned 0x440000
[0205.130] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x447498) returned 0x10
[0205.130] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447498) returned 1
[0205.130] GetProcessHeap () returned 0x440000
[0205.130] GetProcessHeap () returned 0x440000
[0205.130] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4496f0) returned 1
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4496f0) returned 0x14
[0205.131] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4496f0) returned 1
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44ae78) returned 1
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44ae78) returned 0x5a
[0205.131] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44ae78) returned 1
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44ad20) returned 1
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44ad20) returned 0x10
[0205.131] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44ad20) returned 1
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449730) returned 1
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449730) returned 0x14
[0205.131] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449730) returned 1
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44ae10) returned 1
[0205.131] GetProcessHeap () returned 0x440000
[0205.131] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44ae10) returned 0x5c
[0205.132] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44ae10) returned 1
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44aa68) returned 1
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44aa68) returned 0x10
[0205.132] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44aa68) returned 1
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449530) returned 1
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449530) returned 0x14
[0205.132] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449530) returned 1
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44abe8) returned 1
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44abe8) returned 0xe
[0205.132] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44abe8) returned 1
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447570) returned 1
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x447570) returned 0x10
[0205.132] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447570) returned 1
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] GetProcessHeap () returned 0x440000
[0205.132] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4493d0) returned 1
[0205.132] GetProcessHeap () returned 0x440000
[0205.133] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4493d0) returned 0x14
[0205.133] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4493d0) returned 1
[0205.133] GetProcessHeap () returned 0x440000
[0205.133] GetProcessHeap () returned 0x440000
[0205.133] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x448d48) returned 1
[0205.133] GetProcessHeap () returned 0x440000
[0205.133] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x448d48) returned 0x208
[0205.133] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x448d48) returned 1
[0205.133] GetProcessHeap () returned 0x440000
[0205.133] GetProcessHeap () returned 0x440000
[0205.133] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447480) returned 1
[0205.133] GetProcessHeap () returned 0x440000
[0205.133] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x447480) returned 0x10
[0205.133] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447480) returned 1
[0205.133] GetProcessHeap () returned 0x440000
[0205.133] GetProcessHeap () returned 0x440000
[0205.133] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4494f0) returned 1
[0205.133] GetProcessHeap () returned 0x440000
[0205.133] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4494f0) returned 0x14
[0205.133] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4494f0) returned 1
[0205.133] GetProcessHeap () returned 0x440000
[0205.133] GetProcessHeap () returned 0x440000
[0205.133] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44a800) returned 1
[0205.133] GetProcessHeap () returned 0x440000
[0205.133] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44a800) returned 0x200
[0205.134] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44a800) returned 1
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4474e0) returned 1
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4474e0) returned 0x10
[0205.134] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4474e0) returned 1
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4493b0) returned 1
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4493b0) returned 0x14
[0205.134] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4493b0) returned 1
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449750) returned 1
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449750) returned 0x14
[0205.134] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449750) returned 1
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447540) returned 1
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x447540) returned 0x10
[0205.134] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447540) returned 1
[0205.134] GetProcessHeap () returned 0x440000
[0205.134] GetProcessHeap () returned 0x440000
[0205.135] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x442890) returned 1
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x442890) returned 0x14
[0205.135] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x442890) returned 1
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4493f0) returned 1
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4493f0) returned 0x16
[0205.135] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4493f0) returned 1
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4474f8) returned 1
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4474f8) returned 0x10
[0205.135] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4474f8) returned 1
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446708) returned 1
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446708) returned 0x14
[0205.135] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446708) returned 1
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x440598) returned 1
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x440598) returned 0x2
[0205.135] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x440598) returned 1
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446f38) returned 1
[0205.135] GetProcessHeap () returned 0x440000
[0205.135] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446f38) returned 0x14
[0205.135] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446f38) returned 1
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446d00) returned 1
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446d00) returned 0x14
[0205.136] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446d00) returned 1
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446d20) returned 1
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446d20) returned 0x14
[0205.136] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446d20) returned 1
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446d40) returned 1
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446d40) returned 0x14
[0205.136] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446d40) returned 1
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449570) returned 1
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449570) returned 0x14
[0205.136] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449570) returned 1
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44acd8) returned 1
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44acd8) returned 0xc
[0205.136] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44acd8) returned 1
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449710) returned 1
[0205.136] GetProcessHeap () returned 0x440000
[0205.136] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449710) returned 0x14
[0205.136] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449710) returned 1
[0205.137] GetProcessHeap () returned 0x440000
[0205.137] GetProcessHeap () returned 0x440000
[0205.137] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4464b0) returned 1
[0205.137] GetProcessHeap () returned 0x440000
[0205.137] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4464b0) returned 0x30
[0205.137] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4464b0) returned 1
[0205.137] GetProcessHeap () returned 0x440000
[0205.137] GetProcessHeap () returned 0x440000
[0205.137] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449590) returned 1
[0205.137] GetProcessHeap () returned 0x440000
[0205.137] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449590) returned 0x14
[0205.137] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449590) returned 1
[0205.137] GetProcessHeap () returned 0x440000
[0205.137] GetProcessHeap () returned 0x440000
[0205.137] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446b78) returned 1
[0205.137] GetProcessHeap () returned 0x440000
[0205.137] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446b78) returned 0x30
[0205.138] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446b78) returned 1
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449390) returned 1
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449390) returned 0x14
[0205.138] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449390) returned 1
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449690) returned 1
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449690) returned 0x16
[0205.138] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449690) returned 1
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449450) returned 1
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449450) returned 0x14
[0205.138] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449450) returned 1
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4496b0) returned 1
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4496b0) returned 0x16
[0205.138] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4496b0) returned 1
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449470) returned 1
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449470) returned 0x14
[0205.138] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449470) returned 1
[0205.138] GetProcessHeap () returned 0x440000
[0205.138] GetProcessHeap () returned 0x440000
[0205.139] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x459458) returned 1
[0205.139] GetProcessHeap () returned 0x440000
[0205.139] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x459458) returned 0x82
[0205.139] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x459458) returned 1
[0205.139] GetProcessHeap () returned 0x440000
[0205.139] GetProcessHeap () returned 0x440000
[0205.139] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4495b0) returned 1
[0205.139] GetProcessHeap () returned 0x440000
[0205.139] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4495b0) returned 0x14
[0205.139] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4495b0) returned 1
[0205.139] GetProcessHeap () returned 0x440000
[0205.139] GetProcessHeap () returned 0x440000
[0205.139] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44abd0) returned 1
[0205.139] GetProcessHeap () returned 0x440000
[0205.139] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44abd0) returned 0xe
[0205.139] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44abd0) returned 1
[0205.139] GetProcessHeap () returned 0x440000
[0205.139] GetProcessHeap () returned 0x440000
[0205.139] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449410) returned 1
[0205.139] GetProcessHeap () returned 0x440000
[0205.139] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449410) returned 0x14
[0205.139] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449410) returned 1
[0205.139] GetProcessHeap () returned 0x440000
[0205.139] GetProcessHeap () returned 0x440000
[0205.139] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44ac48) returned 1
[0205.139] GetProcessHeap () returned 0x440000
[0205.140] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44ac48) returned 0xc
[0205.140] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44ac48) returned 1
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4495f0) returned 1
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4495f0) returned 0x14
[0205.140] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4495f0) returned 1
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44abb8) returned 1
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44abb8) returned 0xe
[0205.140] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44abb8) returned 1
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449650) returned 1
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449650) returned 0x14
[0205.140] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449650) returned 1
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x44ac00) returned 1
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x44ac00) returned 0x10
[0205.140] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x44ac00) returned 1
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449610) returned 1
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449610) returned 0x14
[0205.140] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449610) returned 1
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] GetProcessHeap () returned 0x440000
[0205.140] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447438) returned 1
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x447438) returned 0x10
[0205.141] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447438) returned 1
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446930) returned 1
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446930) returned 0x14
[0205.141] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446930) returned 1
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446950) returned 1
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446950) returned 0x14
[0205.141] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446950) returned 1
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x446970) returned 1
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x446970) returned 0x14
[0205.141] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x446970) returned 1
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4466c8) returned 1
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4466c8) returned 0x14
[0205.141] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4466c8) returned 1
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447468) returned 1
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x447468) returned 0x10
[0205.141] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447468) returned 1
[0205.141] GetProcessHeap () returned 0x440000
[0205.141] GetProcessHeap () returned 0x440000
[0205.142] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4466e8) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4466e8) returned 0x14
[0205.142] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4466e8) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4428b0) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4428b0) returned 0x14
[0205.142] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4428b0) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449510) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449510) returned 0x14
[0205.142] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449510) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449670) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449670) returned 0x14
[0205.142] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449670) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x449550) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x449550) returned 0x14
[0205.142] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x449550) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447420) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x447420) returned 0x10
[0205.142] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447420) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] GetProcessHeap () returned 0x440000
[0205.142] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x4428d0) returned 1
[0205.142] GetProcessHeap () returned 0x440000
[0205.143] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x4428d0) returned 0x14
[0205.143] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x4428d0) returned 1
[0205.143] GetProcessHeap () returned 0x440000
[0205.143] GetProcessHeap () returned 0x440000
[0205.143] HeapValidate (hHeap=0x440000, dwFlags=0x0, lpMem=0x447510) returned 1
[0205.143] GetProcessHeap () returned 0x440000
[0205.143] RtlSizeHeap (HeapHandle=0x440000, Flags=0x0, MemoryPointer=0x447510) returned 0x10
[0205.143] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x447510) returned 1
[0205.143] exit (_Code=0)
Thread:
id = 129
os_tid = 0x828
Process:
id = "13"
image_name = "timeout.exe"
filename = "c:\\windows\\syswow64\\timeout.exe"
page_root = "0x172dc000"
os_pid = "0x7bc"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "10"
os_parent_pid = "0x320"
cmd_line = "timeout 3 "
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1686
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1687
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1688
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1689
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 1690
start_va = 0xa0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 1691
start_va = 0xe0000
end_va = 0xe3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1692
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 1693
start_va = 0x100000
end_va = 0x101fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 1694
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1695
start_va = 0x1370000
end_va = 0x1379fff
monitored = 1
entry_point = 0x1374fb0
region_type = mapped_file
name = "timeout.exe"
filename = "\\Windows\\SysWOW64\\timeout.exe" (normalized: "c:\\windows\\syswow64\\timeout.exe")
Region:
id = 1696
start_va = 0x1380000
end_va = 0x537ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001380000"
filename = ""
Region:
id = 1697
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 1698
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 1699
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1700
start_va = 0x7fff0000
end_va = 0x7dfa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 1701
start_va = 0x7dfa16770000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007dfa16770000"
filename = ""
Region:
id = 1702
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1703
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 1705
start_va = 0x400000
end_va = 0x55ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1706
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 1707
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 1708
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1709
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 1710
start_va = 0x560000
end_va = 0x7affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000560000"
filename = ""
Region:
id = 1711
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1712
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 1713
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1714
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 1715
start_va = 0x110000
end_va = 0x1cdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1716
start_va = 0x743d0000
end_va = 0x74516fff
monitored = 0
entry_point = 0x743e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 1717
start_va = 0x74ab0000
end_va = 0x74bfefff
monitored = 0
entry_point = 0x74b66820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 1718
start_va = 0x400000
end_va = 0x43ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1719
start_va = 0x440000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000440000"
filename = ""
Region:
id = 1720
start_va = 0x550000
end_va = 0x55ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 1721
start_va = 0x73f30000
end_va = 0x73f8efff
monitored = 0
entry_point = 0x73f34af0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll")
Region:
id = 1722
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1723
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 1724
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 1725
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 1726
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 1727
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 1728
start_va = 0x76d00000
end_va = 0x76d44fff
monitored = 0
entry_point = 0x76d1de90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 1729
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 1730
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 1731
start_va = 0x6f7c0000
end_va = 0x6f7c7fff
monitored = 0
entry_point = 0x6f7c17b0
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 1732
start_va = 0x1d0000
end_va = 0x1f9fff
monitored = 0
entry_point = 0x1d5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 1733
start_va = 0x7b0000
end_va = 0x937fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007b0000"
filename = ""
Region:
id = 1734
start_va = 0x741b0000
end_va = 0x741dafff
monitored = 0
entry_point = 0x741b5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 1735
start_va = 0x940000
end_va = 0xac0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000940000"
filename = ""
Region:
id = 1736
start_va = 0x5380000
end_va = 0x677ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005380000"
filename = ""
Region:
id = 1738
start_va = 0x30000
end_va = 0x32fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "timeout.exe.mui"
filename = "\\Windows\\SysWOW64\\en-US\\timeout.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\timeout.exe.mui")
Region:
id = 1739
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1740
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 1741
start_va = 0x480000
end_va = 0x49ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000480000"
filename = ""
Region:
id = 1742
start_va = 0xad0000
end_va = 0xe06fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Thread:
id = 130
os_tid = 0x628
[0206.690] GetModuleHandleA (lpModuleName=0x0) returned 0x1370000
[0206.690] __set_app_type (_Type=0x1)
[0206.690] __p__fmode () returned 0x76b44d6c
[0206.690] __p__commode () returned 0x76b45b1c
[0206.690] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1374fe0) returned 0x0
[0206.690] __wgetmainargs (in: _Argc=0x1376018, _Argv=0x137601c, _Env=0x1376020, _DoWildCard=0, _StartInfo=0x137602c | out: _Argc=0x1376018, _Argv=0x137601c, _Env=0x1376020) returned 0
[0206.690] SetThreadUILanguage (LangId=0x0) returned 0x409
[0206.787] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0206.788] SetLastError (dwErrCode=0x0)
[0206.788] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18
[0206.788] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b
[0206.788] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b
[0206.788] RtlVerifyVersionInfo (VersionInfo=0xdf7d8, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0
[0206.788] GetProcessHeap () returned 0x6b0000
[0206.788] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x10) returned 0x6b7578
[0206.788] lstrlenW (lpString="") returned 0
[0206.788] GetProcessHeap () returned 0x6b0000
[0206.788] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x2) returned 0x6b6cf0
[0206.788] GetProcessHeap () returned 0x6b0000
[0206.788] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6b8670
[0206.788] GetProcessHeap () returned 0x6b0000
[0206.788] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x10) returned 0x6b7590
[0206.788] GetProcessHeap () returned 0x6b0000
[0206.788] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6b71b8
[0206.788] GetProcessHeap () returned 0x6b0000
[0206.788] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6b73c8
[0206.788] GetProcessHeap () returned 0x6b0000
[0206.788] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6b27f8
[0206.788] GetProcessHeap () returned 0x6b0000
[0206.788] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6b3588
[0206.788] GetProcessHeap () returned 0x6b0000
[0206.788] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x10) returned 0x6b75a8
[0206.788] GetProcessHeap () returned 0x6b0000
[0206.788] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6b6f80
[0206.788] GetProcessHeap () returned 0x6b0000
[0206.788] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6b6fa0
[0206.788] GetProcessHeap () returned 0x6b0000
[0206.788] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6b6fc0
[0206.789] GetProcessHeap () returned 0x6b0000
[0206.789] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6b7a38
[0206.789] GetProcessHeap () returned 0x6b0000
[0206.789] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x10) returned 0x6b7620
[0206.789] GetProcessHeap () returned 0x6b0000
[0206.789] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc138
[0206.789] GetProcessHeap () returned 0x6b0000
[0206.789] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc2b8
[0206.789] GetProcessHeap () returned 0x6b0000
[0206.789] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bbff8
[0206.789] GetProcessHeap () returned 0x6b0000
[0206.789] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc2f8
[0206.789] SetThreadUILanguage (LangId=0x0) returned 0x409
[0206.819] SetLastError (dwErrCode=0x0)
[0206.819] GetProcessHeap () returned 0x6b0000
[0206.819] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc218
[0206.819] GetProcessHeap () returned 0x6b0000
[0206.819] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc278
[0206.819] GetProcessHeap () returned 0x6b0000
[0206.819] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc238
[0206.819] GetProcessHeap () returned 0x6b0000
[0206.819] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bbfd8
[0206.819] GetProcessHeap () returned 0x6b0000
[0206.819] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc198
[0206.819] GetProcessHeap () returned 0x6b0000
[0206.819] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x10) returned 0x6b7470
[0206.819] _memicmp (_Buf1=0x6b7470, _Buf2=0x13710ac, _Size=0x7) returned 0
[0206.820] GetProcessHeap () returned 0x6b0000
[0206.820] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x208) returned 0x6bc358
[0206.820] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6bc358, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\timeout.exe" (normalized: "c:\\windows\\syswow64\\timeout.exe")) returned 0x1f
[0206.820] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\timeout.exe", lpdwHandle=0xdf8e4 | out: lpdwHandle=0xdf8e4) returned 0x76c
[0206.820] GetProcessHeap () returned 0x6b0000
[0206.820] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x776) returned 0x6bc568
[0206.820] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\timeout.exe", dwHandle=0x0, dwLen=0x776, lpData=0x6bc568 | out: lpData=0x6bc568) returned 1
[0206.820] VerQueryValueW (in: pBlock=0x6bc568, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdf8ec, puLen=0xdf8f0 | out: lplpBuffer=0xdf8ec*=0x6bc918, puLen=0xdf8f0) returned 1
[0206.834] _memicmp (_Buf1=0x6b7470, _Buf2=0x13710ac, _Size=0x7) returned 0
[0206.834] _vsnwprintf (in: _Buffer=0x6bc358, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdf8d0 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0206.834] VerQueryValueW (in: pBlock=0x6bc568, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdf8fc, puLen=0xdf8f8 | out: lplpBuffer=0xdf8fc*=0x6bc74c, puLen=0xdf8f8) returned 1
[0206.834] lstrlenW (lpString="timeout.exe") returned 11
[0206.834] lstrlenW (lpString="timeout.exe") returned 11
[0206.834] lstrlenW (lpString=".EXE") returned 4
[0206.834] StrStrIW (lpFirst="timeout.exe", lpSrch=".EXE") returned=".exe"
[0206.835] lstrlenW (lpString="timeout.exe") returned 11
[0206.835] lstrlenW (lpString=".EXE") returned 4
[0206.835] _memicmp (_Buf1=0x6b7470, _Buf2=0x13710ac, _Size=0x7) returned 0
[0206.835] lstrlenW (lpString="timeout") returned 7
[0206.835] GetProcessHeap () returned 0x6b0000
[0206.835] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc1f8
[0206.835] GetProcessHeap () returned 0x6b0000
[0206.835] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc158
[0206.835] GetProcessHeap () returned 0x6b0000
[0206.835] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc1b8
[0206.835] GetProcessHeap () returned 0x6b0000
[0206.835] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc118
[0206.835] GetProcessHeap () returned 0x6b0000
[0206.835] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x10) returned 0x6bcff8
[0206.835] _memicmp (_Buf1=0x6bcff8, _Buf2=0x13710ac, _Size=0x7) returned 0
[0206.835] GetProcessHeap () returned 0x6b0000
[0206.835] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0xa0) returned 0x6bdf68
[0206.836] GetProcessHeap () returned 0x6b0000
[0206.836] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc258
[0206.836] GetProcessHeap () returned 0x6b0000
[0206.836] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc2d8
[0206.836] GetProcessHeap () returned 0x6b0000
[0206.836] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc298
[0206.836] GetProcessHeap () returned 0x6b0000
[0206.836] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x10) returned 0x6bcfe0
[0206.836] _memicmp (_Buf1=0x6bcfe0, _Buf2=0x13710ac, _Size=0x7) returned 0
[0206.836] GetProcessHeap () returned 0x6b0000
[0206.836] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x200) returned 0x6be228
[0206.836] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x6be228, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0206.836] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0206.836] GetProcessHeap () returned 0x6b0000
[0206.836] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x30) returned 0x6b8548
[0206.836] _vsnwprintf (in: _Buffer=0x6bdf68, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdf8d4 | out: _Buffer="Type \"TIMEOUT /?\" for usage.") returned 28
[0206.836] GetProcessHeap () returned 0x6b0000
[0206.836] GetProcessHeap () returned 0x6b0000
[0206.837] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc568) returned 1
[0206.837] GetProcessHeap () returned 0x6b0000
[0206.837] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc568) returned 0x776
[0206.837] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc568 | out: hHeap=0x6b0000) returned 1
[0206.837] SetLastError (dwErrCode=0x0)
[0206.837] GetThreadLocale () returned 0x409
[0206.837] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0206.838] lstrlenW (lpString="?") returned 1
[0206.838] GetThreadLocale () returned 0x409
[0206.838] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0206.838] GetThreadLocale () returned 0x409
[0206.838] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0206.838] lstrlenW (lpString="nobreak") returned 7
[0206.838] SetLastError (dwErrCode=0x0)
[0206.838] SetLastError (dwErrCode=0x0)
[0206.838] lstrlenW (lpString="3") returned 1
[0206.838] SetLastError (dwErrCode=0x490)
[0206.838] SetLastError (dwErrCode=0x0)
[0206.838] lstrlenW (lpString="3") returned 1
[0206.838] StrChrIW (lpStart="3", wMatch=0x3a) returned 0x0
[0206.838] SetLastError (dwErrCode=0x490)
[0206.838] SetLastError (dwErrCode=0x0)
[0206.838] GetProcessHeap () returned 0x6b0000
[0206.838] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x10) returned 0x6bcec0
[0206.838] _memicmp (_Buf1=0x6bcec0, _Buf2=0x13710ac, _Size=0x7) returned 0
[0206.838] lstrlenW (lpString="3") returned 1
[0206.838] GetProcessHeap () returned 0x6b0000
[0206.838] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x4) returned 0x6b7aa0
[0206.838] lstrlenW (lpString="3") returned 1
[0206.838] lstrlenW (lpString=" \x09") returned 2
[0206.838] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0
[0206.838] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0
[0206.838] GetLastError () returned 0x0
[0206.838] lstrlenW (lpString="3") returned 1
[0206.838] lstrlenW (lpString="3") returned 1
[0206.838] SetLastError (dwErrCode=0x0)
[0206.838] _errno () returned 0x4905b0
[0206.839] wcstol (in: _String="3", _EndPtr=0xdfab8, _Radix=10 | out: _EndPtr=0xdfab8*="") returned 3
[0206.839] lstrlenW (lpString="") returned 0
[0206.839] _errno () returned 0x4905b0
[0206.839] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed770b
[0206.839] GetStdHandle (nStdHandle=0xfffffff6) returned 0x38
[0206.839] GetFileType (hFile=0x38) returned 0x2
[0206.839] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xdfab0 | out: lpMode=0xdfab0) returned 1
[0206.928] GetStdHandle (nStdHandle=0xfffffff6) returned 0x38
[0206.928] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xdfad0 | out: lpMode=0xdfad0) returned 1
[0207.021] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a1) returned 1
[0207.114] GetNumberOfConsoleInputEvents (in: hConsoleInput=0x38, lpNumberOfEvents=0xdfad4 | out: lpNumberOfEvents=0xdfad4) returned 1
[0207.208] FlushConsoleInputBuffer (hConsoleInput=0x38) returned 1
[0207.303] GetProcessHeap () returned 0x6b0000
[0207.304] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc178
[0207.304] _memicmp (_Buf1=0x6bcfe0, _Buf2=0x13710ac, _Size=0x7) returned 0
[0207.304] LoadStringW (in: hInstance=0x0, uID=0x98, lpBuffer=0x6be228, cchBufferMax=256 | out: lpBuffer="\nWaiting for %*lu") returned 0x11
[0207.304] lstrlenW (lpString="\nWaiting for %*lu") returned 17
[0207.304] GetProcessHeap () returned 0x6b0000
[0207.304] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x24) returned 0x6b36a8
[0207.304] _vsnwprintf (in: _Buffer=0xdfd24, _BufferCount=0xfd, _Format="\nWaiting for %*lu", _ArgList=0xdfa9c | out: _Buffer="\nWaiting for 3") returned 14
[0207.304] __iob_func () returned 0x76b41208
[0207.304] _fileno (_File=0x76b41228) returned 1
[0207.304] _errno () returned 0x4905b0
[0207.304] _get_osfhandle (_FileHandle=1) returned 0x3c
[0207.304] _errno () returned 0x4905b0
[0207.304] GetFileType (hFile=0x3c) returned 0x2
[0207.304] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0207.305] GetFileType (hFile=0x3c) returned 0x2
[0207.305] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfa74 | out: lpMode=0xdfa74) returned 0
[0207.305] lstrlenW (lpString="\nWaiting for 3") returned 14
[0207.305] GetConsoleOutputCP () returned 0x1b5
[0207.412] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\nWaiting for 3", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14
[0207.412] GetConsoleOutputCP () returned 0x1b5
[0207.505] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\nWaiting for 3", cchWideChar=14, lpMultiByteStr=0x1376360, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\nWaiting for 3", lpUsedDefaultChar=0x0) returned 14
[0207.505] fprintf (in: _File=0x76b41228, _Format="%s" | out: _File=0x76b41228) returned 14
[0207.506] fflush (in: _File=0x76b41228 | out: _File=0x76b41228) returned 0
[0207.506] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0207.506] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3c, lpConsoleScreenBufferInfo=0xdfae8 | out: lpConsoleScreenBufferInfo=0xdfae8) returned 0
[0207.506] GetProcessHeap () returned 0x6b0000
[0207.506] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x14) returned 0x6bc1d8
[0207.506] _memicmp (_Buf1=0x6bcfe0, _Buf2=0x13710ac, _Size=0x7) returned 0
[0207.507] LoadStringW (in: hInstance=0x0, uID=0xa0, lpBuffer=0x6be228, cchBufferMax=256 | out: lpBuffer=" seconds, press a key to continue ...") returned 0x25
[0207.507] lstrlenW (lpString=" seconds, press a key to continue ...") returned 37
[0207.507] GetProcessHeap () returned 0x6b0000
[0207.507] RtlAllocateHeap (HeapHandle=0x6b0000, Flags=0xc, Size=0x4c) returned 0x6b7008
[0207.507] __iob_func () returned 0x76b41208
[0207.507] _fileno (_File=0x76b41228) returned 1
[0207.507] _errno () returned 0x4905b0
[0207.507] _get_osfhandle (_FileHandle=1) returned 0x3c
[0207.507] _errno () returned 0x4905b0
[0207.507] GetFileType (hFile=0x3c) returned 0x2
[0207.507] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0207.507] GetFileType (hFile=0x3c) returned 0x2
[0207.507] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfa74 | out: lpMode=0xdfa74) returned 0
[0207.507] lstrlenW (lpString=" seconds, press a key to continue ...") returned 37
[0207.507] GetConsoleOutputCP () returned 0x1b5
[0207.646] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" seconds, press a key to continue ...", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37
[0207.646] GetConsoleOutputCP () returned 0x1b5
[0207.725] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr=" seconds, press a key to continue ...", cchWideChar=37, lpMultiByteStr=0x1376360, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" seconds, press a key to continue ...", lpUsedDefaultChar=0x0) returned 37
[0207.725] fprintf (in: _File=0x76b41228, _Format="%s" | out: _File=0x76b41228) returned 37
[0207.740] fflush (in: _File=0x76b41228 | out: _File=0x76b41228) returned 0
[0207.740] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1
[0207.755] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed770c
[0207.755] _vsnwprintf (in: _Buffer=0xdfd24, _BufferCount=0xfd, _Format="%s%*lu", _ArgList=0xdfa98 | out: _Buffer="\x082") returned 2
[0207.755] SetConsoleCursorPosition (hConsoleOutput=0x3c, dwCursorPosition=0x0) returned 0
[0207.755] __iob_func () returned 0x76b41208
[0207.755] _fileno (_File=0x76b41228) returned 1
[0207.755] _errno () returned 0x4905b0
[0207.755] _get_osfhandle (_FileHandle=1) returned 0x3c
[0207.755] _errno () returned 0x4905b0
[0207.755] GetFileType (hFile=0x3c) returned 0x2
[0207.755] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0207.755] GetFileType (hFile=0x3c) returned 0x2
[0207.755] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfa74 | out: lpMode=0xdfa74) returned 0
[0207.755] lstrlenW (lpString="\x082") returned 2
[0207.755] GetConsoleOutputCP () returned 0x1b5
[0207.756] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x082", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2
[0207.756] GetConsoleOutputCP () returned 0x1b5
[0207.756] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x082", cchWideChar=2, lpMultiByteStr=0x1376360, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x082", lpUsedDefaultChar=0x0) returned 2
[0207.756] fprintf (in: _File=0x76b41228, _Format="%s" | out: _File=0x76b41228) returned 2
[0207.756] fflush (in: _File=0x76b41228 | out: _File=0x76b41228) returned 0
[0207.756] Sleep (dwMilliseconds=0x64)
[0207.880] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1
[0207.967] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed770c
[0207.967] Sleep (dwMilliseconds=0x64)
[0208.129] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1
[0208.211] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed770c
[0208.211] Sleep (dwMilliseconds=0x64)
[0208.322] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1
[0208.413] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed770d
[0208.413] _vsnwprintf (in: _Buffer=0xdfd24, _BufferCount=0xfd, _Format="%s%*lu", _ArgList=0xdfa98 | out: _Buffer="\x081") returned 2
[0208.413] SetConsoleCursorPosition (hConsoleOutput=0x3c, dwCursorPosition=0x0) returned 0
[0208.413] __iob_func () returned 0x76b41208
[0208.414] _fileno (_File=0x76b41228) returned 1
[0208.414] _errno () returned 0x4905b0
[0208.414] _get_osfhandle (_FileHandle=1) returned 0x3c
[0208.414] _errno () returned 0x4905b0
[0208.414] GetFileType (hFile=0x3c) returned 0x2
[0208.414] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0208.414] GetFileType (hFile=0x3c) returned 0x2
[0208.414] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfa74 | out: lpMode=0xdfa74) returned 0
[0208.414] lstrlenW (lpString="\x081") returned 2
[0208.414] GetConsoleOutputCP () returned 0x1b5
[0208.431] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x081", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2
[0208.431] GetConsoleOutputCP () returned 0x1b5
[0208.438] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x081", cchWideChar=2, lpMultiByteStr=0x1376360, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x081", lpUsedDefaultChar=0x0) returned 2
[0208.438] fprintf (in: _File=0x76b41228, _Format="%s" | out: _File=0x76b41228) returned 2
[0208.438] fflush (in: _File=0x76b41228 | out: _File=0x76b41228) returned 0
[0208.438] Sleep (dwMilliseconds=0x64)
[0208.552] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1
[0208.553] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed770d
[0208.553] Sleep (dwMilliseconds=0x64)
[0208.669] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1
[0208.725] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed770d
[0208.725] Sleep (dwMilliseconds=0x64)
[0208.849] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1
[0208.943] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed770d
[0208.943] Sleep (dwMilliseconds=0x64)
[0209.083] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1
[0209.177] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed770d
[0209.177] Sleep (dwMilliseconds=0x64)
[0209.311] PeekConsoleInputW (in: hConsoleInput=0x38, lpBuffer=0xdfb00, nLength=0x2, lpNumberOfEventsRead=0xdfad4 | out: lpBuffer=0xdfb00, lpNumberOfEventsRead=0xdfad4) returned 1
[0209.414] time (in: timer=0xdfae0 | out: timer=0xdfae0) returned 0x62ed770e
[0209.414] _vsnwprintf (in: _Buffer=0xdfd24, _BufferCount=0xfd, _Format="%s%*lu", _ArgList=0xdfa98 | out: _Buffer="\x080") returned 2
[0209.414] SetConsoleCursorPosition (hConsoleOutput=0x3c, dwCursorPosition=0x0) returned 0
[0209.414] __iob_func () returned 0x76b41208
[0209.414] _fileno (_File=0x76b41228) returned 1
[0209.414] _errno () returned 0x4905b0
[0209.414] _get_osfhandle (_FileHandle=1) returned 0x3c
[0209.414] _errno () returned 0x4905b0
[0209.415] GetFileType (hFile=0x3c) returned 0x2
[0209.415] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0209.415] GetFileType (hFile=0x3c) returned 0x2
[0209.415] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfa74 | out: lpMode=0xdfa74) returned 0
[0209.415] lstrlenW (lpString="\x080") returned 2
[0209.415] GetConsoleOutputCP () returned 0x1b5
[0209.508] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x080", cchWideChar=2, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2
[0209.508] GetConsoleOutputCP () returned 0x1b5
[0209.602] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\x080", cchWideChar=2, lpMultiByteStr=0x1376360, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\x080", lpUsedDefaultChar=0x0) returned 2
[0209.602] fprintf (in: _File=0x76b41228, _Format="%s" | out: _File=0x76b41228) returned 2
[0209.602] fflush (in: _File=0x76b41228 | out: _File=0x76b41228) returned 0
[0209.602] Sleep (dwMilliseconds=0x64)
[0209.742] __iob_func () returned 0x76b41208
[0209.742] _fileno (_File=0x76b41228) returned 1
[0209.742] _errno () returned 0x4905b0
[0209.742] _get_osfhandle (_FileHandle=1) returned 0x3c
[0209.742] _errno () returned 0x4905b0
[0209.742] GetFileType (hFile=0x3c) returned 0x2
[0209.742] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0209.742] GetFileType (hFile=0x3c) returned 0x2
[0209.743] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdfa74 | out: lpMode=0xdfa74) returned 0
[0209.743] lstrlenW (lpString="\n") returned 1
[0209.743] GetConsoleOutputCP () returned 0x1b5
[0209.836] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1
[0209.836] GetConsoleOutputCP () returned 0x1b5
[0209.930] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=1, lpMultiByteStr=0x1376360, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 1
[0209.930] fprintf (in: _File=0x76b41228, _Format="%s" | out: _File=0x76b41228) returned 1
[0209.930] fflush (in: _File=0x76b41228 | out: _File=0x76b41228) returned 0
[0209.930] GetProcessHeap () returned 0x6b0000
[0209.930] GetProcessHeap () returned 0x6b0000
[0209.930] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bdf68) returned 1
[0209.930] GetProcessHeap () returned 0x6b0000
[0209.930] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bdf68) returned 0xa0
[0209.931] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bdf68 | out: hHeap=0x6b0000) returned 1
[0209.931] GetProcessHeap () returned 0x6b0000
[0209.931] GetProcessHeap () returned 0x6b0000
[0209.931] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bcff8) returned 1
[0209.931] GetProcessHeap () returned 0x6b0000
[0209.931] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bcff8) returned 0x10
[0209.931] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bcff8 | out: hHeap=0x6b0000) returned 1
[0209.931] GetProcessHeap () returned 0x6b0000
[0209.931] GetProcessHeap () returned 0x6b0000
[0209.931] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc118) returned 1
[0209.931] GetProcessHeap () returned 0x6b0000
[0209.931] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc118) returned 0x14
[0209.931] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc118 | out: hHeap=0x6b0000) returned 1
[0209.931] GetProcessHeap () returned 0x6b0000
[0209.931] GetProcessHeap () returned 0x6b0000
[0209.931] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7aa0) returned 1
[0209.931] GetProcessHeap () returned 0x6b0000
[0209.931] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b7aa0) returned 0x4
[0209.931] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7aa0 | out: hHeap=0x6b0000) returned 1
[0209.931] GetProcessHeap () returned 0x6b0000
[0209.931] GetProcessHeap () returned 0x6b0000
[0209.931] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bcec0) returned 1
[0209.931] GetProcessHeap () returned 0x6b0000
[0209.931] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bcec0) returned 0x10
[0209.932] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bcec0 | out: hHeap=0x6b0000) returned 1
[0209.932] GetProcessHeap () returned 0x6b0000
[0209.932] GetProcessHeap () returned 0x6b0000
[0209.932] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc1b8) returned 1
[0209.932] GetProcessHeap () returned 0x6b0000
[0209.932] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc1b8) returned 0x14
[0209.932] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc1b8 | out: hHeap=0x6b0000) returned 1
[0209.932] GetProcessHeap () returned 0x6b0000
[0209.932] GetProcessHeap () returned 0x6b0000
[0209.932] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc358) returned 1
[0209.932] GetProcessHeap () returned 0x6b0000
[0209.932] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc358) returned 0x208
[0209.932] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc358 | out: hHeap=0x6b0000) returned 1
[0209.932] GetProcessHeap () returned 0x6b0000
[0209.933] GetProcessHeap () returned 0x6b0000
[0209.933] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7470) returned 1
[0209.933] GetProcessHeap () returned 0x6b0000
[0209.933] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b7470) returned 0x10
[0209.933] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7470 | out: hHeap=0x6b0000) returned 1
[0209.933] GetProcessHeap () returned 0x6b0000
[0209.933] GetProcessHeap () returned 0x6b0000
[0209.933] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc198) returned 1
[0209.933] GetProcessHeap () returned 0x6b0000
[0209.933] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc198) returned 0x14
[0209.933] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc198 | out: hHeap=0x6b0000) returned 1
[0209.933] GetProcessHeap () returned 0x6b0000
[0209.933] GetProcessHeap () returned 0x6b0000
[0209.933] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6be228) returned 1
[0209.933] GetProcessHeap () returned 0x6b0000
[0209.933] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6be228) returned 0x200
[0209.933] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6be228 | out: hHeap=0x6b0000) returned 1
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bcfe0) returned 1
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bcfe0) returned 0x10
[0209.934] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bcfe0 | out: hHeap=0x6b0000) returned 1
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc278) returned 1
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc278) returned 0x14
[0209.934] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc278 | out: hHeap=0x6b0000) returned 1
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b6cf0) returned 1
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b6cf0) returned 0x2
[0209.934] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b6cf0 | out: hHeap=0x6b0000) returned 1
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b8670) returned 1
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b8670) returned 0x14
[0209.934] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b8670 | out: hHeap=0x6b0000) returned 1
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b71b8) returned 1
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b71b8) returned 0x14
[0209.934] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b71b8 | out: hHeap=0x6b0000) returned 1
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.934] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b73c8) returned 1
[0209.934] GetProcessHeap () returned 0x6b0000
[0209.935] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b73c8) returned 0x14
[0209.935] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b73c8 | out: hHeap=0x6b0000) returned 1
[0209.935] GetProcessHeap () returned 0x6b0000
[0209.935] GetProcessHeap () returned 0x6b0000
[0209.935] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b27f8) returned 1
[0209.935] GetProcessHeap () returned 0x6b0000
[0209.935] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b27f8) returned 0x14
[0209.935] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b27f8 | out: hHeap=0x6b0000) returned 1
[0209.935] GetProcessHeap () returned 0x6b0000
[0209.935] GetProcessHeap () returned 0x6b0000
[0209.935] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc258) returned 1
[0209.935] GetProcessHeap () returned 0x6b0000
[0209.935] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc258) returned 0x14
[0209.935] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc258 | out: hHeap=0x6b0000) returned 1
[0209.935] GetProcessHeap () returned 0x6b0000
[0209.935] GetProcessHeap () returned 0x6b0000
[0209.935] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc2d8) returned 1
[0209.935] GetProcessHeap () returned 0x6b0000
[0209.935] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc2d8) returned 0x14
[0209.935] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc2d8 | out: hHeap=0x6b0000) returned 1
[0209.935] GetProcessHeap () returned 0x6b0000
[0209.935] GetProcessHeap () returned 0x6b0000
[0209.935] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b8548) returned 1
[0209.935] GetProcessHeap () returned 0x6b0000
[0209.935] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b8548) returned 0x30
[0209.936] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b8548 | out: hHeap=0x6b0000) returned 1
[0209.936] GetProcessHeap () returned 0x6b0000
[0209.936] GetProcessHeap () returned 0x6b0000
[0209.936] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc298) returned 1
[0209.936] GetProcessHeap () returned 0x6b0000
[0209.936] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc298) returned 0x14
[0209.936] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc298 | out: hHeap=0x6b0000) returned 1
[0209.936] GetProcessHeap () returned 0x6b0000
[0209.936] GetProcessHeap () returned 0x6b0000
[0209.936] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b36a8) returned 1
[0209.936] GetProcessHeap () returned 0x6b0000
[0209.936] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b36a8) returned 0x24
[0209.937] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b36a8 | out: hHeap=0x6b0000) returned 1
[0209.937] GetProcessHeap () returned 0x6b0000
[0209.937] GetProcessHeap () returned 0x6b0000
[0209.937] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc178) returned 1
[0209.937] GetProcessHeap () returned 0x6b0000
[0209.937] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc178) returned 0x14
[0209.937] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc178 | out: hHeap=0x6b0000) returned 1
[0209.937] GetProcessHeap () returned 0x6b0000
[0209.937] GetProcessHeap () returned 0x6b0000
[0209.937] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7008) returned 1
[0209.937] GetProcessHeap () returned 0x6b0000
[0209.937] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b7008) returned 0x4c
[0209.937] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7008 | out: hHeap=0x6b0000) returned 1
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc1d8) returned 1
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc1d8) returned 0x14
[0209.938] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc1d8 | out: hHeap=0x6b0000) returned 1
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7590) returned 1
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b7590) returned 0x10
[0209.938] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7590 | out: hHeap=0x6b0000) returned 1
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b3588) returned 1
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b3588) returned 0x14
[0209.938] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b3588 | out: hHeap=0x6b0000) returned 1
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b6f80) returned 1
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b6f80) returned 0x14
[0209.938] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b6f80 | out: hHeap=0x6b0000) returned 1
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b6fa0) returned 1
[0209.938] GetProcessHeap () returned 0x6b0000
[0209.938] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b6fa0) returned 0x14
[0209.939] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b6fa0 | out: hHeap=0x6b0000) returned 1
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b6fc0) returned 1
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b6fc0) returned 0x14
[0209.939] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b6fc0 | out: hHeap=0x6b0000) returned 1
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b75a8) returned 1
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b75a8) returned 0x10
[0209.939] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b75a8 | out: hHeap=0x6b0000) returned 1
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7a38) returned 1
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b7a38) returned 0x14
[0209.939] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7a38 | out: hHeap=0x6b0000) returned 1
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc138) returned 1
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc138) returned 0x14
[0209.939] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc138 | out: hHeap=0x6b0000) returned 1
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc2b8) returned 1
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc2b8) returned 0x14
[0209.939] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc2b8 | out: hHeap=0x6b0000) returned 1
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bbff8) returned 1
[0209.939] GetProcessHeap () returned 0x6b0000
[0209.939] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bbff8) returned 0x14
[0209.939] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bbff8 | out: hHeap=0x6b0000) returned 1
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc218) returned 1
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc218) returned 0x14
[0209.940] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc218 | out: hHeap=0x6b0000) returned 1
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc238) returned 1
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc238) returned 0x14
[0209.940] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc238 | out: hHeap=0x6b0000) returned 1
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bbfd8) returned 1
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bbfd8) returned 0x14
[0209.940] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bbfd8 | out: hHeap=0x6b0000) returned 1
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc1f8) returned 1
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc1f8) returned 0x14
[0209.940] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc1f8 | out: hHeap=0x6b0000) returned 1
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc158) returned 1
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc158) returned 0x14
[0209.940] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc158 | out: hHeap=0x6b0000) returned 1
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7620) returned 1
[0209.940] GetProcessHeap () returned 0x6b0000
[0209.940] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b7620) returned 0x10
[0209.941] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7620 | out: hHeap=0x6b0000) returned 1
[0209.941] GetProcessHeap () returned 0x6b0000
[0209.941] GetProcessHeap () returned 0x6b0000
[0209.941] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc2f8) returned 1
[0209.941] GetProcessHeap () returned 0x6b0000
[0209.941] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6bc2f8) returned 0x14
[0209.941] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6bc2f8 | out: hHeap=0x6b0000) returned 1
[0209.941] GetProcessHeap () returned 0x6b0000
[0209.941] GetProcessHeap () returned 0x6b0000
[0209.941] HeapValidate (hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7578) returned 1
[0209.941] GetProcessHeap () returned 0x6b0000
[0209.941] RtlSizeHeap (HeapHandle=0x6b0000, Flags=0x0, MemoryPointer=0x6b7578) returned 0x10
[0209.941] HeapFree (in: hHeap=0x6b0000, dwFlags=0x0, lpMem=0x6b7578 | out: hHeap=0x6b0000) returned 1
[0209.941] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1
[0209.941] exit (_Code=0)
Thread:
id = 131
os_tid = 0x654
Process:
id = "14"
image_name = ".exe"
filename = "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\.exe"
page_root = "0xde0a000"
os_pid = "0xae4"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "10"
os_parent_pid = "0x320"
cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe\" "
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fa87" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1752
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1753
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1754
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1755
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 1756
start_va = 0xa0000
end_va = 0x19ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 1757
start_va = 0x1a0000
end_va = 0x1a3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 1758
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001b0000"
filename = ""
Region:
id = 1759
start_va = 0x1c0000
end_va = 0x1c1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1760
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1761
start_va = 0x400000
end_va = 0x49ffff
monitored = 1
entry_point = 0x49b6ae
region_type = mapped_file
name = ".exe"
filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\.exe")
Region:
id = 1762
start_va = 0x771d0000
end_va = 0x7734afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 1763
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 1764
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1765
start_va = 0x7fff0000
end_va = 0x7ffa1676ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 1766
start_va = 0x7ffa16770000
end_va = 0x7ffa16930fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1767
start_va = 0x7ffa16931000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffa16931000"
filename = ""
Region:
id = 1768
start_va = 0x4a0000
end_va = 0x5cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000004a0000"
filename = ""
Region:
id = 1769
start_va = 0x640d0000
end_va = 0x6411ffff
monitored = 0
entry_point = 0x640e8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 1770
start_va = 0x64050000
end_va = 0x640c9fff
monitored = 0
entry_point = 0x64063290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 1771
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1772
start_va = 0x64120000
end_va = 0x64127fff
monitored = 0
entry_point = 0x641217c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 1773
start_va = 0x5d0000
end_va = 0x77ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 1774
start_va = 0x6f850000
end_va = 0x6f8a8fff
monitored = 1
entry_point = 0x6f860780
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 1775
start_va = 0x76720000
end_va = 0x767fffff
monitored = 0
entry_point = 0x76733980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1776
start_va = 0x76910000
end_va = 0x76a8dfff
monitored = 0
entry_point = 0x769c1b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 1777
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1778
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 1779
start_va = 0x4a0000
end_va = 0x55dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1780
start_va = 0x5c0000
end_va = 0x5cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005c0000"
filename = ""
Region:
id = 1781
start_va = 0x780000
end_va = 0x96ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000780000"
filename = ""
Region:
id = 1782
start_va = 0x73e50000
end_va = 0x73ee1fff
monitored = 0
entry_point = 0x73e90380
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll")
Region:
id = 1783
start_va = 0x7fb00000
end_va = 0x7fea0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sysmain.sdb"
filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb")
Region:
id = 1784
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1785
start_va = 0x76600000
end_va = 0x7667afff
monitored = 0
entry_point = 0x7661e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 1786
start_va = 0x76a90000
end_va = 0x76b4dfff
monitored = 0
entry_point = 0x76ac5630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 1787
start_va = 0x560000
end_va = 0x59ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000560000"
filename = ""
Region:
id = 1788
start_va = 0x780000
end_va = 0x87ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000780000"
filename = ""
Region:
id = 1789
start_va = 0x960000
end_va = 0x96ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000960000"
filename = ""
Region:
id = 1790
start_va = 0x76cb0000
end_va = 0x76cf3fff
monitored = 0
entry_point = 0x76cc9d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 1791
start_va = 0x76c00000
end_va = 0x76cacfff
monitored = 0
entry_point = 0x76c14f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 1792
start_va = 0x73f00000
end_va = 0x73f1dfff
monitored = 0
entry_point = 0x73f0b640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 1793
start_va = 0x73ef0000
end_va = 0x73ef9fff
monitored = 0
entry_point = 0x73ef2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 1794
start_va = 0x76840000
end_va = 0x76897fff
monitored = 0
entry_point = 0x768825c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 1795
start_va = 0x5d0000
end_va = 0x61ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 1796
start_va = 0x680000
end_va = 0x77ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000680000"
filename = ""
Region:
id = 1797
start_va = 0x6f7d0000
end_va = 0x6f84cfff
monitored = 1
entry_point = 0x6f7e0db0
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 1798
start_va = 0x76d00000
end_va = 0x76d44fff
monitored = 0
entry_point = 0x76d1de90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 1799
start_va = 0x762b0000
end_va = 0x7646cfff
monitored = 0
entry_point = 0x76392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 1800
start_va = 0x74ab0000
end_va = 0x74bfefff
monitored = 0
entry_point = 0x74b66820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 1801
start_va = 0x743d0000
end_va = 0x74516fff
monitored = 0
entry_point = 0x743e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 1802
start_va = 0x1d0000
end_va = 0x1f9fff
monitored = 0
entry_point = 0x1d5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 1803
start_va = 0x970000
end_va = 0xaf7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000970000"
filename = ""
Region:
id = 1804
start_va = 0x741b0000
end_va = 0x741dafff
monitored = 0
entry_point = 0x741b5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 1805
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1806
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1807
start_va = 0xb00000
end_va = 0xc80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b00000"
filename = ""
Region:
id = 1808
start_va = 0xc90000
end_va = 0x208ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000c90000"
filename = ""
Region:
id = 1809
start_va = 0x880000
end_va = 0x91afff
monitored = 1
entry_point = 0x91b6ae
region_type = mapped_file
name = ".exe"
filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\.exe")
Region:
id = 1810
start_va = 0x76d50000
end_va = 0x76d5bfff
monitored = 0
entry_point = 0x76d53930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 1811
start_va = 0x6f7c0000
end_va = 0x6f7c7fff
monitored = 0
entry_point = 0x6f7c17b0
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 1812
start_va = 0x6f0d0000
end_va = 0x6f7b0fff
monitored = 1
entry_point = 0x6f0fcd70
region_type = mapped_file
name = "clr.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll")
Region:
id = 1813
start_va = 0x6efd0000
end_va = 0x6f0c4fff
monitored = 0
entry_point = 0x6f024160
region_type = mapped_file
name = "msvcr120_clr0400.dll"
filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll")
Region:
id = 1814
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 1815
start_va = 0x1f0000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 1816
start_va = 0x5a0000
end_va = 0x5affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005a0000"
filename = ""
Region:
id = 1817
start_va = 0x5b0000
end_va = 0x5bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005b0000"
filename = ""
Region:
id = 1818
start_va = 0x5d0000
end_va = 0x5dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 1819
start_va = 0x610000
end_va = 0x61ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000610000"
filename = ""
Region:
id = 1820
start_va = 0x5e0000
end_va = 0x5effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005e0000"
filename = ""
Region:
id = 1821
start_va = 0x5f0000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005f0000"
filename = ""
Region:
id = 1822
start_va = 0x600000
end_va = 0x600fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 1823
start_va = 0x620000
end_va = 0x620fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000620000"
filename = ""
Region:
id = 1824
start_va = 0x2090000
end_va = 0x227ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002090000"
filename = ""
Region:
id = 1825
start_va = 0x880000
end_va = 0x94ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000880000"
filename = ""
Region:
id = 1826
start_va = 0x630000
end_va = 0x66ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000630000"
filename = ""
Region:
id = 1827
start_va = 0x2090000
end_va = 0x218ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002090000"
filename = ""
Region:
id = 1828
start_va = 0x2270000
end_va = 0x227ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002270000"
filename = ""
Region:
id = 1829
start_va = 0x670000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000670000"
filename = ""
Region:
id = 1830
start_va = 0x2280000
end_va = 0x427ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002280000"
filename = ""
Region:
id = 1831
start_va = 0x880000
end_va = 0x91ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000880000"
filename = ""
Region:
id = 1832
start_va = 0x940000
end_va = 0x94ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000940000"
filename = ""
Region:
id = 1833
start_va = 0x2190000
end_va = 0x21cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002190000"
filename = ""
Region:
id = 1834
start_va = 0x4280000
end_va = 0x437ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004280000"
filename = ""
Region:
id = 1835
start_va = 0x4380000
end_va = 0x46b6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1836
start_va = 0x6dd10000
end_va = 0x6efc1fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorlib.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\7582400666d289c016013ad0f6e0e3e6\\mscorlib.ni.dll")
Region:
id = 1837
start_va = 0x74dc0000
end_va = 0x74eaafff
monitored = 0
entry_point = 0x74dfd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 1838
start_va = 0x21d0000
end_va = 0x2260fff
monitored = 0
entry_point = 0x2208cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 1839
start_va = 0x73dd0000
end_va = 0x73e44fff
monitored = 0
entry_point = 0x73e09a60
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 1840
start_va = 0x46c0000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000046c0000"
filename = ""
Region:
id = 1841
start_va = 0x6d2c0000
end_va = 0x6dc8bfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\1be7a15b1f33bf22e4f53aaf45518c77\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\1be7a15b1f33bf22e4f53aaf45518c77\\system.ni.dll")
Region:
id = 1842
start_va = 0x6cb90000
end_va = 0x6d2b0fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.core.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\eb4cca4f06a15158c3f7e2c56516729b\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\eb4cca4f06a15158c3f7e2c56516729b\\system.core.ni.dll")
Region:
id = 1843
start_va = 0x6a490000
end_va = 0x6a872fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "windowsbase.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\WindowsBase\\9a2107b30cbb02ca475f58ed046eff63\\WindowsBase.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\windowsbase\\9a2107b30cbb02ca475f58ed046eff63\\windowsbase.ni.dll")
Region:
id = 1844
start_va = 0x710b0000
end_va = 0x710c2fff
monitored = 0
entry_point = 0x710b9950
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 1845
start_va = 0x72bf0000
end_va = 0x72c1efff
monitored = 0
entry_point = 0x72c095e0
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1846
start_va = 0x713f0000
end_va = 0x7140afff
monitored = 0
entry_point = 0x713f9050
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 1847
start_va = 0x69970000
end_va = 0x6a488fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "presentationcore.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\PresentationCore\\d7a637fdf68801e37fc897b530f9a8a6\\PresentationCore.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\presentationcore\\d7a637fdf68801e37fc897b530f9a8a6\\presentationcore.ni.dll")
Region:
id = 1848
start_va = 0x67c50000
end_va = 0x68ee2fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "presentationframework.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Presentatio5ae0f00f#\\56617af3d6fd992497999aec2be809a4\\PresentationFramework.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\presentatio5ae0f00f#\\56617af3d6fd992497999aec2be809a4\\presentationframework.ni.dll")
Region:
id = 1849
start_va = 0x670000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000670000"
filename = ""
Region:
id = 1850
start_va = 0x698f0000
end_va = 0x6996ffff
monitored = 1
entry_point = 0x698f1180
region_type = mapped_file
name = "clrjit.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll")
Region:
id = 1851
start_va = 0x76680000
end_va = 0x76711fff
monitored = 0
entry_point = 0x766b8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 1852
start_va = 0x920000
end_va = 0x92ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000920000"
filename = ""
Region:
id = 1854
start_va = 0x69730000
end_va = 0x698befff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.drawing.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Drawing\\1d52bd4ac5e0a6422058a5d62c9f6d9d\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.drawing\\1d52bd4ac5e0a6422058a5d62c9f6d9d\\system.drawing.ni.dll")
Region:
id = 1855
start_va = 0x66fe0000
end_va = 0x67c46fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.windows.forms.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Windows.Forms\\fb06ad4bc55b9c3ca68a3f9259d826cd\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.windows.forms\\fb06ad4bc55b9c3ca68a3f9259d826cd\\system.windows.forms.ni.dll")
Region:
id = 1858
start_va = 0x930000
end_va = 0x930fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000930000"
filename = ""
Region:
id = 1859
start_va = 0x930000
end_va = 0x931fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000930000"
filename = ""
Region:
id = 1860
start_va = 0x950000
end_va = 0x95ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000950000"
filename = ""
Region:
id = 1861
start_va = 0x21d0000
end_va = 0x225efff
monitored = 0
entry_point = 0x21ddd60
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll")
Region:
id = 1862
start_va = 0x695e0000
end_va = 0x69671fff
monitored = 0
entry_point = 0x695edd60
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll")
Region:
id = 1863
start_va = 0x46c0000
end_va = 0x478ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000046c0000"
filename = ""
Region:
id = 1864
start_va = 0x4880000
end_va = 0x488ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004880000"
filename = ""
Region:
id = 1865
start_va = 0x21d0000
end_va = 0x21d0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000021d0000"
filename = ""
Region:
id = 1866
start_va = 0x46c0000
end_va = 0x477bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000046c0000"
filename = ""
Region:
id = 1867
start_va = 0x4780000
end_va = 0x478ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004780000"
filename = ""
Region:
id = 1868
start_va = 0x21d0000
end_va = 0x21d3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000021d0000"
filename = ""
Region:
id = 1869
start_va = 0x21e0000
end_va = 0x21e3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021e0000"
filename = ""
Region:
id = 1870
start_va = 0x4890000
end_va = 0x4a9afff
monitored = 0
entry_point = 0x493b0a0
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll")
Region:
id = 1871
start_va = 0x72d30000
end_va = 0x72f3efff
monitored = 0
entry_point = 0x72ddb0a0
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll")
Region:
id = 1872
start_va = 0x21f0000
end_va = 0x21f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 1873
start_va = 0x2200000
end_va = 0x2201fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002200000"
filename = ""
Region:
id = 1874
start_va = 0x4890000
end_va = 0x49affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004890000"
filename = ""
Region:
id = 1875
start_va = 0x73db0000
end_va = 0x73dccfff
monitored = 0
entry_point = 0x73db3b10
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll")
Region:
id = 1876
start_va = 0x21f0000
end_va = 0x21fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021f0000"
filename = ""
Region:
id = 1877
start_va = 0x2210000
end_va = 0x221ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002210000"
filename = ""
Region:
id = 1878
start_va = 0x2220000
end_va = 0x222ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002220000"
filename = ""
Region:
id = 1879
start_va = 0x69420000
end_va = 0x6958afff
monitored = 0
entry_point = 0x6948e360
region_type = mapped_file
name = "gdiplus.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_538a540779726150\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_538a540779726150\\gdiplus.dll")
Region:
id = 1880
start_va = 0x49b0000
end_va = 0x4b2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000049b0000"
filename = ""
Region:
id = 1881
start_va = 0x2210000
end_va = 0x224ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002210000"
filename = ""
Region:
id = 1882
start_va = 0x4890000
end_va = 0x498ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004890000"
filename = ""
Region:
id = 1883
start_va = 0x49a0000
end_va = 0x49affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000049a0000"
filename = ""
Region:
id = 1884
start_va = 0x70a20000
end_va = 0x70c10fff
monitored = 0
entry_point = 0x70b03cd0
region_type = mapped_file
name = "dwrite.dll"
filename = "\\Windows\\SysWOW64\\DWrite.dll" (normalized: "c:\\windows\\syswow64\\dwrite.dll")
Region:
id = 1886
start_va = 0x4790000
end_va = 0x47d8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-system.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat")
Region:
id = 1887
start_va = 0x21f0000
end_va = 0x21f3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021f0000"
filename = ""
Region:
id = 1888
start_va = 0x764e0000
end_va = 0x765fefff
monitored = 0
entry_point = 0x76525980
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll")
Region:
id = 1889
start_va = 0x4b30000
end_va = 0x5b2ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-fontface.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat")
Region:
id = 1890
start_va = 0x2250000
end_va = 0x2253fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002250000"
filename = ""
Region:
id = 1891
start_va = 0x49b0000
end_va = 0x4aaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000049b0000"
filename = ""
Region:
id = 1892
start_va = 0x4b20000
end_va = 0x4b2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004b20000"
filename = ""
Region:
id = 1893
start_va = 0x5b30000
end_va = 0x5c2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005b30000"
filename = ""
Region:
id = 1894
start_va = 0x5c30000
end_va = 0x6121fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005c30000"
filename = ""
Region:
id = 1896
start_va = 0x6130000
end_va = 0x716ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "staticcache.dat"
filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat")
Region:
id = 1897
start_va = 0x2260000
end_va = 0x2260fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002260000"
filename = ""
Region:
id = 1898
start_va = 0x47e0000
end_va = 0x4841fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorrc.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll")
Region:
id = 1899
start_va = 0x4850000
end_va = 0x485ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004850000"
filename = ""
Region:
id = 1900
start_va = 0x4860000
end_va = 0x486ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004860000"
filename = ""
Region:
id = 1901
start_va = 0x4870000
end_va = 0x487ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004870000"
filename = ""
Region:
id = 1902
start_va = 0x4860000
end_va = 0x486ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004860000"
filename = ""
Region:
id = 1903
start_va = 0x4870000
end_va = 0x487ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004870000"
filename = ""
Region:
id = 1904
start_va = 0x4990000
end_va = 0x499ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004990000"
filename = ""
Region:
id = 1905
start_va = 0x4ab0000
end_va = 0x4abffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004ab0000"
filename = ""
Region:
id = 1906
start_va = 0x4870000
end_va = 0x487ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004870000"
filename = ""
Region:
id = 1907
start_va = 0x4ab0000
end_va = 0x4aeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004ab0000"
filename = ""
Region:
id = 1908
start_va = 0x7170000
end_va = 0x726ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007170000"
filename = ""
Region:
id = 1909
start_va = 0x7270000
end_va = 0x826ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007270000"
filename = ""
Region:
id = 1910
start_va = 0x8270000
end_va = 0x841ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008270000"
filename = ""
Region:
id = 1911
start_va = 0x8420000
end_va = 0x941ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008420000"
filename = ""
Region:
id = 1912
start_va = 0x9420000
end_va = 0x977ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000009420000"
filename = ""
Region:
id = 1913
start_va = 0x4870000
end_va = 0x487ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004870000"
filename = ""
Region:
id = 1914
start_va = 0x4870000
end_va = 0x487ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004870000"
filename = ""
Thread:
id = 132
os_tid = 0x79c
[0211.834] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0
[0212.030] RoInitialize () returned 0x1
[0212.031] RoUninitialize () returned 0x0
[0213.898] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x19de58 | out: phkResult=0x19de58*=0x0) returned 0x2
[0213.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", nBufferLength=0x105, lpBuffer=0x19eed4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", lpFilePart=0x0) returned 0x77
[0213.915] IsAppThemed () returned 0x1
[0213.918] CoTaskMemAlloc (cb=0xf0) returned 0x6ece98
[0213.918] CreateActCtxA (pActCtx=0x19f418) returned 0x6d0bac
[0213.936] CoTaskMemFree (pv=0x6ece98)
[0213.942] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLNAME") returned 0xc1e0
[0213.942] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLTYPE") returned 0xc1df
[0213.968] GetSystemMetrics (nIndex=75) returned 1
[0213.971] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0
[0213.976] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x695e0000
[0214.001] AdjustWindowRectEx (in: lpRect=0x19f458, dwStyle=0x56cf0000, bMenu=0, dwExStyle=0x50001 | out: lpRect=0x19f458) returned 1
[0214.003] GetCurrentProcess () returned 0xffffffff
[0214.004] GetCurrentThread () returned 0xfffffffe
[0214.004] GetCurrentProcess () returned 0xffffffff
[0214.004] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19f370, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19f370*=0x2a8) returned 1
[0214.006] GetCurrentThreadId () returned 0x79c
[0214.012] GetCurrentActCtx (in: lphActCtx=0x19f2d0 | out: lphActCtx=0x19f2d0*=0x0) returned 1
[0214.012] ActivateActCtx (in: hActCtx=0x6d0bac, lpCookie=0x19f2e0 | out: hActCtx=0x6d0bac, lpCookie=0x19f2e0) returned 1
[0214.012] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0
[0214.019] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x72d30000
[0214.034] GetModuleHandleW (lpModuleName="user32.dll") returned 0x743d0000
[0214.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x19f194, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcW\x1egÞü×-(ú\rohö\x19", lpUsedDefaultChar=0x0) returned 14
[0214.034] GetProcAddress (hModule=0x743d0000, lpProcName="DefWindowProcW") returned 0x73e807e0
[0214.035] GetStockObject (i=5) returned 0x1900015
[0214.038] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0214.041] CoTaskMemAlloc (cb=0x5c) returned 0x6d88b0
[0214.042] RegisterClassW (lpWndClass=0x19f184) returned 0xc1db
[0214.042] CoTaskMemFree (pv=0x6d88b0)
[0214.042] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0214.043] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.Window.8.app.0.141b42a_r10_ad1", lpWindowName=0x0, dwStyle=0x2010000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0xfffffffd, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x80132
[0214.044] SetWindowLongW (hWnd=0x80132, nIndex=-4, dwNewLong=1944586208) returned 77202878
[0214.045] GetWindowLongW (hWnd=0x80132, nIndex=-4) returned 1944586208
[0214.046] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x19e9e4 | out: phkResult=0x19e9e4*=0x2c4) returned 0x0
[0214.046] RegQueryValueExW (in: hKey=0x2c4, lpValueName="DbgJITDebugLaunchSetting", lpReserved=0x0, lpType=0x19ea04, lpData=0x0, lpcbData=0x19ea00*=0x0 | out: lpType=0x19ea04*=0x0, lpData=0x0, lpcbData=0x19ea00*=0x0) returned 0x2
[0214.046] RegQueryValueExW (in: hKey=0x2c4, lpValueName="DbgManagedDebugger", lpReserved=0x0, lpType=0x19ea04, lpData=0x0, lpcbData=0x19ea00*=0x0 | out: lpType=0x19ea04*=0x0, lpData=0x0, lpcbData=0x19ea00*=0x0) returned 0x2
[0214.047] RegCloseKey (hKey=0x2c4) returned 0x0
[0214.048] SetWindowLongW (hWnd=0x80132, nIndex=-4, dwNewLong=77202918) returned 1944586208
[0214.048] GetWindowLongW (hWnd=0x80132, nIndex=-4) returned 77202918
[0214.048] GetWindowLongW (hWnd=0x80132, nIndex=-16) returned 113311744
[0214.049] RegisterClipboardFormatW (lpszFormat="WinFormsMouseEnter") returned 0xc14b
[0214.049] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x80132, Msg=0x24, wParam=0x0, lParam=0x19ecfc) returned 0x0
[0214.049] RegisterClipboardFormatW (lpszFormat="WinFormsUnSubclass") returned 0xc1d9
[0214.050] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x80132, Msg=0x81, wParam=0x0, lParam=0x19ecf0) returned 0x1
[0214.050] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x80132, Msg=0x83, wParam=0x0, lParam=0x19ecdc) returned 0x0
[0214.055] CallWindowProcW (lpPrevWndFunc=0x73e807e0, hWnd=0x80132, Msg=0x1, wParam=0x0, lParam=0x19ecf0) returned 0x0
[0214.056] GetClientRect (in: hWnd=0x80132, lpRect=0x19ea1c | out: lpRect=0x19ea1c) returned 1
[0214.056] GetWindowRect (in: hWnd=0x80132, lpRect=0x19ea1c | out: lpRect=0x19ea1c) returned 1
[0214.057] GetParent (hWnd=0x80132) returned 0x0
[0214.058] DeactivateActCtx (dwFlags=0x0, ulCookie=0x12690001) returned 1
[0214.131] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.131] AdjustWindowRectEx (in: lpRect=0x19f208, dwStyle=0x56010000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f208) returned 1
[0214.133] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.134] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0214.134] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.135] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0214.135] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.135] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0214.135] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.136] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0214.136] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.136] AdjustWindowRectEx (in: lpRect=0x19f218, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f218) returned 1
[0214.136] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.137] AdjustWindowRectEx (in: lpRect=0x19f208, dwStyle=0x56010000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f208) returned 1
[0214.139] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.140] AdjustWindowRectEx (in: lpRect=0x19f21c, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f21c) returned 1
[0214.140] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.141] AdjustWindowRectEx (in: lpRect=0x19f21c, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f21c) returned 1
[0214.141] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.141] AdjustWindowRectEx (in: lpRect=0x19f208, dwStyle=0x56010000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f208) returned 1
[0214.142] GetCurrentThreadId () returned 0x79c
[0214.142] GetCurrentThreadId () returned 0x79c
[0214.144] GetSystemDefaultLCID () returned 0x409
[0214.145] GetStockObject (i=17) returned 0x10a0047
[0214.146] GetObjectW (in: h=0x10a0047, c=92, pv=0x19f06c | out: pv=0x19f06c) returned 92
[0214.147] GetDC (hWnd=0x0) returned 0xa0100d0
[0214.169] GdiplusStartup (in: token=0x5d9138, input=0x19e628, output=0x19e678 | out: token=0x5d9138, output=0x19e678) returned 0x0
[0214.174] CoTaskMemAlloc (cb=0x5c) returned 0x6d8710
[0214.174] GdipCreateFontFromLogfontW (hdc=0xa0100d0, logfont=0x6d8710, font=0x19f134) returned 0x0
[0214.375] CoTaskMemFree (pv=0x6d8710)
[0214.376] CoTaskMemAlloc (cb=0x5c) returned 0x6d8710
[0214.376] CoTaskMemFree (pv=0x6d8710)
[0214.383] CoTaskMemAlloc (cb=0x5c) returned 0x6d8710
[0214.383] CoTaskMemFree (pv=0x6d8710)
[0214.383] GdipGetFontUnit (font=0x4b21f08, unit=0x19f100) returned 0x0
[0214.383] GdipGetFontSize (font=0x4b21f08, size=0x19f104) returned 0x0
[0214.385] GdipGetFontStyle (font=0x4b21f08, style=0x19f0fc) returned 0x0
[0214.385] GdipGetFamily (font=0x4b21f08, family=0x19f0f8) returned 0x0
[0214.385] GdipGetFontSize (font=0x4b21f08, size=0x228a1a8) returned 0x0
[0214.424] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1
[0214.424] GetDC (hWnd=0x0) returned 0x17010536
[0214.425] GdipCreateFromHDC (hdc=0x17010536, graphics=0x19f11c) returned 0x0
[0214.426] GdipGetDpiY (graphics=0x5b3f268, dpi=0x228a2b0) returned 0x0
[0214.426] GdipGetFontHeight (font=0x4b21f08, graphics=0x5b3f268, height=0x19f114) returned 0x0
[0214.427] GdipGetEmHeight (family=0x5b34738, style=0, EmHeight=0x19f11c) returned 0x0
[0214.427] GdipGetLineSpacing (family=0x5b34738, style=0, LineSpacing=0x19f11c) returned 0x0
[0214.427] GdipDeleteGraphics (graphics=0x5b3f268) returned 0x0
[0214.427] ReleaseDC (hWnd=0x0, hDC=0x17010536) returned 1
[0214.428] GdipCreateFont (fontFamily=0x5b34738, emSize=0x41040000, style=0, unit=0x3, font=0x228a270) returned 0x0
[0214.428] GdipGetFontSize (font=0x4b2efc0, size=0x228a274) returned 0x0
[0214.428] GdipDeleteFont (font=0x4b21f08) returned 0x0
[0214.430] GetCurrentThreadId () returned 0x79c
[0214.430] GetCurrentThreadId () returned 0x79c
[0214.430] GetCurrentThreadId () returned 0x79c
[0214.430] GetCurrentThreadId () returned 0x79c
[0214.430] GetCurrentThreadId () returned 0x79c
[0214.430] GetCurrentThreadId () returned 0x79c
[0214.430] GetCurrentThreadId () returned 0x79c
[0214.430] GetCurrentThreadId () returned 0x79c
[0214.431] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.431] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0214.438] GetProcessWindowStation () returned 0xfc
[0214.440] GetUserObjectInformationA (in: hObj=0xfc, nIndex=1, pvInfo=0x228ab4c, nLength=0xc, lpnLengthNeeded=0x19f084 | out: pvInfo=0x228ab4c, lpnLengthNeeded=0x19f084) returned 1
[0214.443] SetConsoleCtrlHandler (HandlerRoutine=0x49a060e, Add=1) returned 1
[0214.444] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0214.444] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0214.446] GetClassInfoW (in: hInstance=0x400000, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWndClass=0x228abb0 | out: lpWndClass=0x228abb0) returned 0
[0214.454] CoTaskMemAlloc (cb=0x58) returned 0x6d0750
[0214.454] RegisterClassW (lpWndClass=0x19efd4) returned 0xc1d7
[0214.502] CoTaskMemFree (pv=0x6d0750)
[0214.503] CreateWindowExW (dwExStyle=0x0, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWindowName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x40222
[0214.503] NtdllDefWindowProc_W (hWnd=0x40222, Msg=0x81, wParam=0x0, lParam=0x19eb10) returned 0x1
[0214.506] NtdllDefWindowProc_W (hWnd=0x40222, Msg=0x83, wParam=0x0, lParam=0x19eafc) returned 0x0
[0214.506] NtdllDefWindowProc_W (hWnd=0x40222, Msg=0x1, wParam=0x0, lParam=0x19eb10) returned 0x0
[0214.507] NtdllDefWindowProc_W (hWnd=0x40222, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0
[0214.507] NtdllDefWindowProc_W (hWnd=0x40222, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0
[0214.511] GetSysColor (nIndex=10) returned 0xb4b4b4
[0214.511] GetSysColor (nIndex=2) returned 0xd1b499
[0214.511] GetSysColor (nIndex=9) returned 0x0
[0214.511] GetSysColor (nIndex=12) returned 0xababab
[0214.511] GetSysColor (nIndex=15) returned 0xf0f0f0
[0214.511] GetSysColor (nIndex=20) returned 0xffffff
[0214.511] GetSysColor (nIndex=16) returned 0xa0a0a0
[0214.511] GetSysColor (nIndex=15) returned 0xf0f0f0
[0214.511] GetSysColor (nIndex=16) returned 0xa0a0a0
[0214.511] GetSysColor (nIndex=21) returned 0x696969
[0214.511] GetSysColor (nIndex=22) returned 0xe3e3e3
[0214.511] GetSysColor (nIndex=20) returned 0xffffff
[0214.512] GetSysColor (nIndex=18) returned 0x0
[0214.512] GetSysColor (nIndex=1) returned 0x0
[0214.512] GetSysColor (nIndex=27) returned 0xead1b9
[0214.512] GetSysColor (nIndex=28) returned 0xf2e4d7
[0214.512] GetSysColor (nIndex=17) returned 0x6d6d6d
[0214.512] GetSysColor (nIndex=13) returned 0xff9933
[0214.512] GetSysColor (nIndex=14) returned 0xffffff
[0214.512] GetSysColor (nIndex=26) returned 0xcc6600
[0214.512] GetSysColor (nIndex=11) returned 0xfcf7f4
[0214.512] GetSysColor (nIndex=3) returned 0xdbcdbf
[0214.512] GetSysColor (nIndex=19) returned 0x0
[0214.512] GetSysColor (nIndex=24) returned 0xe1ffff
[0214.512] GetSysColor (nIndex=23) returned 0x0
[0214.512] GetSysColor (nIndex=4) returned 0xf0f0f0
[0214.512] GetSysColor (nIndex=30) returned 0xf0f0f0
[0214.512] GetSysColor (nIndex=29) returned 0xff9933
[0214.512] GetSysColor (nIndex=7) returned 0x0
[0214.512] GetSysColor (nIndex=0) returned 0xc8c8c8
[0214.512] GetSysColor (nIndex=5) returned 0xffffff
[0214.512] GetSysColor (nIndex=6) returned 0x646464
[0214.512] GetSysColor (nIndex=8) returned 0x0
[0214.513] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.513] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0214.514] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.514] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0214.514] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.514] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0214.516] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.516] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0214.516] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.516] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0214.516] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.516] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0214.516] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.516] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0214.517] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.517] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0214.517] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.517] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0214.517] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.517] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0214.517] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.517] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f1a8) returned 1
[0214.517] GetCurrentThreadId () returned 0x79c
[0214.518] GetCurrentThreadId () returned 0x79c
[0214.518] GetCurrentThreadId () returned 0x79c
[0214.518] GetCurrentThreadId () returned 0x79c
[0214.518] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.518] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0214.518] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.518] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0214.519] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.520] AdjustWindowRectEx (in: lpRect=0x19f05c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f05c) returned 1
[0214.521] GdipGetFamilyName (in: family=0x5b34738, name=0x19f028, language=0x409 | out: name="Microsoft Sans Serif") returned 0x0
[0214.522] CreateCompatibleDC (hdc=0x0) returned 0x5901090d
[0214.523] GetCurrentObject (hdc=0x5901090d, type=0x1) returned 0x1b00017
[0214.523] GetCurrentObject (hdc=0x5901090d, type=0x2) returned 0x1900010
[0214.523] GetCurrentObject (hdc=0x5901090d, type=0x7) returned 0x185000f
[0214.523] GetCurrentObject (hdc=0x5901090d, type=0x6) returned 0x18a0048
[0214.524] SaveDC (hdc=0x5901090d) returned 1
[0214.524] GetDeviceCaps (hdc=0x5901090d, index=90) returned 96
[0214.525] CoTaskMemAlloc (cb=0x5c) returned 0x6d83d0
[0214.525] CreateFontIndirectW (lplf=0x6d83d0) returned 0x200a06b4
[0214.525] CoTaskMemFree (pv=0x6d83d0)
[0214.525] GetObjectW (in: h=0x200a06b4, c=92, pv=0x19efec | out: pv=0x19efec) returned 92
[0214.526] GetCurrentObject (hdc=0x5901090d, type=0x6) returned 0x18a0048
[0214.526] GetObjectW (in: h=0x18a0048, c=92, pv=0x19efd4 | out: pv=0x19efd4) returned 92
[0214.526] SelectObject (hdc=0x5901090d, h=0x200a06b4) returned 0x18a0048
[0214.527] GetTextExtentPoint32W (in: hdc=0x5901090d, lpString="0", c=1, psizl=0x228bd0c | out: psizl=0x228bd0c) returned 1
[0214.529] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.529] AdjustWindowRectEx (in: lpRect=0x19f130, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f130) returned 1
[0214.529] GdipCreateFontFamilyFromName (name="Arial", fontCollection=0x0, fontFamily=0x19f1f8) returned 0x0
[0214.530] GdipCreateFont (fontFamily=0x5b30f38, emSize=0x417c0000, style=1, unit=0x3, font=0x228bde8) returned 0x0
[0214.531] GdipGetFontSize (font=0x4b21f08, size=0x228bdec) returned 0x0
[0214.531] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.531] AdjustWindowRectEx (in: lpRect=0x19f014, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f014) returned 1
[0214.531] GdipGetFamilyName (in: family=0x5b30f38, name=0x19efe0, language=0x409 | out: name="Arial") returned 0x0
[0214.532] GetDeviceCaps (hdc=0x5901090d, index=90) returned 96
[0214.532] CoTaskMemAlloc (cb=0x5c) returned 0x6d8438
[0214.532] CreateFontIndirectW (lplf=0x6d8438) returned 0xe0a06ad
[0214.532] CoTaskMemFree (pv=0x6d8438)
[0214.532] GetObjectW (in: h=0xe0a06ad, c=92, pv=0x19efa4 | out: pv=0x19efa4) returned 92
[0214.532] SelectObject (hdc=0x5901090d, h=0xe0a06ad) returned 0x200a06b4
[0214.533] DeleteObject (ho=0x200a06b4) returned 1
[0214.534] GetTextExtentPoint32W (in: hdc=0x5901090d, lpString="0", c=1, psizl=0x228c09c | out: psizl=0x228c09c) returned 1
[0214.534] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.534] AdjustWindowRectEx (in: lpRect=0x19f0e8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e8) returned 1
[0214.535] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.535] AdjustWindowRectEx (in: lpRect=0x19f048, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f048) returned 1
[0214.535] GdipGetFamilyName (in: family=0x5b30f38, name=0x19f014, language=0x409 | out: name="Arial") returned 0x0
[0214.535] GetDeviceCaps (hdc=0x5901090d, index=90) returned 96
[0214.535] CoTaskMemAlloc (cb=0x5c) returned 0x6d88b0
[0214.535] CreateFontIndirectW (lplf=0x6d88b0) returned 0x210a06b4
[0214.535] CoTaskMemFree (pv=0x6d88b0)
[0214.535] GetObjectW (in: h=0x210a06b4, c=92, pv=0x19efd8 | out: pv=0x19efd8) returned 92
[0214.535] GetTextExtentPoint32W (in: hdc=0x5901090d, lpString="0", c=1, psizl=0x228c27c | out: psizl=0x228c27c) returned 1
[0214.535] DeleteObject (ho=0x210a06b4) returned 1
[0214.536] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.536] AdjustWindowRectEx (in: lpRect=0x19f17c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f17c) returned 1
[0214.536] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.536] AdjustWindowRectEx (in: lpRect=0x19f048, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f048) returned 1
[0214.536] GdipGetFamilyName (in: family=0x5b30f38, name=0x19f014, language=0x409 | out: name="Arial") returned 0x0
[0214.536] GetDeviceCaps (hdc=0x5901090d, index=90) returned 96
[0214.536] CoTaskMemAlloc (cb=0x5c) returned 0x6d89e8
[0214.536] CreateFontIndirectW (lplf=0x6d89e8) returned 0x220a06b4
[0214.536] CoTaskMemFree (pv=0x6d89e8)
[0214.536] GetObjectW (in: h=0x220a06b4, c=92, pv=0x19efd8 | out: pv=0x19efd8) returned 92
[0214.536] GetTextExtentPoint32W (in: hdc=0x5901090d, lpString="0", c=1, psizl=0x228c458 | out: psizl=0x228c458) returned 1
[0214.537] DeleteObject (ho=0x220a06b4) returned 1
[0214.537] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.537] AdjustWindowRectEx (in: lpRect=0x19f024, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f024) returned 1
[0214.540] GdipGetFamilyName (in: family=0x5b30f38, name=0x19ef14, language=0x409 | out: name="Arial") returned 0x0
[0214.540] GetDeviceCaps (hdc=0x5901090d, index=90) returned 96
[0214.540] CoTaskMemAlloc (cb=0x5c) returned 0x6d8710
[0214.541] CreateFontIndirectW (lplf=0x6d8710) returned 0x230a06b4
[0214.541] CoTaskMemFree (pv=0x6d8710)
[0214.541] GetObjectW (in: h=0x230a06b4, c=92, pv=0x19eed8 | out: pv=0x19eed8) returned 92
[0214.541] GetMapMode (hdc=0x5901090d) returned 1
[0214.541] GetTextMetricsW (in: hdc=0x5901090d, lptm=0x19ef00 | out: lptm=0x19ef00) returned 1
[0214.542] DrawTextExW (in: hdc=0x5901090d, lpchText="Chipu and Co.", cchText=13, lprc=0x19f00c, format=0x2400, lpdtp=0x228c6fc | out: lpchText="Chipu and Co.", lprc=0x19f00c) returned 24
[0214.594] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.594] AdjustWindowRectEx (in: lpRect=0x19f0f8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0f8) returned 1
[0214.594] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.594] AdjustWindowRectEx (in: lpRect=0x19f05c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f05c) returned 1
[0214.594] GdipGetFamilyName (in: family=0x5b34738, name=0x19f028, language=0x409 | out: name="Microsoft Sans Serif") returned 0x0
[0214.594] GetDeviceCaps (hdc=0x5901090d, index=90) returned 96
[0214.594] CoTaskMemAlloc (cb=0x5c) returned 0x6d83d0
[0214.594] CreateFontIndirectW (lplf=0x6d83d0) returned 0x170a0606
[0214.594] CoTaskMemFree (pv=0x6d83d0)
[0214.594] GetObjectW (in: h=0x170a0606, c=92, pv=0x19efec | out: pv=0x19efec) returned 92
[0214.595] SelectObject (hdc=0x5901090d, h=0x170a0606) returned 0xe0a06ad
[0214.595] DeleteObject (ho=0xe0a06ad) returned 1
[0214.595] GetTextExtentPoint32W (in: hdc=0x5901090d, lpString="0", c=1, psizl=0x228c96c | out: psizl=0x228c96c) returned 1
[0214.595] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.595] AdjustWindowRectEx (in: lpRect=0x19f130, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f130) returned 1
[0214.595] GdipCreateFontFamilyFromName (name="Arial", fontCollection=0x0, fontFamily=0x19f1f8) returned 0x0
[0214.596] GdipCreateFont (fontFamily=0x5b30f38, emSize=0x417c0000, style=1, unit=0x3, font=0x228ca74) returned 0x0
[0214.596] GdipGetFontSize (font=0x5b3b080, size=0x228ca78) returned 0x0
[0214.596] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.596] AdjustWindowRectEx (in: lpRect=0x19f014, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f014) returned 1
[0214.596] GdipGetFamilyName (in: family=0x5b30f38, name=0x19efe0, language=0x409 | out: name="Arial") returned 0x0
[0214.596] GetDeviceCaps (hdc=0x5901090d, index=90) returned 96
[0214.596] CoTaskMemAlloc (cb=0x5c) returned 0x6d8710
[0214.596] CreateFontIndirectW (lplf=0x6d8710) returned 0xf0a06ad
[0214.596] CoTaskMemFree (pv=0x6d8710)
[0214.596] GetObjectW (in: h=0xf0a06ad, c=92, pv=0x19efa4 | out: pv=0x19efa4) returned 92
[0214.596] SelectObject (hdc=0x5901090d, h=0xf0a06ad) returned 0x170a0606
[0214.597] DeleteObject (ho=0x170a0606) returned 1
[0214.597] GetTextExtentPoint32W (in: hdc=0x5901090d, lpString="0", c=1, psizl=0x228cce0 | out: psizl=0x228cce0) returned 1
[0214.597] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.597] AdjustWindowRectEx (in: lpRect=0x19f0e8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e8) returned 1
[0214.597] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.597] AdjustWindowRectEx (in: lpRect=0x19f048, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f048) returned 1
[0214.597] GdipGetFamilyName (in: family=0x5b30f38, name=0x19f014, language=0x409 | out: name="Arial") returned 0x0
[0214.597] GetDeviceCaps (hdc=0x5901090d, index=90) returned 96
[0214.598] CoTaskMemAlloc (cb=0x5c) returned 0x6d8710
[0214.598] CreateFontIndirectW (lplf=0x6d8710) returned 0x180a0606
[0214.598] CoTaskMemFree (pv=0x6d8710)
[0214.598] GetObjectW (in: h=0x180a0606, c=92, pv=0x19efd8 | out: pv=0x19efd8) returned 92
[0214.598] GetTextExtentPoint32W (in: hdc=0x5901090d, lpString="0", c=1, psizl=0x228cec0 | out: psizl=0x228cec0) returned 1
[0214.598] DeleteObject (ho=0x180a0606) returned 1
[0214.598] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.598] AdjustWindowRectEx (in: lpRect=0x19f17c, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f17c) returned 1
[0214.598] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.598] AdjustWindowRectEx (in: lpRect=0x19f048, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f048) returned 1
[0214.598] GdipGetFamilyName (in: family=0x5b30f38, name=0x19f014, language=0x409 | out: name="Arial") returned 0x0
[0214.599] GetDeviceCaps (hdc=0x5901090d, index=90) returned 96
[0214.599] CoTaskMemAlloc (cb=0x5c) returned 0x6d83d0
[0214.599] CreateFontIndirectW (lplf=0x6d83d0) returned 0x190a0606
[0214.599] CoTaskMemFree (pv=0x6d83d0)
[0214.599] GetObjectW (in: h=0x190a0606, c=92, pv=0x19efd8 | out: pv=0x19efd8) returned 92
[0214.599] GetTextExtentPoint32W (in: hdc=0x5901090d, lpString="0", c=1, psizl=0x228d09c | out: psizl=0x228d09c) returned 1
[0214.599] DeleteObject (ho=0x190a0606) returned 1
[0214.599] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.599] AdjustWindowRectEx (in: lpRect=0x19f024, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f024) returned 1
[0214.599] DrawTextExW (in: hdc=0x5901090d, lpchText="LMS", cchText=3, lprc=0x19f00c, format=0x2400, lpdtp=0x228d110 | out: lpchText="LMS", lprc=0x19f00c) returned 24
[0214.600] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.600] AdjustWindowRectEx (in: lpRect=0x19f0f8, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0f8) returned 1
[0214.600] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.600] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0214.600] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.600] AdjustWindowRectEx (in: lpRect=0x19f1a8, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f1a8) returned 1
[0214.601] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.601] AdjustWindowRectEx (in: lpRect=0x19f1dc, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19f1dc) returned 1
[0214.601] GetSystemMetrics (nIndex=59) returned 1456
[0214.601] GetSystemMetrics (nIndex=60) returned 916
[0214.601] GetSystemMetrics (nIndex=34) returned 136
[0214.601] GetSystemMetrics (nIndex=35) returned 39
[0214.602] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.602] AdjustWindowRectEx (in: lpRect=0x19f0dc, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19f0dc) returned 1
[0214.602] GetCurrentThreadId () returned 0x79c
[0214.602] GetCurrentThreadId () returned 0x79c
[0214.602] GetCurrentThreadId () returned 0x79c
[0214.602] GetCurrentThreadId () returned 0x79c
[0214.602] GetCurrentThreadId () returned 0x79c
[0214.602] GetCurrentThreadId () returned 0x79c
[0214.603] CreateCompatibleDC (hdc=0x0) returned 0x1a010606
[0214.604] GetDC (hWnd=0x0) returned 0x17010536
[0214.604] GdipCreateFromHDC (hdc=0x17010536, graphics=0x19f02c) returned 0x0
[0214.604] CoTaskMemAlloc (cb=0x5c) returned 0x6d88b0
[0214.604] GdipGetLogFontW (font=0x4b2efc0, graphics=0x5b3f3b8, logfontW=0x6d88b0) returned 0x0
[0214.605] CoTaskMemFree (pv=0x6d88b0)
[0214.605] CoTaskMemAlloc (cb=0x5c) returned 0x6d89e8
[0214.605] CoTaskMemFree (pv=0x6d89e8)
[0214.605] CoTaskMemAlloc (cb=0x5c) returned 0x6d8710
[0214.605] CoTaskMemFree (pv=0x6d8710)
[0214.605] GdipDeleteGraphics (graphics=0x5b3f3b8) returned 0x0
[0214.606] ReleaseDC (hWnd=0x0, hDC=0x17010536) returned 1
[0214.606] CoTaskMemAlloc (cb=0x5c) returned 0x6d8710
[0214.606] CreateFontIndirectW (lplf=0x6d8710) returned 0x370a097a
[0214.606] CoTaskMemFree (pv=0x6d8710)
[0214.606] SelectObject (hdc=0x1a010606, h=0x370a097a) returned 0x18a0048
[0214.606] GetTextMetricsW (in: hdc=0x1a010606, lptm=0x19f138 | out: lptm=0x19f138) returned 1
[0214.606] GetTextExtentPoint32W (in: hdc=0x1a010606, lpString="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ", c=52, psizl=0x228d5b8 | out: psizl=0x228d5b8) returned 1
[0214.607] SelectObject (hdc=0x1a010606, h=0x18a0048) returned 0x370a097a
[0214.607] DeleteDC (hdc=0x1a010606) returned 1
[0214.607] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.607] AdjustWindowRectEx (in: lpRect=0x19f118, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f118) returned 1
[0214.608] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.608] AdjustWindowRectEx (in: lpRect=0x19ef7c, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19ef7c) returned 1
[0214.608] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.608] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0214.608] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.608] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0214.608] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.608] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0214.609] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.609] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0214.609] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.609] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0214.609] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.609] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0214.609] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.609] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0214.609] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.610] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0214.610] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.610] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0214.610] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.610] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0214.610] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.610] AdjustWindowRectEx (in: lpRect=0x19f118, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f118) returned 1
[0214.610] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.611] AdjustWindowRectEx (in: lpRect=0x19ef7c, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19ef7c) returned 1
[0214.611] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.611] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0214.611] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.611] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0214.611] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.611] AdjustWindowRectEx (in: lpRect=0x19eda4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19eda4) returned 1
[0214.611] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.611] AdjustWindowRectEx (in: lpRect=0x19f0e4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19f0e4) returned 1
[0214.612] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.612] AdjustWindowRectEx (in: lpRect=0x19ef48, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef48) returned 1
[0214.612] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.612] AdjustWindowRectEx (in: lpRect=0x19eda4, dwStyle=0x5600000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19eda4) returned 1
[0214.612] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.613] AdjustWindowRectEx (in: lpRect=0x19ee90, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19ee90) returned 1
[0214.613] AdjustWindowRectEx (in: lpRect=0x19f0b0, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19f0b0) returned 1
[0214.613] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.613] AdjustWindowRectEx (in: lpRect=0x19ee08, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19ee08) returned 1
[0214.613] AdjustWindowRectEx (in: lpRect=0x19eee8, dwStyle=0x2cf0000, bMenu=0, dwExStyle=0x50000 | out: lpRect=0x19eee8) returned 1
[0214.613] GetSystemMetrics (nIndex=34) returned 136
[0214.613] GetSystemMetrics (nIndex=35) returned 39
[0214.613] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.613] AdjustWindowRectEx (in: lpRect=0x19f078, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19f078) returned 1
[0214.613] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x695e0000
[0214.613] AdjustWindowRectEx (in: lpRect=0x19eedc, dwStyle=0x56000000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19eedc) returned 1
[0214.690] EtwEventRegister (in: ProviderId=0x228dff8, EnableCallback=0x49a065e, CallbackContext=0x0, RegHandle=0x228dfd4 | out: RegHandle=0x228dfd4) returned 0x0
[0214.691] EtwEventSetInformation (RegHandle=0x6dddb0, InformationClass=0x32, EventInformation=0x2, InformationLength=0x228df68) returned 0x0
[0214.696] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe.config", nBufferLength=0x105, lpBuffer=0x19ea00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe.config", lpFilePart=0x0) returned 0x31
[0214.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19eeb0) returned 1
[0214.697] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19ef2c | out: lpFileInformation=0x19ef2c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0214.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19eeac) returned 1
[0215.169] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x19f168 | out: pfEnabled=0x19f168) returned 0x0
[0215.192] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfa00, lpName=0x0) returned 0x2f8
[0215.192] memcpy (in: _Dst=0x4850000, _Src=0x22a06b8, _Size=0xfa00 | out: _Dst=0x4850000) returned 0x4850000
[0215.193] CloseHandle (hObject=0x2f8) returned 1
Thread:
id = 133
os_tid = 0xac8
Thread:
id = 134
os_tid = 0xa1c
Thread:
id = 135
os_tid = 0xaac
[0212.031] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0212.031] RoInitialize () returned 0x1
[0212.031] RoUninitialize () returned 0x0
Thread:
id = 136
os_tid = 0x7d0
Thread:
id = 137
os_tid = 0xc10
Process:
id = "15"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x73042000"
os_pid = "0x60"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "created_scheduled_job"
parent_id = "12"
os_parent_pid = "0x20c"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d76b" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 2069
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2070
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2071
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 2072
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 2073
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 2074
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 2075
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 2076
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2077
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 2078
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 2079
start_va = 0x7ff719ba0000
end_va = 0x7ff719bacfff
monitored = 0
entry_point = 0x7ff719ba3980
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 2080
start_va = 0x7ffa5f050000
end_va = 0x7ffa5f210fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2200
start_va = 0x400000
end_va = 0x596fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 2201
start_va = 0x5a0000
end_va = 0x79ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005a0000"
filename = ""
Region:
id = 2202
start_va = 0x600000
end_va = 0x6fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 2203
start_va = 0x7ffa5ef40000
end_va = 0x7ffa5efecfff
monitored = 0
entry_point = 0x7ffa5ef581a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2204
start_va = 0x7ffa5b890000
end_va = 0x7ffa5ba77fff
monitored = 0
entry_point = 0x7ffa5b8bba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2205
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2206
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 2207
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2208
start_va = 0x7ffa5cc60000
end_va = 0x7ffa5ccbafff
monitored = 0
entry_point = 0x7ffa5cc738b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 2209
start_va = 0x7ffa5ee20000
end_va = 0x7ffa5ef3bfff
monitored = 0
entry_point = 0x7ffa5ee602b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2210
start_va = 0x400000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 2211
start_va = 0x590000
end_va = 0x596fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000590000"
filename = ""
Region:
id = 2212
start_va = 0x7ffa5a810000
end_va = 0x7ffa5a903fff
monitored = 0
entry_point = 0x7ffa5a81a960
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 2213
start_va = 0x7ffa5c6f0000
end_va = 0x7ffa5c96cfff
monitored = 0
entry_point = 0x7ffa5c7c4970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 2214
start_va = 0x7ffa5c970000
end_va = 0x7ffa5ca0cfff
monitored = 0
entry_point = 0x7ffa5c9778a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2215
start_va = 0x7ffa5c350000
end_va = 0x7ffa5c3b9fff
monitored = 0
entry_point = 0x7ffa5c386d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 2216
start_va = 0x700000
end_va = 0x866fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000700000"
filename = ""
Region:
id = 2217
start_va = 0x870000
end_va = 0xa6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000870000"
filename = ""
Region:
id = 2218
start_va = 0x900000
end_va = 0x9fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 2219
start_va = 0x480000
end_va = 0x55cfff
monitored = 0
entry_point = 0x4de0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2220
start_va = 0x7ffa5b670000
end_va = 0x7ffa5b67efff
monitored = 0
entry_point = 0x7ffa5b673210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 2221
start_va = 0x7ffa5cac0000
end_va = 0x7ffa5cc15fff
monitored = 0
entry_point = 0x7ffa5caca8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2222
start_va = 0x7ffa5ccc0000
end_va = 0x7ffa5ce45fff
monitored = 0
entry_point = 0x7ffa5cd0ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2223
start_va = 0x480000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 2224
start_va = 0xa00000
end_va = 0xb87fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a00000"
filename = ""
Region:
id = 2225
start_va = 0xb90000
end_va = 0xd10fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b90000"
filename = ""
Region:
id = 2226
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "svchost.exe.mui"
filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")
Region:
id = 2227
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 2228
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 2229
start_va = 0xd20000
end_va = 0xef6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d20000"
filename = ""
Region:
id = 2230
start_va = 0xf00000
end_va = 0x10fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f00000"
filename = ""
Region:
id = 2231
start_va = 0xf00000
end_va = 0xffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f00000"
filename = ""
Region:
id = 2232
start_va = 0x700000
end_va = 0x7fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000700000"
filename = ""
Region:
id = 2233
start_va = 0x860000
end_va = 0x866fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000860000"
filename = ""
Region:
id = 2234
start_va = 0xd20000
end_va = 0xe1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d20000"
filename = ""
Region:
id = 2235
start_va = 0xef0000
end_va = 0xef6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000ef0000"
filename = ""
Region:
id = 2236
start_va = 0x7ffa557c0000
end_va = 0x7ffa5590cfff
monitored = 0
entry_point = 0x7ffa55803da0
region_type = mapped_file
name = "gpsvc.dll"
filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll")
Region:
id = 2237
start_va = 0x7ffa5a320000
end_va = 0x7ffa5a32bfff
monitored = 0
entry_point = 0x7ffa5a322480
region_type = mapped_file
name = "sysntfy.dll"
filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll")
Region:
id = 2238
start_va = 0x7ffa557a0000
end_va = 0x7ffa557b7fff
monitored = 0
entry_point = 0x7ffa557a5910
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 2239
start_va = 0x7ffa55790000
end_va = 0x7ffa5579afff
monitored = 0
entry_point = 0x7ffa55791770
region_type = mapped_file
name = "lfsvc.dll"
filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll")
Region:
id = 2240
start_va = 0x7ffa57d00000
end_va = 0x7ffa57d91fff
monitored = 0
entry_point = 0x7ffa57d4a780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 2241
start_va = 0x1000000
end_va = 0x10fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001000000"
filename = ""
Region:
id = 2242
start_va = 0x7ffa55610000
end_va = 0x7ffa5578bfff
monitored = 0
entry_point = 0x7ffa55661650
region_type = mapped_file
name = "locationframework.dll"
filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll")
Region:
id = 2243
start_va = 0x7ffa5ce50000
end_va = 0x7ffa5cf10fff
monitored = 0
entry_point = 0x7ffa5ce70da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 2244
start_va = 0x7ffa5b680000
end_va = 0x7ffa5b6cafff
monitored = 0
entry_point = 0x7ffa5b6835f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 2245
start_va = 0x7ffa5ecf0000
end_va = 0x7ffa5ed96fff
monitored = 0
entry_point = 0x7ffa5ed058d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 2246
start_va = 0x7ffa5ba80000
end_va = 0x7ffa5bc46fff
monitored = 0
entry_point = 0x7ffa5baddb80
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 2247
start_va = 0x7ffa5b6d0000
end_va = 0x7ffa5b6dffff
monitored = 0
entry_point = 0x7ffa5b6d56e0
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 2248
start_va = 0x7ffa5eb20000
end_va = 0x7ffa5eb8afff
monitored = 0
entry_point = 0x7ffa5eb390c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 2249
start_va = 0x7ffa59f20000
end_va = 0x7ffa59f5ffff
monitored = 0
entry_point = 0x7ffa59f31960
region_type = mapped_file
name = "brokerlib.dll"
filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll")
Region:
id = 2250
start_va = 0x7ffa555a0000
end_va = 0x7ffa55600fff
monitored = 0
entry_point = 0x7ffa555a4b50
region_type = mapped_file
name = "wlanapi.dll"
filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")
Region:
id = 2251
start_va = 0x7ffa554d0000
end_va = 0x7ffa55597fff
monitored = 0
entry_point = 0x7ffa555113f0
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 2252
start_va = 0x7ffa580d0000
end_va = 0x7ffa58105fff
monitored = 0
entry_point = 0x7ffa580e0070
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 2253
start_va = 0x1100000
end_va = 0x1242fff
monitored = 0
entry_point = 0x1128210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2254
start_va = 0x1100000
end_va = 0x11fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001100000"
filename = ""
Region:
id = 2255
start_va = 0x7ffa554c0000
end_va = 0x7ffa554c9fff
monitored = 0
entry_point = 0x7ffa554c1660
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 2256
start_va = 0x7ffa554a0000
end_va = 0x7ffa554b6fff
monitored = 0
entry_point = 0x7ffa554a5630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 2257
start_va = 0x7ffa55480000
end_va = 0x7ffa55492fff
monitored = 0
entry_point = 0x7ffa554857f0
region_type = mapped_file
name = "themeservice.dll"
filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll")
Region:
id = 2258
start_va = 0x1200000
end_va = 0x12fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001200000"
filename = ""
Region:
id = 2259
start_va = 0x7ffa5afc0000
end_va = 0x7ffa5b015fff
monitored = 0
entry_point = 0x7ffa5afd0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 2260
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 2261
start_va = 0x5a0000
end_va = 0x5f6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005a0000"
filename = ""
Region:
id = 2262
start_va = 0x1300000
end_va = 0x14fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001300000"
filename = ""
Region:
id = 2263
start_va = 0x1300000
end_va = 0x13fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001300000"
filename = ""
Region:
id = 2264
start_va = 0x1400000
end_va = 0x14fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001400000"
filename = ""
Region:
id = 2265
start_va = 0x1500000
end_va = 0x15dcfff
monitored = 0
entry_point = 0x155e0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2266
start_va = 0x1500000
end_va = 0x15fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001500000"
filename = ""
Region:
id = 2267
start_va = 0x1600000
end_va = 0x16fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001600000"
filename = ""
Region:
id = 2268
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 2269
start_va = 0x7ffa5ca10000
end_va = 0x7ffa5cab6fff
monitored = 0
entry_point = 0x7ffa5ca1b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 2270
start_va = 0x540000
end_va = 0x540fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000540000"
filename = ""
Region:
id = 2271
start_va = 0x7ffa55410000
end_va = 0x7ffa55464fff
monitored = 0
entry_point = 0x7ffa5541fc00
region_type = mapped_file
name = "profsvc.dll"
filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll")
Region:
id = 2272
start_va = 0x7ffa5b6e0000
end_va = 0x7ffa5b6f3fff
monitored = 0
entry_point = 0x7ffa5b6e52e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 2273
start_va = 0x7ffa553e0000
end_va = 0x7ffa55406fff
monitored = 0
entry_point = 0x7ffa553e3bf0
region_type = mapped_file
name = "profsvcext.dll"
filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll")
Region:
id = 2274
start_va = 0x7ffa5d0d0000
end_va = 0x7ffa5d12bfff
monitored = 0
entry_point = 0x7ffa5d0eb720
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 2275
start_va = 0x7ffa5d5c0000
end_va = 0x7ffa5eb1efff
monitored = 0
entry_point = 0x7ffa5d7211f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 2276
start_va = 0x7ffa5b7c0000
end_va = 0x7ffa5b802fff
monitored = 0
entry_point = 0x7ffa5b7d4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 2277
start_va = 0x7ffa5bc50000
end_va = 0x7ffa5c293fff
monitored = 0
entry_point = 0x7ffa5be164b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 2278
start_va = 0x7ffa5eff0000
end_va = 0x7ffa5f041fff
monitored = 0
entry_point = 0x7ffa5efff530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 2279
start_va = 0x7ffa5b700000
end_va = 0x7ffa5b7b4fff
monitored = 0
entry_point = 0x7ffa5b7422e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 2280
start_va = 0x7ffa5add0000
end_va = 0x7ffa5adeefff
monitored = 0
entry_point = 0x7ffa5add5d30
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 2281
start_va = 0x7ffa5aa80000
end_va = 0x7ffa5aa8bfff
monitored = 0
entry_point = 0x7ffa5aa827e0
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 2282
start_va = 0x7ffa553a0000
end_va = 0x7ffa553ddfff
monitored = 0
entry_point = 0x7ffa553aa050
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 2283
start_va = 0x1700000
end_va = 0x17fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001700000"
filename = ""
Region:
id = 2284
start_va = 0x7ffa552c0000
end_va = 0x7ffa552dffff
monitored = 0
entry_point = 0x7ffa552c39a0
region_type = mapped_file
name = "locationwinpalmisc.dll"
filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll")
Region:
id = 2285
start_va = 0x7ffa5a0b0000
end_va = 0x7ffa5a0d6fff
monitored = 0
entry_point = 0x7ffa5a0b7940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 2286
start_va = 0x550000
end_va = 0x550fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000550000"
filename = ""
Region:
id = 2287
start_va = 0x7ffa552b0000
end_va = 0x7ffa552bbfff
monitored = 0
entry_point = 0x7ffa552b14d0
region_type = mapped_file
name = "locationframeworkps.dll"
filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")
Region:
id = 2288
start_va = 0x7ffa55270000
end_va = 0x7ffa552a6fff
monitored = 0
entry_point = 0x7ffa55276020
region_type = mapped_file
name = "gnssadapter.dll"
filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll")
Region:
id = 2289
start_va = 0x7ffa55210000
end_va = 0x7ffa55264fff
monitored = 0
entry_point = 0x7ffa55213fb0
region_type = mapped_file
name = "policymanager.dll"
filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll")
Region:
id = 2290
start_va = 0x1000000
end_va = 0x10fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001000000"
filename = ""
Region:
id = 2291
start_va = 0x1800000
end_va = 0x1b36fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 2292
start_va = 0x7ffa55470000
end_va = 0x7ffa5547bfff
monitored = 0
entry_point = 0x7ffa55472830
region_type = mapped_file
name = "bi.dll"
filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll")
Region:
id = 2293
start_va = 0x7ffa551f0000
end_va = 0x7ffa55209fff
monitored = 0
entry_point = 0x7ffa551f2cf0
region_type = mapped_file
name = "locationpelegacywinlocation.dll"
filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll")
Region:
id = 2294
start_va = 0x7ffa5c570000
end_va = 0x7ffa5c6b2fff
monitored = 0
entry_point = 0x7ffa5c598210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2295
start_va = 0x1b40000
end_va = 0x1c3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001b40000"
filename = ""
Region:
id = 2296
start_va = 0x7ffa551d0000
end_va = 0x7ffa551e0fff
monitored = 0
entry_point = 0x7ffa551d7ea0
region_type = mapped_file
name = "dcpapi.dll"
filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll")
Region:
id = 2297
start_va = 0x7ffa551a0000
end_va = 0x7ffa551c4fff
monitored = 0
entry_point = 0x7ffa551b2f20
region_type = mapped_file
name = "wificonnapi.dll"
filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll")
Region:
id = 2298
start_va = 0x7ffa550e0000
end_va = 0x7ffa55190fff
monitored = 0
entry_point = 0x7ffa551588b0
region_type = mapped_file
name = "cellularapi.dll"
filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll")
Region:
id = 2299
start_va = 0x7ffa5b500000
end_va = 0x7ffa5b528fff
monitored = 0
entry_point = 0x7ffa5b514530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 2300
start_va = 0x7ffa550a0000
end_va = 0x7ffa550d8fff
monitored = 0
entry_point = 0x7ffa550a9c90
region_type = mapped_file
name = "aepic.dll"
filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll")
Region:
id = 2301
start_va = 0x7ffa55080000
end_va = 0x7ffa55090fff
monitored = 0
entry_point = 0x7ffa55083e10
region_type = mapped_file
name = "sfc_os.dll"
filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll")
Region:
id = 2302
start_va = 0x7ffa56330000
end_va = 0x7ffa566b1fff
monitored = 0
entry_point = 0x7ffa56381220
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 2303
start_va = 0x7ffa55060000
end_va = 0x7ffa55071fff
monitored = 0
entry_point = 0x7ffa55069260
region_type = mapped_file
name = "rilproxy.dll"
filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll")
Region:
id = 2304
start_va = 0x7ffa54fb0000
end_va = 0x7ffa5505dfff
monitored = 0
entry_point = 0x7ffa54fc80c0
region_type = mapped_file
name = "windows.networking.connectivity.dll"
filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll")
Region:
id = 2305
start_va = 0x7ffa5a670000
end_va = 0x7ffa5a693fff
monitored = 0
entry_point = 0x7ffa5a673260
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 2306
start_va = 0x7ffa54ef0000
end_va = 0x7ffa54faefff
monitored = 0
entry_point = 0x7ffa54f11c50
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll")
Region:
id = 2307
start_va = 0x1c40000
end_va = 0x1d3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c40000"
filename = ""
Region:
id = 2308
start_va = 0x1d40000
end_va = 0x1e3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d40000"
filename = ""
Region:
id = 2309
start_va = 0x7ffa54ce0000
end_va = 0x7ffa54ddbfff
monitored = 0
entry_point = 0x7ffa54d16df0
region_type = mapped_file
name = "schedsvc.dll"
filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll")
Region:
id = 2310
start_va = 0x7ffa55090000
end_va = 0x7ffa550d0fff
monitored = 0
entry_point = 0x7ffa550a7eb0
region_type = mapped_file
name = "ubpm.dll"
filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll")
Region:
id = 2311
start_va = 0x7ffa5b4e0000
end_va = 0x7ffa5b4f8fff
monitored = 0
entry_point = 0x7ffa5b4e5e10
region_type = mapped_file
name = "eventaggregation.dll"
filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll")
Region:
id = 2312
start_va = 0x1e40000
end_va = 0x2026fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e40000"
filename = ""
Region:
id = 2313
start_va = 0x2030000
end_va = 0x222ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002030000"
filename = ""
Region:
id = 2314
start_va = 0x2100000
end_va = 0x21fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002100000"
filename = ""
Region:
id = 2315
start_va = 0x7ffa5a910000
end_va = 0x7ffa5a958fff
monitored = 0
entry_point = 0x7ffa5a91a090
region_type = mapped_file
name = "authz.dll"
filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")
Region:
id = 2316
start_va = 0x7ffa54cc0000
end_va = 0x7ffa54cd0fff
monitored = 0
entry_point = 0x7ffa54cc3320
region_type = mapped_file
name = "wmiclnt.dll"
filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")
Region:
id = 2317
start_va = 0x7ffa5b350000
end_va = 0x7ffa5b37cfff
monitored = 0
entry_point = 0x7ffa5b369d40
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 2318
start_va = 0x560000
end_va = 0x560fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000560000"
filename = ""
Region:
id = 2319
start_va = 0x700000
end_va = 0x77ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000700000"
filename = ""
Region:
id = 2320
start_va = 0xd20000
end_va = 0xe1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d20000"
filename = ""
Region:
id = 2321
start_va = 0x7ffa54c50000
end_va = 0x7ffa54cbdfff
monitored = 0
entry_point = 0x7ffa54c57f60
region_type = mapped_file
name = "taskcomp.dll"
filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll")
Region:
id = 2322
start_va = 0x7ffa5ab60000
end_va = 0x7ffa5ab90fff
monitored = 0
entry_point = 0x7ffa5ab67d10
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 2323
start_va = 0x1e40000
end_va = 0x1f3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e40000"
filename = ""
Region:
id = 2324
start_va = 0x2020000
end_va = 0x2026fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002020000"
filename = ""
Region:
id = 2325
start_va = 0x780000
end_va = 0x7fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000780000"
filename = ""
Region:
id = 2326
start_va = 0x870000
end_va = 0x8effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000870000"
filename = ""
Region:
id = 2327
start_va = 0x7ffa54bf0000
end_va = 0x7ffa54c31fff
monitored = 0
entry_point = 0x7ffa54bf27d0
region_type = mapped_file
name = "mstask.dll"
filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll")
Region:
id = 2328
start_va = 0x560000
end_va = 0x561fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000560000"
filename = ""
Region:
id = 2329
start_va = 0x7ffa54b70000
end_va = 0x7ffa54b85fff
monitored = 0
entry_point = 0x7ffa54b71b60
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 2330
start_va = 0x7ffa54ae0000
end_va = 0x7ffa54b0efff
monitored = 0
entry_point = 0x7ffa54ae8910
region_type = mapped_file
name = "wptaskscheduler.dll"
filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll")
Region:
id = 2331
start_va = 0x7ffa54ad0000
end_va = 0x7ffa54adcfff
monitored = 0
entry_point = 0x7ffa54ad2ca0
region_type = mapped_file
name = "csystemeventsbrokerclient.dll"
filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll")
Region:
id = 2332
start_va = 0xe20000
end_va = 0xe9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e20000"
filename = ""
Region:
id = 2333
start_va = 0x7ffa5af40000
end_va = 0x7ffa5af9bfff
monitored = 0
entry_point = 0x7ffa5af56f70
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 2334
start_va = 0x570000
end_va = 0x570fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000570000"
filename = ""
Region:
id = 2335
start_va = 0x7ffa59d80000
end_va = 0x7ffa59d92fff
monitored = 0
entry_point = 0x7ffa59d82760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 2336
start_va = 0x2200000
end_va = 0x22fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002200000"
filename = ""
Region:
id = 2339
start_va = 0x580000
end_va = 0x580fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000580000"
filename = ""
Region:
id = 2340
start_va = 0x7ffa548d0000
end_va = 0x7ffa549b5fff
monitored = 0
entry_point = 0x7ffa548ecf10
region_type = mapped_file
name = "usermgr.dll"
filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll")
Region:
id = 2341
start_va = 0x7ffa566c0000
end_va = 0x7ffa567f5fff
monitored = 0
entry_point = 0x7ffa566ef350
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll")
Region:
id = 2342
start_va = 0x7ffa548a0000
end_va = 0x7ffa548cdfff
monitored = 0
entry_point = 0x7ffa548a7550
region_type = mapped_file
name = "netjoin.dll"
filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll")
Region:
id = 2343
start_va = 0x7ffa5b1b0000
end_va = 0x7ffa5b1d0fff
monitored = 0
entry_point = 0x7ffa5b1c0250
region_type = mapped_file
name = "joinutil.dll"
filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll")
Region:
id = 2344
start_va = 0x7ffa59d20000
end_va = 0x7ffa59d3bfff
monitored = 0
entry_point = 0x7ffa59d237a0
region_type = mapped_file
name = "samlib.dll"
filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll")
Region:
id = 2345
start_va = 0x580000
end_va = 0x58cfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "gpsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui")
Region:
id = 2346
start_va = 0x7ffa59b00000
end_va = 0x7ffa59b07fff
monitored = 0
entry_point = 0x7ffa59b013e0
region_type = mapped_file
name = "dabapi.dll"
filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll")
Region:
id = 2347
start_va = 0x2300000
end_va = 0x23fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002300000"
filename = ""
Region:
id = 2348
start_va = 0x2400000
end_va = 0x25fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002400000"
filename = ""
Region:
id = 2349
start_va = 0x2400000
end_va = 0x24fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002400000"
filename = ""
Region:
id = 2350
start_va = 0x1f40000
end_va = 0x1fbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f40000"
filename = ""
Region:
id = 2351
start_va = 0x2500000
end_va = 0x25fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 2352
start_va = 0x7ffa53f40000
end_va = 0x7ffa53fd9fff
monitored = 0
entry_point = 0x7ffa53f5ada0
region_type = mapped_file
name = "shsvcs.dll"
filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll")
Region:
id = 2353
start_va = 0x5a0000
end_va = 0x5a0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005a0000"
filename = ""
Region:
id = 2354
start_va = 0x5f0000
end_va = 0x5f6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005f0000"
filename = ""
Region:
id = 2355
start_va = 0x2600000
end_va = 0x26fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Region:
id = 2356
start_va = 0x5a0000
end_va = 0x5a0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005a0000"
filename = ""
Region:
id = 2357
start_va = 0x7ffa53ed0000
end_va = 0x7ffa53f10fff
monitored = 0
entry_point = 0x7ffa53ed4840
region_type = mapped_file
name = "usermgrproxy.dll"
filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll")
Region:
id = 2358
start_va = 0x7ffa57e20000
end_va = 0x7ffa57e83fff
monitored = 0
entry_point = 0x7ffa57e35ae0
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 2359
start_va = 0x7ffa5b170000
end_va = 0x7ffa5b17afff
monitored = 0
entry_point = 0x7ffa5b1719a0
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 2360
start_va = 0x7ffa59d40000
end_va = 0x7ffa59d71fff
monitored = 0
entry_point = 0x7ffa59d4b0c0
region_type = mapped_file
name = "shacct.dll"
filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll")
Region:
id = 2361
start_va = 0x7ffa59b90000
end_va = 0x7ffa59d15fff
monitored = 0
entry_point = 0x7ffa59bdd700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 2362
start_va = 0x5a0000
end_va = 0x5a3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 2363
start_va = 0x800000
end_va = 0x844fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000c.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db")
Region:
id = 2364
start_va = 0x5b0000
end_va = 0x5b3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 2365
start_va = 0x1c40000
end_va = 0x1ccdfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 2366
start_va = 0x5c0000
end_va = 0x5d0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "propsys.dll.mui"
filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui")
Region:
id = 2367
start_va = 0x7ffa53c80000
end_va = 0x7ffa53d1afff
monitored = 0
entry_point = 0x7ffa53c87220
region_type = mapped_file
name = "settingsync.dll"
filename = "\\Windows\\System32\\SettingSync.dll" (normalized: "c:\\windows\\system32\\settingsync.dll")
Region:
id = 2368
start_va = 0x5e0000
end_va = 0x5e1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005e0000"
filename = ""
Region:
id = 2369
start_va = 0x2700000
end_va = 0x27dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 2374
start_va = 0x27e0000
end_va = 0x29dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000027e0000"
filename = ""
Region:
id = 2375
start_va = 0x2800000
end_va = 0x28fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002800000"
filename = ""
Region:
id = 2376
start_va = 0x2900000
end_va = 0x29fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002900000"
filename = ""
Region:
id = 2390
start_va = 0x7ffa53c70000
end_va = 0x7ffa53c7dfff
monitored = 0
entry_point = 0x7ffa53c71460
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 2476
start_va = 0x2030000
end_va = 0x20affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002030000"
filename = ""
Region:
id = 2477
start_va = 0x7ffa54c40000
end_va = 0x7ffa54c4ffff
monitored = 0
entry_point = 0x7ffa54c42c60
region_type = mapped_file
name = "usermgrcli.dll"
filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll")
Region:
id = 2479
start_va = 0x7ffa53bf0000
end_va = 0x7ffa53c00fff
monitored = 0
entry_point = 0x7ffa53bf28d0
region_type = mapped_file
name = "credentialmigrationhandler.dll"
filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll")
Region:
id = 2480
start_va = 0x7ffa53e10000
end_va = 0x7ffa53ecffff
monitored = 0
entry_point = 0x7ffa53e3fd20
region_type = mapped_file
name = "fveapi.dll"
filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll")
Region:
id = 2481
start_va = 0x850000
end_va = 0x850fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000850000"
filename = ""
Region:
id = 2482
start_va = 0x7ffa53b90000
end_va = 0x7ffa53be1fff
monitored = 0
entry_point = 0x7ffa53b938e0
region_type = mapped_file
name = "proximityservice.dll"
filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll")
Region:
id = 2483
start_va = 0x7ffa53b60000
end_va = 0x7ffa53b8cfff
monitored = 0
entry_point = 0x7ffa53b62290
region_type = mapped_file
name = "proximitycommon.dll"
filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll")
Region:
id = 2484
start_va = 0x7ffa54a90000
end_va = 0x7ffa54ac7fff
monitored = 0
entry_point = 0x7ffa54aa8cc0
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 2485
start_va = 0x7ffa53b50000
end_va = 0x7ffa53b58fff
monitored = 0
entry_point = 0x7ffa53b51ed0
region_type = mapped_file
name = "proximitycommonpal.dll"
filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll")
Region:
id = 2486
start_va = 0x7ffa53b40000
end_va = 0x7ffa53b4ffff
monitored = 0
entry_point = 0x7ffa53b41700
region_type = mapped_file
name = "proximityservicepal.dll"
filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll")
Region:
id = 2487
start_va = 0x7ffa5c3c0000
end_va = 0x7ffa5c445fff
monitored = 0
entry_point = 0x7ffa5c3cd8f0
region_type = mapped_file
name = "firewallapi.dll"
filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll")
Region:
id = 2488
start_va = 0x7ffa5a3f0000
end_va = 0x7ffa5a421fff
monitored = 0
entry_point = 0x7ffa5a402340
region_type = mapped_file
name = "fwbase.dll"
filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll")
Region:
id = 2491
start_va = 0x2a00000
end_va = 0x2afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a00000"
filename = ""
Region:
id = 2492
start_va = 0x2b00000
end_va = 0x2b7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b00000"
filename = ""
Region:
id = 2498
start_va = 0x7ffa560b0000
end_va = 0x7ffa56129fff
monitored = 0
entry_point = 0x7ffa560d7630
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 2499
start_va = 0x850000
end_va = 0x850fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000850000"
filename = ""
Region:
id = 2503
start_va = 0x7ffa5b530000
end_va = 0x7ffa5b5c8fff
monitored = 0
entry_point = 0x7ffa5b55f4e0
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 2506
start_va = 0x850000
end_va = 0x851fff
monitored = 0
entry_point = 0x855630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 2507
start_va = 0x8f0000
end_va = 0x8f4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Region:
id = 2511
start_va = 0x7ffa5a660000
end_va = 0x7ffa5a66bfff
monitored = 0
entry_point = 0x7ffa5a662790
region_type = mapped_file
name = "hid.dll"
filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll")
Region:
id = 2599
start_va = 0x850000
end_va = 0x850fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000850000"
filename = ""
Region:
id = 2643
start_va = 0x2b80000
end_va = 0x2bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b80000"
filename = ""
Region:
id = 2663
start_va = 0x850000
end_va = 0x850fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000850000"
filename = ""
Thread:
id = 152
os_tid = 0xf8
Thread:
id = 153
os_tid = 0x160
Thread:
id = 154
os_tid = 0x2f0
Thread:
id = 155
os_tid = 0x310
Thread:
id = 156
os_tid = 0x2e4
Thread:
id = 157
os_tid = 0x33c
Thread:
id = 158
os_tid = 0x3c0
Thread:
id = 159
os_tid = 0x2e8
Thread:
id = 160
os_tid = 0x3f0
Thread:
id = 161
os_tid = 0x148
Thread:
id = 162
os_tid = 0x2e4
Thread:
id = 163
os_tid = 0x40c
Thread:
id = 164
os_tid = 0x414
Thread:
id = 165
os_tid = 0x420
Thread:
id = 166
os_tid = 0x434
Thread:
id = 167
os_tid = 0x438
Thread:
id = 168
os_tid = 0x43c
Thread:
id = 169
os_tid = 0x440
Thread:
id = 170
os_tid = 0x444
Thread:
id = 171
os_tid = 0x45c
Thread:
id = 172
os_tid = 0x460
Thread:
id = 173
os_tid = 0x498
Thread:
id = 174
os_tid = 0x4b4
Thread:
id = 175
os_tid = 0x4c0
Thread:
id = 176
os_tid = 0x4a0
Thread:
id = 177
os_tid = 0x564
Thread:
id = 194
os_tid = 0x588
Thread:
id = 195
os_tid = 0x59c
Thread:
id = 201
os_tid = 0x5a0
Thread:
id = 209
os_tid = 0x618
Process:
id = "16"
image_name = "taskhostw.exe"
filename = "c:\\windows\\system32\\taskhostw.exe"
page_root = "0x34bc9000"
os_pid = "0x574"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "child_process"
parent_id = "15"
os_parent_pid = "0x60"
cmd_line = "taskhostw.exe TpmTasks"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d76b" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 2378
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2379
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2380
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 2381
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 2382
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 2383
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 2384
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 2385
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2386
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 2387
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 2388
start_va = 0x7ff7faa10000
end_va = 0x7ff7faa28fff
monitored = 0
entry_point = 0x7ff7faa159b0
region_type = mapped_file
name = "taskhostw.exe"
filename = "\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")
Region:
id = 2389
start_va = 0x7ffa5f050000
end_va = 0x7ffa5f210fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2541
start_va = 0x400000
end_va = 0x68ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 2542
start_va = 0x7ffa5ef40000
end_va = 0x7ffa5efecfff
monitored = 0
entry_point = 0x7ffa5ef581a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2543
start_va = 0x7ffa5b890000
end_va = 0x7ffa5ba77fff
monitored = 0
entry_point = 0x7ffa5b8bba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2544
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2545
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 2546
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2547
start_va = 0x7ffa5c970000
end_va = 0x7ffa5ca0cfff
monitored = 0
entry_point = 0x7ffa5c9778a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2548
start_va = 0x400000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 2549
start_va = 0x590000
end_va = 0x68ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000590000"
filename = ""
Region:
id = 2550
start_va = 0x7ffa5ee20000
end_va = 0x7ffa5ef3bfff
monitored = 0
entry_point = 0x7ffa5ee602b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2551
start_va = 0x7ffa5c6f0000
end_va = 0x7ffa5c96cfff
monitored = 0
entry_point = 0x7ffa5c7c4970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 2552
start_va = 0x7ffa5c350000
end_va = 0x7ffa5c3b9fff
monitored = 0
entry_point = 0x7ffa5c386d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 2553
start_va = 0x7ffa5ce50000
end_va = 0x7ffa5cf10fff
monitored = 0
entry_point = 0x7ffa5ce70da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 2554
start_va = 0x690000
end_va = 0x7affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000690000"
filename = ""
Region:
id = 2555
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 2601
start_va = 0x7b0000
end_va = 0x8f2fff
monitored = 0
entry_point = 0x7d8210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2602
start_va = 0x480000
end_va = 0x55cfff
monitored = 0
entry_point = 0x4de0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2603
start_va = 0x7ffa5b670000
end_va = 0x7ffa5b67efff
monitored = 0
entry_point = 0x7ffa5b673210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 2604
start_va = 0x7ffa5cac0000
end_va = 0x7ffa5cc15fff
monitored = 0
entry_point = 0x7ffa5caca8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2605
start_va = 0x1c0000
end_va = 0x1c6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 2606
start_va = 0x7ffa5ccc0000
end_va = 0x7ffa5ce45fff
monitored = 0
entry_point = 0x7ffa5cd0ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2607
start_va = 0x480000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 2608
start_va = 0x7b0000
end_va = 0x937fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007b0000"
filename = ""
Region:
id = 2609
start_va = 0x940000
end_va = 0xac0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000940000"
filename = ""
Thread:
id = 199
os_tid = 0x578
Thread:
id = 206
os_tid = 0x5d0
Process:
id = "17"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x72d27000"
os_pid = "0x3cc"
os_integrity_level = "0x4000"
os_privileges = "0x60800000"
monitor_reason = "rpc_server"
parent_id = "15"
os_parent_pid = "0x20c"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\Local Service"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AJRouter" [0xa], "NT SERVICE\\bthserv" [0xa], "NT SERVICE\\CDPSvc" [0xa], "NT SERVICE\\EventSystem" [0xa], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\LicenseManager" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\PhoneSvc" [0xa], "NT SERVICE\\RemoteRegistry" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\tzautoupdate" [0xe], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT SERVICE\\workfolderssvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d20b" [0xc000000f], "LOCAL" [0x7]
Region:
id = 2391
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2392
start_va = 0x20000
end_va = 0x20fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "svchost.exe.mui"
filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui")
Region:
id = 2393
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2394
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 2395
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 2396
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 2397
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 2398
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2399
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 2400
start_va = 0x1d0000
end_va = 0x1d6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 2401
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 2402
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 2403
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 2404
start_va = 0x400000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 2405
start_va = 0x480000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 2406
start_va = 0x540000
end_va = 0x540fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000540000"
filename = ""
Region:
id = 2407
start_va = 0x550000
end_va = 0x550fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000550000"
filename = ""
Region:
id = 2408
start_va = 0x560000
end_va = 0x5a8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-system.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat")
Region:
id = 2409
start_va = 0x5b0000
end_va = 0x5b1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "netprofmsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\netprofmsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofmsvc.dll.mui")
Region:
id = 2410
start_va = 0x5c0000
end_va = 0x5c6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005c0000"
filename = ""
Region:
id = 2411
start_va = 0x600000
end_va = 0x6fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 2412
start_va = 0x700000
end_va = 0x7fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000700000"
filename = ""
Region:
id = 2413
start_va = 0x800000
end_va = 0x987fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000800000"
filename = ""
Region:
id = 2414
start_va = 0x990000
end_va = 0xb10fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000990000"
filename = ""
Region:
id = 2415
start_va = 0xb20000
end_va = 0xb9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b20000"
filename = ""
Region:
id = 2416
start_va = 0xba0000
end_va = 0xc9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000ba0000"
filename = ""
Region:
id = 2417
start_va = 0xcf0000
end_va = 0xcf6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000cf0000"
filename = ""
Region:
id = 2418
start_va = 0xd00000
end_va = 0xdfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000d00000"
filename = ""
Region:
id = 2419
start_va = 0xe00000
end_va = 0xefffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000e00000"
filename = ""
Region:
id = 2420
start_va = 0x1000000
end_va = 0x10fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001000000"
filename = ""
Region:
id = 2421
start_va = 0x1100000
end_va = 0x11fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001100000"
filename = ""
Region:
id = 2422
start_va = 0x1200000
end_va = 0x12fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001200000"
filename = ""
Region:
id = 2423
start_va = 0x1300000
end_va = 0x13fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001300000"
filename = ""
Region:
id = 2424
start_va = 0x1400000
end_va = 0x14fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001400000"
filename = ""
Region:
id = 2425
start_va = 0x1500000
end_va = 0x24fffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-fontface.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat")
Region:
id = 2426
start_va = 0x2500000
end_va = 0x2836fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 2427
start_va = 0x2840000
end_va = 0x303ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-s-1-5-18.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-18.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-18.dat")
Region:
id = 2428
start_va = 0x3140000
end_va = 0x323ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003140000"
filename = ""
Region:
id = 2429
start_va = 0x3340000
end_va = 0x343ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003340000"
filename = ""
Region:
id = 2430
start_va = 0x3440000
end_va = 0x353ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003440000"
filename = ""
Region:
id = 2431
start_va = 0x3540000
end_va = 0x363ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003540000"
filename = ""
Region:
id = 2432
start_va = 0x3640000
end_va = 0x373ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003640000"
filename = ""
Region:
id = 2433
start_va = 0x3740000
end_va = 0x383ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003740000"
filename = ""
Region:
id = 2434
start_va = 0x3840000
end_va = 0x393ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003840000"
filename = ""
Region:
id = 2435
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2436
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 2437
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 2438
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 2439
start_va = 0x7ff719ba0000
end_va = 0x7ff719bacfff
monitored = 0
entry_point = 0x7ff719ba3980
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 2440
start_va = 0x7ffa53c70000
end_va = 0x7ffa53c7dfff
monitored = 0
entry_point = 0x7ffa53c71460
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 2441
start_va = 0x7ffa53d80000
end_va = 0x7ffa53e0afff
monitored = 0
entry_point = 0x7ffa53d9d2a0
region_type = mapped_file
name = "netprofmsvc.dll"
filename = "\\Windows\\System32\\netprofmsvc.dll" (normalized: "c:\\windows\\system32\\netprofmsvc.dll")
Region:
id = 2442
start_va = 0x7ffa55080000
end_va = 0x7ffa5508cfff
monitored = 0
entry_point = 0x7ffa55082650
region_type = mapped_file
name = "nsisvc.dll"
filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll")
Region:
id = 2443
start_va = 0x7ffa552b0000
end_va = 0x7ffa552bbfff
monitored = 0
entry_point = 0x7ffa552b14d0
region_type = mapped_file
name = "locationframeworkps.dll"
filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")
Region:
id = 2444
start_va = 0x7ffa557a0000
end_va = 0x7ffa557b7fff
monitored = 0
entry_point = 0x7ffa557a5910
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 2445
start_va = 0x7ffa55910000
end_va = 0x7ffa55938fff
monitored = 0
entry_point = 0x7ffa559224d0
region_type = mapped_file
name = "fontprovider.dll"
filename = "\\Windows\\System32\\FontProvider.dll" (normalized: "c:\\windows\\system32\\fontprovider.dll")
Region:
id = 2446
start_va = 0x7ffa55940000
end_va = 0x7ffa55ae1fff
monitored = 0
entry_point = 0x7ffa5598c2d0
region_type = mapped_file
name = "fntcache.dll"
filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll")
Region:
id = 2447
start_va = 0x7ffa56060000
end_va = 0x7ffa560a9fff
monitored = 0
entry_point = 0x7ffa5606ac30
region_type = mapped_file
name = "deviceaccess.dll"
filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll")
Region:
id = 2448
start_va = 0x7ffa560b0000
end_va = 0x7ffa56129fff
monitored = 0
entry_point = 0x7ffa560d7630
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 2449
start_va = 0x7ffa56130000
end_va = 0x7ffa56162fff
monitored = 0
entry_point = 0x7ffa5613d5a0
region_type = mapped_file
name = "biwinrt.dll"
filename = "\\Windows\\System32\\biwinrt.dll" (normalized: "c:\\windows\\system32\\biwinrt.dll")
Region:
id = 2450
start_va = 0x7ffa57d00000
end_va = 0x7ffa57d91fff
monitored = 0
entry_point = 0x7ffa57d4a780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 2451
start_va = 0x7ffa57da0000
end_va = 0x7ffa57e18fff
monitored = 0
entry_point = 0x7ffa57db7800
region_type = mapped_file
name = "geolocation.dll"
filename = "\\Windows\\System32\\Geolocation.dll" (normalized: "c:\\windows\\system32\\geolocation.dll")
Region:
id = 2452
start_va = 0x7ffa57e90000
end_va = 0x7ffa57ea9fff
monitored = 0
entry_point = 0x7ffa57e9b670
region_type = mapped_file
name = "tzautoupdate.dll"
filename = "\\Windows\\System32\\tzautoupdate.dll" (normalized: "c:\\windows\\system32\\tzautoupdate.dll")
Region:
id = 2453
start_va = 0x7ffa580d0000
end_va = 0x7ffa58105fff
monitored = 0
entry_point = 0x7ffa580e0070
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 2454
start_va = 0x7ffa5a190000
end_va = 0x7ffa5a28ffff
monitored = 0
entry_point = 0x7ffa5a1d0f80
region_type = mapped_file
name = "twinapi.appcore.dll"
filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll")
Region:
id = 2455
start_va = 0x7ffa5a810000
end_va = 0x7ffa5a903fff
monitored = 0
entry_point = 0x7ffa5a81a960
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 2456
start_va = 0x7ffa5add0000
end_va = 0x7ffa5adeefff
monitored = 0
entry_point = 0x7ffa5add5d30
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 2457
start_va = 0x7ffa5b500000
end_va = 0x7ffa5b528fff
monitored = 0
entry_point = 0x7ffa5b514530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 2458
start_va = 0x7ffa5b670000
end_va = 0x7ffa5b67efff
monitored = 0
entry_point = 0x7ffa5b673210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 2459
start_va = 0x7ffa5b6e0000
end_va = 0x7ffa5b6f3fff
monitored = 0
entry_point = 0x7ffa5b6e52e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 2460
start_va = 0x7ffa5b700000
end_va = 0x7ffa5b7b4fff
monitored = 0
entry_point = 0x7ffa5b7422e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 2461
start_va = 0x7ffa5b890000
end_va = 0x7ffa5ba77fff
monitored = 0
entry_point = 0x7ffa5b8bba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2462
start_va = 0x7ffa5c350000
end_va = 0x7ffa5c3b9fff
monitored = 0
entry_point = 0x7ffa5c386d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 2463
start_va = 0x7ffa5c570000
end_va = 0x7ffa5c6b2fff
monitored = 0
entry_point = 0x7ffa5c598210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2464
start_va = 0x7ffa5c6f0000
end_va = 0x7ffa5c96cfff
monitored = 0
entry_point = 0x7ffa5c7c4970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 2465
start_va = 0x7ffa5c970000
end_va = 0x7ffa5ca0cfff
monitored = 0
entry_point = 0x7ffa5c9778a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2466
start_va = 0x7ffa5ca10000
end_va = 0x7ffa5cab6fff
monitored = 0
entry_point = 0x7ffa5ca1b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 2467
start_va = 0x7ffa5cac0000
end_va = 0x7ffa5cc15fff
monitored = 0
entry_point = 0x7ffa5caca8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2468
start_va = 0x7ffa5cc60000
end_va = 0x7ffa5ccbafff
monitored = 0
entry_point = 0x7ffa5cc738b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 2469
start_va = 0x7ffa5ccc0000
end_va = 0x7ffa5ce45fff
monitored = 0
entry_point = 0x7ffa5cd0ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2470
start_va = 0x7ffa5ce50000
end_va = 0x7ffa5cf10fff
monitored = 0
entry_point = 0x7ffa5ce70da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 2471
start_va = 0x7ffa5ecf0000
end_va = 0x7ffa5ed96fff
monitored = 0
entry_point = 0x7ffa5ed058d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 2472
start_va = 0x7ffa5eda0000
end_va = 0x7ffa5eda7fff
monitored = 0
entry_point = 0x7ffa5eda1ea0
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 2473
start_va = 0x7ffa5ee20000
end_va = 0x7ffa5ef3bfff
monitored = 0
entry_point = 0x7ffa5ee602b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2474
start_va = 0x7ffa5ef40000
end_va = 0x7ffa5efecfff
monitored = 0
entry_point = 0x7ffa5ef581a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2475
start_va = 0x7ffa5f050000
end_va = 0x7ffa5f210fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2478
start_va = 0x5d0000
end_va = 0x5fdfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005d0000"
filename = ""
Region:
id = 2493
start_va = 0xf00000
end_va = 0xfdffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 2494
start_va = 0x7ffa53b20000
end_va = 0x7ffa53b33fff
monitored = 0
entry_point = 0x7ffa53b21a50
region_type = mapped_file
name = "wlanradiomanager.dll"
filename = "\\Windows\\System32\\WlanRadioManager.dll" (normalized: "c:\\windows\\system32\\wlanradiomanager.dll")
Region:
id = 2495
start_va = 0x7ffa54a90000
end_va = 0x7ffa54ac7fff
monitored = 0
entry_point = 0x7ffa54aa8cc0
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 2496
start_va = 0x7ffa555a0000
end_va = 0x7ffa55600fff
monitored = 0
entry_point = 0x7ffa555a4b50
region_type = mapped_file
name = "wlanapi.dll"
filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")
Region:
id = 2497
start_va = 0x7ffa53b00000
end_va = 0x7ffa53b18fff
monitored = 0
entry_point = 0x7ffa53b02180
region_type = mapped_file
name = "bthradiomedia.dll"
filename = "\\Windows\\System32\\BthRadioMedia.dll" (normalized: "c:\\windows\\system32\\bthradiomedia.dll")
Region:
id = 2500
start_va = 0x7ffa5b7c0000
end_va = 0x7ffa5b802fff
monitored = 0
entry_point = 0x7ffa5b7d4b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 2501
start_va = 0x7ffa5a0b0000
end_va = 0x7ffa5a0d6fff
monitored = 0
entry_point = 0x7ffa5a0b7940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 2502
start_va = 0x7ffa538c0000
end_va = 0x7ffa538ddfff
monitored = 0
entry_point = 0x7ffa538c1690
region_type = mapped_file
name = "bluetoothapis.dll"
filename = "\\Windows\\System32\\BluetoothApis.dll" (normalized: "c:\\windows\\system32\\bluetoothapis.dll")
Region:
id = 2504
start_va = 0x3940000
end_va = 0x3a3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003940000"
filename = ""
Region:
id = 2505
start_va = 0x7ffa54b10000
end_va = 0x7ffa54b1afff
monitored = 0
entry_point = 0x7ffa54b11d30
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 2508
start_va = 0x3a40000
end_va = 0x3c3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003a40000"
filename = ""
Region:
id = 2509
start_va = 0x3b00000
end_va = 0x3bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b00000"
filename = ""
Region:
id = 2510
start_va = 0x7ffa5eb20000
end_va = 0x7ffa5eb8afff
monitored = 0
entry_point = 0x7ffa5eb390c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 2523
start_va = 0x7ffa5af40000
end_va = 0x7ffa5af9bfff
monitored = 0
entry_point = 0x7ffa5af56f70
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 2592
start_va = 0x7ffa5a670000
end_va = 0x7ffa5a693fff
monitored = 0
entry_point = 0x7ffa5a673260
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Thread:
id = 178
os_tid = 0x56c
Thread:
id = 179
os_tid = 0x520
Thread:
id = 180
os_tid = 0x494
Thread:
id = 181
os_tid = 0x2cc
Thread:
id = 182
os_tid = 0x2c8
Thread:
id = 183
os_tid = 0x2a8
Thread:
id = 184
os_tid = 0x174
Thread:
id = 185
os_tid = 0x14c
Thread:
id = 186
os_tid = 0x144
Thread:
id = 187
os_tid = 0x3f4
Thread:
id = 188
os_tid = 0x3d4
Thread:
id = 189
os_tid = 0x3d0
Thread:
id = 190
os_tid = 0x570
Thread:
id = 191
os_tid = 0x57c
Thread:
id = 192
os_tid = 0x580
Thread:
id = 193
os_tid = 0x584
Thread:
id = 196
os_tid = 0x5a4
Process:
id = "18"
image_name = "sihost.exe"
filename = "c:\\windows\\system32\\sihost.exe"
page_root = "0x31d7d000"
os_pid = "0x5ac"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "15"
os_parent_pid = "0x60"
cmd_line = "sihost.exe"
cur_dir = "C:\\Windows\\system32\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000106fa" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 2512
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2513
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2514
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 2515
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 2516
start_va = 0xe0000
end_va = 0xe1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 2517
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 2518
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2519
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 2520
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 2521
start_va = 0x7ff79d980000
end_va = 0x7ff79d995fff
monitored = 0
entry_point = 0x7ff79d985190
region_type = mapped_file
name = "sihost.exe"
filename = "\\Windows\\System32\\sihost.exe" (normalized: "c:\\windows\\system32\\sihost.exe")
Region:
id = 2522
start_va = 0x7ffa5f050000
end_va = 0x7ffa5f210fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2524
start_va = 0x400000
end_va = 0x68ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 2525
start_va = 0x7ffa5ef40000
end_va = 0x7ffa5efecfff
monitored = 0
entry_point = 0x7ffa5ef581a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2526
start_va = 0x7ffa5b890000
end_va = 0x7ffa5ba77fff
monitored = 0
entry_point = 0x7ffa5b8bba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2527
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2528
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 2529
start_va = 0xf0000
end_va = 0x1adfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2530
start_va = 0x7ffa5c970000
end_va = 0x7ffa5ca0cfff
monitored = 0
entry_point = 0x7ffa5c9778a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2531
start_va = 0x400000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 2532
start_va = 0x590000
end_va = 0x68ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000590000"
filename = ""
Region:
id = 2533
start_va = 0x7ffa5c6f0000
end_va = 0x7ffa5c96cfff
monitored = 0
entry_point = 0x7ffa5c7c4970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 2534
start_va = 0x7ffa5ee20000
end_va = 0x7ffa5ef3bfff
monitored = 0
entry_point = 0x7ffa5ee602b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2535
start_va = 0x7ffa5c350000
end_va = 0x7ffa5c3b9fff
monitored = 0
entry_point = 0x7ffa5c386d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 2536
start_va = 0x7ffa5cc60000
end_va = 0x7ffa5ccbafff
monitored = 0
entry_point = 0x7ffa5cc738b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 2537
start_va = 0x7ffa5ecf0000
end_va = 0x7ffa5ed96fff
monitored = 0
entry_point = 0x7ffa5ed058d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 2538
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 2539
start_va = 0x7ffa5ab60000
end_va = 0x7ffa5ab90fff
monitored = 0
entry_point = 0x7ffa5ab67d10
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 2540
start_va = 0x7ffa59650000
end_va = 0x7ffa5970dfff
monitored = 0
entry_point = 0x7ffa59692d40
region_type = mapped_file
name = "coremessaging.dll"
filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll")
Region:
id = 2556
start_va = 0x480000
end_va = 0x4fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000480000"
filename = ""
Region:
id = 2557
start_va = 0x7ffa53630000
end_va = 0x7ffa538b7fff
monitored = 0
entry_point = 0x7ffa5368f670
region_type = mapped_file
name = "coreuicomponents.dll"
filename = "\\Windows\\System32\\CoreUIComponents.dll" (normalized: "c:\\windows\\system32\\coreuicomponents.dll")
Region:
id = 2558
start_va = 0x7ffa5b670000
end_va = 0x7ffa5b67efff
monitored = 0
entry_point = 0x7ffa5b673210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 2559
start_va = 0x7ffa5cac0000
end_va = 0x7ffa5cc15fff
monitored = 0
entry_point = 0x7ffa5caca8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2560
start_va = 0x7ffa5ccc0000
end_va = 0x7ffa5ce45fff
monitored = 0
entry_point = 0x7ffa5cd0ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2561
start_va = 0x7ffa5b700000
end_va = 0x7ffa5b7b4fff
monitored = 0
entry_point = 0x7ffa5b7422e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 2562
start_va = 0x7ffa566c0000
end_va = 0x7ffa567f5fff
monitored = 0
entry_point = 0x7ffa566ef350
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll")
Region:
id = 2563
start_va = 0x690000
end_va = 0x7dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000690000"
filename = ""
Region:
id = 2564
start_va = 0x1b0000
end_va = 0x1b6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 2565
start_va = 0x1c0000
end_va = 0x1f8fff
monitored = 0
entry_point = 0x1c12f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2566
start_va = 0x7e0000
end_va = 0x967fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007e0000"
filename = ""
Region:
id = 2567
start_va = 0x7ffa5cc20000
end_va = 0x7ffa5cc5afff
monitored = 0
entry_point = 0x7ffa5cc212f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2568
start_va = 0x970000
end_va = 0xaf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000970000"
filename = ""
Region:
id = 2569
start_va = 0xb00000
end_va = 0x1efffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b00000"
filename = ""
Region:
id = 2570
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 2571
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 2572
start_va = 0x690000
end_va = 0x76cfff
monitored = 0
entry_point = 0x6ee0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2573
start_va = 0x7d0000
end_va = 0x7dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007d0000"
filename = ""
Region:
id = 2574
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 2575
start_va = 0x7ffa5ca10000
end_va = 0x7ffa5cab6fff
monitored = 0
entry_point = 0x7ffa5ca1b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 2576
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 2577
start_va = 0x7ffa53910000
end_va = 0x7ffa5392dfff
monitored = 0
entry_point = 0x7ffa53915340
region_type = mapped_file
name = "desktopshellext.dll"
filename = "\\Windows\\System32\\DesktopShellExt.dll" (normalized: "c:\\windows\\system32\\desktopshellext.dll")
Region:
id = 2578
start_va = 0x7ffa538f0000
end_va = 0x7ffa53901fff
monitored = 0
entry_point = 0x7ffa538f5110
region_type = mapped_file
name = "windows.shell.servicehostbuilder.dll"
filename = "\\Windows\\System32\\Windows.Shell.ServiceHostBuilder.dll" (normalized: "c:\\windows\\system32\\windows.shell.servicehostbuilder.dll")
Region:
id = 2579
start_va = 0x690000
end_va = 0x78ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000690000"
filename = ""
Region:
id = 2580
start_va = 0x1f00000
end_va = 0x1fdcfff
monitored = 0
entry_point = 0x1f5e0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2581
start_va = 0x500000
end_va = 0x57ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000500000"
filename = ""
Region:
id = 2582
start_va = 0x1f00000
end_va = 0x1f7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f00000"
filename = ""
Region:
id = 2583
start_va = 0x1f80000
end_va = 0x1ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f80000"
filename = ""
Region:
id = 2584
start_va = 0x7ffa58d40000
end_va = 0x7ffa591d2fff
monitored = 0
entry_point = 0x7ffa58d4f760
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll")
Region:
id = 2585
start_va = 0x7ffa53480000
end_va = 0x7ffa53559fff
monitored = 0
entry_point = 0x7ffa534d03b0
region_type = mapped_file
name = "modernexecserver.dll"
filename = "\\Windows\\System32\\modernexecserver.dll" (normalized: "c:\\windows\\system32\\modernexecserver.dll")
Region:
id = 2586
start_va = 0x7ffa5ce50000
end_va = 0x7ffa5cf10fff
monitored = 0
entry_point = 0x7ffa5ce70da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 2587
start_va = 0x7ffa5b680000
end_va = 0x7ffa5b6cafff
monitored = 0
entry_point = 0x7ffa5b6835f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 2588
start_va = 0x7ffa5a430000
end_va = 0x7ffa5a459fff
monitored = 0
entry_point = 0x7ffa5a438b90
region_type = mapped_file
name = "rmclient.dll"
filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll")
Region:
id = 2589
start_va = 0x7ffa53430000
end_va = 0x7ffa5347afff
monitored = 0
entry_point = 0x7ffa53447b70
region_type = mapped_file
name = "veeventdispatcher.dll"
filename = "\\Windows\\System32\\VEEventDispatcher.dll" (normalized: "c:\\windows\\system32\\veeventdispatcher.dll")
Region:
id = 2590
start_va = 0x7ffa5a190000
end_va = 0x7ffa5a28ffff
monitored = 0
entry_point = 0x7ffa5a1d0f80
region_type = mapped_file
name = "twinapi.appcore.dll"
filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll")
Region:
id = 2591
start_va = 0x7ffa5b500000
end_va = 0x7ffa5b528fff
monitored = 0
entry_point = 0x7ffa5b514530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 2593
start_va = 0x7ffa57d00000
end_va = 0x7ffa57d91fff
monitored = 0
entry_point = 0x7ffa57d4a780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 2594
start_va = 0x2000000
end_va = 0x2142fff
monitored = 0
entry_point = 0x2028210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2595
start_va = 0x2000000
end_va = 0x20dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 2596
start_va = 0x20e0000
end_va = 0x215ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020e0000"
filename = ""
Region:
id = 2597
start_va = 0x7ffa59ff0000
end_va = 0x7ffa5a085fff
monitored = 0
entry_point = 0x7ffa5a015570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 2598
start_va = 0x2160000
end_va = 0x220ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002160000"
filename = ""
Region:
id = 2600
start_va = 0x7ffa53160000
end_va = 0x7ffa53190fff
monitored = 0
entry_point = 0x7ffa53163400
region_type = mapped_file
name = "clipboardserver.dll"
filename = "\\Windows\\System32\\ClipboardServer.dll" (normalized: "c:\\windows\\system32\\clipboardserver.dll")
Region:
id = 2610
start_va = 0x7ffa53100000
end_va = 0x7ffa5315cfff
monitored = 0
entry_point = 0x7ffa53110080
region_type = mapped_file
name = "activationmanager.dll"
filename = "\\Windows\\System32\\ActivationManager.dll" (normalized: "c:\\windows\\system32\\activationmanager.dll")
Region:
id = 2623
start_va = 0x7ffa530a0000
end_va = 0x7ffa530c2fff
monitored = 0
entry_point = 0x7ffa530a3020
region_type = mapped_file
name = "appointmentactivation.dll"
filename = "\\Windows\\System32\\AppointmentActivation.dll" (normalized: "c:\\windows\\system32\\appointmentactivation.dll")
Region:
id = 2645
start_va = 0x2160000
end_va = 0x21dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002160000"
filename = ""
Region:
id = 2646
start_va = 0x2200000
end_va = 0x220ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002200000"
filename = ""
Region:
id = 2647
start_va = 0x7ffa5c570000
end_va = 0x7ffa5c6b2fff
monitored = 0
entry_point = 0x7ffa5c598210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2662
start_va = 0x7ffa53ed0000
end_va = 0x7ffa53f10fff
monitored = 0
entry_point = 0x7ffa53ed4840
region_type = mapped_file
name = "usermgrproxy.dll"
filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll")
Region:
id = 2664
start_va = 0x2210000
end_va = 0x228ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002210000"
filename = ""
Region:
id = 2665
start_va = 0x7ffa54c40000
end_va = 0x7ffa54c4ffff
monitored = 0
entry_point = 0x7ffa54c42c60
region_type = mapped_file
name = "usermgrcli.dll"
filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll")
Region:
id = 2671
start_va = 0x2290000
end_va = 0x238ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002290000"
filename = ""
Region:
id = 2672
start_va = 0x2390000
end_va = 0x2b8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002390000"
filename = ""
Region:
id = 2684
start_va = 0x2b90000
end_va = 0x2c0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b90000"
filename = ""
Region:
id = 2685
start_va = 0x2c10000
end_va = 0x2c8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002c10000"
filename = ""
Region:
id = 2687
start_va = 0x2c90000
end_va = 0x2d0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002c90000"
filename = ""
Region:
id = 2690
start_va = 0x7ffa52e80000
end_va = 0x7ffa52ec3fff
monitored = 0
entry_point = 0x7ffa52e8c010
region_type = mapped_file
name = "execmodelclient.dll"
filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll")
Region:
id = 2694
start_va = 0x7ffa57ea0000
end_va = 0x7ffa57eadfff
monitored = 0
entry_point = 0x7ffa57ea2690
region_type = mapped_file
name = "notificationplatformcomponent.dll"
filename = "\\Windows\\System32\\notificationplatformcomponent.dll" (normalized: "c:\\windows\\system32\\notificationplatformcomponent.dll")
Region:
id = 2695
start_va = 0x7ffa52de0000
end_va = 0x7ffa52e76fff
monitored = 0
entry_point = 0x7ffa52df4fd0
region_type = mapped_file
name = "appcontracts.dll"
filename = "\\Windows\\System32\\AppContracts.dll" (normalized: "c:\\windows\\system32\\appcontracts.dll")
Thread:
id = 197
os_tid = 0x5b0
Thread:
id = 198
os_tid = 0x5c8
Thread:
id = 200
os_tid = 0x5d4
Thread:
id = 202
os_tid = 0x5e8
Thread:
id = 203
os_tid = 0x5ec
Thread:
id = 204
os_tid = 0x5f0
Thread:
id = 205
os_tid = 0x608
Thread:
id = 210
os_tid = 0x61c
Thread:
id = 212
os_tid = 0x624
Thread:
id = 214
os_tid = 0x62c
Thread:
id = 215
os_tid = 0x630
Thread:
id = 216
os_tid = 0x634
Process:
id = "19"
image_name = "taskhostw.exe"
filename = "c:\\windows\\system32\\taskhostw.exe"
page_root = "0x3109a000"
os_pid = "0x60c"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "15"
os_parent_pid = "0x60"
cmd_line = "taskhostw.exe"
cur_dir = "C:\\Windows\\system32\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000106fa" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 2611
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 2612
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 2613
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 2614
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 2615
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 2616
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 2617
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 2618
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 2619
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 2620
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 2621
start_va = 0x7ff7faa10000
end_va = 0x7ff7faa28fff
monitored = 0
entry_point = 0x7ff7faa159b0
region_type = mapped_file
name = "taskhostw.exe"
filename = "\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")
Region:
id = 2622
start_va = 0x7ffa5f050000
end_va = 0x7ffa5f210fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 2624
start_va = 0x400000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 2625
start_va = 0x7ffa5ef40000
end_va = 0x7ffa5efecfff
monitored = 0
entry_point = 0x7ffa5ef581a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 2626
start_va = 0x7ffa5b890000
end_va = 0x7ffa5ba77fff
monitored = 0
entry_point = 0x7ffa5b8bba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 2627
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 2628
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 2629
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 2630
start_va = 0x7ffa5c970000
end_va = 0x7ffa5ca0cfff
monitored = 0
entry_point = 0x7ffa5c9778a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 2631
start_va = 0x540000
end_va = 0x5bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000540000"
filename = ""
Region:
id = 2632
start_va = 0x7ffa5ee20000
end_va = 0x7ffa5ef3bfff
monitored = 0
entry_point = 0x7ffa5ee602b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 2633
start_va = 0x7ffa5c6f0000
end_va = 0x7ffa5c96cfff
monitored = 0
entry_point = 0x7ffa5c7c4970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 2634
start_va = 0x7ffa5c350000
end_va = 0x7ffa5c3b9fff
monitored = 0
entry_point = 0x7ffa5c386d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 2635
start_va = 0x7ffa5ce50000
end_va = 0x7ffa5cf10fff
monitored = 0
entry_point = 0x7ffa5ce70da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 2636
start_va = 0x5c0000
end_va = 0x71ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005c0000"
filename = ""
Region:
id = 2637
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 2638
start_va = 0x5c0000
end_va = 0x702fff
monitored = 0
entry_point = 0x5e8210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 2639
start_va = 0x710000
end_va = 0x71ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000710000"
filename = ""
Region:
id = 2640
start_va = 0x5c0000
end_va = 0x69cfff
monitored = 0
entry_point = 0x61e0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2641
start_va = 0x7ffa5b670000
end_va = 0x7ffa5b67efff
monitored = 0
entry_point = 0x7ffa5b673210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 2642
start_va = 0x1c0000
end_va = 0x1c6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 2644
start_va = 0x7ffa5cc60000
end_va = 0x7ffa5ccbafff
monitored = 0
entry_point = 0x7ffa5cc738b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 2648
start_va = 0x5c0000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005c0000"
filename = ""
Region:
id = 2649
start_va = 0x7ffa5cac0000
end_va = 0x7ffa5cc15fff
monitored = 0
entry_point = 0x7ffa5caca8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 2650
start_va = 0x7ffa5ccc0000
end_va = 0x7ffa5ce45fff
monitored = 0
entry_point = 0x7ffa5cd0ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 2651
start_va = 0x400000
end_va = 0x438fff
monitored = 0
entry_point = 0x4012f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2652
start_va = 0x440000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000440000"
filename = ""
Region:
id = 2653
start_va = 0x720000
end_va = 0x8a7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000720000"
filename = ""
Region:
id = 2654
start_va = 0x7ffa5cc20000
end_va = 0x7ffa5cc5afff
monitored = 0
entry_point = 0x7ffa5cc212f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 2655
start_va = 0x8b0000
end_va = 0xa30fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008b0000"
filename = ""
Region:
id = 2656
start_va = 0xa40000
end_va = 0x1e3ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a40000"
filename = ""
Region:
id = 2657
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "taskhostw.exe.mui"
filename = "\\Windows\\System32\\en-US\\taskhostw.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskhostw.exe.mui")
Region:
id = 2658
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 2659
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001f0000"
filename = ""
Region:
id = 2660
start_va = 0x7ffa59ff0000
end_va = 0x7ffa5a085fff
monitored = 0
entry_point = 0x7ffa5a015570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 2661
start_va = 0x640000
end_va = 0x6affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 2666
start_va = 0x7ffa5eb90000
end_va = 0x7ffa5ece9fff
monitored = 0
entry_point = 0x7ffa5ebd38e0
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 2667
start_va = 0x400000
end_va = 0x400fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000400000"
filename = ""
Region:
id = 2668
start_va = 0x1e40000
end_va = 0x1efbfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001e40000"
filename = ""
Region:
id = 2669
start_va = 0x400000
end_va = 0x403fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000400000"
filename = ""
Region:
id = 2670
start_va = 0x7ffa59600000
end_va = 0x7ffa59621fff
monitored = 0
entry_point = 0x7ffa59601a40
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 2673
start_va = 0x1f00000
end_va = 0x1f7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f00000"
filename = ""
Region:
id = 2674
start_va = 0x410000
end_va = 0x410fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000410000"
filename = ""
Region:
id = 2675
start_va = 0x7ffa5ca10000
end_va = 0x7ffa5cab6fff
monitored = 0
entry_point = 0x7ffa5ca1b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 2676
start_va = 0x420000
end_va = 0x420fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000420000"
filename = ""
Region:
id = 2677
start_va = 0x7ffa52fa0000
end_va = 0x7ffa53098fff
monitored = 0
entry_point = 0x7ffa52fe8000
region_type = mapped_file
name = "settingsynccore.dll"
filename = "\\Windows\\System32\\SettingSyncCore.dll" (normalized: "c:\\windows\\system32\\settingsynccore.dll")
Region:
id = 2678
start_va = 0x430000
end_va = 0x431fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000430000"
filename = ""
Region:
id = 2679
start_va = 0x7ffa5b700000
end_va = 0x7ffa5b7b4fff
monitored = 0
entry_point = 0x7ffa5b7422e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 2680
start_va = 0x7ffa5b6e0000
end_va = 0x7ffa5b6f3fff
monitored = 0
entry_point = 0x7ffa5b6e52e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 2681
start_va = 0x7ffa5ecf0000
end_va = 0x7ffa5ed96fff
monitored = 0
entry_point = 0x7ffa5ed058d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 2682
start_va = 0x7ffa5b500000
end_va = 0x7ffa5b528fff
monitored = 0
entry_point = 0x7ffa5b514530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 2683
start_va = 0x7ffa5b050000
end_va = 0x7ffa5b066fff
monitored = 0
entry_point = 0x7ffa5b0579d0
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 2686
start_va = 0x7ffa52ed0000
end_va = 0x7ffa52f9dfff
monitored = 0
entry_point = 0x7ffa52f014c0
region_type = mapped_file
name = "tokenbroker.dll"
filename = "\\Windows\\System32\\TokenBroker.dll" (normalized: "c:\\windows\\system32\\tokenbroker.dll")
Region:
id = 2688
start_va = 0x7ffa566c0000
end_va = 0x7ffa567f5fff
monitored = 0
entry_point = 0x7ffa566ef350
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll")
Region:
id = 2689
start_va = 0x1f80000
end_va = 0x205cfff
monitored = 0
entry_point = 0x1fde0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 2691
start_va = 0x1f80000
end_va = 0x1ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f80000"
filename = ""
Region:
id = 2692
start_va = 0x2000000
end_va = 0x207ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002000000"
filename = ""
Region:
id = 2693
start_va = 0x2080000
end_va = 0x20fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002080000"
filename = ""
Thread:
id = 207
os_tid = 0x610
Thread:
id = 208
os_tid = 0x614
Thread:
id = 211
os_tid = 0x620
Thread:
id = 213
os_tid = 0x628
Thread:
id = 217
os_tid = 0x638
Thread:
id = 218
os_tid = 0x63c
Thread:
id = 219
os_tid = 0x640